hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Atul Sikaria (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14627) Enable new features of ADLS SDK (MSI, Device Code auth)
Date Thu, 06 Jul 2017 00:40:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075698#comment-16075698
] 

Atul Sikaria commented on HADOOP-14627:
---------------------------------------

Thanks [~liuml07], I thought about that too. However, I went with one Jira for this time because
1) The combined change is small (~30-40 lines of code) so it was small enough already. 2)
The changes for  the two auth methods were very similar, so I thought it would make it easier
to review them together.  3) The biggest change is to the doc file (index.md), which would
be easier to see as a final doc containing both, rather than individual isolated changes for
each.

Having said that, this is my perspective (from the patch creator's side), so I am only guessing
at your usability in reading the change. Let me know if the current change is not as easy
to review as I thought; if so, I can break it up.



> Enable new features of ADLS SDK (MSI, Device Code auth)
> -------------------------------------------------------
>
>                 Key: HADOOP-14627
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14627
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/adl
>         Environment: MSI Change applies only to Hadoop running in an Azure VM
>            Reporter: Atul Sikaria
>            Assignee: Atul Sikaria
>         Attachments: HADOOP-14627-001.patch
>
>
> This change is to upgrade the Hadoop ADLS connector to enable new auth features exposed
by the ADLS Java SDK.
> Specifically:
> MSI Tokens: MSI (Managed Service Identity) is a way to provide an identity to an Azure
Service. In the case of VMs, they can be used to give an identity to a VM deployment. This
simplifies managing Service Principals, since the creds don’t have to be managed in core-site
files anymore. The way this works is that during VM deployment, the ARM (Azure Resource Manager)
template needs to be modified to enable MSI. Once deployed, the MSI extension runs a service
on the VM that exposes a token endpoint to http://localhost at a port specified in the template.
The SDK has a new TokenProvider to fetch the token from this local endpoint. This change would
expose that TokenProvider as an auth option.
> DeviceCode auth: This enables a token to be obtained from an interactive login. The user
is given a URL and a token to use on the login screen. User can use the token to login from
any device. Once the login is done, the token that is obtained is in the name of the user
who logged in. Note that because of the interactive login involved, this is not very suitable
for job scenarios, but can work for ad-hoc scenarios like running “hdfs dfs” commands.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message