[Tables] Multi tenant authentication #17525
Conversation
|
This pull request is protected by Check Enforcer. What is Check Enforcer?Check Enforcer helps ensure all pull requests are covered by at least one check-run (typically an Azure Pipeline). When all check-runs associated with this pull request pass then Check Enforcer itself will pass. Why am I getting this message?You are getting this message because Check Enforcer did not detect any check-runs being associated with this pull request within five minutes. This may indicate that your pull request is not covered by any pipelines and so Check Enforcer is correctly blocking the pull request being merged. What should I do now?If the check-enforcer check-run is not passing and all other check-runs associated with this PR are passing (excluding license-cla) then you could try telling Check Enforcer to evaluate your pull request again. You can do this by adding a comment to this pull request as follows: What if I am onboarding a new service?Often, new services do not have validation pipelines associated with them. In order to bootstrap pipelines for a new service, please perform following steps: For track 2 SDKs Issue the following command as a pull request comment:
|
|
/azp run go - aztables |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| ) | ||
|
|
||
| // ClientOptions are the optional parameters for the NewClient method | ||
| type ClientOptions struct { | ||
| azcore.ClientOptions | ||
| } | ||
|
|
||
| func (c *ClientOptions) toPolicyOptions() *azcore.ClientOptions { | ||
| return &azcore.ClientOptions{ | ||
| func (c *ClientOptions) toPolicyOptions() *policy.ClientOptions { |
There was a problem hiding this comment.
should we make it possible to disable the tenant discovery behavior through clientOptions?
There was a problem hiding this comment.
Did you add that for .NET in storage? I don't have it in the KV clients, but if it's included in other languages I can add it in Go
|
/azp run go - aztables |
|
Azure Pipelines failed to run 1 pipeline(s). |
|
|
||
| // Atomically, update the shared resource's new value & expiration. | ||
| er.cond.L.Lock() | ||
| if err == nil { |
There was a problem hiding this comment.
The latest version of this, in azcore/internal/shared, is more resilient to transient failures
There was a problem hiding this comment.
If this code is going to be used in multiple places, can it be moved to internal instead?
There was a problem hiding this comment.
I like that better than vendoring our own code but I think we want to extend azcore/runtime.BearerTokenPolicy (#17554) and share that instead of ExpiringResource.
There was a problem hiding this comment.
I agree with Charles, are we ok with adding this for now and migrating later or do we want to make the migration into core now?
| s.req.Raw().Context(), | ||
| policy.TokenRequestOptions{ | ||
| Scopes: []string{*s.p.scope}, | ||
| TenantID: *s.p.scope, |
There was a problem hiding this comment.
This won't work with azidentity credentials until we address #14932. I thought we intended to remove this field to avoid suggesting it might have an effect; @jhendrixMSFT do you recall discussing that?
There was a problem hiding this comment.
If that's the case, wouldn't this fail for keyvault which uses the same logic?
Reference: https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/keyvault/internal/challenge_policy.go#L223-L236
There was a problem hiding this comment.
Only when the resource isn't in the credential's configured tenant. You would need to ensure it isn't in order to test multitenancy (the live test you're adding here doesn't).
Adds a challenge policy for clients created with an azidentity credential
#17332