stackoom
  简体   繁体   中英

Managed Service Identity configuration for Azure Data Lake Storage Gen2

 原文  2019-08-28 11:21:32       azure-active-directory/ azure-data-lake

Question

Trying to connect to Azure Data Lake storage Gen2 using MSI (Azure Managed Identity) via Hadoop client in console and receive the error ls: AADToken: HTTP connection failed for getting token from AzureAD. Http response: 400 Bad Request* ls: AADToken: HTTP connection failed for getting token from AzureAD. Http response: 400 Bad Request*

Connection via Shared Key works fine.

What was done:

  1. Created a Windows 10 VM in Azure and installed Haddop client 3.2 from Apache site and JRE 1.8.0
  2. Created Storage account using https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account
  3. Created Azure AD application using https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
  4. Turned on System-assigned managed identity for VM as described here https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm
  5. Assigned a managed identity access to the Storage account as described here https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal

To connect using a command below: 

hadoop fs -Dfs.azure.ssl.channel.mode=Default_JSSE -Dfs.azure.account.oauth.provider.type=org.apache.hadoop.fs.azurebfs.oauth2.MsiTokenProvider -Dfs.azure.account.auth.type=OAuth -Dfs.azure.account.oauth2.msi.tenant=<tenant_ID> -Dfs.azure.account.oauth2.client.id=<Client_ID> -ls abfss://<filesystem_name>2@<storage_account_name>.dfs.core.windows.net/

Something wrong or missed? Please advice.

Thank you!

1 answers

solution1
 1 ACCPTED  2019-08-29 09:41:20

Add my comment as an answer:

No need to do the step 3, if you enable the MSI of the VM, it will create a service principal in your tenant automatically, it is the same name of your VM, it has its own client id. You can find it in the Azure Active Directory in the portal -> Enterprise applications-> search with your VM name(filter with All Applications ).

In the step 5, you need to give the MSI a Storage Blob Data Owner role.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure Data Lake Storage Gen2 access token generation - "AADSTS65001: The user or administrator has not consented to use the application with ID AuthenticationException when creating Azure ML Dataset from Azure Data Lake Gen2 Datastore Unable to access FileSystem of Azure Data Lake Gen2 with Angular using azure-sdk-for-js What are the different ways to expose Azure Data Lake Gen2 to Customers for querying purpose Gdal connection to Azure Data Lake Storage (Gen 2) virtual file using AZURE_STORAGE_ACCESS_TOKEN Azure storage account rejects the issuer of a managed service identity REST API call to Azure Data lake Storage Gen 2 not working. Giving me error "Audience validation failed. Audience did not match" Authorization for Azure Function using Managed Service Identity to fetch blob from Azure Storage container How to create SAS token for Azure Data Lake Store (Gen-2) using service principals (clientId and clientSecret) in C#? Service to Service authentication with Managed Identity in Azure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM