Community Articles

wsalazar · ‎12-04-2016

First ... if you need background Azure Event Hubs go here: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-overview

Second, its handy to know why you need a SAS token and what you can do once you have one. See: https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-authentication-and-security-model-overv...

We will use an example configuration for and Event Hub service. The corresponding data for your service can be found on the details page of the share access policy you want to use. More information on this topic can be found here

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-shared-access-signature-aut...

From the shared access policy "hub-nifi"'s detail page we can get all the information we need to create our token from the connection string-primary key field

Endpoint=sb://nifi-eventhub.servicebus.windows.net/;
SharedAccessKeyName=hub-user;
SharedAccessKey=2hmLYbJk2q5uZ2Yfyl0XSezXbxD+afO9ysh0Vsv4Xq8=;EntityPath=hub1

A SAS token is simply the hash of a string consisting of two substrings, the endpoint URL and the date the token should expire. The expiration date should be in Unix epoch format. The format for the string is <resourceURI> + \n + <expiry>

For our example the URL is https://eventhub-nifi.servicebus.windows.net/hub-nifi and for <expiry> we arbitrarily used Thu Dec 08 2016 06:26:40 UTC-0600 which is 1481200000 in Unix epic.

The string to hash is then

http://nifi-eventhub.servicebus.windows.net/hub1\n1481868000

Before hashing this string we must URL Encode it, which would result in

http%3A%2F%2Fnifi-eventhub.servicebus.windows.net%2Fhub1\n1481868000

Hash the URL encoded string using the shared access key and openssl. The format of the openssl command is:

echo -n -e 'value' | openssl sha256 -binary -hmac 'key' | openssl base64

using our example values

echo -e -n 'http%3A%2F%2Fnifi-eventhub.servicebus.windows.net%2Fhub1\n1481868000' | openssl dgst -sha256 -binary -hmac '2hmLYbJk2q5uZ2Yfyl0XSezXbxD+afO9ysh0Vsv4Xq8=' | openssl base64

The output should be similar to

ZYxl4SEwnNMa/gir+aYgkb5rZv/6vUCqh1+NZgIGI4s=

To make a HTTP request to an Event Hubs endpoint a "Authorization" property must be added to the headers of the request. IMPORTANT URL encode the hash before using it in the token

The value of the authorization property is formatted as

Authorization: SharedAccessSignature sr={URI}&sig={HMAC_SHA256_SIGNATURE}&se={EXPIRATION_TIME}&skn={KEY_NAME}

Using our example values the property are

Authorization: SharedAccessSignature sig=ZYxl4SEwnNMa%2Fgir%2BaYgkb5rZv%2F6vUCqh1%2BNZgIGI4s%3D&se=1481868000&skn=hub-user&sr=http%3A%2F%2Fnifi-eventhub.servicebus.windows.net%2Fhub1

use curl to confirm the token we have generated works

curl -v -H 'Authorization: SharedAccessSignature sig=ZYxl4SEwnNMa%2Fgir%2BaYgkb5rZv%2F6vUCqh1%2BNZgIGI4s%3D&se=1481868000&skn=hub-user&sr=http%3A%2F%2Fnifi-eventhub.servicebus.windows.net%2Fhub1' --data 'hello world!' https://nifi-eventhub.servicebus.windows.net/hub1/messages?timeout=60\&api-version=2014-01

peter_doornbosc · ‎04-13-2017

Thanks for sharing.

There are a few inaccuracies:

the example URL https://eventhub-nifi.servicebus.windows.net/hub-nifi differs from what you actually use in the example
what is even more confusing, it that the URL you encode and hash is http; this however does not work, the hashed URL should be https
the text says (or at least suggest) that the string contain of the URL with the "\n" and date append, must be URL-encoded, but this wont work: first the URL must be encoded and after that, the "\n" and date must be appended.

Cloudera Community

Community Articles

Creating Shared Access Signature (SAS) token for Azure Event Hubs REST API

Apache NiFi

Re: Creating Shared Access Signature (SAS) token for Azure Event Hubs REST API