Summary
When using Event Hubs, one common scenario is for untrusted parties, such as IoT devices, to publish events to a given Event Hub. Because these callers are untrusted, it is desirable to manage them at a granular level that doesn't impact all interactions with an Event Hub. In many cases, using AAD principals is either not possible due to device support, undesirable due to the overhead of managing a large number of identities, or may have cost barriers.
For granularity of access, it is possible to create a publisher entity for a given Event Hub and apply access policies to that publisher. This controls authorization on a more granular level than the Event Hub alone and helps to allow individuals or a small group of publishers to be managed as a unit without any actions impacting other publishers.
Scope of Work
Draft an informal design that allows for publishers to be specified when creating the Event Hubs clients, and which is suitable for team and architect review.
Once the design has been discussed and approved, create the issues needed for its implementation and provide the level of effort estimation for scheduling.
Success Criteria
An informal design has been documented to illustrate the proposed approach and detail any public-facing API changes.
The design has been shared within the Event Hubs feature team and with the .NET architect for feedback; any tweaks or iterations to the design have been captured and the design has been updated.
A point-in-time decision has been made as to whether we should move forward with the proposed feature or continue to monitor developer feedback if we feel that it is not yet justified.
If moving forward, the changes for any public API surface have been approved by the .NET language architect.
Issues to track any work that results from the design/review have been filed and triaged.
Illustration of Legacy Approach
Related Issues and References