[jira] [Work logged] (HADOOP-17363) ABFS does not work with OAuth 2.0: Username and Password

ASF GitHub Bot (Jira) Sat, 07 Nov 2020 08:34:45 -0800


     [ 
https://issues.apache.org/jira/browse/HADOOP-17363?focusedWorklogId=508776&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-508776
 ]


ASF GitHub Bot logged work on HADOOP-17363:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Nov/20 16:33
            Start Date: 07/Nov/20 16:33
    Worklog Time Spent: 10m 
      Work Description: matsushita-shin opened a new pull request #2445:
URL: https://github.com/apache/hadoop/pull/2445


   https://hadoop.apache.org/docs/current/hadoop-azure/abfs.html
   
   I have tried OAuth 2.0 authentication with the username and password written 
above.
   However, it failed with the following exception.
   
   ~~~
   Exception in thread "main" HTTP Error 400; 
url='https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token'
 AADToken: HTTP connection to 
https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
 failed for getting token from AzureAD.; 
requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX'; 
contentType='application/json; charset=utf-8'; response 
'{"error":"unauthorized_client","error_description":"AADSTS700016: Application 
with identifier 'jiro' was not found in the directory 
'3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application has 
not been installed by the administrator of the tenant or consented to by any 
user in the tenant. You may have sent your authentication request to the wrong 
tenant.\r\nTrace ID: 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID: 
4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07 
11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07 
11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException:
 HTTP Error 400; 
url='https://login.microsoftonline.com/3070a5de-410e-4885-b6cd-95fe759ced2b/oauth2/token'
 AADToken: HTTP connection to 
https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
 failed for getting token from AzureAD.; 
requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX'; 
contentType='application/json; charset=utf-8'; response 
'{"error":"unauthorized_client","error_description":"AADSTS700016: Application 
with identifier 'jiro' was not found in the directory 
'3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application has 
not been installed by the administrator of the tenant or consented to by any 
user in the tenant. You may have sent your authentication request to the wrong 
tenant.\r\nTrace ID: 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID: 
4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07 
11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07 
11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
        at 
org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:215)
        at 
org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:134)
        at 
org.apache.hadoop.fs.azurebfs.services.AbfsClient.createPath(AbfsClient.java:293)
        at 
org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.createDirectory(AzureBlobFileSystemStore.java:445)
        at 
org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.mkdirs(AzureBlobFileSystem.java:409)
        at org.apache.hadoop.fs.FileSystem.mkdirs(FileSystem.java:2355)
        at com.sample.HelloWorld.main(HelloWorld.java:116)
   Caused by: 
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException: HTTP 
Error 400; 
url='https://login.microsoftonline.com/3070a5de-410e-XXXX-XXXXXXXXXXXX/oauth2/token'
 AADToken: HTTP connection to 
https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
 failed for getting token from AzureAD.; 
requestId='187c97a4-82a0-4b36-b764-a3b8b1c45201'; 
contentType='application/json; charset=utf-8'; response 
'{"error":"unauthorized_client","error_description":"AADSTS700016: Application 
with identifier 'jiro' was not found in the directory 
'3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application has 
not been installed by the administrator of the tenant or consented to by any 
user in the tenant. You may have sent your authentication request to the wrong 
tenant.\r\nTrace ID: 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID: 
4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07 
11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07 
11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
        at 
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenSingleCall(AzureADAuthenticator.java:394)
        at 
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:291)
        at 
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:273)
        at 
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenUsingClientCreds(AzureADAuthenticator.java:96)
        at 
org.apache.hadoop.fs.azurebfs.oauth2.UserPasswordTokenProvider.refreshToken(UserPasswordTokenProvider.java:54)
        at 
org.apache.hadoop.fs.azurebfs.oauth2.AccessTokenProvider.getToken(AccessTokenProvider.java:50)
        at 
org.apache.hadoop.fs.azurebfs.services.AbfsClient.getAccessToken(AbfsClient.java:670)
        at 
org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:168)
        ... 6 more
   ~~~
   
   The cause of the error seems to be that UserPasswordTokenProvider is calling 
getTokenUsingClientCreds() for the service principal.
   
   https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
   
   I checked the API specifications of Azure and fixed the cause of this error.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 508776)
    Remaining Estimate: 0h
            Time Spent: 10m

