sugibuchi commented on PR #5953:
URL: https://github.com/apache/hadoop/pull/5953#issuecomment-1899296689

This behaviour of the AAD workload identity is not well documented, but the AAD workload identity webhook injects the following env variables into pods.

https://azure.github.io/azure-workload-identity/docs/quick-start.html#7-deploy-workload
   
| Environment variable         | Description                                                                            |
| ---------------------------- | -------------------------------------------------------------------------------------- |
| `AZURE_AUTHORITY_HOST`       | The Azure Active Directory (AAD) endpoint.                                             |
| `AZURE_CLIENT_ID`            | The client ID of the AAD application or user-assigned managed identity.                |
| `AZURE_TENANT_ID`            | The tenant ID of the registered AAD application or user-assigned managed identity.     |
| `AZURE_FEDERATED_TOKEN_FILE` | The path of the projected service account token file.                                  |
   
`WorkloadIdentityCredential` provided by Azure SDK also reads these env variables by default.

* https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_credentials/workload_identity.py#L70-L72
* https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/workload_identity.go#L64-L80
   
I think it is better to make the following config properties optional and use values provided by the env variables above by default.

* `fs.azure.account.oauth2.msi.authority`
* `fs.azure.account.oauth2.client.id`
* `fs.azure.account.oauth2.msi.tenant`
* `fs.azure.account.oauth2.token.file`

These values provided by Hadoop config are redundant in general and potentially cause inconsistency with the correct properties of federated identities.
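The fallback and consistency check the comment proposes, as an added stand-alone Python example (not Hadoop's or the Azure SDK's code): explicit Hadoop properties take precedence, the webhook-injected env variables fill the gaps, and a configured value that contradicts the injected one is flagged, since the projected token was issued for the identity the webhook configured. The property-to-variable mapping is the one listed above; the config and env dicts in the demo are constructed.

```python
import os
from dataclasses import dataclass, field

# Hadoop ABFS property -> env variable injected by the AAD workload identity webhook
PROPERTY_TO_ENV = {
    "fs.azure.account.oauth2.msi.authority": "AZURE_AUTHORITY_HOST",
    "fs.azure.account.oauth2.client.id": "AZURE_CLIENT_ID",
    "fs.azure.account.oauth2.msi.tenant": "AZURE_TENANT_ID",
    "fs.azure.account.oauth2.token.file": "AZURE_FEDERATED_TOKEN_FILE",
}


@dataclass
class Resolved:
    values: dict = field(default_factory=dict)     # property -> effective value
    sources: dict = field(default_factory=dict)    # property -> "config" or "env"
    conflicts: list = field(default_factory=list)  # (property, config value, env value)
    missing: list = field(default_factory=list)    # properties with no value anywhere


def resolve_workload_identity(conf, env=None):
    """Resolve the four properties: config wins, env is the default, mismatches are reported."""
    env = os.environ if env is None else env
    out = Resolved()
    for prop, var in PROPERTY_TO_ENV.items():
        conf_val = (conf.get(prop) or "").strip()
        env_val = (env.get(var) or "").strip()
        if conf_val:
            out.values[prop] = conf_val
            out.sources[prop] = "config"
            if env_val and env_val != conf_val:
                # Static config disagrees with the identity the webhook injected.
                out.conflicts.append((prop, conf_val, env_val))
        elif env_val:
            out.values[prop] = env_val
            out.sources[prop] = "env"
        else:
            out.missing.append(prop)
    return out


if __name__ == "__main__":
    # Constructed inputs: a stale client id in hadoop config, everything else from the webhook.
    demo_conf = {"fs.azure.account.oauth2.client.id": "11111111-1111-1111-1111-111111111111"}
    demo_env = {
        "AZURE_AUTHORITY_HOST": "https://login.microsoftonline.com/",
        "AZURE_CLIENT_ID": "22222222-2222-2222-2222-222222222222",
        "AZURE_TENANT_ID": "33333333-3333-3333-3333-333333333333",
        "AZURE_FEDERATED_TOKEN_FILE": "/var/run/secrets/azure/tokens/azure-identity-token",
    }
    r = resolve_workload_identity(demo_conf, demo_env)
    for prop, conf_val, env_val in r.conflicts:
        print(f"WARNING {prop}: config={conf_val} differs from injected {env_val}")
```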