[ 
https://issues.apache.org/jira/browse/HADOOP-19660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020152#comment-18020152
 ] 

ASF GitHub Bot commented on HADOOP-19660:
-----------------------------------------

kunalmnnit commented on code in PR #7901:
URL: https://github.com/apache/hadoop/pull/7901#discussion_r2347335431


##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/WorkloadIdentityTokenProvider.java:
##########
@@ -38,11 +38,72 @@ public class WorkloadIdentityTokenProvider extends 
AccessTokenProvider {
   private static final String EMPTY_TOKEN_FILE_ERROR = "Empty token file found 
at specified path: ";
   private static final String TOKEN_FILE_READ_ERROR = "Error reading token 
file at specified path: ";
 
+  /**
+   * Internal implementation of ClientAssertionProvider for file-based token 
reading.
+   * This provides backward compatibility for the file-based constructor.
+   */
+  private static class FileBasedClientAssertionProvider implements 
ClientAssertionProvider {
+    private final String tokenFile;
+
+    public FileBasedClientAssertionProvider(String tokenFile) {
+      this.tokenFile = tokenFile;
+    }
+
+    @Override
+    public void initialize(Configuration configuration, String accountName) 
throws IOException {
+      // No initialization needed for file-based provider
+    }
+
+    @Override
+    public String getClientAssertion() throws IOException {
+      String clientAssertion = "";
+      try {
+        File file = new File(tokenFile);
+        clientAssertion = FileUtils.readFileToString(file, "UTF-8");
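
Review bot: the `FileBasedClientAssertionProvider(String tokenFile)` constructor stores the path without a null or empty check, and `initialize` is a no-op, so a missing path is only detected when `getClientAssertion()` reaches `new File(tokenFile)`, which is at token-refresh time rather than at setup. Consider validating `tokenFile` in the constructor so a misconfiguration fails fast. In the same method, `FileUtils.readFileToString(file, "UTF-8")` could take `StandardCharsets.UTF_8` instead of the charset name string.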

Review Comment:
   Additionally, this will only be invoked when the actual AAD token is expired, 
which is roughly every hour and directly coincides with the expiry of the KSA token, so 
I don't think this will be unnecessarily invoked. wdyt?





> ABFS: Proposed Enhancement in WorkloadIdentityTokenProvider
> -----------------------------------------------------------
>
>                 Key: HADOOP-19660
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19660
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/azure
>    Affects Versions: 3.5.0, 3.4.1
>            Reporter: Anuj Modi
>            Priority: Major
>              Labels: pull-request-available
>
> Externally Reported Enhancement:
> *Current Limitation*
> The current WorkloadIdentityTokenProvider implementation works well for 
> file-based token scenarios, but it's tightly coupled to file system 
> operations and cannot be easily extended for alternative token sources.
> *Use Case*: *Kubernetes TokenRequest API*
> In modern Kubernetes environments, the recommended approach is to use the 
> TokenRequest API to generate short-lived, on-demand service account tokens 
> rather than relying on projected volume mounts.
> *Proposed Enhancement* 
> I propose modifying WorkloadIdentityTokenProvider to accept a Supplier for 
> token retrieval instead of being hardcoded to file operations:


