Notification Hubs security

Overview

This topic describes the security model of Azure Notification Hubs.

Shared Access Signature security

Notification Hubs implements an entity-level security scheme called a Shared Access Signature (SAS). Each rule contains a name, a key value (shared secret), and a set of rights, as explained later in Security claims.

When creating a hub, two rules are automatically created: one with Listen rights (used by the client app) and one with all rights (used by the app backend):

  • DefaultListenSharedAccessSignature: grants Listen permission only.
  • DefaultFullSharedAccessSignature: grants Listen, Manage, and Send permissions. This policy is to be used only in your app backend. Do not use it in client applications; use a policy with only Listen access. To create a new custom access policy with a new SAS token, see SAS tokens for access policies later in this article.

When performing registration management from client apps, if the information sent via notifications is not sensitive (for example, weather updates), a common way to access a Notification Hub is to give the key value of the Listen-only rule to the client app, and the key value of the full-access rule to the app backend.

Apps should not embed the key value in Windows Store client apps; instead, have the client app retrieve it from the app backend at startup.

The key with Listen access allows a client app to register for any tag. If your app must restrict registrations for specific tags to specific clients (for example, when tags represent user IDs), your app backend must perform the registrations. For more information, see Registration management. Note that in this case the client app does not have direct access to Notification Hubs.

Security claims

Similar to other entities, Notification Hub operations are allowed for three security claims: Listen, Send, and Manage.

| Claim | Description | Operations allowed |
|---|---|---|
| Listen | Create/Update, Read, and Delete single registrations | Create/Update registration; Read registration; Read all registrations for a handle; Delete registration |
| Send | Send messages to the Notification Hub | Send message |
| Manage | CRUD operations on Notification Hubs (including updating PNS credentials and security keys), and reading registrations based on tags | Create/Update/Read/Delete hubs; Read registrations by tag |

Notification Hubs accepts SAS tokens generated with shared keys configured directly on the hub.

It is not possible to send a notification to more than one namespace. Namespaces are logical containers for Notification Hubs and are not involved in sending notifications.

Use the namespace-level access policies (credentials) for namespace-level operations, for example listing hubs, creating or deleting hubs, and so on. Only the hub-level access policies let you send notifications.

SAS tokens for access policies

To create a new security claim or to view existing SAS keys, do the following:

  1. Sign in to the Azure portal.
  2. Select All resources.
  3. Select the name of the Notification Hub for which you want to create the claim or view the SAS key.
  4. In the left-hand menu, select Access Policies.
  5. Select New Policy to create a new security claim. Give the policy a name, and select the permissions you want to grant. Then select OK.
  6. The full connection string (including the new SAS key) is displayed in the Access Policies window. You can copy this string to the clipboard for later use.

To extract the SAS key from a specific policy, select the Copy button next to the policy containing the SAS key you want. Paste this value into a temporary location, then copy the SAS key portion of the connection string. This example uses a Notification Hubs namespace called mytestnamespace1 and a policy named policy2. The SAS key is the value near the end of the string, specified by SharedAccessKey:

Endpoint=sb://mytestnamespace1.servicebus.chinacloudapi.cn/;SharedAccessKeyName=policy2;SharedAccessKey=<SAS key value here>

(Figure: Get SAS key)
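As an added example (not code from the original article or from the Notification Hubs SDK), the following Python parses a connection string of the shape shown above, builds the Service Bus style SAS token that Notification Hubs accepts (HMAC-SHA256 over the URL-encoded hub URI and an expiry, signed with the policy key), and shows the backend-issued, short-lived, Listen-only token that a client app should fetch at startup instead of holding the key. The hub name `myhub` and the placeholder key value are assumptions.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample in the shape of the page's connection string; the key is a placeholder.
LISTEN_CONNECTION_STRING = (
    "Endpoint=sb://mytestnamespace1.servicebus.chinacloudapi.cn/;"
    "SharedAccessKeyName=DefaultListenSharedAccessSignature;"
    "SharedAccessKey=PLACEHOLDER_LISTEN_KEY_VALUE"
)

def parse_connection_string(conn: str) -> dict:
    # 'Name=Value;...'; splitting on the first '=' keeps base64 '=' padding inside the key
    parts = dict(seg.partition("=")[::2] for seg in conn.strip(" ;").split(";") if seg)
    missing = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey"} - parts.keys()
    if missing or not all(parts.values()):
        raise ValueError("malformed connection string")
    return parts

def hub_resource_uri(endpoint: str, hub_name: str) -> str:
    # sb:// endpoint from the connection string -> https URI of one hub (hub name assumed)
    return endpoint.replace("sb://", "https://", 1).rstrip("/") + "/" + hub_name

def make_sas_token(resource_uri: str, key_name: str, key: str, ttl: int, now: int) -> str:
    # Service Bus style SAS: HMAC-SHA256 over '<url-encoded uri>\n<expiry>' with the policy key
    expiry = now + ttl
    sr = urllib.parse.quote(resource_uri, safe="")
    digest = hmac.new(key.encode(), f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = urllib.parse.quote(base64.b64encode(digest).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"

def issue_client_token(hub_name: str, now: int, ttl: int = 3600) -> str:
    # Backend hands this to the client at startup: short-lived, Listen-only, key stays server-side
    p = parse_connection_string(LISTEN_CONNECTION_STRING)
    return make_sas_token(hub_resource_uri(p["Endpoint"], hub_name),
                          p["SharedAccessKeyName"], p["SharedAccessKey"], ttl, now)

def verify_sas_token(token: str, resource_uri: str, key: str, now: int) -> bool:
    # Recompute the signature as the service would; reject expired, mis-scoped or tampered tokens
    scheme, _, query = token.partition(" ")
    fields = dict(urllib.parse.parse_qsl(query))
    if scheme != "SharedAccessSignature" or not fields.get("se", "").isdigit():
        return False
    if int(fields["se"]) <= now or fields.get("sr") != resource_uri:
        return False
    sr = urllib.parse.quote(resource_uri, safe="")
    digest = hmac.new(key.encode(), f"{sr}\n{fields['se']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), fields.get("sig", ""))
```

The token carries only the rights of the policy named in `skn`, so a token minted from the Listen policy cannot be used to send or manage even if it leaks from the client.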

Next steps