You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "John Zhuge (JIRA)" <ji...@apache.org> on 2017/08/03 03:48:00 UTC

[jira] [Comment Edited] (HADOOP-14627) Enable new features of ADLS SDK (MSI, Device Code auth)

    [ https://issues.apache.org/jira/browse/HADOOP-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16082960#comment-16082960 ] 

John Zhuge edited comment on HADOOP-14627 at 8/3/17 3:47 AM:
-------------------------------------------------------------

* Add all new properties and their default values to core-default.xml.
* Update SDK version whenever it is GA.
* Add unit tests for the new token providers to TestAzureADTokenProvider


was (Author: jzhuge):
Add {{fs.adl.oauth2.msi.port}} with default value to core-default.xml.

> Enable new features of ADLS SDK (MSI, Device Code auth)
> -------------------------------------------------------
>
>                 Key: HADOOP-14627
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14627
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/adl
>         Environment: MSI Change applies only to Hadoop running in an Azure VM
>            Reporter: Atul Sikaria
>            Assignee: Atul Sikaria
>         Attachments: HADOOP-14627-001.patch
>
>
> This change is to upgrade the Hadoop ADLS connector to enable new auth features exposed by the ADLS Java SDK.
> Specifically:
> MSI Tokens: MSI (Managed Service Identity) is a way to provide an identity to an Azure Service. In the case of VMs, they can be used to give an identity to a VM deployment. This simplifies managing Service Principals, since the creds don’t have to be managed in core-site files anymore. The way this works is that during VM deployment, the ARM (Azure Resource Manager) template needs to be modified to enable MSI. Once deployed, the MSI extension runs a service on the VM that exposes a token endpoint to http://localhost at a port specified in the template. The SDK has a new TokenProvider to fetch the token from this local endpoint. This change would expose that TokenProvider as an auth option.
> DeviceCode auth: This enables a token to be obtained from an interactive login. The user is given a URL and a token to use on the login screen. User can use the token to login from any device. Once the login is done, the token that is obtained is in the name of the user who logged in. Note that because of the interactive login involved, this is not very suitable for job scenarios, but can work for ad-hoc scenarios like running “hdfs dfs” commands.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org