Is it possible to set up authentication at a sub-namespace level?
Let's say a service bus namespace "mysbnamespace.servicebus.windows.net" exists, and two relay services are running under subnamespaces
Can relayhost1 and relayhost2 have their own credentials without using a shared key? If relayhost1's credentials are leaked, relayhost2 should not be compromised. (Clients should not be able to relay messages to relayhost2 with credentials used by relayhost1.)
One obvious option is to use different namespaces for running relayhost1 and relayhost2, but I am trying to run these hosts under one namespace.
If there is a way, can you help me to get started?
Yep, it is doable. In a nutshell, you need to go into the old portal, select the namespace you want to work with and click on "access control service" in the toolbar. Then create a new "relying party application" under that namespace using the URIs you
Next, you can create new service identities (one for each relay host). And lastly, add the identities to a rule group with the proper claims (List, Send, Manage).
A couple of MSDN reference links that should help you are:
To add to Brent's reply, you can also use the SBAzTool sample to manage the Relying Party Applications, Identities and Rule Groups. I find it a lot easier when working with service bus authentication.
Thanks a lot for the help. I tried SBAzTool and it worked great. Downloaded the code and modified it to automate our tenant provisioning. There is a minor bug in the library that the tool uses (which I fixed on my side).
The AddManagementTokenWithRightPermission method of the ManagementServiceHelper class is not thread safe and also does not cache the SWT at namespace level. If I use a different namespace, the web request still appends the SWT of the first namespace, which causes ACS to reject the request.
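
A per-namespace, thread-safe token cache of the kind the last post describes, as an added example that is not code from SBAzTool or from anyone in this thread. The class name `NamespaceTokenCache`, the `fetchToken` delegate (standing in for whatever call obtains the SWT from ACS) and the sample namespace names are assumptions.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical helper: keeps one management token per Service Bus namespace,
// so a request for namespace B can never pick up the token issued for namespace A.
public sealed class NamespaceTokenCache
{
    private sealed class Entry { public string Token; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> tokens =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly ConcurrentDictionary<string, object> gates =
        new ConcurrentDictionary<string, object>(StringComparer.OrdinalIgnoreCase);
    private readonly Func<string, string> fetchToken; // assumed: returns an SWT for one namespace
    private readonly TimeSpan lifetime;               // assumed: shorter than the token's real validity

    public NamespaceTokenCache(Func<string, string> fetchToken, TimeSpan lifetime)
    {
        if (fetchToken == null) throw new ArgumentNullException("fetchToken");
        this.fetchToken = fetchToken;
        this.lifetime = lifetime;
    }

    public string GetToken(string serviceNamespace)
    {
        // One lock per namespace: concurrent callers for the same namespace share a
        // single fetch, while callers for other namespaces are not blocked.
        object gate = gates.GetOrAdd(serviceNamespace, _ => new object());
        lock (gate)
        {
            Entry cached;
            if (tokens.TryGetValue(serviceNamespace, out cached) && cached.ExpiresUtc > DateTime.UtcNow)
                return cached.Token;
            string fresh = fetchToken(serviceNamespace); // a failed fetch throws and caches nothing
            tokens[serviceNamespace] = new Entry { Token = fresh, ExpiresUtc = DateTime.UtcNow + lifetime };
            return fresh;
        }
    }

    public static void Main()
    {
        int calls = 0; // constructed stub in place of the real ACS token request
        var cache = new NamespaceTokenCache(ns => "swt-" + ns + "-" + (++calls), TimeSpan.FromMinutes(5));
        Console.WriteLine(cache.GetToken("tenant-a")); // fetched for tenant-a
        Console.WriteLine(cache.GetToken("tenant-b")); // separate token for tenant-b
        Console.WriteLine(cache.GetToken("tenant-a")); // served from cache, no second fetch
    }
}
```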