Azure: GetTokenCredential optionally disable certain auth methods #3183
Comments
|
Alternatively, the function could be made “smart” and based on the metadata fields the user passes it could identify what authentication method it is attempting and just try that always. |
that may be a breaking change depending on the usecase and the users currently setting unneeded metadata fields but that are able to successfully authenticate thanks to other auth methods being tried |
|
I don't think using environment variables are the right approach because it applies daprd wide rather than being scoped to a single component- which is much more inline with the multiple components to a single dapr model. As @guergabo suggests, I think this should be configured via a component metadata field. I'd expect a single field |
|
I think empty string should mean no auth method is attempted. |
you need this to be backwards compatible |
It is, previous deployments will not be setting the |
|
Yes I agree this is a good feature. Also agree we should use a metadata property per-component. Strongly disagree that "unset != empty". In our metadata we always consider empty to be the same as unset. Not doing so can cause unnecessary confusion as users need to be aware of the 3 possible states (unset, empty, set) rather than just 2 (empty or not empty). Additionally, it makes no sense to attempt no auth method in this case. So something like This can be implemented in the shared azure auth package. If you're up for it, PRs are welcome :) |
ItalyPaleAle
added
help wanted
|
would you accept using a more generic metadata option, such as there is a problem across all components in regards to being able to automatically identify which auth profile is being used and a generic metadata such as i.e this is something that the kafka components already implement there is the common Recognizing that the azure components have this problem and having the kafka component already address this in an elegant way, we could put in place a solution that works for all components |
This is a very separate issue from the one that was discussed in the first message :) I am not sure I agree with this statement:
I would say that most components are fine right now, as they can determine the auth method to use depending on what metadata options are passed. For example, take the Cosmos DB state store: this can already detect if Azure AD is to be used depending on whether the "masterkey" is passed or not. Components like Kafka (and to a lesser extent, Postgres and SQL Server which have the "useAzureAD" boolean) are arguably the exception here. Although the current method is more implicit, we haven't heard feedback that it was a significant source of confusion for users so far. I am not sure an explicit method is strictly necessary. This issue however is very different from what was the original issue opened here, which is that there is a legit need to control certain authentication methods used by Azure AD to retrieve a token. This is very specific to Azure AD and is for some advanced scenarios only. Now, given this premise and going back to this:
I think this is something that should be discussed further, but possibly in a separate issue where all maintainers of this repo can chime in. One thing is adding a metadata property for Azure AD only, but if we are talking something generic that impacts all components, then I'd like to get the majority of maintainers on board with this first. I think the first step would be to do an audit of what auth methods each component supports, and if there's more than one, how they are chosen. |
|
I agree my last comment is deviated from the original reason of this issue, I was testing the waters 😄 Anyway, to confirm with your proposal:
I agree this can be implemented, its quite localized and could be easy to do. If I find the time I can do it, or anyone else interested is free to jump in. Lastly, in regards to finding a generic solution across components, I'll try to create an issue to see if it sparks some interest. |
|
So the only feature we are discussing here is: Whatever we do here, lets not change the default. I absolutely want to retain the behavior that Managed Identity Credential and Azure CLI credential will be tried by default. @famarting, the maintainers that have authored this code are @ItalyPaleAle and I (@berndverst) with myself having made the most recent changes there. For anything related to Azure auth, only the two of us need to sign off on the plan (and in fact other maintainers should not make decisions for the Azure experience). At a high level the code would be something like the following:
Please do not change any of the details for how any given auth method works. Only connect the ordering of operations to the creation of the ChainedTokenCredential. As the code states, the ChainedTokenCredential is what actually executes the auth methods in order. components-contrib/internal/authentication/azure/auth.go Lines 202 to 205 in 20a46e6 Thanks! @ItalyPaleAle I'd called it generically |
While we can distinguish between empty and unset with a string pointer in the metadata, I agree with @ItalyPaleAle that this is confusing. Let's just use the special words |
|
I'll tackle this tomorrow. Should be super quick. Unless you have started looking into it @famarting :) |
|
I haven't started, thanks @berndverst |
|
I'm done with the PR. @famarting see #3217 |
Describe the feature
for all azure based components they use this function for authentication https://github.com/dapr/components-contrib/blob/master/internal/authentication/azure/auth.go#L116
this function tries several authentication methods sequentially and returns the token for the first auth method that succeeds... however there are certain usecases when a user or a system admin does not want to allow certain auth methods to even be tried... and with the current implementation on failure scenarios all auth methods will always be tried, which will produce noisy and confusing errors
this could be improved simply using environment variables, i.e
DISABLE_AZURE_MI_AUTHto disable specific auth methods, so ifDISABLE_AZURE_MI_AUTHis set to true the azure components would skip and not even try the azure managed identity auth method.Release Note
RELEASE NOTE: ADD Options to disable adhoc azure auth methods
The text was updated successfully, but these errors were encountered: