georgew5656 opened a new pull request, #15287:
URL: https://github.com/apache/druid/pull/15287

   ### Description
   Druid does not support various forms of auth that Azure Storage Accounts has 
added support for, like Service Client auth, Workload Identity Auth (e.g. for 
AKS) or managed identity Auth. Adding the AzureDefaultCredential chain to the 
azure clients druid uses allows support for configuring these things. See: 
https://learn.microsoft.com/en-us/java/api/overview/azure/identity-readme?view=azure-java-stable
   
   In order to support this new identity library, I had to upgrade the Druid Azure client libraries for blob storage (they were very old anyway).
   
   - Many of the changes from the client upgrade were pretty straightforward (I used these .NET docs a lot: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.Blobs/AzureStorageNetMigrationV12.md#class-conversion-reference)
   - Most of these changes are in AzureStorage
   
   Less straightforward changes:
   - The client supports retrying requests by default, so I removed instances of RetryUtils in favor of using the client directly. There are several places where Druid uses a different retry configuration for different Azure operations, so I had to add AzureClientFactory to support creating additional clients on the fly (because the library doesn't let you override the retry policy on existing clients). I also updated AzureStorage to reuse these per-container overridden clients; the new client is stateless, so it is technically fine to just recreate a client each time, but I figured it would be better to reuse them as a performance optimization. A couple of the tests were removed because they were testing this retry functionality.
   - I had to change the AzureCloudBlobIterator because the new client supports pagination by default (it only fetches additional pages if you request additional items).
   - I removed some of the mocks from the tests and added a test implementation (TestPagedResponse). This let me remove the ListBlobItemHolder class that was mostly there for testing.
   
   #### Release note
   - Upgrade Druid Azure client libraries
   - Support AzureDefaultCredential for Druid auth to Azure services
   
   ##### Key changed/added classes in this PR
   * AzureClientFactory
   * AzureAccountConfig
   * AzureCloudBlobIterator
   * AzureStorage
   * AzureStorageDruidModule
   <hr>
   
   
   This PR has:
   
   - [X] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md)
   - [ ] added documentation for new or modified features or behaviors.
   - [ ] a release note entry in the PR description.
   - [ ] added Javadocs for most classes and all non-trivial methods. Linked 
related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in 
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code 
wherever would not be obvious for an unfamiliar reader.
   - [X] added unit tests or modified existing tests to cover new code paths, 
ensuring the threshold for [code 
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
 is met.
   - [ ] added integration tests.
   - [X] been tested in a test Druid cluster.
   
   I have tested the following scenarios for auth:
   - SAS token auth
   - Key auth
   - Workload identity auth (using a k8s serviceAccount and managed identity to mount credentials for Druid running on a pod in AKS)
   - Environment variable auth (using an App registration client id/secret)
   - Managed identity auth (I technically have not tested this directly on a VM, but I am pretty sure this will work on a VM with a managed identity by setting the managedIdentityClientId property: https://github.com/Azure/azure-sdk-for-java/wiki/Azure-Identity-Examples#authenticating-in-azure-with-managed-identity)
   
   Technically the AzureDefaultCredential supports more types of auth but I did not test any of them.
   
   I also tested the following migration scenarios:
   - Cluster running old Azure extension using a SAS token -> new Azure extension using a SAS token
   - SAS token (new client) -> workload credential auth (new client)
   
   For actual functionality I tested all the basic Druid functionality (ingesting data from Azure, creating and loading segments, managing task logs, killing segments), but I didn't test any of the retry logic that the new clients promise.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
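The three mechanics the description touches (the azure-identity credential chain, a separate client per retry configuration because azure-storage-blob v12 fixes the retry policy when the client is built, and lazy page-by-page listing) in one added Java example. This is example code written for this page, not Druid's AzureClientFactory or AzureStorage: the class name ExampleAzureClientFactory, the retry numbers, the endpoint format and the countBlobs helper are assumptions, and running it needs a real storage account.

```java
// Added example, not part of the Druid PR. Uses azure-storage-blob v12 and
// azure-identity as published by Microsoft; ExampleAzureClientFactory, the
// retry values and countBlobs are assumptions made for illustration.
import com.azure.core.http.rest.PagedIterable;
import com.azure.core.http.rest.PagedResponse;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import com.azure.storage.blob.models.BlobItem;
import com.azure.storage.blob.models.ListBlobsOptions;
import com.azure.storage.common.StorageSharedKeyCredential;
import com.azure.storage.common.policy.RequestRetryOptions;
import com.azure.storage.common.policy.RetryPolicyType;

import java.time.Duration;
import java.util.HashMap;
import java.util.Map;

public final class ExampleAzureClientFactory {
  private final String account;
  private final String key;                     // non-null only for key auth
  private final String sasToken;                // non-null only for SAS auth
  private final String managedIdentityClientId; // non-null only for user-assigned MI

  // The retry policy lives in the HTTP pipeline and is fixed at build time,
  // so one client is cached per distinct retry configuration (keyed by maxTries).
  private final Map<Integer, BlobServiceClient> clientsByMaxTries = new HashMap<>();

  public ExampleAzureClientFactory(String account, String key, String sasToken,
                                   String managedIdentityClientId) {
    this.account = account;
    this.key = key;
    this.sasToken = sasToken;
    this.managedIdentityClientId = managedIdentityClientId;
  }

  // Returns a client whose pipeline retries up to maxTries times, reusing it on later calls.
  public synchronized BlobServiceClient clientWithMaxTries(int maxTries) {
    return clientsByMaxTries.computeIfAbsent(maxTries, this::build);
  }

  private BlobServiceClient build(int maxTries) {
    // exponential backoff: 60 s per try, 1 s base delay, 30 s cap, no secondary host
    RequestRetryOptions retry = new RequestRetryOptions(
        RetryPolicyType.EXPONENTIAL, maxTries, 60, 1000L, 30_000L, null);
    BlobServiceClientBuilder builder = new BlobServiceClientBuilder()
        .endpoint("https://" + account + ".blob.core.windows.net")
        .retryOptions(retry);

    if (key != null) {
      builder.credential(new StorageSharedKeyCredential(account, key));
    } else if (sasToken != null) {
      builder.sasToken(sasToken);
    } else {
      // Credential chain: environment, workload identity, managed identity, developer tools...
      DefaultAzureCredentialBuilder cred = new DefaultAzureCredentialBuilder();
      if (managedIdentityClientId != null) {
        cred.managedIdentityClientId(managedIdentityClientId); // pick the user-assigned identity
      }
      builder.credential(cred.build());
    }
    return builder.buildClient();
  }

  // Page-by-page listing: the next page is requested only when the loop asks for it,
  // so a caller that stops early never fetches the rest of the container.
  public static long countBlobs(BlobServiceClient client, String container,
                                String prefix, int pageSize) {
    BlobContainerClient c = client.getBlobContainerClient(container);
    ListBlobsOptions opts = new ListBlobsOptions().setPrefix(prefix).setMaxResultsPerPage(pageSize);
    PagedIterable<BlobItem> blobs = c.listBlobs(opts, Duration.ofSeconds(60));
    long n = 0;
    for (PagedResponse<BlobItem> page : blobs.iterableByPage()) {
      n += page.getValue().size();
    }
    return n;
  }
}
```

One caveat worth keeping in mind when adopting the default credential chain: it tries several sources in order, so a process that is meant to run as a workload or managed identity can silently fall back to whatever developer credentials happen to be present on the host. Where the intended source is known, building that credential directly (for example ManagedIdentityCredentialBuilder with the client id) gives a tighter failure mode than the full chain.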