Handle blob events from storage accounts in multiple Azure Subscriptions in different AD Tenants?


Question


Is it possible to get notified about blobCreated events happening in multiple storage accounts that live in multiple Azure Subscriptions?

I would like to handle blob created events happening in arbitrary storage accounts in a central Azure Function which lives in my subscription, but I would like to give customers the possibility to store the data in their own subscription.

I was thinking about using Event Grid Webhook endpoints to route the events to my central Azure Function. Would this be a solid approach to enable multi-subscription scenarios?

Edit: To be more precise, I need this to work across different tenants (as our customers would bring their own subscriptions and we need to integrate them without assigning them to our AD tenant).

Solution

Based on our discussion, the following screen snippets show your multi-tenant fan-in scenarios.

Subscribing to the distributed interest source across the Azure subscriptions (multi-tenant) is done by mapping the topic to the webhook endpoint. Note that the topic represents the full resource path (id) of the place where the event is posted (published) to the AEG service. This path is in the scope of the current tenant; see the following example:

"topic": "/subscriptions/myID/resourceGroups/myRG/providers/microsoft.storage/storageaccounts/mySA"

"endpointBaseUrl": "https://myFnc.azurewebsites.net/runtime/webhooks/EventGrid?functionName=myEventGridTrigger&code=xxxx"

This mapping is declared in the subscription metadata, which is stored in the same scope as the topic. On the other hand, the webhook endpoint itself can be outside of this scope.

Another, more complex solution, with full isolation from the tenants using event distribution in a FAN-OUT Pub/Sub manner, is shown in the following screen snippet:

In the above solution, the fan-in subscriber can mediate the original event message into a properly business-oriented event message, including a short-lived sasToken for accessing the blob metadata and/or body, etc.

To create an event subscription in your tenant with an event handler for your EventGridTrigger function, you can use, for instance, the REST API call; see the following example:

   PUT https://management.azure.com/subscriptions/myId/resourceGroups/myRG/providers/Microsoft.Storage/storageaccounts/mySA/providers/Microsoft.EventGrid/eventSubscriptions/mySubscription?api-version=2019-01-01

Headers:

  Authorization:Bearer eyJ0eXAiOiJKV1QiLCJhb....

Body (minimum payload):

{
  "properties": {
    "destination": {
      "endpointType": "WebHook",
      "properties": {
        "endpointUrl": "https://myFnc.azurewebsites.net/runtime/webhooks/EventGrid?functionName=myEventGridTrigger&code=xxxxxxxx..."
      }
    }
  }
}

UPDATE:

Another way of using the Azure Event Grid Pub/Sub model in an isolated multi-tenant distributed eventing architecture is its cascading. The logical event pipeline can be constructed via cascading of Azure Event Grids, such as subscribing one Azure Event Grid to another one using a custom topic.

The following screen snippet shows an example of Azure Event Grid cascading:

The cascading concept, which is based on the Fan-In to Fan-Out pattern, is enabled by subscribing a custom topic endpoint to the WebHook event handler of another event grid model in the standard Pub/Sub manner.

Note that Azure Event Grid doesn't have a built-in endpoint for cascading into each other, including a validation event loopback. However, the following steps allow Azure Event Grids to be cascaded into each other.

  1. Create a custom topic endpoint with a CustomInputSchema, for example:

    {
      "properties": {
        "inputSchema": "CustomEventSchema",
        "inputSchemaMapping": {
          "properties": {
            "id": {
              "sourceField": null
            },
            "topic": {
              "sourceField": null
            },
            "eventTime": {
              "sourceField": null
            },
            "eventType": {
              "sourceField": "myEventType",
              "defaultValue": "recordInserted"
            },
            "subject": {
              "sourceField": "subject",
              "defaultValue": "/myapp/vehicles/motorcycles"
            },
            "dataVersion": {
              "sourceField": null,
              "defaultValue": "1.0"
            }
          },
          "inputSchemaMappingType": "Json"
        }
      }
    }
    

    Note that the topic property must have "sourceField": null, which is OK for a custom topic (not for event domains).

  2. For the webhook event handler endpoint, use the aeg-sas-key in the URL query string, for example:

    https://myTopic.westus-1.eventgrid.azure.net/api/events?aeg-sas-key=xxxxxxxxxx

    Note that the aeg-sas-key value must be a URL-encoded string.

  3. For subscription validation, a validationUrl handshake is used in a fire-and-forget manner. It can be implemented in the EventGridTrigger function that is subscribed to the custom topic for cascading purposes. The following code snippet shows an example of this implementation:

    #r "Newtonsoft.Json"
    
    using System;
    using System.Threading.Tasks;
    using System.Net.Http;
    using Microsoft.Extensions.Logging;
    using Newtonsoft.Json.Linq;
    
    // One HttpClient for the lifetime of the function app instead of a new
    // (disposed) instance per invocation, which exhausts sockets under load.
    private static readonly HttpClient client = new HttpClient();
    
    public static async Task Run(JObject eventGridEvent, ILogger log)
    {
       log.LogInformation(eventGridEvent.ToString());
    
       // The custom topic delivers the originally posted event as "data", so the
       // validation event sent to the custom topic endpoint shows up one level down.
       string eventType = $"{eventGridEvent["data"]?["eventType"]?.Value<string>()}";
       if (!string.IsNullOrEmpty(eventType) && eventType == "Microsoft.EventGrid.SubscriptionValidationEvent")
       {
          // Manual validation: the synchronous reply answers the custom topic's
          // delivery, not the upstream subscription, so complete the handshake
          // by GETting the validationUrl (fire and forget; only the status is logged).
          string validationUrl = $"{eventGridEvent["data"]?["data"]?["validationUrl"]?.Value<string>()}";
          var response = await client.GetAsync(validationUrl);
          log.LogInformation(response.ToString());
       }
       else
       {
         // notifications: the original event message is eventGridEvent["data"]
       }
    }
    

    Note that the original event message (the original source interest) is cascaded (nested) in the event data object each time it is published.
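As an added example (not part of the answer above, nor Azure code), the following Python sketch reproduces the handler side of both variants in the answer: the direct cross-tenant subscription created with the PUT request earlier, where the function must answer Event Grid's subscription validation handshake synchronously, and the cascaded variant of steps 1 to 3, where the custom topic's inputSchemaMapping delivers the originally posted event as `data` and the validationUrl has to be fetched. It also adds two checks a practitioner wants once arbitrary customer tenants can post to the webhook URL: a topic allowlist (the URL carries only the function key) and a host check on the validationUrl before following it. All resource IDs, URLs, the allowlist and the sample events are constructed; the mapping emulation assumes that a null or unmatched `sourceField` falls back to `defaultValue` or to a value Event Grid generates.

```python
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"
BLOB_CREATED = "Microsoft.Storage.BlobCreated"

# Hypothetical resource IDs. ALLOWED_SOURCES lists the customer storage accounts
# (each in its own tenant) whose events the central function accepts; the
# webhook URL carries only the function key, so this allowlist is the trust
# boundary of the fan-in and anything else reaching the URL is dropped.
CUSTOMER_SA_TOPIC = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/cust-a-rg"
                     "/providers/Microsoft.Storage/storageAccounts/custasa")
CUSTOM_TOPIC = ("/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/myRG"
                "/providers/Microsoft.EventGrid/topics/myTopic")
ALLOWED_SOURCES = {CUSTOMER_SA_TOPIC.lower()}

# The inputSchemaMapping from step 1, reduced to its per-property rules.
MAPPING = {
    "id": {"sourceField": None},
    "topic": {"sourceField": None},
    "eventTime": {"sourceField": None},
    "eventType": {"sourceField": "myEventType", "defaultValue": "recordInserted"},
    "subject": {"sourceField": "subject", "defaultValue": "/myapp/vehicles/motorcycles"},
    "dataVersion": {"sourceField": None, "defaultValue": "1.0"},
}

# Constructed sample events in the Event Grid schema (not captured from a tenant).
BLOB_EVENT = {
    "id": "e1", "eventType": BLOB_CREATED, "topic": CUSTOMER_SA_TOPIC,
    "subject": "/blobServices/default/containers/incoming/blobs/a.csv",
    "eventTime": "2019-01-01T00:00:00Z", "dataVersion": "", "metadataVersion": "1",
    "data": {"api": "PutBlob", "url": "https://custasa.blob.core.windows.net/incoming/a.csv"},
}
VALIDATION = {
    "id": "v1", "eventType": VALIDATION_EVENT, "topic": CUSTOMER_SA_TOPIC, "subject": "",
    "eventTime": "2019-01-01T00:00:00Z", "dataVersion": "1", "metadataVersion": "1",
    "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
             "validationUrl": "https://rp-westus.eventgrid.azure.net:553/eventsubscriptions/"
                              "mySub/validate?id=x&t=y&apiVersion=2018-05-01-preview&token=z"},
}


def apply_input_schema_mapping(posted, custom_topic_id, mapping=MAPPING):
    """Emulate a custom topic applying a CustomEventSchema mapping (assumed rules).

    Each schema property is read from its sourceField, falling back to defaultValue;
    a null sourceField with no default (id, topic, eventTime) is generated by Event
    Grid, which the three fallbacks stand in for. The whole posted object becomes
    'data', which is why a cascaded event arrives nested one level deeper per hop.
    """
    out = {}
    for name, rule in mapping.items():
        src, default = rule.get("sourceField"), rule.get("defaultValue")
        out[name] = posted.get(src, default) if src else default
    out["id"] = out["id"] or str(uuid.uuid4())
    out["topic"] = out["topic"] or custom_topic_id
    out["eventTime"] = out["eventTime"] or datetime.now(timezone.utc).isoformat()
    out["data"] = posted
    return out


def unwrap(event):
    """Descend while 'data' itself looks like an Event Grid event.
    Returns (innermost event, number of cascade hops)."""
    hops = 0
    while isinstance(event.get("data"), dict) and {"eventType", "data"}.issubset(event["data"]):
        event, hops = event["data"], hops + 1
    return event, hops


def handle_delivery(events):
    """Handle one webhook POST (Event Grid delivers a JSON array of events).

    Returns (http_status, response_body, actions); actions are what a real handler
    would do next, returned instead of executed so the logic runs offline.
    """
    actions = []
    for delivered in events:
        event, hops = unwrap(delivered)
        etype = event.get("eventType")
        if etype == VALIDATION_EVENT:
            if hops == 0:
                # Direct subscription: Event Grid reads the code from the synchronous reply.
                return 200, {"validationResponse": event["data"]["validationCode"]}, actions
            # Cascaded: the synchronous reply answers the custom topic's delivery, not
            # the upstream subscription, so the handshake is completed by GETting the
            # validationUrl. It arrived in an unauthenticated payload, so only follow it
            # to Event Grid's own hosts (documented validationUrls are under eventgrid.azure.net).
            raw = event["data"]["validationUrl"]
            url = urlparse(raw)
            if url.scheme == "https" and (url.hostname or "").endswith(".eventgrid.azure.net"):
                actions.append(("get-validation-url", raw))
            else:
                actions.append(("reject-validation-url", raw))
        elif etype == BLOB_CREATED:
            topic = (event.get("topic") or "").lower()  # resource IDs compare case-insensitively
            if topic in ALLOWED_SOURCES:
                actions.append(("blob-created", event["data"]["url"]))
            else:
                actions.append(("drop-unknown-source", topic))
        else:
            actions.append(("ignore", etype))
    return 200, {}, actions


if __name__ == "__main__":
    print(handle_delivery([VALIDATION]))
    print(handle_delivery([apply_input_schema_mapping(VALIDATION, CUSTOM_TOPIC)]))
    print(handle_delivery([apply_input_schema_mapping(BLOB_EVENT, CUSTOM_TOPIC)]))
```

Running the module shows the three cases: a direct validation event is answered in the response body, the same event arriving through the custom topic has `eventType` "recordInserted" on the outside and is answered by a GET to its validationUrl, and a BlobCreated event is only acted on when its `topic` is one of the customer storage accounts you enrolled.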
