cosmos db, generate authentication key on client for Azure Table endpoint


Problem description

Cosmos DB (Azure Table API) gives you 2 endpoints in the Overview blade:

  1. Document endpoint
  2. Azure Table endpoint

An example of (1) is

https://myname.documents.azure.com/dbs/tempdb/colls

An example of (2) is

https://myname.table.cosmosdb.azure.com/FirstTestTable?$filter=PartitionKey%20eq%20'car'%20and%20RowKey%20eq%20'124'

You can create the authorization code for (1) on the client using the pre-request code from this Postman script: https://github.com/MicrosoftCSA/documentdb-postman-collection/blob/master/DocumentDB.postman_collection.json

This will give you a code like this:

Authorization: type%3Dmaster%26ver%3D1.0%26sig%3DavFQkBscU...

This is useful for playing with the REST URLs.

For (2) the only code I could find that generates a working code was on the server side, and it gives you a code like this:

Authorization: SharedKey myname:JXkSGZlcB1gX8Mjuu...

I had to get this out of Fiddler.

My questions

(i) Can you generate a code for case (2) above on the client, like you can for case (1)?

(ii) Can you securely use Cosmos DB from the client?

Recommended answer

If you go to the Azure Portal for a GA Table API account you won't see the document endpoint anymore. Instead only the Azure Table endpoint is advertised (e.g. X.table.cosmosdb.azure.com). So we'll focus on that.

When using anything but direct mode with the .NET SDK, our existing SDKs are using the SharedKey authentication scheme when talking to the X.table.cosmosdb.azure.com endpoint. There is also a SharedKeyLight scheme which should also work. Both are documented in https://docs.microsoft.com/en-us/rest/api/storageservices/authentication-for-the-azure-storage-services. Make sure you read the sections specifically on the Table Service. The thing to notice is that a SharedKey header is directly tied to the request it is associated with. So basically every request needs a unique header. This is useful for security because it means that a leaked header can only be used for a limited time to replay a specific request. It can't be used to authorize other requests. But of course that is exactly what you are trying to do.

An alternative is the SharedKeyLight header, which is a bit easier to implement as it just requires a date and a URL.

But we don't have externalized code libraries to really help with either.

But there is another solution that is much friendlier to things like Fiddler or Postman, which is to use a SAS URL as defined in https://blogs.msdn.microsoft.com/windowsazurestorage/2012/06/12/introducing-table-sas-shared-access-signature-queue-sas-and-update-to-blob-sas/.

There are at least two ways to get a SAS token. One way is to generate one yourself. Here is some sample code to do that:

        // Using directives added so the snippet compiles; needs the
        // Microsoft.WindowsAzure.Storage (or Microsoft.Azure.Cosmos.Table) package.
        using System;
        using System.Threading.Tasks;
        using Microsoft.WindowsAzure.Storage;
        using Microsoft.WindowsAzure.Storage.Table;

        class TableSasDemo
        {
            // Returns the query-string portion of a table-scoped SAS. "AccountKey=X" is a placeholder.
            static async Task<string> GenerateTableSasAsync()
            {
                var connectionString = "DefaultEndpointsProtocol=https;AccountName=tableaccount;AccountKey=X;TableEndpoint=https://tableaccount.table.cosmosdb.azure.com:443/;";
                var tableName = "ATable";

                CloudStorageAccount storageAccount = CloudStorageAccount.Parse(connectionString);
                CloudTableClient tableClient = storageAccount.CreateCloudTableClient();
                CloudTable table = tableClient.GetTableReference(tableName);
                await table.CreateIfNotExistsAsync();

                // Ad-hoc policy: the expiry and the permissions travel inside the token itself.
                SharedAccessTablePolicy policy = new SharedAccessTablePolicy()
                {
                    SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1000),
                    Permissions = SharedAccessTablePermissions.Add
                    | SharedAccessTablePermissions.Query
                    | SharedAccessTablePermissions.Update
                    | SharedAccessTablePermissions.Delete
                };

                // No stored access policy identifier and no partition/row key range: the SAS covers the whole table.
                string sasToken = table.GetSharedAccessSignature(
                    policy, null, null, null, null, null);

                return sasToken;
            }
        }

This returns the query portion of the URL you will need to create a SAS URL.

Another, code-free, way to get a SAS URL is to go to https://azure.microsoft.com/en-us/features/storage-explorer/ and download the Azure Storage Explorer. When you start it up it will show you the "Connect to Azure Storage" dialog. In that case:

  1. Choose "Use a connection string or a shared access signature URI" and click Next.
  2. Choose "Use a connection string", paste in the connection string for your Azure Cosmos DB Table API account from the Azure Portal, click Next, and then click Connect in the next dialog.
  3. In the explorer pane on the left, find your account under "Storage Accounts" (not "Cosmos DB Accounts (Preview)"), click on Tables, and then right-click on the specific table you want to explore. In the right-click menu you will see "Get Shared Access Signature"; click on that.
  4. A new dialog titled "Generate Shared Access Signature" will show up. Unfortunately an error dialog complaining about "NotImplemented" will too; you can ignore it. Just click OK on the error dialog.
  5. Now you can choose how to configure your SAS. I usually just take the defaults since that gives maximum access. Now click Create.

The result will be a dialog with both a complete URL and a query string.

So now we can take that URL (or create it ourselves using the query output from the code) and create a Fiddler request:

GET https://tableaccount.table.cosmosdb.azure.com/ATable?se=2018-01-12T05%3A22%3A00Z&sp=raud&sv=2017-04-17&tn=atable&sig=X&$filter=PartitionKey%20eq%20'Foo'%20and%20RowKey%20eq%20'bar' HTTP/1.1
User-Agent: Fiddler
Host: tableaccount.table.cosmosdb.azure.com
Accept: application/json;odata=nometadata
DataServiceVersion: 3.0

To make the request more interesting I added a $filter operation. This is an OData filter that lets us explore the content. Note, btw, that to make the filter work both the Accept and DataServiceVersion headers are needed. But you can use the base URL (e.g. without the filter parameter) to make any of the REST API calls on a specific table.

Do be aware that the SAS token is scoped to an individual table. So higher-level operations won't work with this SAS token.

