Azure / azure-functions-signalrservice-extension

Azure Functions bindings for SignalR Service. Project moved to https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/signalr/Microsoft.Azure.WebJobs.Extensions.SignalRService .
MIT License
97 stars 47 forks

Update SignalR Functions extension to support Azure.Identity #238

Closed (jongio closed 2 years ago)

jongio commented 3 years ago

Right now the only way to connect to SignalRService is via connection string, which causes the developer to have to store the connection string in a secret store.

The SignalR service supports managed identity.

We should update the SignalRService binding to also support Azure Identity.

Tracking issue: https://github.com/Azure/azure-sdk-for-net/issues/21446

Y-Sindo commented 3 years ago

You can use an AAD connection string in the SignalR Service binding. See "Authenticate a managed identity with Azure Active Directory to access Azure SignalR Resources". Does this satisfy your need?

jongio commented 3 years ago

No, that only gets me Managed Identity support. With Azure.Identity we get much more than that, including all of the credential types derived from TokenCredential, AzureCliCredential, etc.

Have a look at the new extensions for Event Grid, Event Hub, Service Bus and Storage for implementation ideas.

Y-Sindo commented 3 years ago

Is creating a TokenCredential from IConfiguration the key point to support Azure.Identity in function extensions? Like the code in Event Hub, it accepts a connection string or a fullyQualifiedNamespace+TokenCredential as the connection information. https://github.com/Azure/azure-sdk-for-net/blob/d0f4b8be10d9d354353c4bdd6f82d577e3f1f61a/sdk/eventhub/Microsoft.Azure.WebJobs.Extensions.EventHubs/src/Config/EventHubClientFactory.cs#L188-L232

jongio commented 3 years ago

@pakrym @JoshLove-msft Could you please provide @Y-Sindo with guidance on how to implement Azure.Identity for the SignalR extension?

Should they also look at moving it in to the mono-repo?

JoshLove-msft commented 3 years ago

> Is creating a TokenCredential from IConfiguration the key point to support Azure.Identity in function extensions? Like the code in Event Hub, it accepts a connection string or a fullyQualifiedNamespace+TokenCredential as the connection information. https://github.com/Azure/azure-sdk-for-net/blob/d0f4b8be10d9d354353c4bdd6f82d577e3f1f61a/sdk/eventhub/Microsoft.Azure.WebJobs.Extensions.EventHubs/src/Config/EventHubClientFactory.cs#L188-L232

Yes, you just need to create and use the TokenCredential based on the IConfiguration.

JoshLove-msft commented 3 years ago

> Should they also look at moving it in to the mono-repo?

@AlexGhiondea what do you think about moving the SignalR extension to the mono repo?

pakrym commented 3 years ago

I think moving makes a lot of sense. Other extensions are there, free infrastructure is there.

jongio commented 3 years ago

@Y-Sindo - Do you own this? Would like to discuss. Thanks

Y-Sindo commented 3 years ago

@jongio Sure, already pinged you on Teams.

drdamour commented 2 years ago

tested this out, seems to work for sends. should add to list at https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference#connection-properties and related signalr docs.

drdamour commented 2 years ago

i'm new to signalr and this specific function binding extension, but i am somewhat randomly getting

System.Private.CoreLib: Exception while executing function: SignalrSend. Microsoft.Azure.SignalR.Common: Azure SignalR service runtime error. Request Uri: https://xxx.service.signalr.net/api/v1/hubs/xxx/users/12345. Response status code does not indicate success: 500 (Internal Server Error)

not sure if this is identity related, but seems like random failures would be reported elsewhere.

seemingly happens after i don't do anything for a few minutes with signalr, a subsequent send immediately after seems to work.

this is running local with a VS provided credential. i see no entries in the live trace tool.

Y-Sindo commented 2 years ago

@drdamour Thanks for your testing. Could you give me your SignalR resource ID and a time span when the error occurred so that we could investigate the issue? If your resource ID contains sensitive information, you could send it to this email: zityang AT microsoft.com

drdamour commented 2 years ago

usos1sig01-advisor-test and the errors 9/24 2pm - 6 pm MT

drdamour commented 2 years ago

@Y-Sindo any luck figuring out a cause?

drdamour commented 2 years ago

just got it again MT

[2021-10-06T03:21:00.804Z] Executed 'SignalrSend' (Failed, Id=9e4d933e-066f-4e91-98d7-a3c3efeadb74, Duration=15535ms)
[2021-10-06T03:21:00.806Z] System.Private.CoreLib: Exception while executing function: SignalrSend. Microsoft.Azure.SignalR.Common: Azure SignalR service runtime error. Request Uri: https://usos1sig01-advisor-test.service.signalr.net/api/v1/hubs/advisornotificationhub/users/1245. Response status code does not indicate success: 500 (Internal Server Error).

Y-Sindo commented 2 years ago

@drdamour Your resource happens to be located in a known problematic cluster, and we are still investigating it. We have now moved your resource to another cluster. Could you please validate whether the problem is mitigated?

kensykora commented 2 years ago

Any update on this? It would be nice to get Managed Identity working when developing with SignalR locally

Y-Sindo commented 2 years ago

@kensykora It's already supported. Please upgrade to 1.7.0.

FYI:

kensykora commented 2 years ago

@Y-Sindo I reviewed your docs, and tried making some changes, but am experiencing the same result. Can you help me figure out what the correct settings are then? It is not working for me.

Functions version: 4.0.3971

Extensions: <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.SignalRService" Version="1.7.0" />

When I use the connection string:

local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "AzureSignalRConnectionString": "Endpoint=https://mytestservice.service.signalr.net;AuthType=aad;Version=1.0;",
    "AzureSignalRConnectionString__credential": "managedidentity" // I've tried with & without this, same results
  },
  "ConnectionStrings": {}
}

And using this function:

Function.cs

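using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Azure.SignalR.Management;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Extensions.SignalRService;

namespace CSharp
{
    public class Function : ServerlessHub
    {
        // HTTP-triggered negotiate endpoint: returns the service URL and access token to the client.
        [FunctionName("negotiate")]
        public Task<SignalRConnectionInfo> NegotiateAsync([HttpTrigger(AuthorizationLevel.Anonymous)] HttpRequest req)
        {
            return NegotiateAsync(new NegotiationOptions());
        }
    }
}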

Calling negotiate endpoint results in:

[2022-04-07T14:18:30.791Z] Executed 'negotiate' (Failed, Id=daecddf6-cf46-417b-893a-e69c28129453, Duration=9119ms)
[2022-04-07T14:18:30.791Z] System.Private.CoreLib: Exception while executing function: negotiate. System.Private.CoreLib: One or more errors occurred. (The given AzureAD identity don't have the permission to generate access token.). Microsoft.Azure.SignalR.Common: The given AzureAD identity don't have the permission to generate access token.

However I've confirmed that my az cli user is logged in and has the role SignalR Service Owner

Calls to send messages from within a simple timer function using Clients.All.SendAsync("newMessage", "status") result in:

[2022-04-07T14:22:39.503Z] Failed to process message: ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
[2022-04-07T14:22:39.503Z] Azure.Identity: ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.

So I'm confused how it's supposed to work. What am I missing?

Y-Sindo commented 2 years ago

@kensykora Your configuration mixes two kinds of configuration styles together. What you need is an Azure CLI identity instead of a managed identity.
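
The two configuration styles referred to in the comment above, shown separately as an added illustration (not part of the original thread and not the project's own sample). The endpoint is the one from the question; the `__serviceUri` setting name and the behaviour when `__credential` is omitted follow the Azure Functions identity-based connection convention and are assumptions as far as this page is concerned.

```jsonc
// Style 1: a single connection string.
// AuthType=aad asks the SDK for an Azure AD token instead of an access key.
// Do not combine it with AzureSignalRConnectionString__* settings.
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "AzureSignalRConnectionString": "Endpoint=https://mytestservice.service.signalr.net;AuthType=aad;Version=1.0;"
  }
}

// Style 2: identity-based settings under the same connection name prefix.
// No connection string value and no key material is stored at all.
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "AzureSignalRConnectionString__serviceUri": "https://mytestservice.service.signalr.net"
    // Local development: leave __credential unset so a developer credential
    // (for example the Azure CLI login) is used.
    // Hosted in Azure: add
    //   "AzureSignalRConnectionString__credential": "managedidentity"
    // Setting "managedidentity" locally produces the
    // "No Managed Identity endpoint found" error quoted in the question,
    // because no managed identity endpoint exists on a developer machine.
  }
}
```

In either style, the identity that ends up being used needs a SignalR data-plane role on the resource, such as the SignalR Service Owner role mentioned in the question.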

kensykora commented 2 years ago

@Y-Sindo thanks for following up -- I tried as you suggested and am running into the same thing. I'll open up a separate issue.