You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/event-hubs/authorize-access-event-hubs.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,13 +1,14 @@
1
1
---
2
2
title: Authorize access to Azure Event Hubs
3
3
description: This article provides information about different options for authorizing access to Azure Event Hubs resources.
4
-
ms.topic: conceptual
5
-
ms.date: 03/13/2023
4
+
ms.topic: concept-article
5
+
ms.date: 06/26/2024
6
6
ms.author: spelluru
7
+
#customer intent: As an Azure Event Hubs user, I want to know how to authorize requests to event hubs.
7
8
---
8
9
9
10
# Authorize access to Azure Event Hubs
10
-
Every time you publish or consume events from an event hub, your client is trying to access Event Hubs resources. Every request to a secure resource must be authorized so that the service can ensure that the client has the required permissions to publish or consume the data.
11
+
Every time you publish events to or consume events from an event hub, your client is trying to access Event Hubs resources. Every request to a secure resource must be authorized so that the service can ensure that the client has the required permissions to publish or consume the data.
11
12
12
13
Azure Event Hubs offers the following options for authorizing access to secure resources:
13
14
@@ -17,10 +18,9 @@ Azure Event Hubs offers the following options for authorizing access to secure r
17
18
> [!NOTE]
18
19
> This article applies to both Event Hubs and [Apache Kafka](azure-event-hubs-kafka-overview.md) scenarios.
19
20
20
-
<aname='azure-active-directory'></a>
21
21
22
22
## Microsoft Entra ID
23
-
Microsoft Entra integration with Event Hubs resources provides Azure role-based access control (Azure RBAC) for fine-grained control over a client's access to resources. You can use Azure RBAC to grant permissions to security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access an Event Hubs resource.
23
+
Microsoft Entra integration with Event Hubs resources provides Azure role-based access control (RBAC) for fine-grained control over a client's access to resources. You can use Azure RBAC to grant permissions to security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access an Event Hubs resource.
24
24
25
25
For more information about authenticating with Microsoft Entra ID, see the following articles:
Copy file name to clipboardExpand all lines: articles/event-hubs/authorize-access-shared-access-signature.md
+14-12Lines changed: 14 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,8 +1,9 @@
1
1
---
2
-
title: Authorize access with a shared access signature in Azure Event Hubs
2
+
title: Authorize access with shared access signatures
3
3
description: This article provides information about authorizing access to Azure Event Hubs resources by using Shared Access Signatures (SAS).
4
-
ms.topic: conceptual
5
-
ms.date: 03/13/2023
4
+
ms.topic: concept-article
5
+
ms.date: 06/26/2024
6
+
#customer intent: As an Azure Event Hubs user, I want to know how to authorize requests to event hubs using Shared Access Signatures (SAS).
6
7
---
7
8
8
9
# Authorizing access to Event Hubs resources using Shared Access Signatures
@@ -26,40 +27,41 @@ SAS is a claim-based authorization mechanism using simple tokens. When you use S
26
27
27
28
## Shared access authorization policies
28
29
Each Event Hubs namespace and each Event Hubs entity (an event hub or a Kafka topic) has a shared access authorization policy made up of rules. The policy at the namespace level applies to all entities inside the namespace, irrespective of their individual policy configuration.
30
+
29
31
For each authorization policy rule, you decide on three pieces of information: name, scope, and rights. The name is a unique name in that scope. The scope is the URI of the resource in question. For an Event Hubs namespace, the scope is the fully qualified domain name (FQDN), such as `https://<yournamespace>.servicebus.windows.net/`.
30
32
31
33
The rights provided by the policy rule can be a combination of:
34
+
32
35
-**Send** – Gives the right to send messages to the entity
33
36
-**Listen** – Gives the right to listen or receive messages from the entity
34
37
-**Manage** – Gives the right to manage the topology of the namespace, including creation and deletion of entities. The **Manage** right includes the **Send** and **Listen** rights.
35
38
36
39
A namespace or entity policy can hold up to 12 shared access authorization rules, providing room for the three sets of rules, each covering the basic rights, and the combination of Send and Listen. This limit underlines that the SAS policy store isn't intended to be a user or service account store. If your application needs to grant access to Event Hubs resources based on user or service identities, it should implement a security token service that issues SAS tokens after an authentication and access check.
