Posted to common-issues@hadoop.apache.org by "Thomas Marqardt (Jira)" <ji...@apache.org> on 2020/03/13 17:15:00 UTC

[jira] [Updated] (HADOOP-16916) ABFS: Delegation SAS generator for integration with Ranger

     [ https://issues.apache.org/jira/browse/HADOOP-16916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Marqardt updated HADOOP-16916:
-------------------------------------
    Attachment: HADOOP-16916.001.patch
        Status: Patch Available  (was: Open)

Submitting patch HADOOP-16916.001.patch.  This is the first draft and will be iterated on.

This patch adds tests in ITestAzureBlobFileSystemDelegationSAS that have a dependency on new Delegation SAS features that are not yet available in ADLS Gen2.  These tests are not run by default so all the pre-existing tests are still passing with this change.  We may wait for the new ADLS Gen2 features to be available before committing this patch.

This patch adds a DelegationSASGenerator which returns SAS with minimal permissions to the caller.  This is for testing purposes to ensure that the ABFS driver operations succeed with minimal permission SAS.  

This patch adds a MockDelegationSASTokenProvider which calls the DelegationSASGenerator to provide SAS tokens.  The MockDelegationSASTokenProvider relies on an Azure app registration and client credential grant flow to obtain a user delegation key for signing SAS tokens.  This is not the way the SASTokenProvider should be used in production, since this test scenario allows the potentially low privilege user of ABFS to access the credentials used by the SASTokenProvider.  In production, it is expected that a low privilege user would not have access to these credentials, for example the SASTokenProvider could use an endpoint which authenticates the low privilege user and returns SAS to the user based on authorization rules.

All tests passing against my US West account:

$ mvn -T 1C -Dparallel-tests=abfs -Dscale -DtestsThreadCount=8 clean verify
Tests run: 52, Failures: 0, Errors: 0, Skipped: 0
Tests run: 420, Failures: 0, Errors: 0, Skipped: 41
Tests run: 206, Failures: 0, Errors: 0, Skipped: 24

> ABFS: Delegation SAS generator for integration with Ranger
> ----------------------------------------------------------
>
>                 Key: HADOOP-16916
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16916
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs/azure
>    Affects Versions: 3.2.1
>            Reporter: Thomas Marqardt
>            Assignee: Thomas Marqardt
>            Priority: Minor
>         Attachments: HADOOP-16916.001.patch
>
>
> HADOOP-16730 added support for Shared Access Signatures (SAS).  Azure Data Lake Storage Gen2 supports a new SAS type known as User Delegation SAS.  This Jira tracks an update to the ABFS driver that will include a Delegation SAS generator and tests to validate that this SAS type is working correctly with the driver.



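The production arrangement the message describes, where a low-privilege user is authorized by rules and never sees the signing credentials, sketched as an added Python example that is not part of the patch or the Hadoop code base. SasBroker, POLICY, MIN_PERMISSION and the operation names are hypothetical, and the string-to-sign is a simplified stand-in, not the Azure Storage format.

```python
import base64, hashlib, hmac, posixpath
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Assumed mapping: each (hypothetical) driver operation -> the one SAS permission it needs.
MIN_PERMISSION = {"read": "r", "write": "w", "create": "w", "list": "l", "delete": "d"}
# Constructed authorization rules: (user, directory prefix) -> operations allowed there.
POLICY = {
    ("alice", "/data/sales/"): {"read", "list"},
    ("bob", "/data/"): {"read", "write", "create", "list", "delete"},
}
FMT = "%Y-%m-%dT%H:%M:%SZ"


class SasBroker:
    """Holds the signing key server-side; callers only ever receive tokens."""

    def __init__(self, signing_key: bytes, ttl_minutes: int = 15):
        self._key = signing_key
        self._ttl = timedelta(minutes=ttl_minutes)

    def _sign(self, perm, expiry, path):
        # Simplified string-to-sign for illustration, NOT the Azure Storage format.
        msg = "\n".join((perm, expiry, path)).encode()
        return base64.b64encode(hmac.new(self._key, msg, hashlib.sha256).digest()).decode()

    def issue(self, user, path, operation, now=None):
        """Return a short-lived token carrying only the permission this operation needs."""
        path = posixpath.normpath(path)  # collapse "../" before matching prefixes
        perm = MIN_PERMISSION.get(operation)
        allowed = any(
            u == user and operation in ops and (path + "/").startswith(prefix)
            for (u, prefix), ops in POLICY.items()
        )
        if perm is None or not allowed:
            raise PermissionError(f"{user} may not {operation} {path}")
        expiry = ((now or datetime.now(timezone.utc)) + self._ttl).strftime(FMT)
        return urlencode({"sp": perm, "se": expiry, "sig": self._sign(perm, expiry, path)})

    def verify(self, token, path, needed_perm, now=None):
        """Storage-side check: signature, scope, permission and expiry must all hold."""
        q = {k: v[0] for k, v in parse_qs(token).items()}
        sp, se, sig = q.get("sp", ""), q.get("se", ""), q.get("sig", "")
        if not hmac.compare_digest(sig.encode(), self._sign(sp, se, path).encode()):
            return False
        expiry = datetime.strptime(se, FMT).replace(tzinfo=timezone.utc)
        return needed_perm in sp and (now or datetime.now(timezone.utc)) < expiry
```

The caller of `issue` holds only the returned token, so a leaked token exposes one permission on one path for the TTL rather than the key that can mint any SAS.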