feat: add token provider authorization to azure store #2374
Conversation
roeap
changed the title
object_store/src/azure.rs
Outdated
| /// Set a TokenCredential to be used for authentication (required - one of token_credential ot access key) | ||
| pub fn with_token_credential( | ||
| mut self, | ||
| token_credential: Arc<dyn TokenCredential>, |
There was a problem hiding this comment.
Is there some way we could avoid leaking the azure_core type into the public interface, this will not only make it easier to use, but also survive a move away from the SDK?
There was a problem hiding this comment.
I haven't looked at the S§ implementation, but I seem to remember, that we do have some sense of a token credential as well. The problem I found with that, is that "get_token" accepts a client, while by now the client is somewhat hidden in the azure client. Also for gcs that was not a trait. Maybe thats the way to go?
An alternative might be to expose all (some) options required to initialize the token credentials. I guess we would always need that information regardless of the underlying implementation ..
There was a problem hiding this comment.
I'm not familiar enough with the various authentication options available in Azure-land to know the implications of asking this, but if we can expose the information for the various options that would be ideal imo...
There was a problem hiding this comment.
There are a few, but I can make that work ... also just realized I did this against the upcoming version, so I have to do some method renaming anyhow...
Co-authored-by: Raphael Taylor-Davies <[email protected]>
|
@tustvold - had to convert this back to draft, since the currently released version of the crates do not support identity based credentials just yet ... Maybe I'll wait until this gets released, and do the updates then, or just get it over with and migrate the implementation to a custom one in this crate ... Which is also why there was not yet released APIs in use here :D |
object_store/Cargo.toml
Outdated
| azure_core = { version = "0.2", optional = true, default-features = false, features = ["enable_reqwest_rustls"] } | ||
| azure_storage = { version = "0.2", optional = true, default-features = false, features = ["account"] } | ||
| azure_storage_blobs = { version = "0.2", optional = true, default-features = false, features = ["enable_reqwest_rustls"] } | ||
| azure_core = { version = "0.4", optional = true, default-features = false, features = [ |
There was a problem hiding this comment.
FYI, I'm not sure what is formatting these, but I think it makes the file harder to read...
There was a problem hiding this comment.
I'll make my prettier less eager :)
|
The latest version of the Azure crates finally got released. Since there were many api changes between the last attempt (#2193) I did not update that PR but included it all here. The relevant update - authorizing via identity - is also part of the latest azure release. Working on this made me realize once more that we really want to use our own, more focussed implementation of API interactions. I will take a look at that asap. in the meantime i was hoping to get the token auth in the next release, so while a bit finicky in some places, using the SDKs was more realistic to get doe in time (hopefully :)). |
There was a problem hiding this comment.
This looks good to me, thank you 🎉
I'm going to hold off on merging this whilst the ongoing object_store 0.4 release process trundles along, just in case there are any bumps along the way (it is the first release following the Apache process). I'll then get this in
Working on this made me realize once more that we really want to use our own, more focussed implementation of API interactions. I will take a look at that asap.
Very exciting, btw if you haven't seen #2352 that moves away from rusuto for S3, so the Azure SDKs are the only ones that still remain.
| AzureErrorKind::HttpResponse { | ||
| status: StatusCode::NotFound, | ||
| .. | ||
| } => crate::Error::NotFound { |
|
There do appear to be failing lints and tests btw |
| let first = stream.next().await.transpose()?.unwrap_or_default(); | ||
| Ok(GetResult::Stream(Box::pin( | ||
| futures::stream::once(async { Ok(first) }).chain(stream), | ||
| ))) |
There was a problem hiding this comment.
Somehow this felt a bit strange to collect the first element just to add it to a stream right after, but I saw no other obvious way to have the method raise an error. Before this we are never actually touching any results...
All tests and lints should be passing now.
Very exciting indeed - one more reason to get this done and have everything nice and clean :) |
|
Benchmark runs are scheduled for baseline = f0d7d0b and contender = 12a9d84. 12a9d84 is a master commit associated with this PR. Results will be available as each benchmark for each run completes. |
Which issue does this PR close?
Closes #2373
cc @tustvold @alamb
Rationale for this change
Allow a wider range of use by offering more ob the azure native auth methods. While this change might eventually becoem irrelevant, once we move away from SDKs, it is quite helpful in the meantime.
What changes are included in this PR?
Add an option to provide aTokenProvidercredential via theMicrosoftAzureBuilder.Add an options to provide client credentials via the
MicrosoftAzureBuilder.Are there any user-facing changes?
users now have more authorization options.