Azure/azure-sdk-for-python

Eventhub Entra ID authentication fails with RBAC permissions granted on consumer group

dlindblom opened this issue · 8 comments

  • Package Name: azure-eventhub
  • Package Version: 5.11.6
  • Operating System: Linux
  • Python Version: 3.12.2

Describe the bug
When connecting to Event Hub to read data from a consumer group, authentication fails when AD/Entra authentication is used and RBAC permissions are assigned to the consumer group, per the design for Event Hubs and following the least-access principle, to avoid the risk of a consuming application reading from the wrong consumer group and causing problems for other consumers.
Ref: https://learn.microsoft.com/en-us/azure/event-hubs/authorize-access-azure-active-directory.
Error message: "Unauthorized access. 'Listen' claim(s) are required to perform this operation"

To Reproduce
Steps to reproduce the behavior:
Create Azure Eventhub
Create Consumer Group inside Eventhub
Assign the RBAC role Azure Event Hubs Data Receiver on the consumer group to a service principal
Use AD service principal authentication in the Python SDK for Event Hub and try to read from the consumer group.

Expected behavior
Successful authentication towards Event Hub and the consumer group, allowing the Data Receiver to read only from the consumer group it has been granted permission for.

Screenshots
INFO - 2024-04-03T10:17:14+0000 - connection_async - work_async: b'Cannot get initial delivery count' (b'/project/src/vendor/azure-uamqp-c/src/link.c':b'link_frame_received':343)
INFO - 2024-04-03T10:17:14+0000 - receiver - _state_changed: Receiver link failed to open - expecting to receive DETACH frame.
INFO - 2024-04-03T10:17:14+0000 - receiver - _detach_received: Received Link detach event: b'amqp:unauthorized-access'
Link: b'receiver-link-069af3dd-8783-414c-99f6-7434b4cfb924'
Description: b'Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://XXXXXX.servicebus.windows.net/XYZ/consumergroups/ABC/partitions/1'. TrackingId:402635ccdfb648218ee8a5effc4e33c3_G21, SystemTracker:gateway5, Timestamp:2024-04-03T10:17:14'
Details: None
Retryable: False
Connection: b'EHReceiver-e90c7302-4ad8-4126-acbf-ea8423d7a9f5-partition1'
DEBUG - 2024-04-03T10:17:14+0000 - connection_async - work_async: Deallocating cError
WARNING - 2024-04-03T10:17:14+0000 - receiver - get_state: LinkDetach('ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://XXXXXX.servicebus.windows.net/XYZ/consumergroups/ABC/partitions/1'. TrackingId:402635ccdfb648218ee8a5effc4e33c3_G21, SystemTracker:gateway5, Timestamp:2024-04-03T10:17:14')
DEBUG - 2024-04-03T10:17:14+0000 - receiver - destroy: Destroying cMessageReceiver
DEBUG - 2024-04-03T10:17:14+0000 - receiver - destroy: Destroying cLink
INFO - 2024-04-03T10:17:14+0000 - client_async - close_async: CBS session pending b'EHReceiver-e90c7302-4ad8-4126-acbf-ea8423d7a9f5-partition1'.

Additional context

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @kasun04.

Thank you for the feedback @dlindblom . We will investigate and get back to you asap.

Hi @dlindblom - Based on prior internal issues, the recommendation from the service team has been to assign the role at the namespace level, as assigning at the consumer group level does not work consistently.

We would suggest that you report this issue with the documentation by following the directions under the Feedback section at the bottom of the page.

Additional Note: It looks like you are using uamqp as the underlying AMQP stack, which is no longer supported. We highly recommend that the default pure Python AMQP stack is used, as it includes all latest bug fixes and support for new features. You can do this by removing uamqp_transport=True from arguments that are passed in during client creation.

Thanks!
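To make the two points above concrete (which entity the service refused the 'Listen' claim for, and whether the role assignment sits at the namespace or the consumer-group scope), here is a small triage helper. It is an added example, not code from the issue or from the azure-eventhub SDK: it parses the LinkDetach warning quoted in the report and compares the refused resource with the scope of a role assignment. The ARM resource-ID layout used for scopes (`.../namespaces/<ns>/eventhubs/<eh>/consumergroups/<cg>`) and the subscription and resource-group names are assumptions for illustration.

```python
"""Triage helper for the 'Listen claim(s) are required' AMQP detach error (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the WARNING line from the issue, with its placeholder names kept.
SAMPLE_LOG = (
    "WARNING - 2024-04-03T10:17:14+0000 - receiver - get_state: "
    "LinkDetach('ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are "
    "required to perform this operation. Resource: "
    "'sb://XXXXXX.servicebus.windows.net/XYZ/consumergroups/ABC/partitions/1'. "
    "TrackingId:402635ccdfb648218ee8a5effc4e33c3_G21, SystemTracker:gateway5, "
    "Timestamp:2024-04-03T10:17:14')"
)


@dataclass
class DetachError:
    claim: str                      # SAS-style claim the service demanded, e.g. "Listen"
    namespace: str                  # Event Hubs namespace (host name without the DNS suffix)
    eventhub: str                   # Event Hub entity name
    consumer_group: Optional[str]   # consumer group, if the resource path carried one
    partition: Optional[str]        # partition id, if present
    tracking_id: Optional[str]      # value to quote in a support request


_CLAIM_RE = re.compile(r"'(\w+)' claim\(s\) are required")
_RESOURCE_RE = re.compile(
    r"sb://(?P<ns>[^.]+)\.servicebus\.windows\.net/(?P<eh>[^/']+)"
    r"(?:/consumergroups/(?P<cg>[^/']+))?(?:/partitions/(?P<part>\d+))?"
)
_TRACKING_RE = re.compile(r"TrackingId:([A-Za-z0-9_]+)")


def parse_detach(line: str) -> Optional[DetachError]:
    """Extract the refused claim and the sb:// resource from a LinkDetach log line."""
    claim = _CLAIM_RE.search(line)
    res = _RESOURCE_RE.search(line)
    if not (claim and res):
        return None
    tid = _TRACKING_RE.search(line)
    return DetachError(
        claim=claim.group(1),
        namespace=res.group("ns"),
        eventhub=res.group("eh"),
        consumer_group=res.group("cg"),
        partition=res.group("part"),
        tracking_id=tid.group(1) if tid else None,
    )


def assignment_scope(subscription: str, resource_group: str, namespace: str,
                     eventhub: Optional[str] = None,
                     consumer_group: Optional[str] = None) -> str:
    """Build the ARM resource ID a role assignment would target (assumed layout)."""
    scope = (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.EventHub/namespaces/{namespace}")
    if eventhub:
        scope += f"/eventhubs/{eventhub}"
        if consumer_group:
            scope += f"/consumergroups/{consumer_group}"
    return scope


def scope_level(scope: str) -> str:
    """Classify a scope as namespace, eventhub or consumergroup level."""
    if "/consumergroups/" in scope:
        return "consumergroup"
    if "/eventhubs/" in scope:
        return "eventhub"
    return "namespace"


def scope_covers(scope: str, err: DetachError) -> bool:
    """True if the assignment scope names the refused entity (RBAC inherits downward)."""
    m = re.search(r"/namespaces/([^/]+)(?:/eventhubs/([^/]+)(?:/consumergroups/([^/]+))?)?", scope)
    if not m:
        return False
    ns, eh, cg = m.groups()
    if ns.lower() != err.namespace.lower():
        return False
    if eh and eh.lower() != err.eventhub.lower():
        return False
    if cg and (err.consumer_group is None or cg.lower() != err.consumer_group.lower()):
        return False
    return True


if __name__ == "__main__":
    err = parse_detach(SAMPLE_LOG)
    scope = assignment_scope("00000000-0000-0000-0000-000000000000", "rg-example",
                             err.namespace, err.eventhub, err.consumer_group)
    print(err)
    print(scope_level(scope), "scope matches refused resource:", scope_covers(scope, err))
```

When the helper reports that a consumer-group-level assignment does match the refused resource, as it does for the log in this issue, the denial is not a scoping typo on the caller's side, and the remaining variables are the ones the maintainers name: the scope level the service honours and the AMQP transport in use.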

Hi @dlindblom. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

Hi, thanks for the feedback on the AMQP stack. But the suggestion on documentation is not a suitable approach. The assignment at consumer group level has been the recommended general approach by Microsoft and is working fine except for the Python SDK.
/unresolve