Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities

Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, a group, or an application service principal. To learn more about roles and role assignments, see Understanding the different roles.

Overview

When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Azure AD, access to a resource is a two-step process.

  1. First, the security principal's identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token for is https://servicebus.chinacloudapi.cn.
  2. Next, the token is passed as part of a request to the Service Bus service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to the Service Bus service, see Authenticate access to Azure Service Bus resources with Azure Active Directory and managed identities for Azure resources.

The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Service Bus provides Azure roles that encompass sets of permissions for Service Bus resources. The roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles to Azure Service Bus, see Azure built-in roles for Azure Service Bus.

Native applications and web applications that make requests to Service Bus can also authorize with Azure AD. This article shows you how to request an access token and use it to authorize requests for Service Bus resources.

Assigning Azure roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure RBAC. Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities, and you can also define custom roles for accessing the data.

When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, or the Service Bus namespace. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Azure built-in roles for Azure Service Bus

For Azure Service Bus, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the following Azure built-in roles for authorizing access to a Service Bus namespace:

Resource scope

Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practice is to grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Service Bus resources, starting with the narrowest scope:

  • Queue, topic, or subscription: Role assignment applies to the specific Service Bus entity. Currently, the Azure portal doesn't support assigning users/groups/managed identities to Service Bus Azure roles at the subscription level.
  • Service Bus namespace: Role assignment spans the entire topology of Service Bus under the namespace and the consumer group associated with it.
  • Resource group: Role assignment applies to all the Service Bus resources under the resource group.
  • Subscription: Role assignment applies to all the Service Bus resources in all of the resource groups in the subscription.

Note

Keep in mind that Azure role assignments may take up to five minutes to propagate.

For more information about how built-in roles are defined, see Understand role definitions. For information about creating Azure custom roles, see Azure custom roles.

Assign Azure roles using the Azure portal

To learn more about managing access to Azure resources using Azure RBAC and the Azure portal, see this article.

After you've determined the appropriate scope for a role assignment, navigate to that resource in the Azure portal. Display the access control (IAM) settings for the resource, and follow these instructions to manage role assignments:

Note

The steps described below assign a role to your Service Bus namespace. You can follow the same steps to assign a role at other supported scopes (resource group, subscription, etc.).

  1. In the Azure portal, navigate to your Service Bus namespace. Select Access Control (IAM) on the left menu to display the access control settings for the namespace. If you need to create a Service Bus namespace, follow the instructions in this article: Create a Service Bus Messaging namespace.

    Screenshot: Access Control on the left menu

  2. Select the Role assignments tab to see the list of role assignments. Select the Add button on the toolbar and then select Add role assignment.

    Screenshot: Add button on the toolbar

  3. On the Add role assignment page, do the following steps:

    1. Select the Service Bus role that you want to assign.

    2. Search to locate the security principal (user, group, service principal) to which you want to assign the role.

    3. Select Save to save the role assignment.

      Screenshot: Assigning a role to a user

    4. The identity to which you assigned the role appears listed under that role. For example, the following image shows that Azure-users is in the Azure Service Bus Data Owner role.

      Screenshot: User in the list

You can follow similar steps to assign a role scoped to a resource group or a subscription. Once you define the role and its scope, you can test this behavior with the samples on GitHub.

Authenticate from an application

A key advantage of using Azure AD with Service Bus is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from the Azure identity platform. Azure AD authenticates the security principal (a user, a group, or a service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Service Bus.

The following sections show you how to configure your native application or web application for authentication with Microsoft identity platform 2.0. For more information about Microsoft identity platform 2.0, see Microsoft identity platform (v2.0) overview.

For an overview of the OAuth 2.0 code grant flow, see Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow.

Register your application with an Azure AD tenant

The first step in using Azure AD to authorize access to Service Bus entities is registering your client application with an Azure AD tenant from the Azure portal. When you register your client application, you supply information about the application to Azure AD. Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD at runtime. To learn more about the client ID, see Application and service principal objects in Azure Active Directory.

The following images show the steps for registering a web application:

Screenshot: Register an application

Note

If you register your application as a native application, you can specify any valid URI for the Redirect URI. For native applications, this value does not have to be a real URL. For web applications, the redirect URI must be a valid URI, because it specifies the URL to which tokens are provided.

After you've registered your application, you'll see the Application (client) ID under Settings:

Screenshot: Application ID of the registered application

For more information about registering an application with Azure AD, see Integrating applications with Azure Active Directory.

Important

Make note of the TenantId and the ApplicationId. You will need these values to run the application.

Create a client secret

The application needs a client secret to prove its identity when requesting a token. To add the client secret, follow these steps.

  1. Navigate to your app registration in the Azure portal if you aren't already on that page.

  2. Select Certificates & secrets on the left menu.

  3. Under Client secrets, select New client secret to create a new secret.

    Screenshot: New client secret button

  4. Provide a description for the secret, choose the desired expiration interval, and then select Add.

    Screenshot: Add a client secret page

  5. Immediately copy the value of the new secret to a secure location. The full value is displayed to you only once.

    Screenshot: Client secret

Permissions for the Service Bus API

If your application is a console application, you must register a native application and add API permissions for Microsoft.ServiceBus to the required permissions set. Native applications also need a redirect URI in Azure AD, which serves as an identifier; the URI does not need to be a network destination. Use https://servicebus.chinacloudapi.cn for this example, because the sample code already uses that URI.

Client libraries for token acquisition

Once you've registered your application and granted it permissions to send/receive data in Azure Service Bus, you can add code to your application to authenticate a security principal and acquire an OAuth 2.0 token. To authenticate and acquire the token, you can use one of the Microsoft identity platform authentication libraries or another open-source library that supports OpenID Connect 1.0. Your application can then use the access token to authorize a request against Azure Service Bus.

For a list of scenarios for which acquiring tokens is supported, see the Scenarios section of the Microsoft Authentication Library (MSAL) for .NET GitHub repository.

Sample on GitHub

See the following sample on GitHub: Role-based access control for Service Bus.

Use the Client Secret Login option, not the Interactive User Login option. When you use the client secret option, you don't see a pop-up window. The application uses the tenant ID and app ID for authentication.

Run the sample

Before you can run the sample, edit the app.config file and, depending on your scenario, set the following values:

  • tenantId: Set to the TenantId value.
  • clientId: Set to the ApplicationId value.
  • clientSecret: If you want to sign in using the client secret, create it in Azure AD. Also, use a web app or API instead of a native app. Also, add the app under Access Control (IAM) in the namespace you previously created.
  • serviceBusNamespaceFQDN: Set to the full DNS name of your newly created Service Bus namespace; for example, example.servicebus.chinacloudapi.cn.
  • queueName: Set to the name of the queue you created.
  • The redirect URI you specified in your app in the previous steps.

When you run the console application, you are prompted to select a scenario. Select Interactive User Login by typing its number and pressing ENTER. The application displays a login window, asks for your consent to access Service Bus, and then uses the login identity to run through the send/receive scenario against the service.
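The two-step process from the Overview, carried out with the Client Secret Login option and the app.config keys listed above, as an added Python example that is not the GitHub sample or Microsoft's code: step 1 builds the client-credentials request for a token on the https://servicebus.chinacloudapi.cn resource, and a client-side check confirms the token's audience and expiry before step 2 sends it as a bearer token. The authority host https://login.chinacloudapi.cn is an assumption the page does not state, and every tenant, client and secret value is a constructed placeholder.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# From the page: the resource to request a token for (and the audience expected in that token).
SERVICE_BUS_RESOURCE = "https://servicebus.chinacloudapi.cn"
# Assumption: the Azure AD authority host for Azure China; the page does not name it.
AUTHORITY_HOST = "https://login.chinacloudapi.cn"

def build_token_request(cfg):
    """Step 1: build (not send) the client-credentials POST to the v2.0 token endpoint.
    cfg uses the app.config keys from the page: tenantId, clientId, clientSecret."""
    url = f"{AUTHORITY_HOST}/{cfg['tenantId']}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["clientId"],
        "client_secret": cfg["clientSecret"],
        "scope": SERVICE_BUS_RESOURCE + "/.default",  # the app's granted Service Bus permissions
    })
    return url, body

def acquire_token(cfg):
    """Send the request from build_token_request and return the access token (network call)."""
    url, body = build_token_request(cfg)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_jwt(claims):
    """Constructed test token (header.payload.<empty signature>), for offline checks only."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."

def token_usable(token, expected_aud=SERVICE_BUS_RESOURCE, now=None):
    """Client-side sanity check before step 2: right audience and not yet expired.
    Reads claims only; the signature is verified by Service Bus, not here."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now

def bearer_header(token):
    """Step 2: the token travels as a bearer token on every request to the namespace."""
    return {"Authorization": "Bearer " + token}
```

A token whose aud is some other resource is rejected by Service Bus anyway; checking it locally turns a confusing 401 into a clear configuration error at the point where the scope was set.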

Next steps

To learn more about Service Bus messaging, see the following topics.