hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Atul Sikaria (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14627) Support MSI and DeviceCode token provider
Date Fri, 04 Aug 2017 01:32:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113774#comment-16113774
] 

Atul Sikaria commented on HADOOP-14627:
---------------------------------------

[~jzhuge], [~steve_l]: addressed all your concerns in the comments above. 

Also updating patch to not be dependent on the preview version of SDK (since released version
2.2.1 is now available).

+[~chris.douglas] as FYI

> Support MSI and DeviceCode token provider
> -----------------------------------------
>
>                 Key: HADOOP-14627
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14627
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/adl
>         Environment: MSI Change applies only to Hadoop running in an Azure VM
>            Reporter: Atul Sikaria
>            Assignee: Atul Sikaria
>         Attachments: HADOOP-14627-001.patch, HADOOP-14627-002.patch
>
>
> This change is to upgrade the Hadoop ADLS connector to enable new auth features exposed
by the ADLS Java SDK.
> Specifically:
> MSI Tokens: MSI (Managed Service Identity) is a way to provide an identity to an Azure
Service. In the case of VMs, they can be used to give an identity to a VM deployment. This
simplifies managing Service Principals, since the creds don’t have to be managed in core-site
files anymore. The way this works is that during VM deployment, the ARM (Azure Resource Manager)
template needs to be modified to enable MSI. Once deployed, the MSI extension runs a service
on the VM that exposes a token endpoint to http://localhost at a port specified in the template.
The SDK has a new TokenProvider to fetch the token from this local endpoint. This change would
expose that TokenProvider as an auth option.
> DeviceCode auth: This enables a token to be obtained from an interactive login. The user
is given a URL and a token to use on the login screen. User can use the token to login from
any device. Once the login is done, the token that is obtained is in the name of the user
who logged in. Note that because of the interactive login involved, this is not very suitable
for job scenarios, but can work for ad-hoc scenarios like running “hdfs dfs” commands.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message