Thomas Marqardt created HADOOP-16730:
----------------------------------------
Summary: ABFS: Support for Shared Access Signatures (SAS)
Key: HADOOP-16730
URL: https://issues.apache.org/jira/browse/HADOOP-16730
Project: Hadoop Common
Issue Type: New Feature
Components: fs/azure
Affects Versions: 3.2.1
Reporter: Thomas Marqardt
Assignee: Sneha Vijayarajan
ABFS supports OAuth and Shared Key but currently lacks support for [Shared
Access Signatures
(SAS)|[https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]].
SAS is a great way to constrain access to a low-privilege ABFS client. The
ABFS client does not need to possess persistent credentials for accessing
storage but instead can request temporary, constrained access tokens from a
trusted endpoint. This endpoint can authenticate the caller, make an
authorization decision and return a constrained SAS token. The token may have
an expiration, it may be scoped to a specific file or directory, and it may
grant an action or set of actions such as read, write, list, or delete.
Azure Storage also has a new identity based SAS scheme in preview named
Delegation SAS. These new Delegation SAS have these advantages over Service
SAS:
1) Delegation SAS provide authentication as well as authorization. The user
identity associated with each request will appear in the logs when logging is
enabled for the account.
2) Instead of using storage account keys to sign tokens, Delegation SAS relies
on keys assigned to each user. These keys are called user delegation keys. If
a storage account key is leaked, an attacker would have full access to the
storage account. If a user delegation key is leaked, an attacker would only
have access to resources that user has access to within the Blob service–for
example, the user might only have read access to a specific container.
This feature will add support for the ABFS driver to authenticate against a
trusted endpoint. The endpoint will return a SAS which the ABFS driver will use
to access Azure storage. The SAS may be a container or directory SAS to be
used for all subsequent operations, and thus cached for the lifetime of the
filesystem. Or it may be a SAS to be used for the current filesystem
operation, in this case, the ABFS driver will request a SAS for each operation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
