nandorKollar commented on code in PR #16541:
URL: https://github.com/apache/iceberg/pull/16541#discussion_r3302356023


##########
azure/src/main/java/org/apache/iceberg/azure/AzureProperties.java:
##########
@@ -212,4 +202,38 @@ public String keyWrapAlgorithm() {
   public Optional<String> keyVaultUrl() {
     return Optional.ofNullable(this.keyVaultUrl);
   }
+
+  /**
+   * Returns the credential to use when authenticating to Azure Key Vault, 
derived only from
+   * credentials explicitly supplied through configuration: a catalog-vended 
{@link #ADLS_TOKEN}
+   * bearer token, or an explicitly configured {@link 
#ADLS_TOKEN_CREDENTIAL_PROVIDER}.
+   *
+   * <p>Ambient credentials such as {@link 
com.azure.identity.DefaultAzureCredential} are
+   * intentionally not used for Key Vault: combined with a misconfigured or 
malicious vault URL they
+   * could be used to exfiltrate the client's ambient identity. The supplied 
token must be scoped
+   * for Key Vault (for the public cloud, {@code https://vault.azure.net}).
+   *
+   * @return the configured Key Vault token credential, or empty if none was 
supplied
+   */
+  public Optional<TokenCredential> keyVaultTokenCredential() {
+    if (token != null && !token.isEmpty()) {
+      return Optional.of(tokenCredential(token));
+    }
+
+    if (allProperties.containsKey(ADLS_TOKEN_CREDENTIAL_PROVIDER)) {
+      return 
Optional.of(AdlsTokenCredentialProviders.from(allProperties).credential());
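Review bot: The Javadoc in this hunk says the supplied token "must be scoped for Key Vault", but the first branch of `keyVaultTokenCredential()` reuses the `token` field that holds the catalog-vended `ADLS_TOKEN`, and nothing in the method checks the token's audience. A bearer token is only accepted for the audience it was issued for, so a token vended for storage access will be rejected by Key Vault, while a caller who reads the property name will not expect it to be sent to a second service. Consider either a dedicated property for a Key Vault-scoped token, or at least stating explicitly in the Javadoc that `ADLS_TOKEN` is reused for Key Vault and must be valid for both audiences, and that `token` takes precedence over `ADLS_TOKEN_CREDENTIAL_PROVIDER` when both are configured. The exfiltration concern the Javadoc raises for ambient credentials also applies to the configured token: whatever credential is returned here is presented to the host in `keyVaultUrl()`, so a misconfigured or malicious vault URL still receives a live bearer token; it would be worth validating that the vault URL is `https` and points at an expected Key Vault host before the credential is used.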

Review Comment:
   Nit: probably `AdlsTokenCredentialProviders` is not the best name here, as 
this is connecting to Key Vault now.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

