[
https://issues.apache.org/jira/browse/HADOOP-18610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Haifeng Chen updated HADOOP-18610:
----------------------------------
Description:
In Jan 2023, Microsoft Azure AKS replaced its original pod-managed identity
with with [Azure Active Directory (Azure AD) workload
identities|https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview]
(preview), which integrate with the Kubernetes native capabilities to federate
with any external identity providers. This approach is simpler to use and
deploy.
Refer to
[https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview|https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview.]
and [https://azure.github.io/azure-workload-identity/docs/introduction.html]
for more details.
The basic use scenario is to access Azure cloud resources (such as cloud
storage) from Kubernetes (such as AKS) workload using Azure managed identity
federated with Kubernetes service account. The credential environment variables
in pod projected by Azure AD workload identity are like following:
AZURE_AUTHORITY_HOST: (Injected by the webhook,
[https://login.microsoftonline.com/])
AZURE_CLIENT_ID: (Injected by the webhook)
AZURE_TENANT_ID: (Injected by the webhook)
AZURE_FEDERATED_TOKEN_FILE: (Injected by the webhook,
/var/run/secrets/azure/tokens/azure-identity-token)
The token in the file pointed by AZURE_FEDERATED_TOKEN_FILE is a JWT (JASON Web
Token) client assertion token which we can use to request to
AZURE_AUTHORITY_HOST (url is AZURE_AUTHORITY_HOST + tenantId +
"/oauth2/v2.0/token") for a AD token which can be used to directly access the
Azure cloud resources.
This approach is very common and similar among cloud providers such as AWS and
GCP. Hadoop AWS integration has WebIdentityTokenCredentialProvider to handle
the same case.
The existing MsiTokenProvider can only handle the managed identity associated
with Azure VM instance. We need to implement a WorkloadIdentityTokenProvider
which handle Azure Workload Identity case. For this, we need to add one method
(getTokenUsingJWTAssertion) in AzureADAuthenticator which will be used by
WorkloadIdentityTokenProvider.
was:
In Jan 2023, Microsoft Azure AKS replaced its original pod-managed identity
with with [Azure Active Directory (Azure AD) workload
identities|https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview]
(preview), which integrate with the Kubernetes native capabilities to federate
with any external identity providers. This approach is simpler to use and
deploy.
Refer to for more details:
[https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview.]
The basic use scenario is to access Azure cloud resources (such as cloud
storage) from Kubernetes (such as AKS) workload using Azure managed identity
federated with Kubernetes service account. The credential environment variables
in pod projected by Azure AD workload identity are like following:
AZURE_AUTHORITY_HOST: (Injected by the webhook,
https://login.microsoftonline.com/)
AZURE_CLIENT_ID: (Injected by the webhook)
AZURE_TENANT_ID: (Injected by the webhook)
AZURE_FEDERATED_TOKEN_FILE: (Injected by the webhook,
/var/run/secrets/azure/tokens/azure-identity-token)
The token in the file pointed by AZURE_FEDERATED_TOKEN_FILE is a JWT (JASON Web
Token) client assertion token which we can use to request to
AZURE_AUTHORITY_HOST (url is AZURE_AUTHORITY_HOST + tenantId +
"/oauth2/v2.0/token") for a AD token which can be used to directly access the
Azure cloud resources.
This approach is very common and similar among cloud providers such as AWS and
GCP. Hadoop AWS integration has WebIdentityTokenCredentialProvider to handle
the same case.
The existing MsiTokenProvider can only handle the managed identity associated
with Azure VM instance. We need to implement a WorkloadIdentityTokenProvider
which handle Azure Workload Identity case. For this, we need to add one method
(getTokenUsingJWTAssertion)
in AzureADAuthenticator which will be used by WorkloadIdentityTokenProvider.
> ABFS OAuth2 Token Provider to support Azure Workload Identity for AKS
> ---------------------------------------------------------------------
>
> Key: HADOOP-18610
> URL: https://issues.apache.org/jira/browse/HADOOP-18610
> Project: Hadoop Common
> Issue Type: Improvement
> Components: tools
> Affects Versions: 3.3.4
> Reporter: Haifeng Chen
> Assignee: Haifeng Chen
> Priority: Critical
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> In Jan 2023, Microsoft Azure AKS replaced its original pod-managed identity
> with with [Azure Active Directory (Azure AD) workload
> identities|https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview]
> (preview), which integrate with the Kubernetes native capabilities to
> federate with any external identity providers. This approach is simpler to
> use and deploy.
> Refer to
> [https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview|https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview.]
> and [https://azure.github.io/azure-workload-identity/docs/introduction.html]
> for more details.
> The basic use scenario is to access Azure cloud resources (such as cloud
> storage) from Kubernetes (such as AKS) workload using Azure managed identity
> federated with Kubernetes service account. The credential environment
> variables in pod projected by Azure AD workload identity are like following:
> AZURE_AUTHORITY_HOST: (Injected by the webhook,
> [https://login.microsoftonline.com/])
> AZURE_CLIENT_ID: (Injected by the webhook)
> AZURE_TENANT_ID: (Injected by the webhook)
> AZURE_FEDERATED_TOKEN_FILE: (Injected by the webhook,
> /var/run/secrets/azure/tokens/azure-identity-token)
> The token in the file pointed by AZURE_FEDERATED_TOKEN_FILE is a JWT (JASON
> Web Token) client assertion token which we can use to request to
> AZURE_AUTHORITY_HOST (url is AZURE_AUTHORITY_HOST + tenantId +
> "/oauth2/v2.0/token") for a AD token which can be used to directly access
> the Azure cloud resources.
> This approach is very common and similar among cloud providers such as AWS
> and GCP. Hadoop AWS integration has WebIdentityTokenCredentialProvider to
> handle the same case.
> The existing MsiTokenProvider can only handle the managed identity associated
> with Azure VM instance. We need to implement a WorkloadIdentityTokenProvider
> which handle Azure Workload Identity case. For this, we need to add one
> method (getTokenUsingJWTAssertion) in AzureADAuthenticator which will be used
> by WorkloadIdentityTokenProvider.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
