[
https://issues.apache.org/jira/browse/HADOOP-17363?focusedWorklogId=612446&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-612446
]
ASF GitHub Bot logged work on HADOOP-17363:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 21/Jun/21 05:58
Start Date: 21/Jun/21 05:58
Worklog Time Spent: 10m
Work Description: mukund-thakur commented on a change in pull request #2445:
URL: https://github.com/apache/hadoop/pull/2445#discussion_r655093731
##########
File path:
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/AzureADAuthenticator.java
##########
@@ -154,6 +154,53 @@ public static AzureADToken getTokenFromMsi(final String
authEndpoint,
return getTokenCall(authEndpoint, qp.serialize(), headers, "GET", true);
}
+
+ /**
+ * gets Azure Active Directory token using the user's username and password.
This only
+ * works if the identity can be authenticated directly by
microsoftonline.com. It will likely
+ * not work if the domain is federated and/or multi-factor authentication or
other form of
+ * strong authentication is configured for the user.
+ *
+ * @param authEndpoint the OAuth 2.0 token endpoint associated
+ * with the user's directory (obtain from
+ * Active Directory configuration)
+ * @param username the user name of the user
+ * @param password the password of the user
+ * @param clientId the client ID (GUID) of the client web app
+ * obtained from Azure Active Directory configuration
+ * @param clientSecret (optional) the secret key of the client web app
+ * If the app is a confidential client, then it must be
included
+ * @return {@link AzureADToken} obtained using the creds
+ * @throws IOException throws IOException if there is a failure in
connecting to Azure AD
+ */
+ public static AzureADToken getTokenUsingUserCreds(String authEndpoint,
+ String username, String password, String clientId,
+ String clientSecret) throws IOException {
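Review bot: The Javadoc marks clientSecret as "(optional)", but getTokenUsingUserCreds takes it as an ordinary String, so the visible lines do not tell a caller which value means "absent" (null or an empty string), nor what happens when a confidential client leaves it out. State the accepted "absent" value in the @param text, or add an overload without the parameter. Two smaller points in the same comment block: "@throws IOException throws IOException if ..." repeats itself, and the summary sentence should start with a capital ("Gets ...").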
Review comment:
Seems like clientSecret is not required. Why are we still passing this?
Issue Time Tracking
-------------------
Worklog Id: (was: 612446)
Time Spent: 40m (was: 0.5h)
> ABFS does not work with OAuth 2.0: Username and Password
> --------------------------------------------------------
>
> Key: HADOOP-17363
> URL: https://issues.apache.org/jira/browse/HADOOP-17363
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 3.3.0
> Reporter: Matsushita Shin
> Priority: Major
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
> https://hadoop.apache.org/docs/current/hadoop-azure/abfs.html
> I have tried OAuth 2.0 authentication with the username and password written
> above.
> However, it failed with the following exception.
> ~~~
> Exception in thread "main" HTTP Error 400;
> url='https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token'
> AADToken: HTTP connection to
> https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
> failed for getting token from AzureAD.;
> requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX';
> contentType='application/json; charset=utf-8'; response
> '{"error":"unauthorized_client","error_description":"AADSTS700016:
> Application with identifier 'jiro' was not found in the directory
> '3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application
> has not been installed by the administrator of the tenant or consented to by
> any user in the tenant. You may have sent your authentication request to the
> wrong tenant.\r\nTrace ID:
> 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID:
> 4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07
> 11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07
> 11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException:
> HTTP Error 400;
> url='https://login.microsoftonline.com/3070a5de-410e-4885-b6cd-95fe759ced2b/oauth2/token'
> AADToken: HTTP connection to
> https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
> failed for getting token from AzureAD.;
> requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX';
> contentType='application/json; charset=utf-8'; response
> '{"error":"unauthorized_client","error_description":"AADSTS700016:
> Application with identifier 'jiro' was not found in the directory
> '3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application
> has not been installed by the administrator of the tenant or consented to by
> any user in the tenant. You may have sent your authentication request to the
> wrong tenant.\r\nTrace ID:
> 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID:
> 4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07
> 11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07
> 11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
> at
> org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:215)
> at
> org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:134)
> at
> org.apache.hadoop.fs.azurebfs.services.AbfsClient.createPath(AbfsClient.java:293)
> at
> org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.createDirectory(AzureBlobFileSystemStore.java:445)
> at
> org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.mkdirs(AzureBlobFileSystem.java:409)
> at org.apache.hadoop.fs.FileSystem.mkdirs(FileSystem.java:2355)
> at com.sample.HelloWorld.main(HelloWorld.java:116)
> Caused by:
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException: HTTP
> Error 400;
> url='https://login.microsoftonline.com/3070a5de-410e-XXXX-XXXXXXXXXXXX/oauth2/token'
> AADToken: HTTP connection to
> https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
> failed for getting token from AzureAD.;
> requestId='187c97a4-82a0-4b36-b764-a3b8b1c45201';
> contentType='application/json; charset=utf-8'; response
> '{"error":"unauthorized_client","error_description":"AADSTS700016:
> Application with identifier 'jiro' was not found in the directory
> '3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application
> has not been installed by the administrator of the tenant or consented to by
> any user in the tenant. You may have sent your authentication request to the
> wrong tenant.\r\nTrace ID:
> 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID:
> 4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07
> 11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07
> 11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
> at
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenSingleCall(AzureADAuthenticator.java:394)
> at
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:291)
> at
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:273)
> at
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenUsingClientCreds(AzureADAuthenticator.java:96)
> at
> org.apache.hadoop.fs.azurebfs.oauth2.UserPasswordTokenProvider.refreshToken(UserPasswordTokenProvider.java:54)
> at
> org.apache.hadoop.fs.azurebfs.oauth2.AccessTokenProvider.getToken(AccessTokenProvider.java:50)
> at
> org.apache.hadoop.fs.azurebfs.services.AbfsClient.getAccessToken(AbfsClient.java:670)
> at
> org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:168)
> ... 6 more
> ~~~
> The cause of the error seems to be that UserPasswordTokenProvider is calling
> getTokenUsingClientCreds() for the service principal.
> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
> I checked the API specifications of Azure and fixed the cause of this error.
> After this, I plan to create a Pull Request.
> Best regards,
> Shin
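The difference between the two grants discussed in the issue, as an added example that is not code from the Hadoop project or from the pull request. It builds the form body for a client credentials request and for a username/password (ROPC) request side by side, which is consistent with the AADSTS700016 error above naming 'jiro' as an application identifier. The class name, the `RESOURCE` value and all sample values are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class TokenRequestBodies {
  // Assumed resource identifier for Azure Storage; not taken from the page.
  static final String RESOURCE = "https://storage.azure.com/";

  /** Client credentials grant: the caller is an application (service principal). */
  static Map<String, String> clientCredentials(String clientId, String clientSecret) {
    Map<String, String> p = new LinkedHashMap<>();
    p.put("grant_type", "client_credentials");
    p.put("resource", RESOURCE);
    p.put("client_id", clientId);
    p.put("client_secret", clientSecret);
    return p;
  }

  /** Password (ROPC) grant: a user signs in through a registered application. */
  static Map<String, String> userPassword(String clientId, String clientSecret,
      String username, String password) {
    Map<String, String> p = new LinkedHashMap<>();
    p.put("grant_type", "password");
    p.put("resource", RESOURCE);
    p.put("client_id", clientId);
    p.put("username", username);
    p.put("password", password);
    // Only a confidential client sends a secret; a public client omits the field.
    if (clientSecret != null && !clientSecret.isEmpty()) {
      p.put("client_secret", clientSecret);
    }
    return p;
  }

  /** Serializes to application/x-www-form-urlencoded; values are percent-encoded. */
  static String serialize(Map<String, String> params) {
    return params.entrySet().stream()
        .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
        .collect(Collectors.joining("&"));
  }

  public static void main(String[] args) {
    // Constructed sample values: first the user name sent as client_id, then the password grant.
    System.out.println(serialize(clientCredentials("jiro", "example-password")));
    System.out.println(serialize(userPassword("<app-client-id>", null, "jiro", "example-password")));
  }
}
```

In the first body the user name occupies `client_id`, so the token endpoint looks for an application of that name; in the second the application ID and the user identity travel in separate fields.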