我有上传新资产的代码。创建用于流式传输和缩略图创建的转码作业。然后轮询要更新的代码转换作业的状态更改。
这一切在本地机器上运行良好。当在Azure网站上运行时,我收到:
Access is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Cryptography.CryptographicException: Access is denied.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[CryptographicException: Access is denied.
]
System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags) +1985499
Microsoft.WindowsAzure.MediaServices.Client.EncryptionUtils.SaveCertificateToStore(X509Certificate2 certToStore) +64
Microsoft.WindowsAzure.MediaServices.Client.ContentKeyBaseCollection.GetCertificateForProtectionKeyId(DataServiceContext dataContext, String protectionKeyId) +201
Microsoft.WindowsAzure.MediaServices.Client.JobData.ProtectTaskConfiguration(TaskData task, X509Certificate2& certToUse, DataServiceContext dataContext) +285
Microsoft.WindowsAzure.MediaServices.Client.JobData.InnerSubmit(DataServiceContext dataContext) +540
Microsoft.WindowsAzure.MediaServices.Client.JobData.SubmitAsync() +63
Microsoft.WindowsAzure.MediaServices.Client.JobData.Submit() +25
SEISMatch.MediaServices.AzureMediaServices.ProcessVideo(Video video) +498
SEISMatch.BusinessLogic.MediaServicesManager.StartProcessingMedia(Video v) +48
SEISMatch.BusinessLogic.VideoManager.UploadComplete(Guid guid) +493
lambda_method(Closure , ControllerBase , Object[] ) +155
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +182
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +58
System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +225
System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +24
System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +99
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +50
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +39
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +29
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +31
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9629296
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
我在其他地方找到了这个错误的参考资料。但没有解释如何在Azure网站上下文中解决它。假设可以使用Azure网站与Azure媒体服务进行交互?该错误是由于试图为媒体服务库中的某些内部功能保存证书而导致的。
我的代码看起来像:
var inputAsset = mediaContext.Assets.Where(a => a.Name == video.AssetName).FirstOrDefault();
IJob job = mediaContext.Jobs.Create(video.FileName + " Processing");
var thumbnailAssetID = AddThumbnailExtractionTask(job, inputAsset);
var encodedAsset = AddEncodeTask(job, inputAsset);
job.Submit(); //Error thrown here
它正在崩溃:https://github.com/WindowsAzure/azure-sdk-for-media-services/blob/3b2d5e227b2622c6d78fb10b1a733b188f1a6767/src/net/Client/DuplicatedFiles/EncryptionUtils.cs
在SaveCertificateToStore期间,特别是在存储中。打开(OpenFlags.ReadWrite).
其中:https://github.com/WindowsAzure/azure-sdk-for-media-services/blob/3b2d5e227b2622c6d78fb10b1a733b188f1a6767/src/net/Client/ContentKeyBaseCollection.cs
保存从这里调用:
/// <summary>
/// Gets the certificate for protection key id.
/// </summary>
/// <param name="dataContext">The data context.</param>
/// <param name="protectionKeyId">The protection key id.</param>
/// <returns>The content key.</returns>
internal static X509Certificate2 GetCertificateForProtectionKeyId(DataServiceContext dataContext, string protectionKeyId)
{
// First check to see if we have the cert in our store already.
X509Certificate2 certToUse = EncryptionUtils.GetCertificateFromStore(protectionKeyId);
if ((certToUse == null) && (dataContext != null))
{
// If not, download it from Nimbus to use.
Uri uriGetProtectionKey = new Uri(string.Format(CultureInfo.InvariantCulture, "/GetProtectionKey?protectionKeyId='{0}'", protectionKeyId), UriKind.Relative);
IEnumerable<string> results2 = dataContext.Execute<string>(uriGetProtectionKey);
string certString = results2.Single();
byte[] certBytes = Convert.FromBase64String(certString);
certToUse = new X509Certificate2(certBytes);
// Finally save it for next time.
EncryptionUtils.SaveCertificateToStore(certToUse);
}
return certToUse;
}
这应该捕获异常并对其进行处理,因为它的序列化不是强制性的(由于权限限制,在网站中是不可能的)。
类似于:
// Finally try to save it for next time, as an optimization.
try{
EncryptionUtils.SaveCertificateToStore(certToUse);
}
catch()
{
//Do nothing, this is not mandatory and breaks Azure WebSites deployment scenarios where they do not have rights to X509Stor.Open().
//Ref: http://stackoverflow.com/questions/18056707/create-azure-media-services-job-from-azure-shared-website
}
目前,我们没有资源对此进行测试/确认。如果你可以通过上述更改重新构建SDK的GitHub,那么你应该可以跳过这一步。
为了使用媒体服务sdk用来加密内容的证书,asp.net进程需要具有使用证书操作所需的权限。
不幸的是,所描述的行为是意料之中的,并且目前没有办法在Window Azure网站中放松此安全策略。
如果对资产使用任何加密方法对您的案件都不重要,尝试将AssetCreateOptions显式设置为AssetCreationOptions.None以避免使用证书操作
IAsset asset = _dataContext.Assets.Create("Test", AssetCreationOptions.None);
这似乎不是一种简单的方法。可以通过编写自己的MediaServices客户端库来避免证书限制。这显然是一项巨大的工作。
我通过将网站移动到Azure WebRole来解决此问题。由于部署时间或成本增加,这并不理想。但这似乎是唯一的办法。
另一种选择是使用消息队列和WorkerRole或单独的服务WebRole与WAMS通信。然后让网站仍然作为Azure网站存在。但要与新的中间人沟通。
同时使用很重要
TaskOptions.None
参见https://github.com/Azure/azure-sdk-for-media-services/issues/82