 

Azure Service Bus Operations Raising TimeoutException instead of UnauthorizedAccessException using ACS

I am using Access Control Service to authorize access to specific Service Bus Subscriptions for specific Service Identities.

When receiving sessions or messages from the subscription, the Service Identity is authorized and can receive and complete or abandon messages as required.

However, I am not seeing an UnauthorizedAccessException when attempting to access a subscription the Service Identity does not have access to, nor am I seeing this exception when attempting to perform an operation that the Rule Group does not issue a claim to for that Service Identity and Relying Party (such as Send a message or create a topic).

Instead, I eventually see a TimeoutException - "The timeout elapsed upon attempting to obtain a token while accessing 'https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/'". The Inner Exception is a SecurityTokenException - "The token provider was unable to provide a security token while accessing 'https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'The operation has timed out'". This causes a problem for the RetryPolicy, since a Timeout Exception is considered transient.

Strangely, though, I am receiving an UnauthorizedAccessException when attempting to receive the Subscription Description, something which, according to Rights Required for Service Bus Operations, should be available to Service Identities with the Listen Claim within the ...myTopic/Subscriptions/mySubscription scope.

I have the following set up:

  • Service Identity: testidentity
  • Rule Groups:
    • Default Rule Group for Service Bus
      • 3 rules, Input Claim: owner, Output Claims: Manage, Send, Listen
    • Rule Group for http://namespace.servicebus.windows.net/myTopic
      • No Rules
    • Rule Group for http://namespace.servicebus.windows.net/myTopic/Subscriptions
      • No Rules
    • Rule Group for http://namespace.servicebus.windows.net/myTopic/Subscriptions/mySubscription
      • One Rule: Input Claim: testidentity, Output Claim: Listen
  • Relying Party Application:
    • Realm: http://namespace.servicebus.windows.net/myTopic/Subscriptions/mySubscription
    • Token Format: SWT
    • Token Lifetime: 10800
    • Identity Providers: None (ACS)
    • Associated with all Rule Groups listed above

I am seeing the following issues:

var manager = NamespaceManager.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=");
var description = manager.GetSubscription("myTopic","mySubscription");

Results in an UnauthorizedAccessException - "The remote server returned an error: (401) Unauthorized." I would expect to be able to retrieve the description, rather than receive this exception. What is interesting is that this is the only realm the identity has access to, and is the only time I see an UnauthorizedAccessException.

var subscriptions = manager.GetSubscriptions("myTopic");

Results in a TimeoutException, with an inner exception of type SecurityTokenException. I would expect an UnauthorizedAccessException here.

var client = SubscriptionClient.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=", "myTopic", "otherSubscription");
var message = client.Receive();

Results in message being null, but again I would expect an UnauthorizedAccessException. Examining the output, I see exceptions occurring in the output window but being swallowed by the client:

A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll

Similarly, attempting to create topics, send messages, etc. also results in a TimeoutException.

Is this the correct behaviour when attempting to access realms that the service identity does not have any access to, rather than my expectation of receiving an UnauthorizedAccessException?

I guess the set up does have the desired result - identities cannot listen to subscriptions other than the one(s) identified by the subscription realm against which the identity has a Listen rule associated, but I am concerned that the error feedback is not clear, and will result in continuous retries.

Any advice would be most appreciated.

GaryJL asked Sep 09 '14 12:09
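The retry concern raised in the question can be handled on the client by inspecting the exception chain before deciding to retry. The following is an added example, not code from the question or from the Service Bus SDK: `TokenAwareRetry`, `IsTokenAcquisitionFailure` and `Execute` are hypothetical names, the `SecurityTokenException` class is a constructed stand-in, and treating a token-provider timeout as non-retryable is a policy assumption.

```csharp
using System;
using System.Threading;

// Constructed stand-in for the SDK's token exception so the sample compiles on its own.
public class SecurityTokenException : Exception
{
    public SecurityTokenException(string message) : base(message) { }
}

// Hypothetical helper, not part of Microsoft.ServiceBus.
public static class TokenAwareRetry
{
    // True when the exception chain contains a security-token failure, meaning
    // the timeout came from the token provider (ACS) and not from the broker.
    public static bool IsTokenAcquisitionFailure(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
            if (e.GetType().Name.EndsWith("SecurityTokenException", StringComparison.Ordinal))
                return true;
        return false;
    }

    public static T Execute<T>(Func<T> operation, int maxAttempts, TimeSpan delay)
    {
        for (var attempt = 1; ; attempt++)
        {
            try { return operation(); }
            catch (TimeoutException ex) when (IsTokenAcquisitionFailure(ex))
            {
                // Assumption: no token for this scope is an authorization problem; fail fast.
                throw new UnauthorizedAccessException("No token could be obtained for this scope.", ex);
            }
            catch (TimeoutException) when (attempt < maxAttempts)
            {
                Thread.Sleep(delay); // ordinary timeout: still transient
            }
        }
    }

    public static void Main()
    {
        // Constructed exception mirroring the chain described in the question.
        var masked = new TimeoutException("The timeout elapsed upon attempting to obtain a token",
            new SecurityTokenException("The operation has timed out"));
        try { Execute<int>(() => { throw masked; }, 5, TimeSpan.FromSeconds(1)); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("Not retried: " + e.Message); }
    }
}
```

The type-name match also covers the `InternalSecurityTokenException` seen in the first-chance output, since that name ends with the same suffix.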



1 Answer

New SB namespaces created after 8/22 via the Azure portal do NOT generate the companion ACS namespaces any longer. So it's entirely possible that the timeout you are receiving is the correct behavior.

To generate the ACS namespace, try creating the SB namespace by using the new-azuresbnamespace PowerShell cmdlet.

BrentDaCodeMonkey answered Sep 20 '22 05:09