New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move Service Bus Pubsub/Binding to common auth #1201
Conversation
FYI, @halspang and I successfully verified this works with managed identity now apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azure-servicebus
spec:
type: pubsub.azure.servicebus
version: v1
metadata:
- name: namespaceName
value: "dapr2-conf-test-servicebus"
- name: consumerID
value: "helloworld" We ran the conformance test in an environment with managed identity where the identity was given "Azure Service Bus Data Owner" role for the particular Service Bus Namespace |
Thank you for doing this! |
fef8510
to
f31a724
Compare
assert.Equal(t, "fakeNamespace", m.NamespaceName) | ||
}) | ||
|
||
t.Run("connectionString preferred over namespace", func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per the PR template, please make sure there's a docs issue for this, specifically the interaction with the new metadata property namespaceName
.
For my understanding, do we think it'll be a common scenario to have the same config deployed in different environments where the fallthrough behavior is desirable, or is this how other Azure components handle selection of multiple auth options? If not, I generally advise that they be mutually exclusive properties that can be more clearly enforced at input time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CodeMonkeyLeet the commonAuth used across all of Azure SDKs (and hence also implemented in our common auth logic is):
- Try Service Principal
- Try Certificate
- Try Managed Identity
However the service specific connection methods take precedence before this AAD options.
Note that this new variable is necessary for AAD to request the correctly scoped Auth token. There is no way around it unfortunately.
AAD should generally be the preferred method to connect to services where available.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@berndverst Thanks for the info, but I'm not sure if that answers my question, which is specifically about the design of the configuration options exposed by Dapr to the end user in the Service Bus components. It might be easier to correct my understanding:
- These are the first components where a component-specific metadata property (
namespaceName
) must be provided to opt into AAD-based auth.- While there are common metadata properties defined for the authentication/azure library, they do not need to be specified for the commonAuth logic you describe to be exercised (i.e. because Managed Identity could be present, which is not parameterized by the component config).
- Since this opt-in may be implicit in other cases, all existing Dapr Azure components using commonAuth prioritize service-specific connection methods over commonAuth, as indicated by the comment:
However the service specific connection methods take precedence before this AAD options.
- Given that
namespaceName
is both component-specific and gates the use of AAD-based auth, these components have the option to require express their intent to use AAD-based auth or not more explicitly.-
Specifically, if users have the expectation that:
AAD should generally be the preferred method to connect to services where available.
Then the existing behavior of using the connection string when both are specified is counterintuitive. It can be modified to require the developer to choose one or the other, so the question is, should these components be requiring that?
-
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CodeMonkeyLeet - Here's the docs PR: dapr/docs#1867
As for the counterintuitive nature between the connection string and AAD, the reason I went for that was to make the user explicitly opt into the feature. In order to do so, they have to not only add the new field but remove the old one. To me, this both honors the existing method of auth and makes the opt-in more explicit as it requires the full removal of the old method.
I do understand that this can be counterintuitive though, so I'm actually all for introducing a standard here for actually opting into the feature instead explicitly instead of implicitly. In this case, I'd prefer to have a label in the yaml that states the desired auth mode (component, AAD, etc). The only caveat with this is that if any component went out in 1.4 with the auth library, it'd be weird to add the explicit field. I'm pretty sure at least one went out doing this (azure keyvault?).
What do you think? I'm also curious to hear your opinions @berndverst and @ItalyPaleAle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CodeMonkeyLeet @halspang I wrote original common auth layer.
To my understanding, the "original" method of authentication for ServiceBus was providing a connection string. This is a "URL-encoded-ish" string that contains both a shared key and other metadata, including the name of the namespace.
When using AAD, the auth system (the AAD service) provides the credentials that replace the shared key. However they're not able to provide the namespace, so the developer needs to pass it themselves. I am not an expert on SB but I don't believe there's an alternative to this, can you confirm that?
In this case, IMHO it's less about making the developer need to opt-into AAD auth, but rather requiring a way to provide the missing information. I think it's ok if namespaceName
and connectionString
are NOT mutually exclusive, as it should be possible to pass a namespaceName
even if there's a connection string: in that case, it will simply be ignored (and I agree this is something we should document).
