ServiceBusExplorer icon indicating copy to clipboard operation
ServiceBusExplorer copied to clipboard
verified publisher icon paolosalvatori

Use when having restricted rights

Open paritoshnagar2016 opened this issue 2 years ago • 5 comments

Hi Team,

We are looking forward to use service bus explorer but need to make sure that developers should be able to move messages from DLQ to Active Queue but not able to add/delete/manage queues or topics. When I can trying to use SAS token explorer only allows when I am selecting manage policy and this would open up for developers to add/delete queues, is there way to restrict the same.

Thank You

paritoshnagar2016 avatar May 19 '23 00:05 paritoshnagar2016

Potentially related to #607

SeanFeldman avatar May 19 '23 06:05 SeanFeldman

@paritoshnagar2016, as far as I know SBE works properly when the connection string used has Listen and Send rights. You have to test that though since there are often changes and this use case is not tested.

According to https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies you need the Manage right to be able to delete and create queues.

Please reply to this thread whether it works or not after you have tested it.

ErikMogensen avatar May 22 '23 19:05 ErikMogensen

@ErikMogensen I have retested this and do receive 401 errors upon connecting: image image

Kunter-Bunt avatar Jun 03 '23 14:06 Kunter-Bunt

I tried it and had the same error. It is the namespaceManager.GetQueuesAsync() method that fails. There is no mention about rights requirements at the method documentation. I can not think of a way of solving this, unless the tool gets support for RBAC authentication, as Sean posted.

I believe this was working in the past, in that case there has been a change in the service.

ErikMogensen avatar Jul 08 '23 08:07 ErikMogensen

This looks like a duplicate of #615.

TomasMalecek avatar Nov 24 '23 10:11 TomasMalecek