Re: [PR] GH-39262: [C++][Azure][FS] Add default credential auth configuration [arrow]

Mon, 18 Dec 2023 00:31:37 -0800 


kou commented on code in PR #39263:
URL: https://github.com/apache/arrow/pull/39263#discussion_r1429676298


##########
cpp/src/arrow/filesystem/azurefs_test.cc:
##########
@@ -266,15 +263,12 @@ class AzureHierarchicalNSEnv : public 
AzureEnvImpl<AzureHierarchicalNSEnv> {
   bool WithHierarchicalNamespace() const final { return true; }
 };
 
-// Placeholder tests
-// TODO: GH-18014 Remove once a proper test is added
-TEST(AzureFileSystem, InitializeCredentials) {
-  auto default_credential = 
std::make_shared<Azure::Identity::DefaultAzureCredential>();
-  auto managed_identity_credential =
-      std::make_shared<Azure::Identity::ManagedIdentityCredential>();
-  auto service_principal_credential =
-      std::make_shared<Azure::Identity::ClientSecretCredential>("tenant_id", 
"client_id",
-                                                                
"client_secret");
+TEST(AzureFileSystem, InitialiseFilesystemWithDefaultCredential) {
+  AzureOptions options;
+  options.backend = AzureBackend::kAzurite;  // Irrelevant for this test 
because it
+                                             // doesn't connect to the server.
+  ARROW_EXPECT_OK(options.ConfigureDefaultCredential("dummy-account-name"));
+  EXPECT_OK_AND_ASSIGN(auto default_credential_fs, 
AzureFileSystem::Make(options));

Review Comment:
   I tried and understand why you said SSL.
   `Azure::Identity::DefaultAzureCredential` uses a Bearer token and Azure SDK 
for C++ rejects it with http: `Bearer token authentication is not permitted for 
non TLS protected (https) endpoints.`
   If we want to use `DefaultAzureCredential` with Azurite, we need to generate 
a key and certificate pair and use it.
   
   I looked at how to set it to Azure SDK for C++. It seems that we need to 
`BlobClientOptions::Transport::Transport`:
   * 
https://github.com/Azure/azure-sdk-for-cpp/blob/e328665588d2998fea198972af90d5108e64a968/sdk/storage/azure-storage-blobs/inc/azure/storage/blobs/blob_options.hpp#L174
   * 
https://github.com/Azure/azure-sdk-for-cpp/blob/e328665588d2998fea198972af90d5108e64a968/sdk/core/azure-core/inc/azure/core/internal/client_options.hpp#L97
   * 
https://github.com/Azure/azure-sdk-for-cpp/blob/e328665588d2998fea198972af90d5108e64a968/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp#L221
   
   If we set `BlobClientOptions::Transport::Transport`, we need to specify curl 
based HTTP transport implementation or WinHTTP based HTTP transport 
implementation. They have different configurations for TLS...
   
   How about using `TestAzureHierarchicalNSFileSystem` to test 
`DefaultAzureCredential`? If we use the real Azure service, we don't need to 
custom TLS configuration.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to