As for making AAD auth opt-in in all cases, for all components, my vote on this is on no. Backwards compatibility aside, the idea is that with AAD-based auth your app will "just work" without you needing to do anything in particular, as the auth comes from the environment. This could be an Ops person manually injecting the AAD credentials (the clientId/clientSecret or the certificate) in the environment (enforcing the idea of separation of roles), or even more transparently the app could use MSI if it runs on a service that supports that. In this sense, the choice of not supplying a connection string or shared key on its own is an implied choice of relying on AAD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CodeMonkeyLeet - So is there anything else you want to see here? I'm fine making the options mutually exclusive to make the preference more explicit but can also just document everything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@halspang Until someone overrules me, I'd say make them mutually exclusive, on the basis that it's easier to relax restrictions later as a non-breaking change. ☺
@ItalyPaleAle Total side conversation here, but does az ad sp create-for-rbac --skip-assignment
help simplify your instructions? (Don't need a separate credential reset step to use client secret) It creates a SP with no default Contributor role assignment to the subscription, and is stated as the intended default behavior in the future (presumably on the 3.0 major version update).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CodeMonkeyLeet I did not know about --skip-assignment
. Looks like it should work! I've opened an issue here: dapr/docs#1872 feel free to assign it to me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ItalyPaleAle --skip-assignment
definitely will work :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CodeMonkeyLeet @halspang so what does making these options mutually exclusive mean? Throw an error if both are used? I suppose that would be fine.
I see it as mostly a documentation concern. Something like:
- shared access tokens are already scoped to a Service Bus namespace and it serves no purpose to provide the namespace
- if AAD authentication is desired, pick one of the methods described here (https://docs.dapr.io/developing-applications/integrations/cloud-providers/authenticating-azure/) and additionally provide the namespace
} | ||
} else { | ||
// Initialization code | ||
settings, sErr := azauth.NewEnvironmentSettings("serviceBus", metadata.Properties) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could use constant for "serviceBus"? I do not find where to define this setting either.
a2a292e
to
ef14895
Compare
Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for the fixes!
FYI there's a new "track 2" SDK for Azure Service Bus: https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/messaging/azservicebus Eventually the component will need to be updated to that (and pending merge of #1290 for auth support) |
Codecov Report
@@ Coverage Diff @@
## master #1201 +/- ##
==========================================
+ Coverage 35.02% 35.22% +0.20%
==========================================
Files 148 148
Lines 12825 12709 -116
==========================================
- Hits 4492 4477 -15
+ Misses 7853 7749 -104
- Partials 480 483 +3
Continue to review full report at Codecov.
|
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Scott Hussey <sthussey@gmail.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amitm@at-bay.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amitm@at-bay.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amitm@at-bay.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amitm@at-bay.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amitm@at-bay.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amit.mor@hotmail.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Amit Mor <amit.mor@hotmail.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: jigargandhi <jigarr.gandhi@gmail.com>
* Move Service Bus Pubsub/Binding to common auth Both the pubsub and input/output binding for Azure Service Bus were connecting via a connection string. This is still supported but will now fallback to using AAD from the common auth library. This is also the recommended auth pattern going forward. * Move AMPQ specific auth and fix linter issues * Make conn string and namespace mutually exclusive * Move resourceName to a constant * Update auth_amqp.go * Update auth.go Co-authored-by: Long Dai <long.dai@intel.com> Co-authored-by: Simon Leet <31784195+CodeMonkeyLeet@users.noreply.github.com> Co-authored-by: Artur Souza <artursouza.ms@outlook.com> Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com> Signed-off-by: Ian Luo <ian.luo@gmail.com>
Description
Both the pubsub and input/output binding for Azure Service Bus were
connecting via a connection string. This is still supported but will
now fallback to using AAD from the common auth library. This is also
the recommended auth pattern going forward.
Issue reference
We strive to have all PR being opened based on an issue, where the problem or feature have been discussed prior to implementation.
Partial: #1103
Checklist
Please make sure you've completed the relevant tasks for this PR, out of the following list: