Enable local auth for service bus #5747

Open
Steinblock opened this issue Sep 17, 2024 · 1 comment
Labels
area-integrations Issues pertaining to Aspire Integrations packages azure Issues associated specifically with scenarios tied to using Azure enhancement An enhancement to an existing feature or capability.

Steinblock commented Sep 17, 2024

Background and Motivation

The Aspire.Hosting.Azure.ServiceBus integration

    builder.AddAzureServiceBus("messaging");

disables local auth

    public static IResourceBuilder<AzureServiceBusResource> AddAzureServiceBus(this IDistributedApplicationBuilder builder, string name, Action<IResourceBuilder<AzureServiceBusResource>, ResourceModuleConstruct, ServiceBusNamespace>? configureResource)
    {
        builder.AddAzureProvisioning();

        var configureConstruct = (ResourceModuleConstruct construct) =>
        {
            ...
            serviceBusNamespace.AssignProperty(p => p.DisableLocalAuth, "true");
            ...
            configureResource?.Invoke(azureResourceBuilder, construct, serviceBusNamespace);
            ...

but I need local auth for my KEDA scale rule on a different container.

The documentation is a bit outdated, since it mentions this way to configure Azure Service Bus:

    builder.AddAzureServiceBus(
        "messaging",
        static settings => settings.FullyQualifiedNamespace = "YOUR_SERVICE_BUS_NAMESPACE");

but there is only the AddAzureServiceBus(this IDistributedApplicationBuilder builder, string name, Action<IResourceBuilder<AzureServiceBusResource>, ResourceModuleConstruct, ServiceBusNamespace>? configureResource) overload. If I use this code

    builder.AddAzureServiceBus("messaging", (builder, construct, serviceBusNamespace) =>
    {
        serviceBusNamespace.Properties.DisableLocalAuth = false;
    });

that does not work. I'm not sure how AssignProperty works, because if I set a breakpoint inside the configureResource, the serviceBusNamespace.Properties.DisableLocalAuth is still null. After azd up, local auth is still disabled. I guess the AssignProperty works differently. But if I use this myself

    builder.AddAzureServiceBus("messaging", (builder, construct, serviceBusNamespace) =>
    {
        serviceBusNamespace.AssignProperty(p => p.DisableLocalAuth, "false");
    });

I get an error during deployment

  (✓) Done: Resource group: rg-production
  (✓) Done: Log Analytics workspace: law-08154711
  (✓) Done: Key Vault: kvd08154711
  (✓) Done: Container Registry: acr08154711
  (✓) Done: Container Apps Environment: cae-08154711
  |=      | Creating/Updating resources
ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription:

Deployment Error Details:
DotNetComponentOperationError: Failed to provision component 'aspire-dashboard'. Error details: Cannot modify DotNet Component with name 'aspire-dashboard' because another modification is in progress..

TraceID: 08154711

Local Auth is needed for development as well

    var serviceBus = builder.ExecutionContext.IsPublishMode
        ? builder.AddAzureServiceBus("messaging")
        : builder.AddConnectionString("messaging"); // needs local auth

otherwise you'll get errors like this

System.UnauthorizedAccessException: 'LocalAuthDisabled: Authorization failed because SAS authentication has been disabled for the namespace. TrackingId:08154711, SystemTracker:NoSystemTracker, Timestamp:2024-09-17T06:11:38
Status: 401 (Unauthorized)

Currently I am using a post deploy hook and az servicebus namespace update to re-enable it, but it would be great to have a way to do this with C#.

Proposed API

Bring back the settings overload mentioned here

Usage Examples

    builder.AddAzureServiceBus(
        "messaging",
        static settings => settings.DisableLocalAuth = false);

Alternative Designs

use the fluent interface

    builder.AddAzureServiceBus("messaging")
        .WithLocalAuth(true)
        .AddQueue("queue");

or

    builder.AddAzureServiceBus("messaging")
        .WithProperty(ServiceBusProperty.DisableLocalAuth, false)
        .AddQueue("queue");

or (but that's in the scope of the aspire team)

make KEDA scale rules available without local auth

Risks

I'm not 100% certain, but a while back local auth was enabled by default. Now it's disabled by default, which is probably a good thing. But being able to enable local auth should be possible.
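
An added example, not part of the original post or the Aspire code base: a Python check that reads the effective `disableLocalAuth` value out of generated Bicep and predicts whether a SAS connection string will hit the `LocalAuthDisabled` error quoted above. The Bicep sample and all function names are constructed for illustration, and it assumes the namespace is declared as a top-level `Microsoft.ServiceBus/namespaces` resource.

```python
import re

# Constructed sample of generated Bicep; resource names and API version are placeholders.
SAMPLE_BICEP = """
resource messaging 'Microsoft.ServiceBus/namespaces@<api-version>' = {
  name: 'messaging-example'
  properties: {
    disableLocalAuth: true
  }
}
resource queue 'Microsoft.ServiceBus/namespaces/queues@<api-version>' = {
  parent: messaging
  name: 'queue'
}
"""

NAMESPACE_DECL = re.compile(
    r"resource\s+(\w+)\s+'Microsoft\.ServiceBus/namespaces@[^']*'\s*=\s*\{")
LOCAL_AUTH = re.compile(r"\bdisableLocalAuth\s*:\s*(\S+)")


def local_auth_settings(bicep):
    """Map each Service Bus namespace symbol to its disableLocalAuth value:
    True/False for literals, the raw text for expressions, None when unset."""
    found = {}
    for m in NAMESPACE_DECL.finditer(bicep):
        depth, i = 1, m.end()
        while i < len(bicep) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(bicep[i], 0)
            i += 1
        hit = LOCAL_AUTH.search(bicep[m.end():i])
        raw = hit.group(1) if hit else None
        found[m.group(1)] = {"true": True, "false": False}.get(raw, raw)
    return found


def uses_sas(connection_string):
    """True when the connection string carries a shared access key or token."""
    keys = {part.split("=", 1)[0].strip().lower()
            for part in connection_string.split(";") if "=" in part}
    return bool(keys & {"sharedaccesskey", "sharedaccesssignature"})


def sas_will_be_rejected(bicep, connection_string):
    """Predict the LocalAuthDisabled 401 from the issue: a SAS client
    against a namespace whose template sets disableLocalAuth: true."""
    return uses_sas(connection_string) and True in local_auth_settings(bicep).values()
```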

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-app-model Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication label Sep 17, 2024
@davidfowl
Member

See #5494

@davidfowl davidfowl added azure Issues associated specifically with scenarios tied to using Azure area-integrations Issues pertaining to Aspire Integrations packages enhancement An enhancement to an existing feature or capability. and removed area-app-model Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication labels Sep 17, 2024