> ABFS does not work with OAuth 2.0: Username and Password
> --------------------------------------------------------
>
>                 Key: HADOOP-17363
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17363
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/azure
>    Affects Versions: 3.3.0
>            Reporter: Matsushita Shin
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> https://hadoop.apache.org/docs/current/hadoop-azure/abfs.html
> I have tried OAuth 2.0 authentication with the username and password written 
> above.
> However, it failed with the following exception.
> ~~~
> Exception in thread "main" HTTP Error 400; 
> url='https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token'
>  AADToken: HTTP connection to 
> https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
>  failed for getting token from AzureAD.; 
> requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX'; 
> contentType='application/json; charset=utf-8'; response 
> '{"error":"unauthorized_client","error_description":"AADSTS700016: 
> Application with identifier 'jiro' was not found in the directory 
> '3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application 
> has not been installed by the administrator of the tenant or consented to by 
> any user in the tenant. You may have sent your authentication request to the 
> wrong tenant.\r\nTrace ID: 
> 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID: 
> 4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07 
> 11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07 
> 11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException:
>  HTTP Error 400; 
> url='https://login.microsoftonline.com/3070a5de-410e-4885-b6cd-95fe759ced2b/oauth2/token'
>  AADToken: HTTP connection to 
> https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
>  failed for getting token from AzureAD.; 
> requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX'; 
> contentType='application/json; charset=utf-8'; response 
> '{"error":"unauthorized_client","error_description":"AADSTS700016: 
> Application with identifier 'jiro' was not found in the directory 
> '3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application 
> has not been installed by the administrator of the tenant or consented to by 
> any user in the tenant. You may have sent your authentication request to the 
> wrong tenant.\r\nTrace ID: 
> 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID: 
> 4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07 
> 11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07 
> 11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
>       at 
> org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:215)
>       at 
> org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:134)
>       at 
> org.apache.hadoop.fs.azurebfs.services.AbfsClient.createPath(AbfsClient.java:293)
>       at 
> org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.createDirectory(AzureBlobFileSystemStore.java:445)
>       at 
> org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.mkdirs(AzureBlobFileSystem.java:409)
>       at org.apache.hadoop.fs.FileSystem.mkdirs(FileSystem.java:2355)
>       at com.sample.HelloWorld.main(HelloWorld.java:116)
> Caused by: 
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException: HTTP 
> Error 400; 
> url='https://login.microsoftonline.com/3070a5de-410e-XXXX-XXXXXXXXXXXX/oauth2/token'
>  AADToken: HTTP connection to 
> https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
>  failed for getting token from AzureAD.; 
> requestId='187c97a4-82a0-4b36-b764-a3b8b1c45201'; 
> contentType='application/json; charset=utf-8'; response 
> '{"error":"unauthorized_client","error_description":"AADSTS700016: 
> Application with identifier 'jiro' was not found in the directory 
> '3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application 
> has not been installed by the administrator of the tenant or consented to by 
> any user in the tenant. You may have sent your authentication request to the 
> wrong tenant.\r\nTrace ID: 
> 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID: 
> 4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07 
> 11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07 
> 11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
>       at 
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenSingleCall(AzureADAuthenticator.java:394)
>       at 
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:291)
>       at 
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:273)
>       at 
> org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenUsingClientCreds(AzureADAuthenticator.java:96)
>       at 
> org.apache.hadoop.fs.azurebfs.oauth2.UserPasswordTokenProvider.refreshToken(UserPasswordTokenProvider.java:54)
>       at 
> org.apache.hadoop.fs.azurebfs.oauth2.AccessTokenProvider.getToken(AccessTokenProvider.java:50)
>       at 
> org.apache.hadoop.fs.azurebfs.services.AbfsClient.getAccessToken(AbfsClient.java:670)
>       at 
> org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:168)
>       ... 6 more
> ~~~
> The cause of the error seems to be that UserPasswordTokenProvider is calling 
> getTokenUsingClientCreds() for the service principal.
> https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
> I checked the API specifications of Azure and fixed the cause of this error.
> After this, I plan to create a Pull Request.
> Best regards,
> Shin



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Work logged] (HADOOP-17363) ABFS does not work with OAuth 2.0: Username and Password

Reply via email to