[
https://issues.apache.org/jira/browse/HADOOP-19471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17938907#comment-17938907
]
ASF GitHub Bot commented on HADOOP-19471:
-----------------------------------------
anujmodi2021 commented on code in PR #7461:
URL: https://github.com/apache/hadoop/pull/7461#discussion_r2016329968
##########
hadoop-tools/hadoop-azure/src/site/markdown/abfs.md:
##########
@@ -754,22 +754,39 @@ requests. User can specify them as fixed SAS Token to be
used across all the req
</property>
```
- 1. Fixed SAS Token:
+ 2. Account SAS (Fixed SAS Token at Account Level):
+ ```xml
+ <property>
+ <name>fs.azure.sas.fixed.token.ACCOUNT_NAME</name>
+ <value>FIXED_ACCOUNT_SAS_TOKEN</value>
+ </property>
+ ```
+
+ - Replace `FIXED_ACCOUNT_SAS_TOKEN` with fixed Account/Service SAS. You
can also
+ generate SAS from Azure portal. Account -> Security + Networking ->
Shared Access Signature
+
+ 3. Service SAS (Fixed SAS Token at Container Level):
```xml
- <property>
- <name>fs.azure.sas.fixed.token</name>
- <value>FIXED_SAS_TOKEN</value>
- </property>
- ```
+ <property>
+ <name>fs.azure.sas.fixed.token.CONTAINER_NAME.ACCOUNT_NAME</name>
+ <value>FIXED_SAS_TOKEN</value>
+ </property>
+ ```
+
+ - Replace `FIXED_SERVICE_SAS_TOKEN` with fixed Service SAS. You can also
+ generate SAS from Azure portal. Account -> Data storage -> Containers ->
+ right click on your container and select generate SAS ->
+ Give valid permissions and expiry time -> Click on generate SAS and copy
+ the SAS token.
- Replace `FIXED_SAS_TOKEN` with fixed Account/Service SAS. You can also
-generate SAS from Azure portal. Account -> Security + Networking -> Shared
Access Signature
- **Security**: Account/Service SAS requires account keys to be used which
makes
them less secure. There is no scope of having delegated access to different
users.
-*Note:* When `fs.azure.sas.token.provider.type` and `fs.azure.fixed.sas.token`
-are both configured, precedence will be given to the custom token provider
implementation.
+*Note:*
+- When both account SAS and service SAS are configured, precedence will be
given to the service SAS.
+- When `fs.azure.sas.token.provider.type` and `fs.azure.fixed.sas.token`
+ are both configured, precedence will be given to the custom token provider
implementation.
Review Comment:
Preference order will be:
fs.azure.sas.token.provider.type
fs.azure.sas.fixed.token.CONTAINER_NAME.ACCOUNT_NAME
fs.azure.sas.fixed.token.ACCOUNT_NAME
fs.azure.sas.fixed.token
Right?
##########
hadoop-tools/hadoop-azure/src/site/markdown/abfs.md:
##########
@@ -754,22 +754,39 @@ requests. User can specify them as fixed SAS Token to be
used across all the req
</property>
```
- 1. Fixed SAS Token:
+ 2. Account SAS (Fixed SAS Token at Account Level):
+ ```xml
+ <property>
+ <name>fs.azure.sas.fixed.token.ACCOUNT_NAME</name>
+ <value>FIXED_ACCOUNT_SAS_TOKEN</value>
+ </property>
+ ```
+
+ - Replace `FIXED_ACCOUNT_SAS_TOKEN` with fixed Account/Service SAS. You
can also
+ generate SAS from Azure portal. Account -> Security + Networking ->
Shared Access Signature
+
+ 3. Service SAS (Fixed SAS Token at Container Level):
```xml
- <property>
- <name>fs.azure.sas.fixed.token</name>
- <value>FIXED_SAS_TOKEN</value>
- </property>
- ```
+ <property>
+ <name>fs.azure.sas.fixed.token.CONTAINER_NAME.ACCOUNT_NAME</name>
+ <value>FIXED_SAS_TOKEN</value>
+ </property>
+ ```
+
+ - Replace `FIXED_SERVICE_SAS_TOKEN` with fixed Service SAS. You can also
+ generate SAS from Azure portal. Account -> Data storage -> Containers ->
+ right click on your container and select generate SAS ->
+ Give valid permissions and expiry time -> Click on generate SAS and copy
+ the SAS token.
- Replace `FIXED_SAS_TOKEN` with fixed Account/Service SAS. You can also
-generate SAS from Azure portal. Account -> Security + Networking -> Shared
Access Signature
- **Security**: Account/Service SAS requires account keys to be used which
makes
them less secure. There is no scope of having delegated access to different
users.
-*Note:* When `fs.azure.sas.token.provider.type` and `fs.azure.fixed.sas.token`
-are both configured, precedence will be given to the custom token provider
implementation.
+*Note:*
+- When both account SAS and service SAS are configured, precedence will be
given to the service SAS.
+- When `fs.azure.sas.token.provider.type` and `fs.azure.fixed.sas.token`
+ are both configured, precedence will be given to the custom token provider
implementation.
Review Comment:
We should specify exact order of preference also, it should be clear what if
all three are configured.
> ABFS: Support Fixed SAS token at container level
> -------------------------------------------------
>
> Key: HADOOP-19471
> URL: https://issues.apache.org/jira/browse/HADOOP-19471
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/azure
> Affects Versions: 3.4.0, 3.4.1
> Reporter: Manika Joshi
> Assignee: Manika Joshi
> Priority: Major
> Labels: pull-request-available
>
> The ABFS driver currently lacks support for multiple SAS tokens for the same
> storage account across different containers.
> We are now introducing this support.
> To use fixed SAS token at container level the configuration to be used is:
> {quote}fs.azure.sas.fixed.token.<container-name>.<storage-account-name>
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
