[Enhancement] Support Azure Workload Identity authentication for Azure Data Lake Storage Gen2 (backport #62754) (#62882)

Signed-off-by: Cosmin Constantin Lazar <[email protected]>

Author: CosminLazar

fe/fe-core/src/main/java/com/starrocks/credential/azure/AzureCloudConfigurationProvider.java

@@ -30,6 +30,7 @@
 import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_CLIENT_ID;
 import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_CLIENT_SECRET;
 import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_TENANT_ID;
+import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_TOKEN_FILE;
 import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_USE_MANAGED_IDENTITY;
 import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_SAS_TOKEN;
 import static com.starrocks.connector.share.credential.CloudConfigurationConstants.AZURE_ADLS2_SHARED_KEY;
@@ -95,7 +96,8 @@ public CloudConfiguration build(Map<String, String> properties) {
                 properties.getOrDefault(AZURE_ADLS2_SHARED_KEY, ""),
                 properties.getOrDefault(AZURE_ADLS2_SAS_TOKEN, ""),
                 properties.getOrDefault(AZURE_ADLS2_OAUTH2_CLIENT_SECRET, ""),
-                properties.getOrDefault(AZURE_ADLS2_OAUTH2_CLIENT_ENDPOINT, "")
+                properties.getOrDefault(AZURE_ADLS2_OAUTH2_CLIENT_ENDPOINT, ""),
+                properties.getOrDefault(AZURE_ADLS2_OAUTH2_TOKEN_FILE, "")
         );
         if (adls2.validate()) {
             return new AzureCloudConfiguration(adls2);

fe/fe-core/src/main/java/com/starrocks/credential/azure/AzureStorageCloudCredential.java

@@ -29,6 +29,7 @@
 import org.apache.hadoop.fs.azurebfs.constants.ConfigurationKeys;
 import org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider;
 import org.apache.hadoop.fs.azurebfs.oauth2.MsiTokenProvider;
+import org.apache.hadoop.fs.azurebfs.oauth2.WorkloadIdentityTokenProvider;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -40,7 +41,7 @@
 // For Azure Data Lake Gen1 (adl://)
 // We support Managed Service Identity & Service Principal
 // For Azure Data Lake Gen2 (abfs:// & abfss://)
-// We support Managed Identity & Shared Key & Service Principal
+// We support Managed Identity & Shared Key & Service Principal & Workload Identity
 abstract class AzureStorageCloudCredential implements CloudCredential {
 
     public static final Logger LOG = LogManager.getLogger(AzureStorageCloudCredential.class);
@@ -231,10 +232,11 @@ class AzureADLS2CloudCredential extends AzureStorageCloudCredential {
     private final String sasToken;
     private final String oauth2ClientSecret;
     private final String oauth2ClientEndpoint;
+    private final String oauth2TokenFile;
 
     public AzureADLS2CloudCredential(String endpoint, boolean oauth2ManagedIdentity, String oauth2TenantId, String oauth2ClientId,
                                      String storageAccount, String sharedKey, String sasToken, String oauth2ClientSecret,
-                                     String oauth2ClientEndpoint) {
+                                     String oauth2ClientEndpoint, String oauth2TokenFile) {
         Preconditions.checkNotNull(endpoint);
         Preconditions.checkNotNull(oauth2TenantId);
         Preconditions.checkNotNull(oauth2ClientId);
@@ -243,6 +245,7 @@ public AzureADLS2CloudCredential(String endpoint, boolean oauth2ManagedIdentity,
         Preconditions.checkNotNull(sasToken);
         Preconditions.checkNotNull(oauth2ClientSecret);
         Preconditions.checkNotNull(oauth2ClientEndpoint);
+        Preconditions.checkNotNull(oauth2TokenFile);
 
         this.endpoint = endpoint;
         this.oauth2ManagedIdentity = oauth2ManagedIdentity;
@@ -253,6 +256,7 @@ public AzureADLS2CloudCredential(String endpoint, boolean oauth2ManagedIdentity,
         this.sasToken = sasToken;
         this.oauth2ClientSecret = oauth2ClientSecret;
         this.oauth2ClientEndpoint = oauth2ClientEndpoint;
+        this.oauth2TokenFile = oauth2TokenFile;
 
