0 votes

I am using SAS token authentication along with a device ID (or publisher ID) in my Event Hub publisher code. But I see that it is possible to send an event to any partition ID by using the "CreatePartitionedSender" client even though I have authenticated using a device ID, whereas I do not want two different device IDs publishing events to the same partition. Is it possible to add some custom "authorization" code along with the SAS authentication to allow only limited partition access to a device?

The idea behind adding authorization for the device and partition ID combination was to accommodate a single event hub for multiple tenants. Please advise if I am missing anything.

Please see below the code snippet for the publisher:

    // eventHubName and sasKey are defined elsewhere in the publisher code
    var publisherId = "1d8480fd-d1e7-48f9-9aa3-6e627bd38bae";

    // Publisher-scoped SAS token: a 5-minute "send" token issued for
    // sb://anyhub-ns.servicebus.windows.net/<eventHubName>/publishers/<publisherId>
    string token = SharedAccessSignatureTokenProvider.GetPublisherSharedAccessSignature(
        new Uri("sb://anyhub-ns.servicebus.windows.net/"),
        eventHubName, publisherId, "send",
        sasKey,
        new TimeSpan(0, 5, 0));

    // The factory authenticates with the publisher token only, over AMQP
    var factory = MessagingFactory.Create(
        ServiceBusEnvironment.CreateServiceUri("sb", "anyhub-ns", ""),
        new MessagingFactorySettings
        {
            TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider(token),
            TransportType = TransportType.Amqp
        });

    // The client is opened against the publisher endpoint, not the hub root
    var client = factory.CreateEventHubClient(String.Format("{0}/publishers/{1}", eventHubName, publisherId));

    var message = "Event message for publisher: " + publisherId;
    Console.WriteLine(message);

    var eventData = new EventData(Encoding.UTF8.GetBytes(message));

    // Send through the publisher endpoint (partition chosen by the service)
    await client.SendAsync(eventData);

    // Explicitly targeted partitions: the behaviour the question asks about
    await client.CreatePartitionedSender("5").SendAsync(eventData);
    await client.CreatePartitionedSender("6").SendAsync(eventData);
3
See stackoverflow.com/questions/28292330/… for the part where partitions are going to be shared unless you jump through hoops. Not having used SAS tokens myself, I'm only going to guess, but using the restricted publisher URI (<my namespace>.servicebus.windows.net/<event hub name>/publishers/<my publisher name>) in the SAS URI may provide the restriction you need. Never used it, but the docs imply that to me. - cacsar

3 Answers

0 votes

I notice in your example code that you have

var connStr = ServiceBusConnectionStringBuilder.CreateUsingSharedAde...

and then have

CreateFromConnectionString(connectionString

This suggests that you may have used a connection string containing the send key you used to generate the token rather than the limited-access token. In my own tests I did not manage to connect to an Event Hub using the EventHubClient, which makes an AMQP connection, with a publisher-specific token. This doesn't mean it's not supported, just that I got errors that made sense, and the ability to do so doesn't appear to be documented.

What is documented, and has an example, is making the publisher-specific tokens and sending events to the Event Hub using the HTTP interface. If you examine the SAS token generated, you can see that the token grants access to

[namespace].servicebus.windows.net/[eventhubname]/publishers/[publisherId]

This is consistent with the documentation on the security model and the general discussion of publisher policies in the overview. I would expect the guarantee on publisherId -> PartitionKey to hold with this interface. Thus each publisherId would have its events end up in a consistent partition.

This may be less than ideal for your multi-tenant system, but the code to send messages is arguably simpler and is a better match for the intended use case of per-device keys. As discussed in this question, you would need to do something rather dirty to get each publisher their own partition, and you would be outside the designed use cases.

Cross-linking questions can be useful.
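The answer above turns on what a publisher-scoped SAS token actually covers: the resource URI [namespace].servicebus.windows.net/[eventhubname]/publishers/[publisherId] and nothing else. The following Python is an added example, not code from the question or from any answer, showing the documented Service Bus SAS construction (HMAC-SHA256 over the URL-encoded resource URI and the expiry) for a publisher endpoint, the HTTP publish request the answer refers to, and a scope check that makes the consequence explicit: a token for publisher dev-1 does not cover publisher dev-2, the hub root, or any partitions/… path. The namespace, hub name, key and publisher IDs are constructed sample values, and the scope check is a simplified model of the "resource and its sub-paths" rule written for this example, not Azure's own authorization code.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed sample values for the example; not real credentials.
NAMESPACE = "anyhub-ns"
EVENT_HUB = "anyhub"
KEY_NAME = "send"                       # name of the shared access policy
KEY = "c29tZS1jb25zdHJ1Y3RlZC1rZXktZm9yLXRoZS1leGFtcGxl"   # constructed key


def publisher_resource_uri(namespace, event_hub, publisher_id):
    """The resource a publisher-scoped token is issued for:
    [namespace].servicebus.windows.net/[eventhubname]/publishers/[publisherId]."""
    return f"https://{namespace}.servicebus.windows.net/{event_hub}/publishers/{publisher_id}"


def make_sas_token(resource_uri, key_name, key, ttl_seconds, now=None):
    """Service Bus / Event Hubs SAS: sign '<url-encoded resource>\\n<expiry>'
    with HMAC-SHA256 and emit the SharedAccessSignature header value."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def parse_sas_token(token):
    """Split a SharedAccessSignature header value into its (URL-decoded) fields."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = parse_qs(token[len(prefix):], strict_parsing=True)
    return {k: v[0] for k, v in fields.items()}


def verify_sas_token(token, key, now=None):
    """Recompute the signature the service would compute and check expiry."""
    f = parse_sas_token(token)
    expiry = int(f["se"])
    if expiry <= (time.time() if now is None else now):
        return False
    string_to_sign = f"{quote(f['sr'], safe='')}\n{expiry}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    ).decode("ascii")
    return hmac.compare_digest(expected, f["sig"])


def token_covers(token, requested_uri):
    """Simplified model (for this example) of SAS scoping: a token authorizes
    the resource it was issued for and paths beneath it, and nothing else."""
    scope = parse_sas_token(token)["sr"].rstrip("/")
    requested = requested_uri.rstrip("/")
    return requested == scope or requested.startswith(scope + "/")


def http_send_request(namespace, event_hub, publisher_id, token, payload):
    """Build (without sending) the HTTP publish request for a publisher endpoint:
    POST .../<hub>/publishers/<id>/messages with the SAS token as Authorization."""
    return {
        "method": "POST",
        "url": publisher_resource_uri(namespace, event_hub, publisher_id) + "/messages",
        "headers": {
            "Authorization": token,
            "Content-Type": "application/atom+xml;type=entry;charset=utf-8",
        },
        "body": payload,
    }


def demo(now=1_700_000_000):
    """Issue a 5-minute token for publisher dev-1 and probe what it covers."""
    token = make_sas_token(publisher_resource_uri(NAMESPACE, EVENT_HUB, "dev-1"),
                           KEY_NAME, KEY, 300, now=now)
    hub = f"https://{NAMESPACE}.servicebus.windows.net/{EVENT_HUB}"
    return {
        "valid": verify_sas_token(token, KEY, now=now),
        "own_publisher": token_covers(token, hub + "/publishers/dev-1/messages"),
        "sibling_prefix": token_covers(token, hub + "/publishers/dev-10/messages"),
        "other_publisher": token_covers(token, hub + "/publishers/dev-2/messages"),
        "partition": token_covers(token, hub + "/partitions/5/messages"),
        "hub_root": token_covers(token, hub + "/messages"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "sibling_prefix" case is there deliberately: a naive string-prefix check would let a dev-1 token reach /publishers/dev-10, so the check compares against the scope plus a trailing slash. Whether the service accepts a publisher token on an AMQP link at all is exactly the point the answer says is undocumented; the scope model here only shows that, for whatever transport does accept the token, the resource it names is the single publisher path and contains no partition.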

0 votes

For a complete explanation of the Event Hubs publisher policy, refer to this blog.

In short, if you want publisher policy, you will not get a partitioned sender. Publisher policy is an extension to the SAS security model, designed to support a very high number of senders (on the scale of a million senders on an event hub).

-1 votes

With its current authentication model, you cannot grant such fine-grained access to publishers. Authentication per partition is not currently supported, as per the Event Hubs Authentication and Security Model Overview.

You have to either "trust" your publishers, or think of a different tenant scheme, i.e. an event hub per tenant.