[jira] [Commented] (HADOOP-14627) Enable new features of ADLS SDK (MSI, Device Code auth)

Wed, 05 Jul 2017 17:43:12 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075706#comment-16075706
 ] 

Mingliang Liu commented on HADOOP-14627:
----------------------------------------

Current change is good. I just propose the general idea. Thanks!

> Enable new features of ADLS SDK (MSI, Device Code auth)
> -------------------------------------------------------
>
>                 Key: HADOOP-14627
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14627
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/adl
>         Environment: MSI Change applies only to Hadoop running in an Azure VM
>            Reporter: Atul Sikaria
>            Assignee: Atul Sikaria
>         Attachments: HADOOP-14627-001.patch
>
>
> This change is to upgrade the Hadoop ADLS connector to enable new auth 
> features exposed by the ADLS Java SDK.
> Specifically:
> MSI Tokens: MSI (Managed Service Identity) is a way to provide an identity to 
> an Azure Service. In the case of VMs, they can be used to give an identity to 
> a VM deployment. This simplifies managing Service Principals, since the creds 
> don’t have to be managed in core-site files anymore. The way this works is 
> that during VM deployment, the ARM (Azure Resource Manager) template needs to 
> be modified to enable MSI. Once deployed, the MSI extension runs a service on 
> the VM that exposes a token endpoint to http://localhost at a port specified 
> in the template. The SDK has a new TokenProvider to fetch the token from this 
> local endpoint. This change would expose that TokenProvider as an auth option.
> DeviceCode auth: This enables a token to be obtained from an interactive 
> login. The user is given a URL and a token to use on the login screen. User 
> can use the token to login from any device. Once the login is done, the token 
> that is obtained is in the name of the user who logged in. Note that because 
> of the interactive login involved, this is not very suitable for job 
> scenarios, but can work for ad-hoc scenarios like running “hdfs dfs” commands.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to