[ https://issues.apache.org/jira/browse/HADOOP-19628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18041324#comment-18041324 ]

Lotte Felius edited comment on HADOOP-19628 at 11/28/25 3:07 PM:
-----------------------------------------------------------------

Hi [~anujmodi]

That is actually not what I was looking for. MsiTokenProvider is an older 
version of the _unimplemented_ Managed Identity Token provider. Basically, the 
difference between MsiTokenProvider and ManagedIdentityTokenProvider is the 
name and the absence of clientId and tenantId.

If you now use Azure, and want to access the machine using either or both 
"_User Assigned Managed Identity_" or "_System Assigned Managed Identity_" + 
Spark (3.5) + hadoop-azure (3.3.6), this throws an error that 
ManagedIdentityTokenProvider does not exist, or it falls back to 
MsiTokenProvider and keeps asking for a clientId or tenantId, which are not 
available for the ManagedIdentityTokenProvider.

The Managed Identity Token provider is not available yet in any +open source+ 
version of Hadoop-azure, as far as I know.

During my time at Microsoft, I created a fix for this, which completely worked 
fine. However, the code is not polished and could be improved before PR'ed:

Patch is in this branch:
https://github.com/ccfelius/hadoop/tree/release-3.3.6-patch, all necessary code 
is in this commit:
https://github.com/ccfelius/hadoop/commit/d028c6553f33a757028d53e63f379c093292c7e4

Like I said, it could be implemented way more efficiently but I do not have 
free access to Azure machines anymore.




was (Author: JIRAUSER310390):
Hi [~anujmodi]

That is actually not what I was looking for. MsiTokenProvider is an older 
version of the _unimplemented_ Managed Identity Token provider. Basically, the 
difference between MsiTokenProvider and ManagedIdentityTokenProvider is the 
name, but also the fact that there are no clientId or tenantId necessary for 
access anymore.

If you now use Azure, and want to access the machine using either or both 
"_User Assigned Managed Identity_" or "_System Assigned Managed Identity_" + 
Spark (3.5) + hadoop-azure (3.3.6), this throws an error that 
ManagedIdentityTokenProvider does not exist, or it falls back to 
MsiTokenProvider and keeps asking for a clientId or tenantId, which are not 
available for the ManagedIdentityTokenProvider.

The Managed Identity Token provider is not available yet in any +open source+ 
version of Hadoop-azure, as far as I know.

During my time at Microsoft, I created a fix for this, which completely worked 
fine. However, the code is not polished and could be improved before PR'ed:

Patch is in this branch:
https://github.com/ccfelius/hadoop/tree/release-3.3.6-patch, all necessary code 
is in this commit:
https://github.com/ccfelius/hadoop/commit/d028c6553f33a757028d53e63f379c093292c7e4

Like I said, it could be implemented way more efficiently but I do not have 
free access to Azure machines anymore.



> Managed Identity Token Provider is not implemented
> --------------------------------------------------
>
>                 Key: HADOOP-19628
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19628
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>    Affects Versions: 3.3.6
>         Environment: All
>            Reporter: Lotte Felius
>            Priority: Blocker
>              Labels: Azure, authentication, features
>             Fix For: 3.3.6
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Managed Identity Token Provider is not implemented in the hadoop-azure jar. 
> Now, if one wants to use either User Assigned Managed Identity or System 
> Assigned Managed Identity in Azure, this will throw an error because it's not 
> implemented yet.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
