Setting up authorization rights on Service Bus entities


Service Bus for Windows Server provides two ways to set up access rights on its entities (queues and topics). Since the Windows Azure Access Control Service (ACS) is not available on Windows Server, Service Bus for Windows Server includes a simple Service Bus Security Token Service (SBSTS). The SBSTS integrates with the Windows security model and silently issues Simple Web Tokens (SWTs) based on Windows identities (the identity for domain users, or the role for domain groups).

If you set up the rights at the namespace level, the user automatically gets all permissions: Manage, Listen and Send. Rights can also be managed more precisely at the entity level. When setting up rights at that level you have to deal with two different types of claims; currently exactly these two claim types are supported. The first type is used when the right is set up for a domain user, the second when the right is set up for a domain group.
Both types can be referred to by a short name and a full name. The supported types are:

Domain group claim type (RoleType):

    short name: "role"
    full name:  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

Domain user claim type (IdentityType):

    short name: "nameidentifier"
    full name:  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

For a better understanding, take a look at the following example:

    using System.Collections.Generic;
    using Microsoft.ServiceBus;
    using Microsoft.ServiceBus.Messaging;

    // namespaceManager is a NamespaceManager created earlier for the namespace;
    // QueueName holds the path of the queue to create.
    QueueDescription myQueue = new QueueDescription(QueueName);

    // Domain user: claim type "nameidentifier", claim value is the user's account name.
    AuthorizationRule identifierRule = new AllowRule("WorkflowDefaultNamespace", "nameidentifier",
        "username@yourdomain.com", new List<AccessRights>() { AccessRights.Listen, AccessRights.Send });
    myQueue.Authorization.Add(identifierRule);

    // Domain group: claim type "role", claim value is the group name (a string literal).
    AuthorizationRule groupRule = new AllowRule("WorkflowDefaultNamespace", "role", "groupname@yourdomain.com",
        new List<AccessRights>() { AccessRights.Listen, AccessRights.Send });
    myQueue.Authorization.Add(groupRule);

    namespaceManager.CreateQueue(myQueue);

This example adds the Send and Listen rights for one user and one group. Note that the first argument (the issuer name) can be obtained with the cmdlet Get-SbNamespace. Usually it equals the name of the namespace. In my example I used the namespace of the Workflow Manager (“WorkflowDefaultNamespace”).

The following example shows how to enumerate the rights of a queue:

    using System;
    using Microsoft.ServiceBus;
    using Microsoft.ServiceBus.Messaging;

    QueueDescription q = namespaceManager.GetQueue(QueueName);

    // The Authorization collection is enumerable, so foreach replaces the manual enumerator.
    foreach (AuthorizationRule rule in q.Authorization)
    {
        // Join the granted rights (Manage, Listen, Send) with a separator for readable output.
        string rights = string.Join(", ", rule.Rights);

        Console.WriteLine("type:{0}, value:{1}, rights: {2}", rule.ClaimType, rule.ClaimValue, rights);
    }
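The two snippets above can be combined into a small least-privilege helper: grant a consumer group only Listen and a producer group only Send, then walk every queue in the namespace and report rules that grant Manage at entity level or use a claim type other than the two listed above. This is an added example, not code from the post; the connection string, queue name and group names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

static class EntityRightsAudit
{
    // The two claim types SBSTS issues, in short and full form (from the post).
    static readonly HashSet<string> SupportedClaimTypes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "role", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    };

    // Grants each group only the right it needs: consumers Listen, producers Send.
    public static void GrantSplitRights(NamespaceManager nm, string queueName, string issuer,
                                        string consumerGroup, string producerGroup)
    {
        bool exists = nm.QueueExists(queueName);
        QueueDescription q = exists ? nm.GetQueue(queueName) : new QueueDescription(queueName);
        q.Authorization.Add(new AllowRule(issuer, "role", consumerGroup, new[] { AccessRights.Listen }));
        q.Authorization.Add(new AllowRule(issuer, "role", producerGroup, new[] { AccessRights.Send }));
        if (exists) nm.UpdateQueue(q); else nm.CreateQueue(q);
    }

    // Reports entity-level rules that grant Manage, and rules whose claim type is not one of
    // the two SBSTS claim types so they can be reviewed.
    public static IEnumerable<string> FindRulesToReview(NamespaceManager nm)
    {
        foreach (QueueDescription q in nm.GetQueues())
            foreach (AuthorizationRule rule in q.Authorization)
            {
                if (rule.Rights.Contains(AccessRights.Manage))
                    yield return string.Format("{0}: '{1}' ({2}) has Manage", q.Path, rule.ClaimValue, rule.ClaimType);
                if (!SupportedClaimTypes.Contains(rule.ClaimType))
                    yield return string.Format("{0}: claim type '{1}' for '{2}' is not role/nameidentifier",
                                               q.Path, rule.ClaimType, rule.ClaimValue);
            }
    }

    static void Main()
    {
        // Placeholder connection string for a local Service Bus for Windows Server namespace (assumption).
        var nm = NamespaceManager.CreateFromConnectionString(
            "Endpoint=sb://localhost/WorkflowDefaultNamespace;StsEndpoint=https://localhost:9355/WorkflowDefaultNamespace;RuntimePort=9354;ManagementPort=9355");
        GrantSplitRights(nm, "orders", "WorkflowDefaultNamespace", "sb-consumers@yourdomain.com", "sb-producers@yourdomain.com");
        foreach (string finding in FindRulesToReview(nm))
            Console.WriteLine(finding);
    }
}
```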

The official MSDN article gives a better high-level overview: http://msdn.microsoft.com/en-us/library/windowsazure/jj193003(v=azure.10).aspx


Posted Jan 31 2013, 07:18 AM by Damir Dobric
developers.de is a .Net Community Blog powered by daenet GmbH.