Haifeng Chen created HADOOP-18610:
-------------------------------------

             Summary: ABFS OAuth2 Token Provider to support Azure Workload Identity for AKS
                 Key: HADOOP-18610
                 URL: https://issues.apache.org/jira/browse/HADOOP-18610
             Project: Hadoop Common
          Issue Type: Improvement
          Components: tools
    Affects Versions: 3.3.4
            Reporter: Haifeng Chen


In Jan 2023, Microsoft Azure AKS replaced its original pod-managed identity 
with [Azure Active Directory (Azure AD) workload 
identities|https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identities-overview]
 (preview), which integrate with the Kubernetes native capabilities to federate 
with any external identity provider. This approach is simpler to use and 
deploy.

For more details, refer to: 
[https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview]

The basic use scenario is to access Azure cloud resources (such as cloud 
storage) from a Kubernetes (such as AKS) workload using an Azure managed identity 
federated with a Kubernetes service account. The credential environment variables 
projected into the pod by Azure AD workload identity are as follows:

AZURE_AUTHORITY_HOST: (Injected by the webhook, https://login.microsoftonline.com/)
AZURE_CLIENT_ID: (Injected by the webhook)
AZURE_TENANT_ID: (Injected by the webhook)
AZURE_FEDERATED_TOKEN_FILE: (Injected by the webhook, /var/run/secrets/azure/tokens/azure-identity-token)

The token in the file pointed to by AZURE_FEDERATED_TOKEN_FILE is a JWT (JSON Web 
Token) client assertion token, which we can present to AZURE_AUTHORITY_HOST 
(the URL is AZURE_AUTHORITY_HOST + tenantId + "/oauth2/v2.0/token") to request 
an AD token that can then be used to directly access the Azure cloud resources.
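The exchange described above, as an added worked example (illustration only, not Hadoop's AzureADAuthenticator or any Azure SDK code): read the webhook-injected variables, build the client_credentials request that carries the projected JWT as a client assertion, and re-read the token file on every refresh because the projected token is short-lived and rotated. The storage scope constant is an assumption for the ABFS case.

```python
import base64
import json
import os
import time
from urllib.parse import urlencode

# Assumed for ABFS: a storage token is requested with the Azure Storage v2 scope.
STORAGE_SCOPE = "https://storage.azure.com/.default"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
REQUIRED = ("AZURE_AUTHORITY_HOST", "AZURE_TENANT_ID", "AZURE_CLIENT_ID",
            "AZURE_FEDERATED_TOKEN_FILE")

def workload_identity_config(env=None):
    """Collect the webhook-injected variables; fail loudly if one is missing."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("workload identity not projected, missing: %s" % missing)
    return {k: env[k] for k in REQUIRED}

def token_endpoint(authority_host, tenant_id):
    """AZURE_AUTHORITY_HOST + tenantId + "/oauth2/v2.0/token", as in the issue."""
    return authority_host.rstrip("/") + "/" + tenant_id + "/oauth2/v2.0/token"

def build_token_request(cfg, assertion, scope=STORAGE_SCOPE):
    """Return (url, form body) for the client_credentials + JWT-assertion grant."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["AZURE_CLIENT_ID"],
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
        "scope": scope,
    })
    return token_endpoint(cfg["AZURE_AUTHORITY_HOST"], cfg["AZURE_TENANT_ID"]), body

def jwt_claims(token):
    """Decode the payload only; Azure AD verifies the signature, we just read exp."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def read_assertion(cfg, now=None):
    """Re-read the projected file on every refresh: kubelet rotates the token,
    so caching its contents would eventually send an expired assertion."""
    with open(cfg["AZURE_FEDERATED_TOKEN_FILE"]) as f:
        token = f.read().strip()
    if jwt_claims(token)["exp"] <= (time.time() if now is None else now):
        raise RuntimeError("projected token already expired; wait for rotation")
    return token
```

The body returned by build_token_request is what gets POSTed (application/x-www-form-urlencoded) to the returned URL; the access_token in the JSON response is the AD token ABFS then sends as a bearer token.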

This approach is very common and similar among cloud providers such as AWS and 
GCP. Hadoop AWS integration has WebIdentityTokenCredentialProvider to handle 
the same case.

The existing MsiTokenProvider can only handle the managed identity associated 
with an Azure VM instance. We need to implement a WorkloadIdentityTokenProvider 
which handles the Azure Workload Identity case. For this, we need to add one method 
(getTokenUsingJWTAssertion) in AzureADAuthenticator which will be used by 
WorkloadIdentityTokenProvider.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)