I'm involved in a multi-tier project, one part of which is consuming a stream of "events" from a third-party system. The vendor is publishing these via an Azure Service Bus Topic - they provide, control & manage the Bus. We are simply provided with the URI, TopicName and Subscription details.
Our approach was to put together a WebJob, using the provided ServiceBusTrigger in the SDK to handle listening for new messages & triggering processing them into our system. However, we seem to have hit a roadblock insomuch as the job continuously fails to read from the Topic. The job fails with a vague Timeout Exception:
Unhandled Exception: System.TimeoutException: The timeout elapsed upon attempting to obtain a token while accessing 'https://****-sb.accesscontrol.windows.net/WRAPv0.9/'.
---> System.IdentityModel.Tokens.SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://****-sb.accesscontrol.windows.net/WRAPv0.9/'.
Token provider returned message: 'The operation has timed out'.
But further down, the trace includes:
[ERR] at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result)
[ERR] at Microsoft.ServiceBus.NamespaceManager.OnEndTopicExists(IAsyncResult result)
[ERR] at Microsoft.ServiceBus.NamespaceManager.EndTopicExists(IAsyncResult result)
The vendor has subsequently confirmed that the only permission / claim the Subscription has on the Topic is Listen.
Can anyone confirm what the permission requirements are for the ServiceBusTrigger?
And as a +1, on the assumption that it, for whatever reason, needs more than Listen (i.e. needs Manage), would anyone like to suggest an alternative approach? It seems a shame to lose the WebJob infrastructure (the project already has 3 other jobs) - especially the loss of features like the async & concurrent processing of messages from the Topic.
The SDK makes the following call, which would require Manage permission: Microsoft.Azure.WebJobs.ServiceBus.Listeners.NamespaceManagerExtensions. One alternative if you cannot set those permissions is to not use the SDK for the Service Bus Triggers but use it for everything else.
To close on this, we've made the suggested change to the WebJobs SDK (pull request here: https://github.com/Azure/azure-webjobs-sdk/pull/528). This will be in the next release. Here's an example of how you specify the AccessRights per attribute:
When not specified, the default will be "Manage". When set to anything other than Manage, the SDK will not attempt to create any SB resources. I assume this meets your needs?
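The two Listen-only options discussed in the answers above, as an added sketch that is not code from the original posts or from the SDK project: the trigger attribute declared with AccessRights.Listen, and a plain SubscriptionClient message pump for when the SDK trigger is not used. The topic and subscription names, the class and method names, and the concurrency value are placeholders assumed for illustration.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;
using Microsoft.ServiceBus.Messaging;

public static class VendorEvents
{
    // Placeholder names (assumptions): substitute the vendor-supplied values.
    const string Topic = "vendor-topic";
    const string Subscription = "our-subscription";

    // Option 1: SDK trigger declared Listen-only, so the SDK does not attempt
    // to create Service Bus resources, which would need Manage rights.
    public static Task OnEvent(
        [ServiceBusTrigger(Topic, Subscription, AccessRights.Listen)] BrokeredMessage msg,
        TextWriter log)
    {
        return HandleAsync(msg, log);
    }

    // Option 2: no SDK trigger. A message pump on the subscription needs only
    // Listen and still processes messages asynchronously and concurrently.
    public static SubscriptionClient StartPump(string listenOnlyConnectionString)
    {
        var client = SubscriptionClient.CreateFromConnectionString(
            listenOnlyConnectionString, Topic, Subscription, ReceiveMode.PeekLock);

        var options = new OnMessageOptions { MaxConcurrentCalls = 8, AutoComplete = false };
        options.ExceptionReceived += (sender, e) =>
            Console.Error.WriteLine("Receive error during {0}: {1}", e.Action, e.Exception.Message);

        client.OnMessageAsync(async msg =>
        {
            try
            {
                await HandleAsync(msg, Console.Out);
                await msg.CompleteAsync();   // settle only after successful processing
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine("Processing failed: {0}", ex.Message);
                await msg.AbandonAsync();    // release the lock so the message is redelivered
            }
        }, options);
        return client;                       // caller closes the client on shutdown
    }

    static Task HandleAsync(BrokeredMessage msg, TextWriter log)
    {
        log.WriteLine("Event {0}", msg.MessageId);
        return Task.FromResult(0);
    }
}
```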