[
https://issues.apache.org/jira/browse/HADOOP-18610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17853742#comment-17853742
]
ASF GitHub Bot commented on HADOOP-18610:
-----------------------------------------
mukund-thakur commented on code in PR #6787:
URL: https://github.com/apache/hadoop/pull/6787#discussion_r1633579425
##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/WorkloadIdentityTokenProvider.java:
##########
@@ -63,58 +64,35 @@ protected AzureADToken refreshToken() throws IOException {
return token;
}
- /**
- * Gets the Azure AD token from a client assertion in JWT format.
- * This method exists to make unit testing possible.
- *
- * @param clientAssertion the client assertion.
- * @return the Azure AD token.
- * @throws IOException if there is a failure in connecting to Azure AD.
- */
- @VisibleForTesting
- AzureADToken getTokenUsingJWTAssertion(String clientAssertion) throws
IOException {
- return AzureADAuthenticator
- .getTokenUsingJWTAssertion(authEndpoint, clientId, clientAssertion);
- }
-
/**
* Checks if the token is about to expire as per base expiry logic.
- * Otherwise, try to expire if enough time has elapsed since the last
refresh.
+ * Otherwise, expire if there is a clock skew issue in the system.
*
* @return true if the token is expiring in next 1 hour or if a token has
* never been fetched
*/
@Override
protected boolean isTokenAboutToExpire() {
- return super.isTokenAboutToExpire() ||
hasEnoughTimeElapsedSinceLastRefresh();
- }
-
- /**
- * Checks to see if enough time has elapsed since the last token refresh.
- *
- * @return true if the token was last refreshed more than an hour ago.
- */
- protected boolean hasEnoughTimeElapsedSinceLastRefresh() {
- if (getTokenFetchTime() == -1) {
+ if (tokenFetchTime == -1 || super.isTokenAboutToExpire()) {
return true;
}
- boolean expiring = false;
+
+ // In case of, any clock skew issues, refresh token.
long elapsedTimeSinceLastTokenRefreshInMillis =
- System.currentTimeMillis() - getTokenFetchTime();
- // In case token is not refreshed for 1 hr or any clock skew issues,
- // refresh token.
- expiring = elapsedTimeSinceLastTokenRefreshInMillis >= ONE_HOUR
- || elapsedTimeSinceLastTokenRefreshInMillis < 0;
+ System.currentTimeMillis() - tokenFetchTime;
+ boolean expiring = elapsedTimeSinceLastTokenRefreshInMillis < 0;
Review Comment:
ah..sorry somehow I missed that expiring is getting returned. I think it was
better before.
Do you mind reverting this part?
so sorry for the rework.
> ABFS OAuth2 Token Provider to support Azure Workload Identity for AKS
> ---------------------------------------------------------------------
>
> Key: HADOOP-18610
> URL: https://issues.apache.org/jira/browse/HADOOP-18610
> Project: Hadoop Common
> Issue Type: Improvement
> Components: tools
> Affects Versions: 3.3.4
> Reporter: Haifeng Chen
> Assignee: Anuj Modi
> Priority: Critical
> Labels: pull-request-available
> Attachments: HADOOP-18610-preview.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> In Jan 2023, Microsoft Azure AKS replaced its original pod-managed identity
> with with [Azure Active Directory (Azure AD) workload
> identities|https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview]
> (preview), which integrate with the Kubernetes native capabilities to
> federate with any external identity providers. This approach is simpler to
> use and deploy.
> Refer to
> [https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview|https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview.]
> and [https://azure.github.io/azure-workload-identity/docs/introduction.html]
> for more details.
> The basic use scenario is to access Azure cloud resources (such as cloud
> storage) from Kubernetes (such as AKS) workload using Azure managed identity
> federated with Kubernetes service account. The credential environment
> variables in pod projected by Azure AD workload identity are like following:
> AZURE_AUTHORITY_HOST: (Injected by the webhook,
> [https://login.microsoftonline.com/])
> AZURE_CLIENT_ID: (Injected by the webhook)
> AZURE_TENANT_ID: (Injected by the webhook)
> AZURE_FEDERATED_TOKEN_FILE: (Injected by the webhook,
> /var/run/secrets/azure/tokens/azure-identity-token)
> The token in the file pointed by AZURE_FEDERATED_TOKEN_FILE is a JWT (JASON
> Web Token) client assertion token which we can use to request to
> AZURE_AUTHORITY_HOST (url is AZURE_AUTHORITY_HOST + tenantId +
> "/oauth2/v2.0/token") for a AD token which can be used to directly access
> the Azure cloud resources.
> This approach is very common and similar among cloud providers such as AWS
> and GCP. Hadoop AWS integration has WebIdentityTokenCredentialProvider to
> handle the same case.
> The existing MsiTokenProvider can only handle the managed identity associated
> with Azure VM instance. We need to implement a WorkloadIdentityTokenProvider
> which handle Azure Workload Identity case. For this, we need to add one
> method (getTokenUsingJWTAssertion) in AzureADAuthenticator which will be used
> by WorkloadIdentityTokenProvider.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
