SalesBuy
1-855-856-7678
Technical SupportSupport
Free Trial
*Internet Service Required
Servicebus authentication at subnamespace level
Servicebus authentication at subnamespace level
-
Tuesday, September 11, 2012 5:59 PM
Is it possible to setup authentication at a sub namespace level?
Let's say a service bus namespace "mysbnamespace.servicebus.windows.net" exists, and two relay services are running under subnamespaces
- mysbnamespace.servicebus.windows.net/relayhost1
- mysbnamespace.servicebus.windows.net/relayhost2
Can relayhost1, relayhost2 have their own credentials without using shared key? If relayhost1 credentials are leaked, relayhost2 should not be comprimised. (clients should be not able to relay messages to relayhost2 with credentials used by relayhost1)
One obvious option is to use different namespaces for running relayhost1 and relayhost2, but I am trying to run these hosts under one namespace?
If there is a way, can you help me to get started?
Thanks in advance
Anil Lingamallu
All Replies
-
Tuesday, September 11, 2012 6:15 PMModerator
Yep, it is doable. In a nutshell, you need to go into the old portal, select the namespace you want to work with and click on "access control service" in the toolbar. Then create a new "relying party applications" under that namespace using the URI's you referrence above.
Next, you can create new service identities (one for each relay host). And lastly, add the identities to a rule group with the proper claims (List, Send, Manage).
A couple of MSDN reference links that should help you are:
Relying Party Applications: http://msdn.microsoft.com/en-us/library/gg185906
Identities: http://msdn.microsoft.com/en-us/library/gg185945.aspx
Rule Groups and Rules: http://msdn.microsoft.com/en-us/library/gg185923
- Marked As Answer by Anil Lingamallu Tuesday, September 11, 2012 6:51 PM
-
Tuesday, September 11, 2012 6:31 PM
Hi,
To add to Brent's reply, you can also use the SBAZTool sample to manage the Relying Party Applications, Identities and Rule Groups. I find it a lot easyer ´when working with service bus authentication.
The tool is available here: http://code.msdn.microsoft.com/windowsazure/Authorization-SBAzTool-6fd76d93
There is a good blog post on using it here: http://middlewareinthecloud.com/2012/06/20/azure-service-busdont-run-as-root/
The blog post uses queues, but the same applies for the relay service. The service identity should have Listen granted, the client identity should have Send granted.
When you use SBAZTool, its good to use the portal to check out what Identities, Relying Party Applications and Rule Groups are bing created in ACS.
Regards,
Alan
Free EBook: "Windows Azure Service Bus Developer Guide" http://www.cloudcasts.net/devguide/
- Marked As Answer by Anil Lingamallu Tuesday, September 11, 2012 6:51 PM
-
Tuesday, September 11, 2012 6:52 PMThank you Brent and Alan for the help! I am going to try them out.
-
Tuesday, September 18, 2012 9:23 PM
Thanks a lot for the help. I tried SBAzTool and it worked great. Downloaded the code and modified it to automate our tenant provisioning. There is a minor bug in library that the tool uses (which I fixed on my side).
AddManagementTokenWithRightPermission method of ManagementServiceHelper class in not thread safe and also does not cache at SWT at namespace level. If I use a different namespace, the web request still appends the SWT of first namespace, which causes ACS to reject the request.
-
Tuesday, September 18, 2012 9:41 PM
Hi,
Thanks for raising that, I passed it on to the team.
Regards,
Alan
Free EBook: "Windows Azure Service Bus Developer Guide" http://www.cloudcasts.net/devguide/
|
