Question 105773 in Azure Question posted in
The official documentation to get you started can be found here.

Azure Service Bus – Topic – Message Attribute Based Access Control

I have an Azure Service Bus topic. Messages send to the topic contain application properties.

I want to set permissions on the topic based on values of one or more application properties, i.e. only when identity A sends a message with property e.g. Destination = 'service' the message is allowed to be added to the topic.

The reason behind this: assume a topic where there are multiple publishers and multiple subscribers to consume the messages from the publishers. But each message shall only go to specific consumers using filters. An actor with bad intentions or just by accident could choose a filter value and send the message therefore to wrong consumers. And I don’t want to create multiple topics. I want to limit the publishers to send messages to certain consumers by limiting their permissions by message attributes with certain values on a certain topic.

Is this possible? If yes, how?

Tags:

2

Answers


  1. 0
    • You can start a separate app which will peek the message in the queue
      check for the properties and then abandon the messages.
    • To peek create a receiver and use receiver.ReceiveMessageAsync();
      to peek the message. After this you can apply your logic to filter
      the messages using the properties.

    After that use AbandonAsync to abandon the message with wrong properties.

    // create a reciever and peek the messages.
await using var client = new ServiceBusClient(connectionString);

//reciever
ServiceBusReceiver receiver = client.CreateReceiver(queueName) ;

// get the messages
ServiceBusReceivedMessage receivedMessage = await receiver.ReceiveMessageAsync();

// write you logic for filtering the message

//now we can abandon the message. Here "reason":" Wrong message" is optional 
await receivedMessage.AbandonAsync(new Dictionary<string, object> { { "Reason", "wrong properties"} });

    Refernce:
    Refer the article by sfeldman

    Peek messages

    Login or Signup to reply.
  2. 0

    You can’t use ServiceBus (or any message broker) the way you describe.

    My advice is to consider messages only as signals to do something. But the service is entirely responsible to check if the message is legitimate or not (by calling the source service or another source of truth synchronously for example).

    Imagine this scenario:

    • SourceApp send a DeletedEvent{CustomerId="42"}.
    • DestApp receives this message, and before deleting data related to this customer, makes an HTTP call to the customer service GET CustomerService/42.
      • If the customer is deleted => perfect
      • If not… something went wrong, what you described by an actor with bad intentions or just by accident

    Also, if you use the same topic for a lot of applications consider using AAD authentication, with managed identity per app. Or at least forbid sharing SAS keys. Every app should have dedicated connection string, scoped to the subscription or the topic with only the access needed.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search