You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/event-hubs/authenticate-shared-access-signature.md
+18-7Lines changed: 18 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ documentationcenter: ''
7
7
author: spelluru
8
8
9
9
ms.topic: conceptual
10
-
ms.date: 08/22/2019
10
+
ms.date: 11/26/2019
11
11
ms.author: spelluru
12
12
13
13
---
@@ -179,22 +179,33 @@ An event publisher defines a virtual endpoint for an event hub. The publisher ca
179
179
180
180
Typically, an event hub employs one publisher per client. All messages that are sent to any of the publishers of an event hub are enqueued within that event hub. Publishers enable fine-grained access control.
181
181
182
-
Each Event Hubs client is assigned a unique token, which is uploaded to the client. The tokens are produced such that each unique token grants access to different unique publisher. A client that holds a token can only send to one publisher, and no other publisher. If multiple clients share the same token, then each of them shares a publisher.
182
+
Each Event Hubs client is assigned a unique token, which is uploaded to the client. The tokens are produced such that each unique token grants access to different unique publisher. A client that holds a token can only send to one publisher, and no other publisher. If multiple clients share the same token, then each of them shares the publisher.
183
183
184
-
All tokens are assigned with SAS keys. Typically, all tokens are signed with the same key. Clients aren't aware of the key, which prevents other clients from manufacturing tokens. Clients operate on the same tokens until they expire.
184
+
All tokens are assigned with SAS keys. Typically, all tokens are signed with the same key. Clients aren't aware of the key, which prevents clients from manufacturing tokens. Clients operate on the same tokens until they expire.
185
185
186
186
For example, to define authorization rules scoped down to only sending/publishing to Event Hubs, you need to define a send authorization rule. This can be done at a namespace level or give more granular scope to a particular entity (event hubs instance or a topic). A client or an application that is scoped with such granular access is called, Event Hubs publisher. To do so, follow these steps:
187
187
188
188
1. Create a SAS key on the entity you want to publish to assign the **send** scope on it. For more information, see [Shared access authorization policies](authorize-access-shared-access-signature.md#shared-access-authorization-policies).
189
189
2. Generate a SAS token with an expiry time for a specific publisher by using the key generated in step1.
190
-
3. Provide the token to the publisher client, which can only send to the entity that token grants access to.
191
-
4. Once the token expires, the client loses its access to send/publish to the entity.
190
+
191
+
```csharp
192
+
var sasToken =SharedAccessSignatureTokenProvider.GetPublisherSharedAccessSignature(
193
+
newUri("Service-Bus-URI"),
194
+
"eventub-name",
195
+
"publisher-name",
196
+
"sas-key-name",
197
+
"sas-key",
198
+
TimeSpan.FromMinutes(30));
199
+
```
200
+
3. Provide the token to the publisher client, which can only send to the entity and the publisher that token grants access to.
201
+
202
+
Once the token expires, the client loses its access to send/publish to the entity.
192
203
193
204
194
205
> [!NOTE]
195
-
> Although it's not recommended, it is possible to equip devices with tokens that grant access to an event hub. Any device that holds this token can send messages directly to that event hub. Furthermore, the device cannot be blacklisted from sending to that event hub.
206
+
> Although it's not recommended, it is possible to equip devices with tokens that grant access to an event hub or a namespace. Any device that holds this token can send messages directly to that event hub. Furthermore, the device cannot be blacklisted from sending to that event hub.
196
207
>
197
-
> The above behavior can be observed when the same token is distributed to multiple devices which gives you access at the namespace level. In that case, a rouge device/publisher cannot be isolated and revoked. It's always recommended to give specific and granular scopes.
208
+
> It's always recommended to give specific and granular scopes.
198
209
199
210
> [!IMPORTANT]
200
211
> Once the tokens have been created, each client is provisioned with its own unique token.
0 commit comments