PowerBI Embedded (App Owns Data) Creating embed token with effective identity fails


Problem description

The error message I am getting is:

Creating embed token for accessing dataset <my-data-set-guid> requires an effective identity whose username is the same as the caller's principal name.

I am using PowerBI Embedded inside a .NET Core 2.2 Web App with a master account (as opposed to a service principal). Behind the scenes is Azure Active Directory and Azure Analysis Services with Live Connection. I am trying to pass in an effective identity based off the currently logged in user so that their permissions are used for loading the report.

My code is as follows:

// In Razor Page Get method
ClaimsPrincipal user = _httpContextAccessor.HttpContext.User;
List<Claim> claims = user.Claims.ToList();
string name = claims.FirstOrDefault(c => c.Type == "name")?.Value;
string preferredName = claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value;
string roles = claims.FirstOrDefault(c => c.Type == ClaimTypes.Role)?.Value;
string upn = claims.FirstOrDefault(c => c.Type == ClaimTypes.Upn)?.Value;

var SelectedReport = await _reportRepository.GetReportForIdAsync(reportId.Value, upn, roles);

// In Repository
public async Task<EmbeddedReportConfig> GetReportForIdAsync(Guid reportId, string name, string roles)
{
    try
    {
        AzureToken azureToken = await _authenticationHandler.GetAzureTokenDataAsync();

        using (PowerBIClient powerBiClient = new PowerBIClient(new Uri(_powerBiSettings.ApiUrl), azureToken.TokenCredentials))
        {
            Report powerBiReport = await powerBiClient.Reports.GetReportAsync(_powerBiSettings.WorkspaceId, reportId.ToString());

            var rolesList = new List<string>();

            if (!string.IsNullOrWhiteSpace(roles))
            {
                rolesList.AddRange(roles.Split(','));
            }

            List<EffectiveIdentity> rowLevelSecurityIdentity = new List<EffectiveIdentity>
            {
                new EffectiveIdentity(
                    name,
                    roles: rolesList,
                    datasets: new List<string> {powerBiReport.DatasetId}
                )
            };
            GenerateTokenRequest powerBiTokenRequestParameters = new GenerateTokenRequest("View", null, identities: rowLevelSecurityIdentity);

            EmbedToken powerBiTokenResponse = await powerBiClient.Reports.GenerateTokenInGroupAsync(_powerBiSettings.WorkspaceId, powerBiReport.Id, powerBiTokenRequestParameters);

            return new EmbeddedReportConfig
            {
                ReportId = Guid.Parse(powerBiReport.Id),
                Name = powerBiReport.Name,
                EmbedUrl = powerBiReport.EmbedUrl,
                AccessToken = powerBiTokenResponse.Token
            };
        }
    }
    catch (HttpOperationException ex)
    {
        // https://community.powerbi.com/t5/Developer/quot-shouldn-t-have-effective-identity-quot-error-when-passing/td-p/433730
        // https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security
        //Bad Request
        var content = ex.Response.Content;
        Console.WriteLine(content);
    }

    return null;
}

As you can see I pass in the user's UPN for the Effective Identity name. If I sign in as the master user (for embedding) then the request for the token will succeed, but if I use any other account that belongs to the same AAD tenant then it fails with the error message above.

I see that others have run into this issue before here. Using the CustomData functionality as mentioned here will not work as not all of the data tables are tagged with the UPN; there are separate roles set up inside Azure Analysis Services.

I noticed some mention of adding UPN mapping (link1, link2) but I'm not sure if I can use this because the BI Analyst set up the Data Gateway inside the Azure Portal rather than in the PowerBI portal.

I have tried using the sample App Owns Data application but I run into the same issue.
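An added example, not the question's code, showing how the claims-to-effective-identity step above can be made stricter: it refuses to build an identity for an unauthenticated caller or one without a UPN/preferred_username claim, and it collects every role claim rather than only the first (the question's code uses FirstOrDefault on ClaimTypes.Role, so a user with several roles would only get one). It assumes the same Power BI SDK types the question uses (EffectiveIdentity, GenerateTokenRequest from Microsoft.PowerBI.Api.V2.Models) and does not change the constraint stated in the error message: with a master account, the username still has to match the caller's principal name.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.PowerBI.Api.V2.Models; // assumed: the SDK version used in the question

// Added example, not the question's code.
public static class EffectiveIdentityBuilder
{
    // Builds the RLS effective identity for one dataset from server-side claims only.
    // Throws instead of silently sending a null or empty username to the Power BI API.
    public static EffectiveIdentity FromPrincipal(ClaimsPrincipal user, string datasetId)
    {
        if (user?.Identity?.IsAuthenticated != true)
            throw new InvalidOperationException("Caller is not authenticated; refusing to build an effective identity.");

        if (string.IsNullOrWhiteSpace(datasetId))
            throw new ArgumentException("Dataset id is required.", nameof(datasetId));

        // Prefer the UPN claim; fall back to preferred_username, which the question's code also reads.
        string username = user.FindFirst(ClaimTypes.Upn)?.Value
                          ?? user.FindFirst("preferred_username")?.Value;
        if (string.IsNullOrWhiteSpace(username))
            throw new InvalidOperationException("No UPN or preferred_username claim on the caller.");

        // Collect every role claim, de-duplicated, not just the first one.
        List<string> roles = user.FindAll(ClaimTypes.Role)
                                 .Select(c => c.Value.Trim())
                                 .Where(r => r.Length > 0)
                                 .Distinct(StringComparer.OrdinalIgnoreCase)
                                 .ToList();

        return new EffectiveIdentity(username, roles: roles, datasets: new List<string> { datasetId });
    }

    // Same "View" token request shape as the question, with the identity list built above.
    public static GenerateTokenRequest ViewRequest(EffectiveIdentity identity) =>
        new GenerateTokenRequest(accessLevel: "View", identities: new List<EffectiveIdentity> { identity });
}
```

Call `EffectiveIdentityBuilder.FromPrincipal(_httpContextAccessor.HttpContext.User, powerBiReport.DatasetId)` in place of the manual claim lookups, and pass the result to `ViewRequest` before `GenerateTokenInGroupAsync`.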

Accepted answer

I realise this question is old now but maybe this will help someone.

You need to follow
