Service Bus authentication and authorization

Applications gain access to Azure Service Bus resources using Shared Access Signature (SAS) token authentication. With SAS, applications present a token to Service Bus that has been signed with a symmetric key known both to the token issuer and to Service Bus (hence "shared"); that key is directly associated with a rule granting specific access rights, such as the permission to receive/listen or to send messages. SAS rules are configured either on the namespace or directly on entities such as a queue or topic, allowing for fine-grained access control.

SAS tokens can either be generated by a Service Bus client directly, or they can be generated by some intermediate token-issuing endpoint with which the client interacts. For example, a system may require the client to call a web service endpoint protected by Active Directory authorization to prove its identity and system access rights, and the web service then returns the appropriate Service Bus token. This SAS token can be easily generated using the Service Bus token provider included in the Azure SDK.

Important

If you are using Azure Active Directory Access Control (also known as Access Control Service or ACS) with Service Bus, note that support for this method is now limited and you should migrate your application to use SAS. For more information, see this blog post and this article.

Azure Active Directory

Azure Active Directory (Azure AD) integration for Service Bus resources provides role-based access control (RBAC) for fine-grained control over a client's access to resources. You can use RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. The security principal is authenticated by Azure AD, which returns an OAuth 2.0 token. The token can then be used to authorize a request to access a Service Bus resource (queue, topic, etc.).

For more information about authenticating with Azure AD, see the following articles:

Important

Authorizing users or applications using an OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Service Bus applications when possible.

Shared access signature

SAS authentication enables you to grant a user access to Service Bus resources with specific rights. SAS authentication in Service Bus involves the configuration of a cryptographic key with associated rights on a Service Bus resource. Clients can then gain access to that resource by presenting a SAS token, which consists of the resource URI being accessed and an expiry, signed with the configured key.

You can configure keys for SAS on a Service Bus namespace. The key applies to all messaging entities within that namespace. You can also configure keys on Service Bus queues and topics. SAS is also supported on Azure Relay.

To use SAS, you configure a SharedAccessAuthorizationRule object on a namespace, queue, or topic. This rule consists of the following elements:

  • KeyName: identifies the rule.
  • PrimaryKey: a cryptographic key used to sign/validate SAS tokens.
  • SecondaryKey: a cryptographic key used to sign/validate SAS tokens.
  • Rights: represents the collection of Listen, Send, or Manage rights granted.

Authorization rules configured at the namespace level can grant access to all entities in a namespace for clients with tokens signed using the corresponding key. You can configure up to 12 such authorization rules on a Service Bus namespace, queue, or topic. By default, a SharedAccessAuthorizationRule with all rights is configured for every namespace when it is first provisioned.

To access an entity, the client requires a SAS token generated using a specific SharedAccessAuthorizationRule. The SAS token is generated by computing the HMAC-SHA256 of a resource string, consisting of the resource URI to which access is claimed and an expiry time, with a cryptographic key associated with the authorization rule.
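The following is an added example, not code from the page or from the Azure SDK, that shows both halves of the mechanism described above in Python: a client signing a resource URI plus expiry with HMAC-SHA256 under a rule key, and a verifier (the role Service Bus plays) checking the signature, the expiry and the resource, accepting either the rule's PrimaryKey or SecondaryKey so that keys can be rotated without invalidating tokens already in flight. The token layout used here (the `SharedAccessSignature sr=…&sig=…&se=…&skn=…` fields and the URL-encoded URI, newline, expiry string-to-sign) follows the publicly documented Service Bus SAS format as understood by the author of this example; it is an assumption of the example, not something stated on this page, and the namespace URI, rule name and keys are constructed sample values.

```python
"""Added example (not from the page or the Azure SDK): generate and verify a
Service Bus style SAS token with HMAC-SHA256 over the resource URI and expiry."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed sample values for illustration only; not real Service Bus credentials.
RESOURCE_URI = "https://contoso-example.servicebus.windows.net/orders-queue"
KEY_NAME = "SendListenPolicy"  # KeyName of the SharedAccessAuthorizationRule
PRIMARY_KEY = "primary-key-constructed-for-this-example"
SECONDARY_KEY = "secondary-key-constructed-for-this-example"

# Verifier-side view of the rule: one KeyName, two keys that are both valid.
RULE_KEYS = {KEY_NAME: (PRIMARY_KEY, SECONDARY_KEY)}


def _string_to_sign(resource_uri: str, expiry: int) -> bytes:
    # Assumed layout: URL-encoded resource URI, a newline, then the expiry as
    # seconds since the Unix epoch. This is what both sides feed into HMAC-SHA256.
    return f"{quote(resource_uri, safe='')}\n{expiry}".encode("utf-8")


def _signature(key: str, resource_uri: str, expiry: int) -> str:
    digest = hmac.new(key.encode("utf-8"), _string_to_sign(resource_uri, expiry), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Client side: sign the resource URI and expiry with one of the rule's keys."""
    sig = _signature(key, resource_uri, expiry)
    return (
        "SharedAccessSignature "
        f"sr={quote(resource_uri, safe='')}"
        f"&sig={quote(sig, safe='')}"
        f"&se={expiry}"
        f"&skn={key_name}"
    )


def validate_sas_token(token: str, expected_resource_uri: str, rule_keys: dict, now: int) -> bool:
    """Verifier side: accept only a well-formed, unexpired token for the expected
    resource whose HMAC verifies under the named rule's primary or secondary key."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
        sr = fields["sr"][0]
        sig = fields["sig"][0]
        expiry = int(fields["se"][0])
        key_name = fields["skn"][0]
    except (KeyError, IndexError, ValueError):
        return False
    # Reject tokens for a different resource, expired tokens, and unknown rules
    # before doing any cryptographic work.
    if sr != expected_resource_uri or expiry <= now or key_name not in rule_keys:
        return False
    # Either key of the rule is acceptable, which is what makes rotation possible:
    # roll the secondary, move clients over, then roll the primary.
    for key in rule_keys[key_name]:
        if hmac.compare_digest(_signature(key, sr, expiry), sig):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    token = generate_sas_token(RESOURCE_URI, KEY_NAME, PRIMARY_KEY, now + 3600)
    print(token)
    print("valid:", validate_sas_token(token, RESOURCE_URI, RULE_KEYS, now))
```

The verifier deliberately checks resource, expiry and rule name before computing any HMAC, compares signatures with `hmac.compare_digest`, and treats a token signed with the SecondaryKey as equally valid; that last point is the reason the rule carries two keys. The real service applies additional normalisation to the `sr` value that this example omits.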

SAS authentication support for Service Bus is included in the Azure .NET SDK versions 2.0 and later. SAS includes support for a SharedAccessAuthorizationRule. All APIs that accept a connection string as a parameter include support for SAS connection strings.

Next steps