37
40
38
-
An authorization rule is assigned a **primary key** and a **secondary key**. These keys are cryptographically strong keys. Don’t lose them or leak them. They’ll always be available in the Azure portal. You can use either of the generated keys, and you can regenerate them at any time. If you regenerate or change a key in the policy, all previously issued tokens based on that key become instantly invalid. However, ongoing connections created based on such tokens will continue to work until the token expires.
41
+
An authorization rule is assigned a **primary key** and a **secondary key**. These keys are cryptographically strong keys. Don’t lose them or leak them. They’ll always be available in the Azure portal. You can use either of the generated keys, and you can regenerate them at any time. If you regenerate or change a key in the policy, all previously issued tokens based on that key become instantly invalid. However, ongoing connections created based on such tokens continue to work until the token expires.
39
42
40
-
When you create an Event Hubs namespace, a policy rule named **RootManageSharedAccessKey** is automatically created for the namespace. This policy has **manage** permissions for the entire namespace. It’s recommended that you treat this rule like an administrative root account and don’t use it in your application. You can create additional policy rules in the **Configure** tab for the namespace in the portal, via PowerShell or Azure CLI.
43
+
When you create an Event Hubs namespace, a policy rule named **RootManageSharedAccessKey** is automatically created for the namespace. This policy has **manage** permissions for the entire namespace. It’s recommended that you treat this rule like an administrative root account and don’t use it in your application. You can create more policy rules in the **Configure** tab for the namespace in the portal, via PowerShell or Azure CLI.
41
44
42
45
## Best practices when using SAS
43
46
When you use shared access signatures in your applications, you need to be aware of two potential risks:
44
47
45
48
- If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your Event Hubs resources.
46
-
- If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then application’s functionality may be hindered.
49
+
- If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then application’s functionality might be hindered.
47
50
48
51
The following recommendations for using shared access signatures can help mitigate these risks:
49
52
50
-
-**Have clients automatically renew the SAS if necessary**: Clients should renew the SAS well before expiration, to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then it may be unnecessary as the SAS isn't expected to be renewed. However, if you have client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to a successful renewal).
51
-
-**Be careful with the SAS start time**: If you set the start time for SAS to **now**, then due to clock skew (differences in current time according to different machines), failures may be observed intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don’t set it at all, which will make it valid immediately in all cases. The same generally applies to the expiry time as well. Remember that you may observe up to 15 minutes of clock skew in either direction on any request.
53
+
-**Have clients automatically renew the SAS if necessary**: Clients should renew the SAS well before expiration, to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then it might be unnecessary as the SAS isn't expected to be renewed. However, if you have client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that client is requesting renewal early enough (to avoid disruption due to the SAS expiring before a successful renewal).
54
+
-**Be careful with the SAS start time**: If you set the start time for SAS to **now**, then due to clock skew (differences in current time according to different machines), failures might be observed intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don’t set it at all, which make it valid immediately in all cases. The same generally applies to the expiry time as well. Remember that you might observe up to 15 minutes of clock skew in either direction on any request.
52
55
-**Be specific with the resource to be accessed**: A security best practice is to provide user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. It also helps lessen the damage if a SAS is compromised because the SAS has less power in the hands of an attacker.
53
-
-**Don’t always use SAS**: Sometimes the risks associated with a particular operation against your Event Hubs outweigh the benefits of SAS. For such operations, create a middle-tier service that writes to your Event Hubs after business rule validation, authentication, and auditing.
56
+
-**Don’t always use SAS**: Sometimes the risks associated with a particular operation against your Event Hubs outweigh the benefits of SAS. For such operations, create a middle-tier service that writes to your event hubs after business rule validation, authentication, and auditing.
54
57
-**Always use HTTPs**: Always use Https to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the intended user could have, potentially compromising sensitive data or allowing for data corruption by the malicious user.
55
58
56
59
## Conclusion
57
60
Share access signatures are useful for providing limited permissions to Event Hubs resources to your clients. They're vital part of the security model for any application using Azure Event Hubs. If you follow the best practices listed in this article, you can use SAS to provide greater flexibility of access to your resources, without compromising the security of your application.
58
61
59
-
## Next steps
62
+
## Related content
60
63
See the following related articles:
61
64
65
+
-[Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md)
62
66
-[Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
63
67
-[Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](authenticate-managed-identity.md)
64
-
-[Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md)
65
-
-[Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
0 commit comments