So I can’t take credit for the catchy tag line for this post.  It was inspired by a recent session that Clemens Vasters and Abhishek Lal provided at TechEd North America 2012.  You can watch the entire session here. 

While watching the presentation, this particular segment, on not running as root,  really resonated with me.  I have built some proof of concept mobile applications that use REST APIs to send messages to Service Bus Queues.  In these applications I use the default owner key to submit messages.  I knew at the time that this could not be a good practice but since it was just a POC it was acceptable.  I was curious about how I could solve this problem in a better manner and I think what Microsoft has done here is definitely a step in the right direction.

If you are familiar with the Azure Service Bus, and Azure in general, there are 3 fundamental ‘artifacts’ that are required whenever you try to provision or manipulate Azure Services.  These artifacts include:

• Namespace
• Default Issuer (username)
• Default Key (password)

The Problem

In 99.99% of the demos and blog posts that exist on the interwebs, people are embedding their Default Issuer and Default Key in their solution.  This creates issues on a few different levels:

• The account really is “root” when it comes to your namespace.  Using your “account” allows you to create services like Queues, Topics, ACS Trust relationships, provision Cache etc.  Do you see the problem with embedding these credentials in your app and then distributing it?
• If your account does become compromised, it could be used to maliciously manipulate your solution.  If you comprimised a solution that processed Customer Orders, wouldn’t it be nice to add your own subscriber to the Topic Subscription and receive a copy of each customer’s Credit Card number?

Like any other security principal, we want to ensure that people, or systems, have the minimum level of security rights that they need to perform a specific function.  A parallel example to this scenario is giving end users Domain Admin.  You wouldn’t give that to end users, much like you shouldn’t embed your “owner ‘s” credential in your application.

Enter SBAzTool

There is a tool that is part of the Windows Azure 1.7 SDK that can help us assign fine grained authorization to “Default Name(s)” (Usernames).  You can download the source code for this tool here.  In the rest of this post I will demonstrate how you can use this tool and then show an example that demonstrates why this tool is beneficial and that creating authorization rules is not so hard.

Create Namespace in Portal

Even though I have a functional namespace I am going to go ahead and create one from scratch so that we are all beginning at the same starting point.  If you have an existing namespace that you want to use, you can.  You don’t have to go through these next few steps where I create the namespace.

• From http://www.windowsazure.com, log in and then select the previous(old) portal as Service Bus and ACS do not exist in the new portal…yet.
• Next, click on the Service Bus label and then click on the {New} button

 

• In this case I am selecting Access Control, Service Bus, a namespace and a Country/Region.  Since United States (West) is closest to my locale, I will use it.

 

• So I now have a Namespace called DontRunAsRoot.  It may take a couple minutes to create.  You will also notice that we have a tree like structure where our Queues and Topics will be displayed.

 

• For the purpose of this demo we are going to create a Queue called MyQueue by clicking on the New Queue button.

 

• We will need to populate the Name text box and then can accept the defaults.

 

• Voila, we have our newly created Namespace and Queue

• We are going to need our “owner” key so we might as well get it while we are in the portal.  Click on the View button and then click the Copy to Clipboard button.

 

Compiling SBAzTool

Once you have downloaded the SBAzTool you can compile the solution and then open a command prompt and launch the tool by specifying sbaztool.exe.  You can now see all of the command line arguments.  However you can also access this documentation from the download page as well.

 

StoreOptions

In order to set permissions for other users/issuers we need to be authenticated ourselves using the Key that we previously retrieved from the portal.  By using the storeoptions argument we can continue to execute commands without having to re-issue our key/password.  To do this we will want to execute the following command:

sbaztool.exe storeoptions –n <namespace> –k <key>

 

MakeId

So lets now create a new “user” by specifying the makeid command.  In this case we can actually specify a “username” instead of the regular “owner” that we are so use to. 

sbaztool.exe makeid <username>

As you can see, a Key has been provided for this user(which I have whited out).  We also have the ability to specify a password but including our own <key> provided it is a 32 byte, base64 encoded value.

Grant

Now that we have a Issuer/User created, we can actually assign this user permissions.  The command to do so is:

grant <operation> <path> <name>

The available operations that we have access to are:

• Send
• Listen
• Manage

Send and Listen are pretty self explanatory but Manage deserves further elaboration.  We can actually delegate the authority to manage resources to a particular user based upon the path.  So lets imagine we have a path that looks like this:

/organization/department/engineering

If we wanted to allow someone to administrate the /engineering services we could do so using this command.

For the purpose of this blog post, lets keep things simple and assign Send and Listen privileges to our QueueUser for our queue which is called myqueue. 

Send

Listen

Show

To verify that our permissions have been set correctly we can execute the Show command by providing the following:

show <path>

As you can see below the QueueUser now has Send and Listen permissions on the queue called myqueue.  This is a much better solution than giving entire rights to a namespace when you only need to specify rights on a particular queue.

 

Test permissions

So in order to validate that this stuff actually works and this is not smoke and mirrors I am going to create a very simple console application that will use these credentials to send and receive a message.  Once we have validated that this works we will pull the Send permission and see what happens.

The following code will create a QueueClient, send a message to the queue and then receive the message.

        const string QueueName = "myqueue";
         const string ServiceNamespace = "DontRunAsRoot";
         const string IssuerName = "QueueUser";
         const string IssuerKey = "<removed>";

         //Sending the message

         TokenProvider credentials = TokenProvider.CreateSharedSecretTokenProvider(IssuerName, IssuerKey);
         Uri serviceUri = ServiceBusEnvironment.CreateServiceUri("sb", ServiceNamespace, string.Empty);

         MessagingFactory factory = null;

         try
         {

             factory = MessagingFactory.Create(serviceUri, credentials);

             //This code assumes that queue has already been created since we have
             //provisioned access
             QueueClient myQueueClient = factory.CreateQueueClient(QueueName);

             Console.WriteLine("\nCreated Queue Client");

             //Create Brokered Message
             BrokeredMessage bm = new BrokeredMessage("I hope this works");

             Console.WriteLine("\nSending messages to Queue…");

             myQueueClient.Send(bm);

             Console.WriteLine("\nMessage sent to Queue");
             Console.WriteLine("\nPress Any ENTER to receive message");
             Console.ReadLine();

          
             bm = myQueueClient.Receive(TimeSpan.FromSeconds(5));

             if (bm != null)
             {
                 Console.WriteLine(string.Format("Message received: Id = {0}, Body = {1}", bm.MessageId, bm.GetBody<string>()));
                 // Further custom message processing could go here…
                 bm.Complete();
             }

             Console.WriteLine("\nNo more messages to process");
             Console.WriteLine("\nPress ENTER Key to exit");
             Console.ReadLine();
           

         }
         catch (Exception ex)
         {
             Console.WriteLine(ex.ToString());
         }

     }

When we run the application we will discover that it is executing correctly:

 

Revoke

Let’s now make this a little interesting.  Let’s remove the QueueUser’s ability to send messages to the Queue and see what happens.  To do this we will use the following command:

revoke <operation> <path> <user>

To validate that the permission revoke was successful lets run the show command again.  As you can see our revoke command was successful.

 

Let’s now try to send a message and see what happens.

As expected we get an authentication exception as we should.

 

Conclusion

With the introduction of the SBAzTool tool there is no excuse for using your “owner” credentials when building applications.  The SBAzTool has a wide variety of commands that facilitate managing and even delegating permissions.  Since this is a command line tool you can even script these permissions as you provision your Service Bus artifacts.