Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposed fixes for token-based auth in azure fileshare service #820

Merged
merged 11 commits into from
Aug 3, 2024
Merged

Proposed fixes for token-based auth in azure fileshare service #820

merged 11 commits into from
Aug 3, 2024

Conversation

eujing
Copy link
Contributor

@eujing eujing commented Jul 25, 2024

To use token-based authentication for ShareClient, I think we should be passing in the credential object derived from TokenCredential (in our case, some instance of DefaultAzureCredential.

Previously, we were passing specific string tokens to the credential argument, which is being intepreted as a SAS token.
This leads to errors like: azure.core.exceptions.ClientAuthenticationError: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

ShareClient documentation on the credential argument.

By passing in the whole TokenCredential object, I believe ShareClient will manage the token lifecycle and we won't need to do so as mentioned in #818.

@eujing eujing requested a review from a team as a code owner July 25, 2024 01:19
@eujing
Copy link
Contributor Author

eujing commented Jul 25, 2024

Want to add that I haven't been able to test this fully on my side yet.
Currently getting a permissions error, so I am trying to grant myself the Storage File Data Privileged Contributor role to see if that works. Currently only have overall Contributor role to the storage account.

azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission. RequestId:15e8cf1a-301a-0068-0618-de1302000000 Time:2024-07-24T22:29:41.5702312Z ErrorCode:AuthorizationPermissionMismatch

motus
motus reviewed Aug 2, 2024
View reviewed changes
Copy link
Member

@motus motus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, although I suspect that we need to make sure that the credential has been properly initialized in get_credential() implementation - just like we do in get_auth_token(). I've pushed an update along with a few cosmetic fixes to eujing#1 - @eujing please take a look

@motus motus merged commit 45528cf into microsoft:main Aug 3, 2024
12 checks passed
This was referenced Aug 3, 2024
Closed
Open
bpkroth
bpkroth reviewed Aug 8, 2024
View reviewed changes
mlos_bench/mlos_bench/services/remote/azure/azure_fileshare.py
credential = self._auth_service.get_credential()
assert isinstance(
credential, TokenCredential
), f"Expected a TokenCredential, but got {type(credential)} instead."
Copy link
Contributor

@bpkroth bpkroth Aug 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is still a late runtime error that I was trying to turn into a config load error in #819

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, I made a new change to #819 to handle that now.
From what I can tell the rest of this one is good, but it'd be good to get confirmation that DefaultCredential doesn't need refreshed, especially with the SP part.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bpkroth bpkroth bpkroth left review comments

@motus motus motus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eujing @motus @bpkroth