[ https://issues.apache.org/jira/browse/HADOOP-16916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Marqardt updated HADOOP-16916:
-------------------------------------
Attachment: HADOOP-16916.001.patch
Status: Patch Available (was: Open)
Submitting patch HADOOP-16916.001.patch. This is the first draft and will be
iterated on.

This patch adds tests in ITestAzureBlobFileSystemDelegationSAS that have a
dependency on new Delegation SAS features that are not yet available in ADLS
Gen2. These tests are not run by default so all the pre-existing tests are
still passing with this change. We may wait for the new ADLS Gen2 features to
be available before committing this patch.

This patch adds a DelegationSASGenerator which returns SAS with minimal
permissions to the caller. This is for testing purposes to ensure that the
ABFS driver operations succeed with minimal permission SAS.

This patch adds a MockDelegationSASTokenProvider which calls the
DelegationSASGenerator to provide SAS tokens. The
MockDelegationSASTokenProvider relies on an Azure app registration and client
credential grant flow to obtain a user delegation key for signing SAS tokens.
This is not the way the SASTokenProvider should be used in production, since
this test scenario allows the potentially low privilege user of ABFS to access
the credentials used by the SASTokenProvider. In production, it is expected
that a low privilege user would not have access to these credentials, for
example the SASTokenProvider could use an endpoint which authenticates the low
privilege user and returns SAS to the user based on authorization rules.

All tests passing against my US West account:

$ mvn -T 1C -Dparallel-tests=abfs -Dscale -DtestsThreadCount=8 clean verify
Tests run: 52, Failures: 0, Errors: 0, Skipped: 0
Tests run: 420, Failures: 0, Errors: 0, Skipped: 41
Tests run: 206, Failures: 0, Errors: 0, Skipped: 24

> ABFS: Delegation SAS generator for integration with Ranger
> ----------------------------------------------------------
>
> Key: HADOOP-16916
> URL: https://issues.apache.org/jira/browse/HADOOP-16916
> Project: Hadoop Common
> Issue Type: New Feature
> Components: fs/azure
> Affects Versions: 3.2.1
> Reporter: Thomas Marqardt
> Assignee: Thomas Marqardt
> Priority: Minor
> Attachments: HADOOP-16916.001.patch
>
>
> HADOOP-16730 added support for Shared Access Signatures (SAS). Azure Data
> Lake Storage Gen2 supports a new SAS type known as User Delegation SAS. This
> Jira tracks an update to the ABFS driver that will include a Delegation SAS
> generator and tests to validate that this SAS type is working correctly with
> the driver.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
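
The production arrangement described in the comment above (a service that keeps the signing key, authenticates the caller, and hands back a SAS limited to what the requested operation needs), sketched as an added example that is not part of the patch or of Hadoop. SasBroker, MIN_PERMISSION, RULES and the operation names are hypothetical, the users and paths are constructed, and the string-to-sign is a simplified stand-in, not the Azure Storage format.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, urlencode

# Hypothetical operation names and the single permission each needs.
MIN_PERMISSION = {"read": "r", "write": "w", "delete": "d", "list": "l"}
# Constructed authorization rules: (user, path prefix) -> permissions allowed.
RULES = {("alice", "/data/public/"): "rl", ("bob", "/data/"): "rwdl"}


class SasBroker:
    """Holds the signing key; callers only ever receive signed tokens."""

    def __init__(self, signing_key, ttl_seconds=300):
        self._key, self._ttl = signing_key, ttl_seconds

    def _sign(self, perm, expiry, filesystem, path):
        # Simplified string-to-sign for illustration, NOT the Azure format.
        to_sign = "\n".join([perm, str(expiry), filesystem, path])
        mac = hmac.new(self._key, to_sign.encode(), hashlib.sha256).digest()
        return base64.b64encode(mac).decode()

    def issue(self, user, filesystem, path, operation, now=None):
        perm = MIN_PERMISSION.get(operation)
        if perm is None:
            raise ValueError(f"unknown operation: {operation}")
        if ".." in path.split("/"):  # keep prefix rules from being bypassed
            raise PermissionError("path traversal segment rejected")
        allowed = {p for (u, prefix), granted in RULES.items()
                   if u == user and path.startswith(prefix) for p in granted}
        if perm not in allowed:
            raise PermissionError(f"{user} may not {operation} {path}")
        expiry = int(time.time() if now is None else now) + self._ttl
        # Grant only the permission this operation needs, never the full set.
        sig = self._sign(perm, expiry, filesystem, path)
        return urlencode({"sp": perm, "se": expiry, "sig": sig})

    def verify(self, token, filesystem, path, now=None):
        q = dict(parse_qsl(token))
        if int(q["se"]) <= int(time.time() if now is None else now):
            return False  # expired
        expected = self._sign(q["sp"], q["se"], filesystem, path)
        return hmac.compare_digest(q["sig"], expected)
```

A client-side token provider in this arrangement would only forward the caller's identity and the requested operation to the broker, so the low privilege user never holds the key.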