         tryGenerateConfigurationMap();
     }
@@ -315,6 +319,18 @@ void tryGenerateConfigurationMap() {
                     oauth2ClientSecret);
             generatedConfigurationMap.put(createConfigKey(ConfigurationKeys.FS_AZURE_ACCOUNT_OAUTH_CLIENT_ENDPOINT),
                     oauth2ClientEndpoint);
+        } else if (!oauth2TokenFile.isEmpty() && !oauth2TenantId.isEmpty() && !oauth2ClientId.isEmpty()) {
+            generatedConfigurationMap.put(createConfigKey(ConfigurationKeys.FS_AZURE_ACCOUNT_AUTH_TYPE_PROPERTY_NAME),
+                    "OAuth");
+            generatedConfigurationMap.put(
+                    createConfigKey(ConfigurationKeys.FS_AZURE_ACCOUNT_TOKEN_PROVIDER_TYPE_PROPERTY_NAME),
+                    WorkloadIdentityTokenProvider.class.getName());
+            generatedConfigurationMap.put(createConfigKey(ConfigurationKeys.FS_AZURE_ACCOUNT_OAUTH_TOKEN_FILE),
+                    oauth2TokenFile);
+            generatedConfigurationMap.put(createConfigKey(ConfigurationKeys.FS_AZURE_ACCOUNT_OAUTH_CLIENT_ID),
+                    oauth2ClientId);
+            generatedConfigurationMap.put(createConfigKey(ConfigurationKeys.FS_AZURE_ACCOUNT_OAUTH_MSI_TENANT),
+                    oauth2TenantId);
         }
     }
 
@@ -328,6 +344,7 @@ public String toCredString() {
                 ", sharedKey='" + sharedKey + '\'' +
                 ", oauth2ClientSecret='" + oauth2ClientSecret + '\'' +
                 ", oauth2ClientEndpoint='" + oauth2ClientEndpoint + '\'' +
+                ", oauth2TokenFile='" + oauth2TokenFile + '\'' +
                 '}';
     }
 

fe/fe-core/src/test/java/com/starrocks/credential/CloudConfigurationFactoryTest.java

@@ -246,6 +246,7 @@ public void testAzureADLS2CloudConfiguration() {
                 put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_CLIENT_ENDPOINT, "XX");
                 put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_CLIENT_SECRET, "XX");
                 put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_USE_MANAGED_IDENTITY, "XX");
+                put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_TOKEN_FILE, "XX");
             }
         };
         CloudConfiguration cc = CloudConfigurationFactory.buildCloudConfigurationForStorage(map);
@@ -259,7 +260,7 @@ public void testAzureADLS2CloudConfiguration() {
                 "AzureCloudConfiguration{resources='', jars='', hdpuser='', " +
                         "cred=AzureADLS2CloudCredential{oauth2ManagedIdentity=false, " +
                         "oauth2TenantId='XX', oauth2ClientId='XX', storageAccount='XX', sharedKey='XX', " +
-                        "oauth2ClientSecret='XX', oauth2ClientEndpoint='XX'}}");
+                        "oauth2ClientSecret='XX', oauth2ClientEndpoint='XX', oauth2TokenFile='XX'}}");
     }
 
     @Test
@@ -305,6 +306,27 @@ public void testAzureADLS2Oauth2() {
         Assertions.assertEquals("client-id", conf.get("fs.azure.account.oauth2.client.id"));
     }
 
+    @Test
+    public void testAzureADLS2WorkloadIdentity() {
+        Map<String, String> map = new HashMap<>() {
+            {                
+                put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_CLIENT_ID, "client-id");
+                put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_TENANT_ID, "tenant-id");
+                put(CloudConfigurationConstants.AZURE_ADLS2_OAUTH2_TOKEN_FILE, "/path/to/token");
+            }
+        };
+
+        CloudConfiguration cc = CloudConfigurationFactory.buildCloudConfigurationForStorage(map);
+        Assertions.assertEquals(cc.getCloudType(), CloudType.AZURE);
+        Configuration conf = new Configuration();
+        cc.applyToConfiguration(conf);
+        Assertions.assertEquals("OAuth", conf.get("fs.azure.account.auth.type"));
+        Assertions.assertEquals("org.apache.hadoop.fs.azurebfs.oauth2.WorkloadIdentityTokenProvider",
+                conf.get("fs.azure.account.oauth.provider.type"));
+        Assertions.assertEquals("tenant-id", conf.get("fs.azure.account.oauth2.msi.tenant"));
+        Assertions.assertEquals("/path/to/token", conf.get("fs.azure.account.oauth2.token.file"));
+    }
+
     @Test
     public void testGCPCloudConfiguration() {
         Map<String, String> map = new HashMap<String, String>() {

java-extensions/hadoop-ext/src/main/java/com/starrocks/connector/share/credential/CloudConfigurationConstants.java

@@ -103,6 +103,7 @@ public class CloudConfigurationConstants {
     public static final String AZURE_ADLS2_SAS_TOKEN = "azure.adls2.sas_token";
     public static final String AZURE_ADLS2_OAUTH2_CLIENT_SECRET = "azure.adls2.oauth2_client_secret";
     public static final String AZURE_ADLS2_OAUTH2_CLIENT_ENDPOINT = "azure.adls2.oauth2_client_endpoint";
+    public static final String AZURE_ADLS2_OAUTH2_TOKEN_FILE = "azure.adls2.oauth2_token_file";
 
     // Credential for Google Cloud Platform (GCP)
     // For Google Cloud Storage (GCS)