Service Bus authentication and authorization

There are two ways to authenticate and authorize access to Azure Service Bus resources: Azure Active Directory (Azure AD) and Shared Access Signatures (SAS). This article gives you details on using these two types of security mechanisms.

Azure Active Directory

Azure AD integration for Service Bus resources provides role-based access control (RBAC) for fine-grained control over a client's access to resources. You can use RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. The security principal is authenticated by Azure AD and receives an OAuth 2.0 token. The token can then be used to authorize a request to access a Service Bus resource (queue, topic, etc.).

For more information about authenticating with Azure AD, see the following articles:

Note

The Service Bus REST API supports OAuth authentication with Azure AD.

Important

Authorizing users or applications with an OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Service Bus applications whenever possible.

Shared access signature

SAS authentication enables you to grant a user access to Service Bus resources with specific rights. SAS authentication in Service Bus involves the configuration of a cryptographic key with associated rights on a Service Bus resource. Clients can then gain access to that resource by presenting a SAS token, which consists of the resource URI being accessed and an expiry time, signed with the configured key.

You can configure keys for SAS on a Service Bus namespace. The key applies to all messaging entities within that namespace. You can also configure keys on Service Bus queues and topics. SAS is also supported on Azure Relay.

To use SAS, you configure a SharedAccessAuthorizationRule object on a namespace, queue, or topic. This rule consists of the following elements:

  • KeyName: identifies the rule.
  • PrimaryKey: a cryptographic key used to sign/validate SAS tokens.
  • SecondaryKey: a cryptographic key used to sign/validate SAS tokens.
  • Rights: represents the collection of Listen, Send, or Manage rights granted.

Authorization rules configured at the namespace level can grant access to all entities in a namespace for clients with tokens signed using the corresponding key. You can configure up to 12 such authorization rules on a Service Bus namespace, queue, or topic. By default, a SharedAccessAuthorizationRule with all rights is configured for every namespace when it is first provisioned.

To access an entity, the client requires a SAS token generated using a specific SharedAccessAuthorizationRule. The SAS token is generated by computing the HMAC-SHA256, keyed with the cryptographic key associated with the authorization rule, over a resource string that consists of the resource URI to which access is claimed and an expiry time.
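The following Python example is added here to illustrate the rule elements listed above and the token construction just described; it is not code from the article or from the Azure SDK. It builds a token in the documented wire format (`SharedAccessSignature sr=...&sig=...&se=...&skn=...`) and shows the checks a verifier performs: the HMAC-SHA256 over the URL-encoded resource URI plus expiry, acceptance of either the primary or the secondary key (which is what makes key rotation possible), the expiry check, the rights check, and a scope check that lets a namespace-level token cover entities beneath it. The rule values are constructed placeholders, and the scope rule (exact match or path prefix) is an assumption made for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, quote

# Constructed sample SharedAccessAuthorizationRule; the keys are placeholders,
# not real credentials.
RULE = {
    "KeyName": "RootManageSharedAccessKey",
    "PrimaryKey": "primary-key-placeholder-0000000000000000000",
    "SecondaryKey": "secondary-key-placeholder-000000000000000000",
    "Rights": {"Listen", "Send", "Manage"},
}


def _string_to_sign(resource_uri: str, expiry: int) -> bytes:
    # The signed string is the URL-encoded resource URI, a newline, and the
    # expiry expressed as seconds since the Unix epoch.
    return f"{quote(resource_uri, safe='')}\n{expiry}".encode("utf-8")


def _signature(key: str, resource_uri: str, expiry: int) -> str:
    # HMAC-SHA256 keyed with the rule's key, base64-encoded for the token.
    digest = hmac.new(key.encode("utf-8"), _string_to_sign(resource_uri, expiry),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    sig = _signature(key, resource_uri, expiry)
    return ("SharedAccessSignature "
            f"sr={quote(resource_uri, safe='')}&sig={quote(sig, safe='')}"
            f"&se={expiry}&skn={key_name}")


def parse_sas_token(token: str) -> dict:
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SAS token")
    # parse_qs URL-decodes each value, so sr and sig come back in clear form.
    return {k: v[0] for k, v in parse_qs(params, strict_parsing=True).items()}


def _in_scope(granted_uri: str, requested_uri: str) -> bool:
    # Assumption for this example: a token for a namespace (or parent path)
    # covers entities beneath it; otherwise the URIs must match exactly.
    return requested_uri == granted_uri or requested_uri.startswith(granted_uri.rstrip("/") + "/")


def verify_sas_token(token: str, rule: dict, resource_uri: str, required_right: str,
                     now: Optional[int] = None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        f = parse_sas_token(token)
        sr, sig, se, skn = f["sr"], f["sig"], int(f["se"]), f["skn"]
    except (KeyError, ValueError):
        return False
    if skn != rule["KeyName"] or not _in_scope(sr, resource_uri):
        return False
    if se <= now:                      # expired tokens are rejected
        return False
    if required_right not in rule["Rights"]:
        return False
    # Either key of the rule may have signed the token; compare in constant time.
    return any(hmac.compare_digest(_signature(k, sr, se), sig)
               for k in (rule["PrimaryKey"], rule["SecondaryKey"]))


def demo() -> bool:
    uri = "https://contoso-example.servicebus.windows.net/myqueue"
    expiry = int(time.time()) + 3600
    token = generate_sas_token(uri, RULE["KeyName"], RULE["PrimaryKey"], expiry)
    print(token)
    return verify_sas_token(token, RULE, uri, "Send")


if __name__ == "__main__":
    print("valid:", demo())
```

A token signed with the secondary key verifies against the same rule, which is how you rotate the primary key without invalidating every issued token; tokens signed with a key that is no longer in the rule, tokens whose `se` or `sr` has been altered after signing, and tokens for a rule lacking the required right are all rejected.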

SAS authentication support for Service Bus is included in the Azure .NET SDK versions 2.0 and later. SAS includes support for a SharedAccessAuthorizationRule. All APIs that accept a connection string as a parameter include support for SAS connection strings.

Important

If you are using Azure Active Directory Access Control (also known as Access Control Service or ACS) with Service Bus, note that support for this method is now limited, and you should migrate your application to use SAS or OAuth 2.0 authentication with Azure AD (recommended). For more information about the deprecation of ACS, see this blog post.

Next steps

For more information about authenticating with Azure AD, see the following articles:

For more information about authenticating with SAS, see the following articles: