Azure Relay authentication and authorization

Applications can authenticate to Azure Relay using Shared Access Signature (SAS) authentication. SAS authentication enables applications to authenticate to the Azure Relay service using an access key configured on the Relay namespace. You can then use this key to generate a Shared Access Signature token that clients can use to authenticate to the relay service.

Shared Access Signature authentication

SAS authentication enables you to grant a user access to Azure Relay resources with specific rights. SAS authentication involves the configuration of a cryptographic key with associated rights on a resource. Clients can then gain access to that resource by presenting a SAS token, which consists of the resource URI being accessed and an expiry, signed with the configured key.

You can configure keys for SAS on a Relay namespace. Unlike Service Bus messaging, Relay Hybrid Connections supports unauthorized or anonymous senders. You can enable anonymous access for the entity when you create it, as shown in the following screenshot from the portal:

To use SAS, you configure a SharedAccessAuthorizationRule object on a Relay namespace that consists of the following:

  • KeyName, which identifies the rule.
  • PrimaryKey, a cryptographic key used to sign and validate SAS tokens.
  • SecondaryKey, a cryptographic key used to sign and validate SAS tokens.
  • Rights, representing the collection of Listen, Send, or Manage rights granted.

Authorization rules configured at the namespace level can grant access to all relay connections in a namespace for clients with tokens signed using the corresponding key. Up to 12 such authorization rules can be configured on a Relay namespace. By default, a SharedAccessAuthorizationRule with all rights is configured for every namespace when it is first provisioned.

To access an entity, the client requires a SAS token generated using a specific SharedAccessAuthorizationRule. The SAS token is generated by computing the HMAC-SHA256 of a resource string, consisting of the resource URI to which access is claimed and an expiry, with a cryptographic key associated with the authorization rule.
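The following is an added example, not code from this article or from the Azure SDK, showing both halves of the token flow described above: a client signing the URL-encoded resource URI plus expiry with HMAC-SHA256 and packaging it in the `sr`/`sig`/`se`/`skn` form, and a simplified model of what the service checks before honouring it (expiry, resource, rule name, and a constant-time signature match against either the primary or the secondary key of the rule). The namespace, rule name and keys are constructed sample values.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample values for the example; not a real namespace, rule or key.
RESOURCE_URI = "https://contoso-relay.servicebus.windows.net/myhybridconnection"
KEY_NAME = "RootManageSharedAccessKey"
PRIMARY_KEY = "cHJpbWFyeS1rZXktc2FtcGxlLW5vdC1yZWFs"
SECONDARY_KEY = "c2Vjb25kYXJ5LWtleS1zYW1wbGUtbm90LXJlYWw="


def _signature(resource_uri: str, expiry: int, key: str) -> str:
    # String-to-sign: URL-encoded resource URI, a newline, then the expiry in Unix seconds.
    string_to_sign = urllib.parse.quote_plus(resource_uri) + "\n" + str(expiry)
    mac = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def generate_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Client side: produce 'SharedAccessSignature sr=...&sig=...&se=...&skn=...'."""
    sig = _signature(resource_uri, expiry, key)
    return ("SharedAccessSignature sr=" + urllib.parse.quote_plus(resource_uri)
            + "&sig=" + urllib.parse.quote_plus(sig)
            + "&se=" + str(expiry) + "&skn=" + key_name)


def validate_sas_token(token: str, expected_uri: str, rules: dict, now: int) -> bool:
    """Service side (simplified model): accept only an unexpired token for this exact
    resource, signed by either key of a known rule, so key rotation does not break clients."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    params = dict(urllib.parse.parse_qsl(token[len(prefix):]))
    try:
        resource, sig, expiry, key_name = params["sr"], params["sig"], int(params["se"]), params["skn"]
    except (KeyError, ValueError):
        return False
    if expiry <= now or resource != expected_uri or key_name not in rules:
        return False
    # Recompute over the presented fields; compare in constant time against each key of the rule.
    return any(hmac.compare_digest(_signature(resource, expiry, key).encode("ascii"), sig.encode("utf-8"))
               for key in rules[key_name])


if __name__ == "__main__":
    token = generate_sas_token(RESOURCE_URI, KEY_NAME, PRIMARY_KEY, expiry=2_000_000_000)
    print(token)
    print(validate_sas_token(token, RESOURCE_URI, {KEY_NAME: [PRIMARY_KEY, SECONDARY_KEY]}, now=1_700_000_000))
```

Because the expiry is part of the signed string, changing `se` in a captured token invalidates `sig`, which is why short-lived tokens limit the damage from a leaked token without exposing the key itself.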

SAS authentication support for Azure Relay is included in the Azure .NET SDK versions 2.0 and later. SAS includes support for a SharedAccessAuthorizationRule. All APIs that accept a connection string as a parameter include support for SAS connection strings.

Next steps