I am using Access Control Service to authorize access to specific Service Bus Subscriptions for specific Service Identities.
When receiving sessions or messages from the subscription, the Service Identity is authorized and can receive and complete or abandon messages as required.
However, I am not seeing an UnauthorizedAccessException when attempting to access a subscription the Service Identity does not have access to, nor am I seeing this exception when attempting to perform an operation that the Rule Group does not issue a claim to for that Service Identity and Relying Party (such as Send a message or create a topic).
Instead, I eventually see a TimeoutException - "The timeout elapsed upon attempting to obtain a token while accessing 'https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/'". The Inner Exception is a SecurityTokenException - "The token provider was unable to provide a security token while accessing 'https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'The operation has timed out'". This causes a problem for the RetryPolicy, since a TimeoutException is considered transient.
Strangely, though, I am receiving an UnauthorizedAccessException when attempting to receive the Subscription Description. Something which, according to Rights Required for Service Bus Operations, should be available to Service Identities with the Listen Claim within the ...myTopic/Subscriptions/mySubscription scope.
I have the following set up:
I am seeing the following issues:
var manager = NamespaceManager.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=");
var description = manager.GetSubscription("myTopic","mySubscription");
Results in an UnauthorizedAccessException - "The remote server returned an error: (401) Unauthorized."
I would expect to be able to retrieve the description, rather than receive this exception. What is interesting is that this is the only realm the identity has access to, and is the only time I see an UnauthorizedAccessException.
var subscriptions = manager.GetSubscriptions("myTopic");
Results in a TimeoutException, with an inner exception of type SecurityTokenException. I would expect an UnauthorizedAccessException here.
var client = SubscriptionClient.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=", "myTopic", "otherSubscription");
var message = client.Receive();
Results in message being null, but again I would expect an UnauthorizedAccessException. Examining the output, I see exceptions occurring in the output window but being swallowed by the client:
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
Similarly, attempting to create topics, send messages, etc. also result in a TimeoutException.
Is this the correct behaviour when attempting to access realms that the service identity does not have any access to, rather than my expectation of receiving an UnauthorizedAccessException?
I guess the setup does have the desired result - identities cannot listen to subscriptions other than the one(s) identified by the subscription realm against which the identity has a Listen rule associated, but I am concerned that the error feedback is not clear, and will result in continuous retries.
Any advice would be most appreciated.
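One way to keep the retry loop described in the question from spinning on an authorization failure is to inspect the inner-exception chain before handing the failure to a retry policy: a TimeoutException that wraps a SecurityTokenException (the token provider could not obtain a token from ACS) is treated as permanent and surfaced as an UnauthorizedAccessException, while a bare TimeoutException is still retried. This is an added example, not code from the question or from the Service Bus SDK; it assumes C# 6 or later (exception filters), that SecurityTokenException lives in System.IdentityModel.Tokens, and uses a placeholder connection string.

```csharp
using System;
using System.IdentityModel.Tokens;   // SecurityTokenException (assumed namespace)
using System.Threading;
using Microsoft.ServiceBus;          // NamespaceManager, as used in the question

static class AcsAwareRetry
{
    // Walk the inner-exception chain: an UnauthorizedAccessException anywhere, or a
    // SecurityTokenException hidden under a TimeoutException, means the identity is
    // not authorized for this realm, so retrying cannot succeed.
    public static bool IsAuthorizationFailure(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
        {
            if (e is UnauthorizedAccessException) return true;
            // Policy choice: a token-provider failure is classified as permanent here;
            // an ACS outage would also match, so log it with the original exception.
            if (e is SecurityTokenException) return true;
        }
        return false;
    }

    // Runs the operation, retrying only genuine (token-unrelated) timeouts.
    public static T Execute<T>(Func<T> operation, int maxAttempts, TimeSpan delay)
    {
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                return operation();
            }
            catch (Exception ex) when (IsAuthorizationFailure(ex))
            {
                // Surface the real cause once, instead of letting a transient-looking
                // TimeoutException drive continuous retries.
                throw new UnauthorizedAccessException(
                    "Service identity is not authorized for this operation; not retrying.", ex);
            }
            catch (TimeoutException) when (attempt < maxAttempts)
            {
                Thread.Sleep(delay);   // transient: back off and try again
            }
        }
    }

    static void Main()
    {
        // Placeholder connection string; substitute the real endpoint and shared secret.
        var manager = NamespaceManager.CreateFromConnectionString(
            "Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=PLACEHOLDER");
        var subscriptions = AcsAwareRetry.Execute(
            () => manager.GetSubscriptions("myTopic"), maxAttempts: 3, delay: TimeSpan.FromSeconds(2));
        Console.WriteLine("Subscriptions retrieved.");
    }
}
```

The wrapper does not help for client.Receive(), which the question shows swallowing the token failure and returning null; for that path the SecurityTokenException can only be observed in the debugger output or by checking for a null message and inspecting the subscription rights separately.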
User errors generally occur due to mistakes in the client application, like InvalidOperationException: the requested user operation is not allowed within the server or service. For example, Complete() generates InvalidOperationException if the message was received in ReceiveAndDelete mode.
Azure Service Bus is a messaging service on cloud used to connect any applications, devices, and services running in the cloud to any other applications or services. As a result, it acts as a messaging backbone for applications available in the cloud or across any devices.
In order to connect to Azure Service Bus, go to the Azure portal, open the Service Bus namespace you want, then go to: Settings -> Shared access policies -> RootManageSharedAccessKey -> Primary connection string.
New SB namespaces created after 8/22 via the Azure portal do NOT generate the companion ACS namespaces any longer. So it's entirely possible that the timeout you are receiving is the correct behavior.
To generate the ACS namespace, try creating the SB namespace by using the new-azuresbnamespace PowerShell cmdlet.