[C++][FS][Azure] SAS token authentication #44308
Comments
take

I have it working to some extent, but as I feared there is a complexity with There are 2 options:

The option 1 is better, right? Let's try the option 1.

I thought so too but, after trying it, now I'm not so sure. I checked a few of the Azure SDKs (C++, Python, and golang) and it actually looks like none of them expose the Copy Blob API. I found the This is all looking rather complicated and I don't think we can generate the required bearer tokens with SAS or account key auth. So I think I'll stick with generating SAS tokens, and I think I will just bump their expiry a bit as a simple mitigation for the problem mentioned in azcopy where tokens expired during retries.

Ok, I think I finally worked it out
### Rationale for this change

SAS token auth is sometimes useful and it is the last one we haven't implemented.

### What changes are included in this PR?

- Implement `ConfigureSasCredential`
- Update `AzureOptions::FromUri` so that simply appending a SAS token to a blob storage URI works. e.g. `AzureOptions::FromUri("abfs://file_system@account.dfs.core.windows.net/?se=2024-12-12T18:57:47Z&sig=pAs7qEBdI6sjUhqX1nrhNAKsTY%2B1SqLxPK%2BbAxLiopw%3D&sp=racwdxylti&spr=https,http&sr=c&sv=2024-08-04")`
  - SAS tokens are made up of a bunch of URI query parameters that I'm not sure we can exhaustively list.
  - Therefore we now assume that any unrecognised URI query parameters are assumed to be part of a SAS token, instead of returning an error status.
- Update `CopyFile` to use StartCopyFromUri instead of CopyFromUri
  - This avoids the need to generate SAS tokens.
  - Supports blobs bigger than 256MiB
  - This makes #41315 redundant

### Are these changes tested?

Yes

- Added new tests for authenticating with SAS and doing some operations including `CopyFile`
- Added new tests for `AzureOptions::FromUri` with a SAS token.

I also made sure to run the tests which connect to real blob storage.

### Are there any user-facing changes?

- SAS token is now supported
- Unrecognised URI query parameters are ignored by `AzureOptions::FromUri` instead of failing fast. IMO this is a regression but still the best option to support SAS token.

* GitHub Issue: #44308

Authored-by: Thomas Newton <thomas.w.newton@gmail.com>
Signed-off-by: Sutou Kouhei <kou@clear-code.com>
Issue resolved by pull request 45021
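The `AzureOptions::FromUri` behaviour described in the commit message above (any unrecognised query parameter is taken to be part of the SAS token), as an added example that is not Arrow's implementation: it splits a URI query into recognised options and the SAS remainder, masks `sig` for logging, and reports a missing signature, which is how a mistyped option name shows up once parsing no longer fails fast. `SplitQuery`, `SplitSasFromQuery` and the option names in `kKnownOptions` are assumptions for illustration, and the sample URI is constructed.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>

struct SplitQuery {
  std::map<std::string, std::string> options;  // recognised filesystem options
  std::string sas_token;       // every other parameter, re-joined with '&'
  std::string redacted;        // sas_token with the sig value masked, for logs
  bool has_signature = false;  // false: leftovers are not a usable SAS token
  bool allows_http = false;    // spr lists plain http as a permitted protocol
};

// Added example: assumed option names, for illustration only.
static const std::set<std::string> kKnownOptions = {
    "enable_tls", "credential_kind", "blob_storage_authority",
    "dfs_storage_authority"};

static void Append(std::string& dst, const std::string& kv) {
  if (!dst.empty()) dst += '&';
  dst += kv;
}

SplitQuery SplitSasFromQuery(const std::string& uri) {
  SplitQuery out;
  const auto qpos = uri.find('?');
  if (qpos == std::string::npos) return out;
  std::istringstream query(uri.substr(qpos + 1));
  std::string pair;
  while (std::getline(query, pair, '&')) {
    if (pair.empty()) continue;
    const auto eq = pair.find('=');
    const std::string key = pair.substr(0, eq);
    const std::string value = eq == std::string::npos ? "" : pair.substr(eq + 1);
    if (kKnownOptions.count(key)) { out.options[key] = value; continue; }
    if (key == "sig") out.has_signature = !value.empty();
    if (key == "spr") out.allows_http = ("," + value + ",").find(",http,") != std::string::npos;
    Append(out.sas_token, pair);
    Append(out.redacted, key == "sig" ? "sig=REDACTED" : pair);
  }
  return out;
}
int main() {
  // Constructed URI; the sig value is a placeholder, not a real signature.
  const auto r = SplitSasFromQuery("abfs://fs@account.dfs.core.windows.net/?enable_tls=true&se=2024-12-12T18:57:47Z&sig=CONSTRUCTED&sp=r&spr=https,http&sr=c&sv=2024-08-04");
  std::cout << r.redacted << "\n";
  if (!r.has_signature) std::cerr << "no sig: check option names for typos\n";
}
```

A percent-encoded comma in `spr` (`%2C`) is not decoded here, so `allows_http` only recognises the literal comma form shown in the commit message's example URI.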
Describe the enhancement requested
Child of #38598
Add support for Azure CLI auth. Probably just accept the SAS token as an argument and use AzureSasCredential https://github.com/Azure/azure-sdk-for-cpp/blob/101f20f2bbf3dd5f6438565cd9f709a231317f77/sdk/tables/azure-data-tables/inc/azure/data/tables/credentials/azure_sas_credential.hpp#L16C9-L16C27. This should make the implementation very similar to all the other Azure auths.
One possible complication I'm aware of is in `CopyFile`, because this is implemented by generating a federated SAS token from whatever the original authentication was. I don't know if it's possible to get a federated SAS token when using SAS token auth.

Also I'm not sure we need to generate a federated SAS token to implement `CopyFile`. I think we should be able to use Copy Blob instead of Copy Blob From URL. I think the latter is only needed if the source is not in the same Azure blob storage account.

Component(s)
C++