TileDB
Support Microsoft Entra ID authentication to Azure.
To authenticate to Azure, we currently support shared keys and SAS tokens. The former have the disadvantage of being discouraged by Microsoft and the latter have the disadvantage of having a usually short expiry time (edit: and being impossible to individually revoke).
This PR adds support for Microsoft Entra ID authentication (formerly known as Azure Active Directory), which is what Microsoft recommends. It will be used for HTTPS endpoints if neither a shared key nor a SAS token is specified in the config. We use the ChainedTokenCredential class from the azure-identity-cpp package, and try to get credentials from the following sources in order:
- Environment variables
- The Azure CLI (for local development)
- Managed identities (apps hosted on Azure can get automatically authenticated)
- Workload identities (for apps hosted in Kubernetes)
At initialization time we try to fetch an Active Directory token. If all three credential sources fail, we fall back to anonymous authentication.
TODO
- [ ] Verify that it works locally.
- [ ] Verify that accessing a publicly available blob with Entra ID credentials that do not grant access to it works.
- If it doesn't, we have to remove the anonymous access fallback and add a config option (whether it will be opt-in or out is TBD).
TYPE: FEATURE
DESC: Support Microsoft Entra ID authentication to Azure.
This pull request has been linked to Shortcut Story #25944: Support Active Directory authentication to Azure.
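As an added illustration, not code from this PR or from azure-identity-cpp, the credential selection order the description lays out, modeled as a small self-contained C++ program: an explicit shared key wins, then a SAS token, then an ordered chain of token sources (the ChainedTokenCredential pattern: first source that yields a token wins) which is only consulted for HTTPS endpoints, and finally an optional anonymous fallback. The names AzureConfig, TokenSource, choose_auth and the allow_anonymous_fallback flag are hypothetical (the flag stands in for the opt-in/opt-out config option the TODO list mentions as a possibility), and the token sources in main are constructed stubs standing in for the environment, CLI, managed identity and workload identity credentials.

```cpp
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Hypothetical configuration subset; field names are illustrative, not TileDB's.
struct AzureConfig {
  std::string storage_account_key;      // shared key, empty means not set
  std::string sas_token;                // SAS token, empty means not set
  bool use_https = true;                // bearer tokens are only sent over HTTPS
  bool allow_anonymous_fallback = true; // hypothetical opt-out for the fallback
};

// A credential source either yields a bearer token or reports failure.
using TokenSource = std::function<std::optional<std::string>()>;

enum class AuthMode { SharedKey, SasToken, EntraId, Anonymous };

struct AuthChoice {
  AuthMode mode;
  std::string secret; // the key, SAS token or bearer token that was selected
};

// Chained lookup: walk the sources in order and return the first token.
// This mirrors the behaviour of ChainedTokenCredential in azure-identity-cpp.
std::optional<std::string> first_token(const std::vector<TokenSource>& chain) {
  for (const auto& source : chain) {
    if (auto token = source()) {
      return token;
    }
  }
  return std::nullopt;
}

// Pick the authentication mode for an endpoint, in the precedence the PR describes.
std::optional<AuthChoice> choose_auth(const AzureConfig& cfg,
                                      const std::vector<TokenSource>& chain) {
  if (!cfg.storage_account_key.empty()) {
    return AuthChoice{AuthMode::SharedKey, cfg.storage_account_key};
  }
  if (!cfg.sas_token.empty()) {
    return AuthChoice{AuthMode::SasToken, cfg.sas_token};
  }
  // Entra ID tokens are bearer tokens, so they are only tried for HTTPS endpoints.
  if (cfg.use_https) {
    if (auto token = first_token(chain)) {
      return AuthChoice{AuthMode::EntraId, *token};
    }
  }
  if (cfg.allow_anonymous_fallback) {
    return AuthChoice{AuthMode::Anonymous, ""};
  }
  return std::nullopt; // no usable credential and fallback disabled: fail loudly
}

const char* mode_name(AuthMode m) {
  switch (m) {
    case AuthMode::SharedKey: return "shared key";
    case AuthMode::SasToken: return "SAS token";
    case AuthMode::EntraId: return "Entra ID";
    default: return "anonymous";
  }
}

int main() {
  // Constructed stub sources: environment and managed identity fail,
  // the CLI (local development) succeeds.
  TokenSource env = [] { return std::optional<std::string>{}; };
  TokenSource cli = [] { return std::optional<std::string>{"cli-token"}; };
  TokenSource managed = [] { return std::optional<std::string>{}; };

  AzureConfig cfg; // no shared key, no SAS token, HTTPS endpoint
  if (auto choice = choose_auth(cfg, {env, cli, managed})) {
    std::cout << "selected: " << mode_name(choice->mode) << '\n';
  }
  return 0;
}
```

The design point worth keeping from the TODO list is the last branch: when every source fails and the fallback is disabled, the function returns nothing rather than silently proceeding anonymously, so a misconfigured deployment fails at initialization instead of at the first request.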
Closing for now. We don't have time to test the authentication properly at the moment. It's still a good change and we can re-open this PR when we prioritize the shortcut story.
Validated successfully on the real Azure. I followed these steps:
- Create an Azure Blob Storage account.
- Add a role assignment of the "Storage Blob Data Contributor" role on the account to your user.
- Log in to Azure by running `az login` and select your subscription.
- Configure the tests to use your account name here, here and here[^1]. Remove the custom endpoint and storage key options.
- Run `tiledb_unit [vfs][uri][file_io]`.
~~Please don't review yet; I will do some additional changes tomorrow.~~
[^1]: Why is the VFS configuration split in three places? `--vfs azure` is also broken; I had to change this line to run only Azure tests.
Merging so that we can test the build changes early. @robertbindar will validate further and make fixes if required before we ship.