Support Microsoft Entra ID authentication to Azure. #4126
Conversation
|
This pull request has been linked to Shortcut Story #25944: Support Active Directory authentication to Azure.. |
teo-tsirpanis
force-pushed
the
azure-ad
branch
2 times, most recently
from
41f112b to
c80b8bd
Compare
teo-tsirpanis
force-pushed
the
azure-ad
branch
2 times, most recently
from
6c4b189 to
91ae487
Compare
teo-tsirpanis
changed the title
With the conda feedstock being ready to get the Azure SDK from conda-forge (conda-forge/tiledb-feedstock#205), there is little value in adding yet another external project for `azure-identity-cpp`, to keep supporting Azure with the legacy external projects system.
…ntity credentials as well.
teo-tsirpanis
force-pushed
the
azure-ad
branch
from
14ed0b3 to
b79a945
Compare
|
Closing for now. We don't have time to test the authentication properly at the moment. It's still a good change and we can re-open this PR when we prioritize the shortcut story. |
|
Validated successfully on the real Azure. I followed these steps:
Footnotes |
There was a problem hiding this comment.
I would like to see the same concerns addressed as in the GCS PR here.
In addition, I see that this is changing a lot on the build, probably because we now need more components and it's easier to get those from VCPKG. I need confirmation that this will not end up breaking dependencies like SOMA, mariaBD before we merge this change.
tiledb/sm/filesystem/azure.cc
Outdated
| try { | ||
| ::Azure::Core::Credentials::TokenCredentialOptions cred_options; | ||
| cred_options.Retry = options.Retry; | ||
| cred_options.Transport = options.Transport; |
tiledb/sm/filesystem/azure.cc
Outdated
| // If a token is not available we wouldn't know it until we make a | ||
| // request and it would be too late. Try getting a token, and if it | ||
| // fails fall back to anonymous authentication. |
There was a problem hiding this comment.
For simplicity, instead of trying to fetch a token during initialization, I am thinking of enabling Entra ID authentication by default unless:
- A storage key or SAS token is specified.
- A custom endpoint is specified with the
httpprotocol. - A new config option
vfs.azure.disable_token_authis enabled.
What do you think?
There was a problem hiding this comment.
Most existing use cases would not be broken since they already specify a shared key.
There was a problem hiding this comment.
@robertbindar @KiterLuc thoughts on this? And if we don't add the config option to disable it now, can we do it in a subsequent PR/release?
There was a problem hiding this comment.
@teo-tsirpanis I think it's better if we move this work in incremental steps. The current implementation you have here keeps the behavior we currently have intact. I'd go with this, then try to do config+no token in a PR past this release.
There was a problem hiding this comment.
+1 on Robert's comment. @teo-tsirpanis, we can file a follow up story.
| find_package(AzureCore_EP REQUIRED) | ||
| find_package(AzureStorageCommon_EP REQUIRED) | ||
| find_package(AzureStorageBlobs_EP REQUIRED) | ||
| if (NOT WIN32) | ||
| if (NOT TARGET LibXml2::LibXml2) | ||
| find_package(LibXml2 REQUIRED) | ||
| endif() | ||
| endif() | ||
| target_link_libraries(TILEDB_CORE_OBJECTS_ILIB | ||
| INTERFACE | ||
| Azure::azure-storage-blobs | ||
| Azure::azure-storage-common | ||
| Azure::azure-core) | ||
| # Link xml after Azure to allow symbol resolution on all platforms | ||
| if (NOT WIN32) | ||
| target_link_libraries(TILEDB_CORE_OBJECTS_ILIB INTERFACE LibXml2::LibXml2) | ||
| endif() | ||
| endif() |
There was a problem hiding this comment.
This part is used only if vcpkg is disabled, which no longer happens in first-party code.
Regarding the new dependency, Conda will need to be updated to add azure-identity-cpp in the requirements, and an empty vcpkg port overlay.
There was a problem hiding this comment.
This PR looks good to me, minor code structure suggestions.
I would be more comfortable with all the build changes here (removal of non-vcpkg cmake code) if #4570 would already be in and things would scream if we'd still have any builds with -DTILEDB_VCPKG=OFF.
I'll reproduce asap Theo's steps for manually testing this, in the meantime it'd be lovely to get a confirmation on this statement, @ihnorton can you help out?
Regarding the new dependency, Conda will need to be updated to add azure-identity-cpp in the requirements, and an empty vcpkg port overlay.
tiledb/sm/filesystem/azure.cc
Outdated
| @@ -79,9 +80,12 @@ std::string get_config_with_env_fallback( | |||
| } | |||
|
|
|||
| std::string get_blob_endpoint( | |||
| const Config& config, const std::string& account_name) { | |||
There was a problem hiding this comment.
definitely a new function for checking if there is a sas token.
| @@ -192,15 +196,57 @@ Azure::AzureClientSingleton::get(const AzureParameters& params) { | |||
| make_shared<::Azure::Storage::StorageSharedKeyCredential>( | |||
| HERE(), params.account_name_, params.account_key_), | |||
| options)); | |||
| } else { | |||
There was a problem hiding this comment.
we should return early here the client if not nullptr, it'll help us get rid of the some if levels.
|
Merging so that we can test the build changes early. @robertbindar will validate further and make fixes if required before we ship. |
SC-25944
To authenticate to Azure, we currently support shared keys and SAS tokens. The former have the disadvantage of being discouraged by Microsoft and the latter have the disadvantage of having a usually short expiry time (edit: and being impossible to individually revoke).
This PR adds support for Microsoft Entra ID authentication (formerly known as Azure Active Directory), which is what Microsoft recommends. It will be used for HTTPS endpoints if neither a shared key or SAS token are specified in the config. We use the
ChainedTokenCredentialclass from theazure-identity-cpppackage, and try to get credentials from the following sources in order:At initialization time we try to fetch an Active Directory token. If all three credential sources fail, we fall back to anonymous authentication.
TODO
TYPE: FEATURE
DESC: Support Microsoft Entra ID authentication to Azure.