[ 
https://issues.apache.org/jira/browse/HADOOP-19736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18041051#comment-18041051
 ] 

ASF GitHub Bot commented on HADOOP-19736:
-----------------------------------------

bhattmanish98 commented on code in PR #8051:
URL: https://github.com/apache/hadoop/pull/8051#discussion_r2568503378


##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/AbfsConfiguration.java:
##########
@@ -1240,9 +1240,11 @@ public int getNumLeaseThreads() {
   }
 
   public boolean getCreateRemoteFileSystemDuringInitialization() {
-    // we do not support creating the filesystem when AuthType is SAS
+    // we do not support creating the filesystem when AuthType is SAS or 
UserboundSASWithOAuth
     return this.createRemoteFileSystemDuringInitialization
-        && this.getAuthType(this.accountName) != AuthType.SAS;
+        && this.getAuthType(this.accountName) != AuthType.SAS
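Review bot: the updated comment in getCreateRemoteFileSystemDuringInitialization() now names UserboundSASWithOAuth, while the condition quoted here stops at the AuthType.SAS comparison, so the comment and the check have to be kept in step by hand. If the continuation adds a second this.getAuthType(this.accountName) comparison, resolve the auth type once into a local variable and compare against that, so both checks read the same value.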

Review Comment:
   We have used this statement in multiple places to check whether the auth 
type is SAS or UserBoundSAS. Wouldn't it be better to have a method which 
returns true if AuthType is SAS or UserBoundSAS, else false?



##########
hadoop-tools/hadoop-azure/src/site/markdown/index.md:
##########
@@ -416,7 +432,7 @@ the key names are slightly different here.
 </property>
 ```
 
-### <a name="oauth-user-and-passwd"></a> OAuth 2.0: Username and Password
+#### <a name="oauth-user-and-passwd"></a> Username and Password
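Review bot: the new heading drops the "OAuth 2.0:" prefix, so "Username and Password" only reads as an OAuth flow if a parent heading above it says so, and that parent is not visible in this hunk. Either keep the prefix or make sure the enclosing section title carries it. The oauth-user-and-passwd anchor is unchanged, which keeps existing links working.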

Review Comment:
   What is the need for this change?



##########
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/AbfsConfiguration.java:
##########
@@ -1415,7 +1417,7 @@ public boolean shouldTrackLatency() {
 
   public AccessTokenProvider getTokenProvider() throws 
TokenAccessProviderException {
     AuthType authType = getEnum(FS_AZURE_ACCOUNT_AUTH_TYPE_PROPERTY_NAME, 
AuthType.SharedKey);
-    if (authType == AuthType.OAuth) {
+    if (authType == AuthType.OAuth || authType == 
AuthType.UserboundSASWithOAuth) {
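Review bot: the widened condition in getTokenProvider() has no comment saying why UserboundSASWithOAuth takes the OAuth token-provider path. Add a one-line comment here; the issue text describes this auth type as needing an Entra access token alongside the SAS, and that is the reason a reader needs at this branch. This method also reads the auth type through getEnum(FS_AZURE_ACCOUNT_AUTH_TYPE_PROPERTY_NAME, AuthType.SharedKey) while getCreateRemoteFileSystemDuringInitialization() uses getAuthType(this.accountName), so a shared helper for these checks should settle on one of the two.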

Review Comment:
   Same as above.



##########
hadoop-tools/hadoop-azure/src/site/markdown/index.md:
##########
@@ -549,7 +565,7 @@ The Azure Portal/CLI is used to create the service identity.
 </property>
 ```
 
-### <a name="workload-identity"></a> Azure Workload Identity
+#### <a name="workload-identity"></a> Azure Workload Identity

Review Comment:
   Not needed



##########
hadoop-tools/hadoop-azure/src/site/markdown/index.md:
##########
@@ -501,7 +517,7 @@ With an existing Oauth 2.0 token, make a request to the 
Active Directory endpoin
 </property>
 ```
 
-### <a name="managed-identity"></a> Azure Managed Identity
+#### <a name="managed-identity"></a> Azure Managed Identity

Review Comment:
   This change is not needed.





> ABFS: Support for new auth type: User-bound SAS
> -----------------------------------------------
>
>                 Key: HADOOP-19736
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19736
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: fs/azure
>    Affects Versions: 3.4.1, 3.4.2
>            Reporter: Manika Joshi
>            Assignee: Manika Joshi
>            Priority: Major
>              Labels: pull-request-available
>
> Adding support for new authentication type: user bound SAS
> User-bound SAS (Shared Access Signature) binds a SAS token to a specific user 
> identity rather than just granting access based on possession of the token. 
> This approach addresses key vulnerabilities in previous SAS mechanisms.
> The SAS token for it includes identity-binding parameters (e.g., skdutid, 
> sduoid) that correspond to the user’s Entra tenant and object ID.
> When accessing storage, the user must present a valid Entra access token 
> matching these parameters.
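
The identity binding described in the issue, as an added example in Java (not code from PR #8051 or from hadoop-azure): a client-side pre-flight check that a SAS query string carries skdutid and sduoid and that they match the tid and oid claims of the Entra access token about to be sent. The mapping of skdutid to tid and sduoid to oid, the class and method names, and all sample values are assumptions; the token signature is not verified here, so the storage service remains the authoritative check.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class UserBoundSasPreflight {
  // Split a SAS query string into URL-decoded key/value pairs.
  static Map<String, String> parseSas(String sas) {
    Map<String, String> params = new HashMap<>();
    for (String pair : sas.replaceFirst("^\\?", "").split("&")) {
      int eq = pair.indexOf('=');
      if (eq > 0) {
        params.put(pair.substring(0, eq),
            URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
      }
    }
    return params;
  }

  // Read one string claim from the JWT payload. The signature is NOT verified here.
  static String claim(String jwt, String name) {
    String[] parts = jwt.split("\\.");
    if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
    String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    var m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
    return m.find() ? m.group(1) : null;
  }

  // Assumption: skdutid maps to the token's tid claim and sduoid to its oid claim.
  static boolean matches(String sas, String jwt) {
    Map<String, String> p = parseSas(sas);
    return p.containsKey("skdutid") && p.containsKey("sduoid")
        && p.get("skdutid").equalsIgnoreCase(claim(jwt, "tid"))
        && p.get("sduoid").equalsIgnoreCase(claim(jwt, "oid"));
  }

  public static void main(String[] args) {
    String tenant = "11111111-1111-1111-1111-111111111111"; // constructed sample
    String user = "22222222-2222-2222-2222-222222222222";   // constructed sample
    String payload = "{\"tid\":\"" + tenant + "\",\"oid\":\"" + user + "\"}";
    String jwt = "e30." + Base64.getUrlEncoder().withoutPadding()
        .encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
    String sas = "skdutid=" + tenant + "&sduoid=" + user + "&sig=placeholder";
    System.out.println("bound to token user: " + matches(sas, jwt));
    System.out.println("bound to other user: " + matches(sas.replace(user, tenant), jwt));
    System.out.println("no binding params:   " + matches("sig=placeholder", jwt));
  }
}
```

A mismatch caught this way is a configuration error surfaced early; a match says nothing about whether the token or the SAS is valid.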


