PowerBI Embedded (App Owns Data) Creating embed token with effective identity fails

Submitted by 喜你入骨 on 2020-12-07 07:51:16

Question


The error message I get is:

Creating embed token for accessing dataset <my-data-set-guid> requries effective identity username to be identical to the caller's principal name.

I am using PowerBI Embedded inside a .NET Core 2.2 Web App with a master account (as opposed to a service principal). Behind the scenes is Azure Active Directory and Azure Analysis Services with Live Connection. I am trying to pass in an effective identity based on the currently logged-in user so that their permissions are used for loading the report.

My code is as follows:

// Namespaces required by the snippets below (added so the fragments compile as posted)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.PowerBI.Api;
using Microsoft.PowerBI.Api.Models;
using Microsoft.Rest;

// In Razor Page Get method
// Read the signed-in user's claims; the UPN and role claim are forwarded to the repository
ClaimsPrincipal user = _httpContextAccessor.HttpContext.User;
List<Claim> claims = user.Claims.ToList();
string name = claims.FirstOrDefault(c => c.Type == "name")?.Value;
string preferredName = claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value;
string roles = claims.FirstOrDefault(c => c.Type == ClaimTypes.Role)?.Value;
string upn = claims.FirstOrDefault(c => c.Type == ClaimTypes.Upn)?.Value;

var SelectedReport = await _reportRepository.GetReportForIdAsync(reportId.Value, upn, roles);

// In Repository
public async Task<EmbeddedReportConfig> GetReportForIdAsync(Guid reportId, string name, string roles)
{
    try
    {
        // Azure AD token for the master (embedding) account
        AzureToken azureToken = await _authenticationHandler.GetAzureTokenDataAsync();

        using (PowerBIClient powerBiClient = new PowerBIClient(new Uri(_powerBiSettings.ApiUrl), azureToken.TokenCredentials))
        {
            Report powerBiReport = await powerBiClient.Reports.GetReportAsync(_powerBiSettings.WorkspaceId, reportId.ToString());

            // Comma-separated role claim -> list of RLS roles
            var rolesList = new List<string>();

            if (!string.IsNullOrWhiteSpace(roles))
            {
                rolesList.AddRange(roles.Split(','));
            }

            // Effective identity: username is the signed-in user's UPN, scoped to the report's dataset
            List<EffectiveIdentity> rowLevelSecurityIdentity = new List<EffectiveIdentity>
            {
                new EffectiveIdentity(
                    name,
                    roles: rolesList,
                    datasets: new List<string> {powerBiReport.DatasetId}
                )
            };
            GenerateTokenRequest powerBiTokenRequestParameters = new GenerateTokenRequest("View", null, identities: rowLevelSecurityIdentity);

            EmbedToken powerBiTokenResponse = await powerBiClient.Reports.GenerateTokenInGroupAsync(_powerBiSettings.WorkspaceId, powerBiReport.Id, powerBiTokenRequestParameters);

            return new EmbeddedReportConfig
            {
                ReportId = Guid.Parse(powerBiReport.Id),
                Name = powerBiReport.Name,
                EmbedUrl = powerBiReport.EmbedUrl,
                AccessToken = powerBiTokenResponse.Token
            };
        }
    }
    catch (HttpOperationException ex)
    {
        // https://community.powerbi.com/t5/Developer/quot-shouldn-t-have-effective-identity-quot-error-when-passing/td-p/433730
        // https://docs.microsoft.com/en-us/power-bi/developer/embedded-row-level-security
        // Bad Request: the response body carries the error message quoted above
        var content = ex.Response.Content;
        Console.WriteLine(content);
    }

    return null;
}

As you can see, I pass in the user's UPN for the Effective Identity name. If I sign in as the master user (for embedding) then the request for the token will succeed, but if I use any other account that belongs to the same AAD tenant then it fails with the error message above.

I see that others have run into this issue before here. Using the CustomData functionality as mentioned here will not work, as not all of the data tables are tagged with the UPN; there are separate roles set up inside Azure Analysis Services.

I noticed some mention of adding UPN mapping (link1, link2) but I'm not sure if I can use this because the BI Analyst set up the Data Gateway inside the Azure Portal rather than in the PowerBI portal.

I have tried using the sample App Owns Data application but I run into the same issue.


Answer 1:


I realise this question is old now but maybe this will help someone.

You need to set the EffectiveIdentity username property to the service principal object ID as per this article.
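The following is an added example of the answer's approach, not code from the question or the answer: it keeps the caller's own principal (service principal object ID, or the master account UPN when no service principal is used) in the username field, which is what the API checks against the token's principal name, and validates the inputs before the token request is built. The constructor parameter names (datasets, roles, customData) are assumed to match the Microsoft.PowerBI.Api version used in the question.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.PowerBI.Api.Models;

// Added example (not from the question or answer). Separates the caller's
// principal from the end user so the "username must be identical to the
// caller's principal name" rejection is caught before calling the API.
public static class EffectiveIdentityBuilder
{
    // callerPrincipal: object ID of the service principal that acquired the Azure AD
    //   token, or the master account UPN when embedding with a master account.
    // endUserUpn: optional; placed in CustomData so Azure Analysis Services roles
    //   that filter on CUSTOMDATA() can apply the signed-in user's restrictions.
    public static EffectiveIdentity Build(
        string callerPrincipal, string endUserUpn, IList<string> roles, string datasetId)
    {
        if (string.IsNullOrWhiteSpace(callerPrincipal))
            throw new ArgumentException(
                "Caller principal (service principal object ID or master UPN) is required.",
                nameof(callerPrincipal));
        if (string.IsNullOrWhiteSpace(datasetId))
            throw new ArgumentException("Dataset ID is required.", nameof(datasetId));

        return new EffectiveIdentity(
            callerPrincipal,
            datasets: new List<string> { datasetId },
            roles: roles ?? new List<string>(),
            customData: string.IsNullOrWhiteSpace(endUserUpn) ? null : endUserUpn);
    }

    // Wraps the identity in a read-only ("View") token request for the report.
    public static GenerateTokenRequest BuildTokenRequest(EffectiveIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException(nameof(identity));
        return new GenerateTokenRequest("View", null,
            identities: new List<EffectiveIdentity> { identity });
    }
}
```

Pass the request returned by BuildTokenRequest to GenerateTokenInGroupAsync exactly as in the question's repository code; only the identity construction changes.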



Source: https://stackoverflow.com/questions/55254188/powerbi-embedded-app-owns-data-creating-embed-token-with-effective-identity-fa
