[
https://issues.apache.org/jira/browse/HADOOP-15823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16642380#comment-16642380
]
Thomas Marquardt commented on HADOOP-15823:
-------------------------------------------
[~mackrorysd], [~DanielZhou] correct, the tenant ID and client ID are not
required or even valid options for a system-assigned managed identity.
However, the client ID is needed when you have multiple user-assigned managed
identities. This is discussed in the following links:
[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview]
[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token]
Looking at the ABFS implementation of AzureADAuthenticator.getTokenFromMsi, I
see it is using a couple undocumented query parameters, specifically
"authority" and "bypass_cache". Those should be removed, unless the above
documentation links are incorrect. Furthermore, client_id is optional for the
user-assigned managed identity case, when there are multiple user-assigned
identities.
> ABFS: Stop requiring client ID and tenant ID for MSI
> ----------------------------------------------------
>
> Key: HADOOP-15823
> URL: https://issues.apache.org/jira/browse/HADOOP-15823
> Project: Hadoop Common
> Issue Type: Sub-task
> Affects Versions: 3.2.0
> Reporter: Sean Mackrory
> Assignee: Da Zhou
> Priority: Major
>
> ABFS requires the user to configure the tenant ID and client ID. From my
> understanding of MSI, that shouldn't be necessary and is an added requirement
> compared to MSI in ADLS. Can that be dropped?
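The request shape discussed in the comment above, as an added example that is not the ABFS `AzureADAuthenticator` code: it builds the managed-identity token URL with no tenant ID, adds `client_id` only when one is supplied, and rejects any query parameter outside the documented set. The class and method names are hypothetical; the endpoint, `api-version` value and parameter names are assumed from the linked how-to-use-vm-token documentation.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

/** Added illustration (hypothetical class); requires Java 10 or later. */
public class MsiTokenRequest {
  // Endpoint and parameter names as assumed from the linked documentation.
  // The HTTP GET must also carry the header "Metadata: true".
  static final String IMDS_TOKEN_URL =
      "http://169.254.169.254/metadata/identity/oauth2/token";
  static final Set<String> DOCUMENTED =
      Set.of("api-version", "resource", "client_id", "object_id", "mi_res_id");

  /** clientId may be null or empty: a system-assigned identity takes no ID. */
  static String buildUrl(String resource, String clientId) {
    Map<String, String> qp = new LinkedHashMap<>();
    qp.put("api-version", "2018-02-01");
    qp.put("resource", resource);
    if (clientId != null && !clientId.isEmpty()) {
      qp.put("client_id", clientId); // picks one of several user-assigned identities
    }
    return IMDS_TOKEN_URL + "?" + encode(qp);
  }

  /** URL-encodes values and refuses parameters outside the documented set. */
  static String encode(Map<String, String> qp) {
    StringJoiner sj = new StringJoiner("&");
    for (Map.Entry<String, String> e : qp.entrySet()) {
      if (!DOCUMENTED.contains(e.getKey())) {
        throw new IllegalArgumentException("undocumented parameter: " + e.getKey());
      }
      sj.add(e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
    }
    return sj.toString();
  }

  public static void main(String[] args) {
    String storage = "https://storage.azure.com/";
    System.out.println(buildUrl(storage, null)); // system-assigned identity
    // Constructed placeholder GUID standing in for a user-assigned client ID.
    System.out.println(buildUrl(storage, "00000000-0000-0000-0000-000000000000"));
    try {
      encode(Map.of("authority", "x")); // parameter named in the comment above
    } catch (IllegalArgumentException ex) {
      System.out.println(ex.getMessage());
    }
  }
}
```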