[
https://issues.apache.org/jira/browse/JCLOUDS-1579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352560#comment-17352560
]
Stefan H. commented on JCLOUDS-1579:
------------------------------------
Received an initial response by Microsoft. They confirm they behavior of
SharedKeyLite not working with Premium Page Blob backed accounts. However
support could not directly verify whether it is intended. According to them the
issue does not occur with Premium Block Blob backed storage so depending on the
use-case that can be a workaround. I verified that changing the backing to
Block Blob actually works around the issue.
They also mentioned that updating to the SharedKey method requires only a few
additional headers. Depending on the operations none of them are required so
potentially all it takes are a few additional empty lines in what is signed and
changing the auth method.
> SharedKeyLite authentication against Azure Blob with Premium SKU fails
> ----------------------------------------------------------------------
>
> Key: JCLOUDS-1579
> URL: https://issues.apache.org/jira/browse/JCLOUDS-1579
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-blobstore
> Affects Versions: 2.3.0, 2.4.0
> Reporter: Stefan H.
> Priority: Major
> Labels: azureblob
>
> We have been using jclouds with Azure Blob Storage successfully. However when
> changing the SKU of one of the Storage Accounts from Standard to
> [Premium|https://azure.microsoft.com/en-us/blog/azure-premium-block-blob-storage-is-now-generally-available/]
> jclouds was suddenly no longer able to authenticate against the storage
> event though the credentials were valid. E.g. checking the existence of a
> container results in:
> request: HEAD https://XXX.blob.core.windows.net/test?restype=container
> HTTP/1.1 failed with response: HTTP/1.1 403 Server failed to authenticate the
> request. Make sure the value of Authorization header is formed correctly
> including the signature.
> After some investigation this seems to be caused by Premium storage not
> supporting the SharedKeyLite authenticatication method jclouds uses. Other
> projects seem to also have stumbled over this issue (e.g.
> [https://github.com/khenidak/dysk/issues/6#issuecomment-355877888] ,
> [https://github.com/terraform-providers/terraform-provider-azurerm/issues/3939#issuecomment-524401721]
> ).
> My reading of
> [https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key]
> would have been that auth is the same for the SKUs and we have opened a
> support case with Microsoft to get further information. But given that at
> least one of the issues I linked before also mentioned raising this with them
> it is unlikely this behavior is unintended or will change.
> Everyone else encountering this seems to switch to SharedKey authentication
> instead to resolve the issue and their code changes seem quite contained at
> first glance. This would also resolve the local development workflow issue of
> the Azurite storage emulator from Microsoft not supporting SharedKeyLite on
> blob storage.
> To reproduce the problem just create Standard and a Premium SKU storage
> account and try to use them with jclouds to do a call like containerExists.
> With all else being the same Standard SKU will work while Premium SKU 403s.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
