Eventhub Entra ID authentication fails with RBAC permissions granted on consumer group #35337
Comments
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @kasun04.
Thank you for the feedback @dlindblom . We will investigate and get back to you asap.
Hi @dlindblom - Based on prior internal issues, the recommendation from the service team has been to assign the role at the namespace level, as assigning at the consumer group level does not work consistently. We would suggest that you report this issue with the documentation by following the directions under the Feedback section at the bottom of the page. Additional Note: It looks like you are using Thanks!
Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Hi, thanks for the feedback on the AMQP stack. But the suggestion on documentation is not a suitable approach. Assignment at the consumer group level has been the recommended general approach by Microsoft and is working fine except for the Python SDK.
Hi @dlindblom - Would you be able to provide a list of other SDKs you've tested with assignment at the consumer group level that have worked?
Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@swathipil I have been informed that it works with the .NET SDK
@dlindblom - Can you confirm that you are testing with the same Event Hub, consumer group, and credentials when receiving from both the Python and .NET SDKs, and .NET is consistently working while Python returns the above error?
Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@swathipil I have been informed that it works with the .NET SDK
@swathipil confirmed by Microsoft engineering
Hi @dlindblom - We've gotten confirmation from the service team that permission should be granted at either the namespace level or Event Hub level. They will be updating documentation to reflect this. Can you let us know the steps that you took to grant permission at the consumer group level?
Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@swathipil https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-azure-active-directory#resource-scope
"Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope. The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope: Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an Azure role to a security principal at this level."
It mentions that the Azure portal doesn't support assigning it at that level, and that is true from the default navigation, but the Microsoft dev team has advised that by adding /consumergroup_name in the URL it is possible in the Azure portal as well, and the navigation fix is pending.
Hi @dlindblom - Thanks for the information and your patience! I was able to confirm from our side that the .NET SDK is able to receive when the role is assigned at the consumer group level. I was also able to reproduce the "Unauthorized access" error in the Python SDK. We are currently looking into this and will keep you updated. In the meantime, would you be able to provide the steps you are taking to deploy permissions using the Graph API?
Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @dlindblom, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
@swathipil example using PowerShell:
Describe the bug
When connecting to Event Hubs to read data from a consumer group, authentication fails when AD/Entra authentication is used and the RBAC permissions are assigned on the consumer group, as designed for Event Hubs, following the least-access principle and avoiding the risk that a consuming application reads from the wrong consumer group and causes problems for other consumers.
Ref: https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-azure-active-directory.
Error message: "Unauthorized access. 'Listen' claim(s) are required to perform this operation"
To Reproduce
Steps to reproduce the behavior:
Create Azure Eventhub
Create Consumer Group inside Eventhub
Assign the RBAC role Azure Event Hubs Data Receiver on the consumer group to the service principal
Use AD service principal authentication in the Python SDK for Event Hubs and try to read from the consumer group.
Expected behavior
Successful authentication towards the Event Hub and consumer group, allowing the Data Receiver to read only from the consumer group it was granted permission for.
Screenshots
INFO - 2024-04-03T10:17:14+0000 - connection_async - work_async: b'Cannot get initial delivery count' (b'/project/src/vendor/azure-uamqp-c/src/link.c':b'link_frame_received':343)
INFO - 2024-04-03T10:17:14+0000 - receiver - _state_changed: Receiver link failed to open - expecting to receive DETACH frame.
INFO - 2024-04-03T10:17:14+0000 - receiver - _detach_received: Received Link detach event: b'amqp:unauthorized-access'
Link: b'receiver-link-069af3dd-8783-414c-99f6-7434b4cfb924'
Description: b'Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://XXXXXX.servicebus.windows.net/XYZ/consumergroups/ABC/partitions/1'. TrackingId:402635ccdfb648218ee8a5effc4e33c3_G21, SystemTracker:gateway5, Timestamp:2024-04-03T10:17:14'
Details: None
Retryable: False
Connection: b'EHReceiver-e90c7302-4ad8-4126-acbf-ea8423d7a9f5-partition1'
DEBUG - 2024-04-03T10:17:14+0000 - connection_async - work_async: Deallocating cError
WARNING - 2024-04-03T10:17:14+0000 - receiver - get_state: LinkDetach('ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://XXXXXX.servicebus.windows.net/XYZ/consumergroups/ABC/partitions/1'. TrackingId:402635ccdfb648218ee8a5effc4e33c3_G21, SystemTracker:gateway5, Timestamp:2024-04-03T10:17:14')
DEBUG - 2024-04-03T10:17:14+0000 - receiver - destroy: Destroying cMessageReceiver
DEBUG - 2024-04-03T10:17:14+0000 - receiver - destroy: Destroying cLink
INFO - 2024-04-03T10:17:14+0000 - client_async - close_async: CBS session pending b'EHReceiver-e90c7302-4ad8-4126-acbf-ea8423d7a9f5-partition1'.
Additional context
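Added example, not from the issue and not azure-sdk-for-python code: a stdlib-only Python helper that builds the ARM scope IDs for the three assignment levels discussed in this thread (namespace, event hub, consumer group), emits the matching `az role assignment create` command, parses the `amqp:unauthorized-access` detach error from the log above back into namespace, event hub, consumer group and partition, and checks whether a given assignment scope covers that resource under ARM scope inheritance. The subscription ID, resource group and principal object ID are placeholders, not values from the issue; the sample log line is the WARNING line from the issue. A True from `scope_covers` only says the assignment is scoped the way the quoted docs describe; the thread's finding is that the Python SDK still receives the error in exactly that case while .NET does not.

```python
"""Event Hubs RBAC scope helpers plus a parser for the AMQP detach error above.

Added example; not code from the issue or from azure-sdk-for-python.
SUBSCRIPTION, RESOURCE_GROUP and PRINCIPAL_OBJECT_ID are placeholders (assumptions).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ROLE_DATA_RECEIVER = "Azure Event Hubs Data Receiver"  # built-in role carrying the Listen claim

# Placeholders, not values from the issue.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-placeholder"
PRINCIPAL_OBJECT_ID = "11111111-1111-1111-1111-111111111111"

# The WARNING line from the issue's log, used as sample input.
ISSUE_LOG_LINE = (
    "WARNING - 2024-04-03T10:17:14+0000 - receiver - get_state: LinkDetach('ErrorCodes."
    "UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this "
    "operation. Resource: 'sb://XXXXXX.servicebus.windows.net/XYZ/consumergroups/ABC/partitions/1'. "
    "TrackingId:402635ccdfb648218ee8a5effc4e33c3_G21, SystemTracker:gateway5, "
    "Timestamp:2024-04-03T10:17:14')"
)


def scope_id(namespace: str, eventhub: Optional[str] = None, consumer_group: Optional[str] = None,
             subscription: str = SUBSCRIPTION, resource_group: str = RESOURCE_GROUP) -> str:
    """ARM resource ID used as --scope for a role assignment.
    Each level narrows the previous one: namespace -> event hub -> consumer group."""
    if consumer_group and not eventhub:
        raise ValueError("a consumer group scope needs its event hub")
    scope = (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.EventHub/namespaces/{namespace}")
    if eventhub:
        scope += f"/eventhubs/{eventhub}"
    if consumer_group:
        scope += f"/consumergroups/{consumer_group}"
    return scope


def az_role_assignment_cmd(scope: str, assignee_object_id: str = PRINCIPAL_OBJECT_ID,
                           role: str = ROLE_DATA_RECEIVER) -> str:
    """az CLI command for the assignment; the CLI takes any of the three scopes, including
    the consumer group level that the portal's default navigation does not offer."""
    return (f"az role assignment create --assignee-object-id {assignee_object_id} "
            f"--assignee-principal-type ServicePrincipal --role \"{role}\" --scope \"{scope}\"")


# Claim name(s), sb:// resource path and TrackingId of an amqp:unauthorized-access error.
_UNAUTH_RE = re.compile(
    r"'(?P<claims>[A-Za-z, ]+)' claim\(s\) are required.*?"
    r"Resource: 'sb://(?P<host>[^/']+)/(?P<hub>[^/']+)"
    r"(?:/consumergroups/(?P<cg>[^/']+))?"
    r"(?:/partitions/(?P<part>\d+))?'"
    r".*?TrackingId:(?P<tracking>[^,\s]+)"
)


@dataclass
class UnauthorizedAccess:
    claims: List[str]
    namespace: str
    eventhub: str
    consumer_group: Optional[str]
    partition: Optional[str]
    tracking_id: str


def parse_unauthorized(line: str) -> Optional[UnauthorizedAccess]:
    """Extract the required claim and the resource the service checked it against."""
    m = _UNAUTH_RE.search(line)
    if not m:
        return None
    return UnauthorizedAccess(
        claims=[c.strip() for c in m["claims"].split(",")],
        namespace=m["host"].split(".")[0],  # 'XXXXXX.servicebus.windows.net' -> 'XXXXXX'
        eventhub=m["hub"],
        consumer_group=m["cg"],
        partition=m["part"],
        tracking_id=m["tracking"],
    )


def scope_covers(assignment_scope: str, err: UnauthorizedAccess,
                 subscription: str = SUBSCRIPTION, resource_group: str = RESOURCE_GROUP) -> bool:
    """ARM role assignments inherit downward: a namespace assignment covers every hub and
    group; a consumer-group assignment covers that group's partitions and nothing else."""
    target = scope_id(err.namespace, err.eventhub, err.consumer_group, subscription, resource_group)
    return target == assignment_scope or target.startswith(assignment_scope + "/")


if __name__ == "__main__":
    err = parse_unauthorized(ISSUE_LOG_LINE)
    narrowest = scope_id(err.namespace, err.eventhub, err.consumer_group)
    print(f"claims required: {err.claims}  tracking: {err.tracking_id}")
    print(az_role_assignment_cmd(narrowest))
    for level, scope in [("namespace", scope_id(err.namespace)),
                         ("event hub", scope_id(err.namespace, err.eventhub)),
                         ("consumer group", narrowest),
                         ("other consumer group", scope_id(err.namespace, err.eventhub, "DEF"))]:
        print(f"{level:22} covers {err.eventhub}/{err.consumer_group}: {scope_covers(scope, err)}")
```

Run it as a script to see the three covering scopes and the one that does not; when triaging a real detach error, feed the WARNING line to `parse_unauthorized` and compare the result against the scope of the assignment you actually created, which is the question asked of the reporter in the thread.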