Manage rights required after updating to NServiceBus 8.0.0

gscher · November 18, 2022, 11:49am

Hi,

we are following the least privilege principle when using NServiceBus in combination with the Azure Service Bus transport. Endpoints, queues, topics, and subscriptions are created upfront in a separate pipeline using NServiceBus’ operational scripting mechanisms and the actual applications run with ‘send’ and ‘listen’ rights only.

However, after upgrading to NServiceBus 8.0.0, including NServiceBus.Transport.AzureServiceBus 3.0.0, our test application fails during endpoint creation:

Unhandled exception. System.UnauthorizedAccessException: Service request failed.
Status: 401 (SubCode=40100: Unauthorized : Unauthorized access for 'CreateOrUpdateSubscription' operation on endpoint 'sb://<service-bus-instance>'. 

Headers:
<...>

 ---> Azure.RequestFailedException: Service request failed.
Status: 401 (SubCode=40100: Unauthorized : Unauthorized access for 'CreateOrUpdateSubscription' operation on endpoint 'sb://<service-bus-instance>'. 

Headers:
<...>

   --- End of inner exception stack trace ---
   at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.ThrowIfRequestFailedAsync(Request request, Response response)
   at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.SendHttpRequestAsync(Request request, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.PutEntityAsync(String entityPath, String requestBody, Boolean isUpdate, String forwardTo, String fwdDeadLetterTo, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Administration.ServiceBusAdministrationClient.CreateSubscriptionAsync(CreateSubscriptionOptions options, CreateRuleOptions rule, CancellationToken cancellationToken)
   at NServiceBus.Transport.AzureServiceBus.SubscriptionManager.CreateSubscription(CancellationToken cancellationToken) in /_/src/Transport/Administration/SubscriptionManager.cs:line 106
   at NServiceBus.Transport.AzureServiceBus.MessagePump.Initialize(PushRuntimeSettings limitations, OnMessage onMessage, OnError onError, CancellationToken cancellationToken) in /_/src/Transport/Receiving/MessagePump.cs:line 71
   at NServiceBus.ReceiveComponent.Initialize(IServiceProvider builder, RecoverabilityComponent recoverabilityComponent, MessageOperations messageOperations, PipelineComponent pipelineComponent, IPipelineCache pipelineCache, TransportInfrastructure transportInfrastructure, ConsecutiveFailuresConfiguration consecutiveFailuresConfiguration, CancellationToke
n cancellationToken) in /_/src/NServiceBus.Core/Receiving/ReceiveComponent.cs:line 167
   at NServiceBus.StartableEndpoint.Start(CancellationToken cancellationToken) in /_/src/NServiceBus.Core/StartableEndpoint.cs:line 46
   at NServiceBus.HostingComponent.Start(IStartableEndpoint startableEndpoint, CancellationToken cancellationToken) in /_/src/NServiceBus.Core/Hosting/HostingComponent.cs:line 87
   at NServiceBus.Endpoint.Start(EndpointConfiguration configuration, CancellationToken cancellationToken) in /_/src/NServiceBus.Core/Endpoint.cs:line 34
   ...

We are wondering, whether this change was by design or is there a bug involved? We do explicitly disable the AutoSubscribe feature, so why is the CreateOrUpdateSubscription call even executed?

To reproduce, I created a simple demo which runs without any issue on NServiceBus 7.8.0 with version 2.0.3 of the AzureServiceBus transport. The only necessary change is to switch to the new way of registering the transport.

var endpointConfiguration = new EndpointConfiguration("demo");
var transport = new AzureServiceBusTransport("Endpoint=sb://<service-bus-instance>/;SharedAccessKeyName=<KeyWithSendAndListenOnly;SharedAccessKey=<Key>");
endpointConfiguration.UseTransport(transport);

endpointConfiguration.DisableFeature<AutoSubscribe>();
endpointConfiguration.DisableFeature<Sagas>();

var endpointInstance = await Endpoint.Start(endpointConfiguration)
    .ConfigureAwait(false);

The endpoint demo, its input queue and associated subscriptions do exist.

danielmarbach · November 18, 2022, 4:01pm

Hi @gscher

Unfortunately, that is a regression coming from a transport seam refactoring that we have done for NServiceBus v8 plus a lack of test coverage within the transport-specific implementation for that part. Sorry that you are experiencing this!

We will be looking into more details and raise corresponding issues, as well as reporting back here with further information. Stay tuned, and thanks for your patience.

Regards,
Daniel

danielmarbach · November 18, 2022, 4:21pm

I have raised an issue in the public repository

github.com/Particular/NServiceBus.Transport.AzureServiceBus

UnauthorizedAccessException when starting without manage rights

opened 04:19PM - 18 Nov 22 UTC

closed 04:15PM - 21 Nov 22 UTC

danielmarbach

Bug

### Symptoms Historically, the transport supported to run on connections that… do not have manage rights. This is possible by disabling the AutoSubscribe feature and taking manual control over the topology. This feature is there to support least privilege access control. When upgrading to version 3.0 of the transport the least privilidge mode is no longer available and when the endpoint is attempted to be started an `UnauthorizedAccessException` is thrown with ``` Unauthorized access for 'CreateOrUpdateSubscription' operation on endpoint 'sb://<service-bus-instance>'. ``` ### Who's affected Customer running with connections without manage rights ### Root cause Doing the implementation of the redesign of the transport seam, this mode was not considered. Unfortunately, there is no test coverage available for this path, so this regression happened. [See the discuss group for more details](https://discuss.particular.net/t/manage-rights-required-after-updating-to-nservicebus-8-0-0/3269) ### Backported to - [3.0.0](https://github.com/Particular/NServiceBus.Transport.AzureServiceBus/pull/694) - [3.1.0](https://github.com/Particular/NServiceBus.Transport.AzureServiceBus/pull/697)

danielmarbach · November 21, 2022, 2:59pm

Hi gerry,

I wanted to notify you that we have started working on a fix. I’ll keep you posted

Regards,
Daniel

gscher · November 21, 2022, 4:33pm

Awesome, thanks for the quick fix!

Tim · November 22, 2022, 11:38am

Hey @gscher ,

We’ve just released version 3.0.1 of the transport that contains a fix for the UnauthorizedAccessException. See our release announcement here: NServiceBus.Transport.AzureServiceBus 3.0.1 – Patch release available

Please let us know whether that resolves your issue!

gscher · November 23, 2022, 4:00pm

Hey @Tim and @danielmarbach ,

The version 3.0.1 patch release fixes the issue for us. Thanks!

Tim · November 23, 2022, 4:16pm

great to hear, thanks for letting us know