You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Thomas Marquardt (JIRA)" <ji...@apache.org> on 2018/10/08 19:45:01 UTC

[jira] [Commented] (HADOOP-15823) ABFS: Stop requiring client ID and tenant ID for MSI

    [ https://issues.apache.org/jira/browse/HADOOP-15823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16642380#comment-16642380 ] 

Thomas Marquardt commented on HADOOP-15823:
-------------------------------------------

[~mackrorysd], [~DanielZhou] correct, the tenant ID and client ID are not required or even valid options for a system-assigned managed identity.  However, the client ID is needed when you have multiple user-assigned managed identities.  This is discussed in the following links:

[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview] 

[https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token] 

 

Looking at the ABFS implementation of AzureADAuthenticator.getTokenFromMsi, I see it is using a couple undocumented query parameters, specifically "authority" and "bypass_cache".  Those should be removed, unless the above documentation links are incorrect.  Furthermore, client_id is optional for the user-assigned managed identity case, when there are multiple user-assigned identities.

> ABFS: Stop requiring client ID and tenant ID for MSI
> ----------------------------------------------------
>
>                 Key: HADOOP-15823
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15823
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 3.2.0
>            Reporter: Sean Mackrory
>            Assignee: Da Zhou
>            Priority: Major
>
> ABFS requires the user to configure the tenant ID and client ID. From my understanding of MSI, that shouldn't be necessary and is an added requirement compared to MSI in ADLS. Can that be dropped?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org