sugibuchi commented on PR #5953: URL: https://github.com/apache/hadoop/pull/5953#issuecomment-1904357804
@steveloughran I agree. The env var resolution looks like the best solution for this.

@creste Thank you very much for this prompt update.

About the descriptions of the four properties, I think we can simply copy-paste the descriptions provided by the AAD Workload identity documentation.

* `fs.azure.account.oauth2.msi.tenant`: The tenant ID of the registered AAD application or user-assigned managed identity.
* `fs.azure.account.oauth2.client.id`: The client ID of the AAD application or user-assigned managed identity.
* `fs.azure.account.oauth2.token.file`: The path of the projected service account token file.

About the description of the auth method:

> OAuth 2.0 tokens are written to a file that is only accessible from the executing pod (`/var/run/secrets/azure/tokens/azure-identity-token`). The issued credentials can be used to authenticate.

This is not precise. The token files injected by the AAD workload identity webhook are files of "projected service account tokens" issued by Kubernetes clusters. They are not OAuth2 access tokens for accessing Azure resources.

https://azure.github.io/azure-workload-identity/docs/introduction.html#how-it-works

I propose to update the description of this auth method like:

> With a projected service account token injected by the Azure Workload Identity webhook, make a request of the Azure Active Directory endpoint to retrieve access tokens.
> The required properties for this authentication method are automatically injected into the executing pod as environment variables by the AAD Workload Identity webhook.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
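The distinction drawn in the comment above, as an added example that is not part of the original message or of the PR's code: the file holds a Kubernetes-issued JWT, which is presented to the Azure AD token endpoint as a client assertion in exchange for an access token. The function names, the sample token and the placeholder IDs are constructed for illustration; the endpoint path and form fields assume the Microsoft identity platform v2.0 client-credentials flow with a federated credential.

```python
import base64
import json
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_token_request(tenant, client_id, sa_token, scope,
                        authority="https://login.microsoftonline.com/"):
    """Return (url, form body) for exchanging the service account token."""
    url = f"{authority.rstrip('/')}/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": sa_token.strip(),  # Kubernetes token, sent as proof
        "scope": scope,
    }
    return url, urlencode(form)


# Constructed sample standing in for the token file contents (fake signature).
SAMPLE_CLAIMS = {
    "iss": "https://oidc.example.invalid/cluster-1/",  # cluster issuer, not Azure
    "sub": "system:serviceaccount:analytics:spark-driver",
    "aud": ["api://AzureADTokenExchange"],
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-signature"),
])

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("issuer:", claims["iss"], "audience:", claims["aud"])
    print(build_token_request("<tenant-id>", "<client-id>", SAMPLE_TOKEN,
                              "https://storage.azure.com/.default"))
```

The access token for storage only exists in the response to this request; the file on disk is the input to the exchange.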
