[ https://issues.apache.org/jira/browse/HADOOP-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16115287#comment-16115287 ]
John Zhuge edited comment on HADOOP-14627 at 8/5/17 5:43 AM:
-------------------------------------------------------------
Thanks [~ASikaria] for the new rev. Looking great except a few minors:
* Use all upper case {{MSI}} except in config property names.
* Convert {{fs.adl.oauth2.devicecode.ClientAppId}} to all lower case.
* At AdlConfKeys.java#61, need a space after "//" in "//DeviceCode Auth configuration".
* AdlFileSystem#getAdlStoreClient is unused.
was (Author: jzhuge):
Thanks [~ASikaria] for the new rev. Looking great except a few minors:
* Use all upper case {{MSI}} except in config property names.
* Convert {{fs.adl.oauth2.devicecode.ClientAppId}} to all lower case.
> Support MSI and DeviceCode token provider
> -----------------------------------------
>
> Key: HADOOP-14627
> URL: https://issues.apache.org/jira/browse/HADOOP-14627
> Project: Hadoop Common
> Issue Type: Improvement
> Components: fs/adl
> Environment: MSI Change applies only to Hadoop running in an Azure VM
> Reporter: Atul Sikaria
> Assignee: Atul Sikaria
> Attachments: HADOOP-14627-001.patch, HADOOP-14627.002.patch
>
>
> This change is to upgrade the Hadoop ADLS connector to enable new auth
> features exposed by the ADLS Java SDK.
> Specifically:
> MSI Tokens: MSI (Managed Service Identity) is a way to provide an identity to
> an Azure Service. In the case of VMs, they can be used to give an identity to
> a VM deployment. This simplifies managing Service Principals, since the creds
> don’t have to be managed in core-site files anymore. The way this works is
> that during VM deployment, the ARM (Azure Resource Manager) template needs to
> be modified to enable MSI. Once deployed, the MSI extension runs a service on
> the VM that exposes a token endpoint to http://localhost at a port specified
> in the template. The SDK has a new TokenProvider to fetch the token from this
> local endpoint. This change would expose that TokenProvider as an auth option.
> DeviceCode auth: This enables a token to be obtained from an interactive
> login. The user is given a URL and a token to use on the login screen. The user
> can use the token to log in from any device. Once the login is done, the token
> that is obtained is in the name of the user who logged in. Note that because
> of the interactive login involved, this is not very suitable for job
> scenarios, but can work for ad-hoc scenarios like running “hdfs dfs” commands.
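The issue description above says MSI removes the need to keep Service Principal credentials in core-site files, and the review asks for an all-lower-case device-code key. The following audit of a site file for both conditions is an added example, not code from the patch or the Hadoop project. Assumptions: every key name except the device-code one, the provider type values `Msi` and `DeviceCode`, and all sample values are not taken from the message.

```python
import xml.etree.ElementTree as ET

# Key names other than the device-code one, and the provider type values,
# are assumptions about the ADLS connector; they are not in the message above.
TYPE_KEY = "fs.adl.oauth2.access.token.provider.type"
SECRET_KEYS = {"fs.adl.oauth2.credential", "fs.adl.oauth2.refresh.token"}
KNOWN_KEYS = SECRET_KEYS | {TYPE_KEY, "fs.adl.oauth2.client.id",
    "fs.adl.oauth2.refresh.url", "fs.adl.oauth2.msi.port",
    "fs.adl.oauth2.devicecode.clientappid"}  # last: lower-case form asked for in review

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop site file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_adl_auth(xml_text):
    """Return sorted (key, finding) tuples for the ADLS OAuth2 settings."""
    props = load_properties(xml_text)
    provider = props.get(TYPE_KEY, "")
    by_lower = {k.lower(): k for k in KNOWN_KEYS}
    findings = []
    for key, value in props.items():
        canonical = by_lower.get(key.lower())
        if canonical and canonical != key:
            # Hadoop property names are case-sensitive: this entry is never read.
            findings.append((key, "wrong case, expected " + canonical))
        if key in SECRET_KEYS and value:
            note = "secret stored in site file"
            if provider.lower() in ("msi", "devicecode"):
                note += ", unused by provider type " + provider
            findings.append((key, note))
    if provider.lower() == "devicecode":
        findings.append((TYPE_KEY, "interactive login, unsuitable for unattended jobs"))
    return sorted(findings)

# Constructed sample, not a real deployment; port and values are placeholders.
SAMPLE = """<configuration>
  <property><name>fs.adl.oauth2.access.token.provider.type</name><value>Msi</value></property>
  <property><name>fs.adl.oauth2.msi.port</name><value>8765</value></property>
  <property><name>fs.adl.oauth2.credential</name><value>CONSTRUCTED-PLACEHOLDER</value></property>
  <property><name>fs.adl.oauth2.devicecode.ClientAppId</name><value>CONSTRUCTED-APP-ID</value></property>
</configuration>"""

if __name__ == "__main__":
    for key, finding in audit_adl_auth(SAMPLE):
        print(key + ": " + finding)
```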