Question

我正在使用访问控制服务来授权访问特定服务标识的特定服务总线订阅。

当从订阅接收会话或消息时，服务标识被授权，并且可以根据需要接收和完成或放弃消息。

但是，在尝试访问服务标识无权访问的订阅时，我没有看到UnauthorizedAccessException，在尝试执行规则组未发出的操作时，我也没有看到此异常为该服务标识和依赖方声明（例如发送消息或创建主题）。

相反，我最终看到TimeoutException - "The timeout elapsed upon attempting to obtain a token while accessing 'https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/'"。内部异常是SecurityTokenException - "The token provider was unable to provide a security token while accessing 'https://namespace-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'The operation has timed out'"。这会导致RetryPolicy出现问题，因为Timeout Exception被认为是暂时的。

但奇怪的是，我在尝试接收订阅描述时收到UnauthorizedAccessException。根据{{3}}，在{myTopic / Subscriptions / mySubscription范围内的服务标识应该可以使用Listen声明。

我有以下设置：

服务标识：testidentity
规则组：
- 服务总线的默认规则组
  - 3条规则，输入声明：所有者，输出声明：管理，发送，收听
- Rights Required for Service Bus Operations的规则组
  - 无规则
- http://namespace.servicebus.windows.net/myTopic的规则组
  - 无规则
- http://namespace.servicebus.windows.net/myTopic/Subscriptions的规则组
  - 一条规则：输入声明：testidentity，输出声明：听取
依赖方申请：
- 境界：http://namespace.servicebus.windows.net/myTopic/Subscriptions/mySubscription
- 令牌格式：SWT
- 令牌生命周期：10800
- 身份提供商：无（ACS）
- 与上面列出的所有规则组相关联

我看到以下问题：

var manager = NamespaceManager.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=");
var description = manager.GetSubscription("myTopic","mySubscription");

UnauthoriszedAccessException - "The remote server returned an error: (401) Unauthorized."中的结果我希望能够检索描述，而不是接收此异常。有趣的是，这是身份可以访问的唯一领域，也是我唯一一次看到UnauthorizedAccessException。

var subscriptions = manager.GetSubscriptions("myTopic");

结果为TimeoutException，内部异常类型为SecurityTokenException。我希望在这里UnauthorizedAccessException。

var client = SubscriptionClient.CreateFromConnectionString("Endpoint=sb://namespace.servicebus.windows.net/;SharedSecretIssuer=testidentity;SharedSecretValue=SSdtIE5vdCBUZWxsaW5n=", "myTopic", "otherSubscription");
var message = client.Receive()

邮件的结果为null，但我希望再次UnauthorizedAccessException。检查输出，我看到输出窗口中出现异常但被客户端吞噬：

A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.Net.WebException' occurred in System.dll
A first chance exception of type 'Microsoft.ServiceBus.TokenProviderHelper.InternalSecurityTokenException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll
A first chance exception of type 'System.TimeoutException' occurred in Microsoft.ServiceBus.dll

同样，尝试创建主题，发送消息等也会产生TimeoutException。

在尝试访问服务标识无权访问的域时这是正确的行为，而不是我期望接收UnauthorizedAccessException吗？

我认为设置确实有所需的结果 - 身份不能收听订阅领域所标识的订阅以外的订阅，而该身份具有与监管规则相关联的订阅，但我担心错误反馈是不清楚，并将导致连续重试。

任何建议都会受到最高的赞赏。

Answer 1

通过Azure门户在8/22之后创建的新SB名称空间不再生成随附的ACS名称空间。因此，您接收的超时完全可能是正确的行为。

要生成ACS名称空间，请尝试使用new-azuresbnamespace PowerShell cmdlet创建SB名称空间。

Answer 2

这些令牌中的一些具有有限的生命周期/到期。因此，如果您使用令牌已经过了它的过期，可能会导致您遇到的授权错误。

Azure Service Bus Operations使用ACS引发TimeoutException而不是UnauthorizedAccessException

2 个答案: