search

Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License
5.47k stars 4.8k forks source link

[BUG] ServiceBusException with MessagingEntityNotFound when unauthorized? #28435

Closed hugoqribeiro closed 1 year ago

hugoqribeiro commented 2 years ago

Library name and version

Azure.Messaging.ServiceBus 7.7.0

Describe the bug

When trying to connect to the service using ServiceNamespace and credentials (ChainedTokenCredential), if using managed identity with an identity (client id) that as no access to the service, the library throws a ServiceBusException with reason MessagingEntityNotFound.

The operation being called is ServiceBusAdministrationClient.DeleteTopicAsync(), do this behavior makes it impossible to distinguish between an unauthorized error (the case) or the error that should happen when the topic does not exist.

Expected behavior

I think this should raise an UnauthorizedAccessException (?).

Actual behavior

The exception that is being raised by the library follows:

Azure.Messaging.ServiceBus.ServiceBusException: Service request failed.
Status: 404 (Not Found)

Content:
<Error><Code>404</Code><Detail>No service is hosted at the specified address. TrackingId:2e8f1d1c-7330-4506-9feb-5a20cb71b26c_G30, SystemTracker:hydrogen-tests.servicebus.windows.net:HT-AEBMSfdb33562-96b1-4b50-a136-ed040106e234, Timestamp:2022-04-28T10:25:21</Detail></Error>

Headers:
Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: REDACTED
Date: Thu, 28 Apr 2022 10:25:20 GMT
Content-Type: application/xml; charset=utf-8
 (MessagingEntityNotFound)
 ---> Azure.RequestFailedException: Service request failed.
Status: 404 (Not Found)

Content:
<Error><Code>404</Code><Detail>No service is hosted at the specified address. TrackingId:2e8f1d1c-7330-4506-9feb-5a20cb71b26c_G30, SystemTracker:hydrogen-tests.servicebus.windows.net:HT-AEBMSfdb33562-96b1-4b50-a136-ed040106e234, Timestamp:2022-04-28T10:25:21</Detail></Error>

Headers:
Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: REDACTED
Date: Thu, 28 Apr 2022 10:25:20 GMT
Content-Type: application/xml; charset=utf-8

   --- End of inner exception stack trace ---
   at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.ThrowIfRequestFailedAsync(Request request, Response response)
   at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.SendHttpRequestAsync(Request request, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.DeleteEntityAsync(String entityPath, CancellationToken cancellationToken)
   at Azure.Messaging.ServiceBus.Administration.ServiceBusAdministrationClient.DeleteTopicAsync(String name, CancellationToken cancellationToken)
   at Primavera.Hydrogen.EventBus.Azure.AzureEventBusManagementService.<>c__DisplayClass20_0.<<DeletePathAsync>b__0>d.MoveNext() in D:\GitHub\lithium-product-core.hydrogen\src\server\EventBus.Azure\AzureEventBusManagementService.cs:line 231
--- End of stack trace from previous location ---
   at Primavera.Hydrogen.EventBus.Azure.AzureEventBusExceptionHandler.HandleAsync(Func`1 action, Target target, Object[] args) in D:\GitHub\lithium-product-core.hydrogen\src\server\EventBus.Azure\AzureEventBusExceptionHandler.cs:line 53

Reproduction Steps

See above.

  1. Create a new instance of ServiceBusAdministrationClient using ChainedTokenCredential with managed identity and an existing client that has no access to the service bus service (e.g. the identity of an app service for example).

NOTE: I used the client id for the managed identity given that this is being tested from a local development machine).

  1. Invoke ServiceBusAdministrationClient.DeleteTopicAsync() on a topic that does not exist.

Environment

.NET SDK (reflecting any global.json): Version: 6.0.202 Commit: f8a55617d2

Runtime Environment: OS Name: Windows OS Version: 10.0.19042 OS Platform: Windows RID: win10-x64 Base Path: C:\Program Files\dotnet\sdk\6.0.202\

Host (useful for support): Version: 6.0.4 Commit: be98e88c76

.NET SDKs installed: 2.1.526 [C:\Program Files\dotnet\sdk] 5.0.300 [C:\Program Files\dotnet\sdk] 5.0.405 [C:\Program Files\dotnet\sdk] 6.0.202 [C:\Program Files\dotnet\sdk]

.NET runtimes installed: Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 5.0.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 6.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.NETCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 5.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 6.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.WindowsDesktop.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 3.1.24 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 6.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @shankarsama, @DorothySun216, @EldertGrootenboer, @saglodha.

Issue Details
### Library name and version Azure.Messaging.ServiceBus 7.7.0 ### Describe the bug When trying to connect to the service using `ServiceNamespace` and credentials (`ChainedTokenCredential`), if using managed identity with an identity (client id) that as no access to the service, the library throws a `ServiceBusException` with reason `MessagingEntityNotFound`. The operation being called is `ServiceBusAdministrationClient.DeleteTopicAsync()`, do this behavior makes it impossible to distinguish between an unauthorized error (the case) or the error that should happen when the topic does not exist. ### Expected behavior I think this should raise an `UnauthorizedAccessException` (?). ### Actual behavior The exception that is being raised by the library follows: ``` Azure.Messaging.ServiceBus.ServiceBusException: Service request failed. Status: 404 (Not Found) Content: 404No service is hosted at the specified address. TrackingId:2e8f1d1c-7330-4506-9feb-5a20cb71b26c_G30, SystemTracker:hydrogen-tests.servicebus.windows.net:HT-AEBMSfdb33562-96b1-4b50-a136-ed040106e234, Timestamp:2022-04-28T10:25:21 Headers: Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: REDACTED Date: Thu, 28 Apr 2022 10:25:20 GMT Content-Type: application/xml; charset=utf-8 (MessagingEntityNotFound) ---> Azure.RequestFailedException: Service request failed. Status: 404 (Not Found) Content: 404No service is hosted at the specified address. TrackingId:2e8f1d1c-7330-4506-9feb-5a20cb71b26c_G30, SystemTracker:hydrogen-tests.servicebus.windows.net:HT-AEBMSfdb33562-96b1-4b50-a136-ed040106e234, Timestamp:2022-04-28T10:25:21 Headers: Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: REDACTED Date: Thu, 28 Apr 2022 10:25:20 GMT Content-Type: application/xml; charset=utf-8 --- End of inner exception stack trace --- at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.ThrowIfRequestFailedAsync(Request request, Response response) at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.SendHttpRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.HttpRequestAndResponse.DeleteEntityAsync(String entityPath, CancellationToken cancellationToken) at Azure.Messaging.ServiceBus.Administration.ServiceBusAdministrationClient.DeleteTopicAsync(String name, CancellationToken cancellationToken) at Primavera.Hydrogen.EventBus.Azure.AzureEventBusManagementService.<>c__DisplayClass20_0.<b__0>d.MoveNext() in D:\GitHub\lithium-product-core.hydrogen\src\server\EventBus.Azure\AzureEventBusManagementService.cs:line 231 --- End of stack trace from previous location --- at Primavera.Hydrogen.EventBus.Azure.AzureEventBusExceptionHandler.HandleAsync(Func`1 action, Target target, Object[] args) in D:\GitHub\lithium-product-core.hydrogen\src\server\EventBus.Azure\AzureEventBusExceptionHandler.cs:line 53 ``` ### Reproduction Steps See above. 1. Create a new instance of `ServiceBusAdministrationClient` using `ChainedTokenCredential` with managed identity and an existing client that has no access to the service bus service (e.g. the identity of an app service for example). NOTE: I used the client id for the managed identity given that this is being tested from a local development machine). 2. Invoke `ServiceBusAdministrationClient.DeleteTopicAsync()` on a topic that does not exist. ### Environment .NET SDK (reflecting any global.json): Version: 6.0.202 Commit: f8a55617d2 Runtime Environment: OS Name: Windows OS Version: 10.0.19042 OS Platform: Windows RID: win10-x64 Base Path: C:\Program Files\dotnet\sdk\6.0.202\ Host (useful for support): Version: 6.0.4 Commit: be98e88c76 .NET SDKs installed: 2.1.526 [C:\Program Files\dotnet\sdk] 5.0.300 [C:\Program Files\dotnet\sdk] 5.0.405 [C:\Program Files\dotnet\sdk] 6.0.202 [C:\Program Files\dotnet\sdk] .NET runtimes installed: Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 5.0.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 6.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.NETCore.App 2.1.26 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 5.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 6.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.WindowsDesktop.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 3.1.24 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 5.0.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 6.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Author: hugoqribeiro
Assignees: -
Labels: `Service Bus`, `Service Attention`, `customer-reported`, `question`, `needs-team-triage`, `Service`
Milestone: -
jsquire commented 2 years ago

Hi @hugoqribeiro. Thank you for reaching out and we regret that you're experiencing difficulties. This is a behavior of the service used by the client library; I've looped in the team that owns the service for their assistance.

hugoqribeiro commented 2 years ago

Hi @jsquire, no news here...

jsquire commented 2 years ago

@EldertGrootenboer - Do you have any insight that you can share?

EldertGrootenboer commented 2 years ago

We have opened an investigation task for this in our backlog, and will update this issue when we have more information.

karankesri commented 1 year ago

@hugoqribeiro Do you currently experience any problems with this error?

hugoqribeiro commented 1 year ago

The behavior continues the same as described initially @karankesri.

Saglodha commented 1 year ago

@hugoqribeiro, Thanks for feedback.

We did some investigation on the issue and could understand the bump you had been noticing. While we understand the expectation is to throw unauthorized exception before entitynotfound exception, we would like to know more about the scenario you are getting this error in. From our side, this looks like rare usage case. Knowing more about your setup would help us gaze the impact and take action accordingly.

hugoqribeiro commented 1 year ago

Let me try to explain this better.

We have a bunch of microservices running on Azure and some of them use Service Bus to implement messaging patterns. As such, those microservices use the .NET SDK to interact with SB.

Historically, the connection to SB was being made with connection strings. The same happened with other Azure services (like table storage for example). As the .NET SDK has been evolving to support managed identity, because we would prefer to use that instead of connection strings in production, we have updated our implementations accordingly, supporting both usages (connection strings or managed identity) also so that we can upgrade the services progressively.

The problem here is that if, for example, the app service (running the microservice) managed identity is not configured well for some reason, it will be unauthorized, but we won't be able to distinguish that error from other "normal" errors like when you try to publish a message to a non-existent topic.

It is also relevant to understand that we want to support both connection strings and managed identity so that development environments can fall back to connection strings even if the service being debugged will use managed identity when published to production environments.

karankesri commented 1 year ago

@hugoqribeiro , this looks to be by design behavior. We check for authorization after verifying entity existence If in case, entity doesn't exist, we return a 404.

For any entity that exists and permissions are lacking, we do return an unauthorized status code in response. I tried running some tests for both of scenarios - Managed Identity & connection strings and could observe same results in both of the cases.

CC: @Saglodha

github-actions[bot] commented 1 year ago

Hi @hugoqribeiro. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

github-actions[bot] commented 1 year ago

Hi @hugoqribeiro, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.