Re: [PR] GH-39320: [C++][FS][Azure] Add managed identity auth configuration [arrow]

Fri, 22 Dec 2023 10:16:09 -0800 


Tom-Newton commented on code in PR #39321:
URL: https://github.com/apache/arrow/pull/39321#discussion_r1435264186


##########
cpp/src/arrow/filesystem/azurefs.cc:
##########
@@ -117,27 +117,42 @@ Status 
AzureOptions::ConfigureClientSecretCredential(const std::string& account_
                                                      const std::string& 
tenant_id,
                                                      const std::string& 
client_id,
                                                      const std::string& 
client_secret) {
+  account_name_ = account_name;
   credential_kind_ = CredentialKind::kTokenCredential;
   token_credential_ = 
std::make_shared<Azure::Identity::ClientSecretCredential>(
       tenant_id, client_id, client_secret);
   return Status::OK();
 }
 
 Status AzureOptions::ConfigureDefaultCredential(const std::string& 
account_name) {
+  account_name_ = account_name;
   credential_kind_ = CredentialKind::kTokenCredential;
   token_credential_ = 
std::make_shared<Azure::Identity::DefaultAzureCredential>();
   return Status::OK();
 }
 
+Status AzureOptions::ConfigureManagedIdentityCredential(const std::string& 
account_name,
+                                                        const std::string& 
client_id) {
+  account_name_ = account_name;
+  credential_kind_ = CredentialKind::kTokenCredential;
+  token_credential_ =
+      std::make_shared<Azure::Identity::ManagedIdentityCredential>(client_id);
+  return Status::OK();
+}
+
 Status AzureOptions::ConfigureWorkloadIdentityCredential(
     const std::string& account_name) {
+  account_name_ = account_name;
   credential_kind_ = CredentialKind::kTokenCredential;
   token_credential_ = 
std::make_shared<Azure::Identity::WorkloadIdentityCredential>();
   return Status::OK();
 }
 
 Result<std::unique_ptr<Blobs::BlobServiceClient>> 
AzureOptions::MakeBlobServiceClient()
     const {
+  if (account_name_.empty()) {
+    return Status::Invalid("AzureOptions doesn't contain a valid account 
name");
+  }

Review Comment:
   I think its useful to support both anonymous and default credential as 
distinct things. Admittedly, its a niche use-case but storage accounts can be 
public, which is when anonymous is useful 
https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal.
   
   Its a good question though which should be the default. I know `adlfs` 
deafults to anonomous rather than default credential. In some respects it might 
be good to be consistent but also this choice of default has caused issues for 
me in the past e.g. https://github.com/flyteorg/flyte/issues/3962
   
   
   
    



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to