From 10b182f46ab408280c4b24f5194435c0d6e2a52c Mon Sep 17 00:00:00 2001 From: Gareth Western Date: Tue, 10 Sep 2024 23:06:14 +0200 Subject: [PATCH 1/3] feat: add support for azure access token authorization --- .github/workflows/CloudTesting.yml | 8 ++++ src/functions/delta_scan.cpp | 11 +++++- test/sql/cloud/azure/access_token_auth.test | 44 +++++++++++++++++++++ 3 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 test/sql/cloud/azure/access_token_auth.test diff --git a/.github/workflows/CloudTesting.yml b/.github/workflows/CloudTesting.yml index ea4cc42..93c627a 100644 --- a/.github/workflows/CloudTesting.yml +++ b/.github/workflows/CloudTesting.yml @@ -65,6 +65,14 @@ jobs: run: | python3 duckdb/scripts/run_tests_one_by_one.py ./build/release/test/unittest `pwd`/test/sql/cloud/* + - name: Test with Access Token in env vars + env: + AZURE_STORAGE_ACCOUNT: ${{secrets.AZURE_STORAGE_ACCOUNT}} + run: | + az login --service-principal -u ${{secrets.AZURE_CLIENT_ID}} -p ${{secrets.AZURE_CLIENT_SECRET}} --tenant ${{secrets.AZURE_TENANT_ID}} + export AZURE_ACCESS_TOKEN=`az account get-access-token --resource https://storage.azure.com --query accessToken --output tsv` + python3 duckdb/scripts/run_tests_one_by_one.py ./build/release/test/unittest `pwd`/test/sql/cloud/* + - name: Test with SPN logged in in azure-cli env: AZURE_STORAGE_ACCOUNT: ${{secrets.AZURE_STORAGE_ACCOUNT}} diff --git a/src/functions/delta_scan.cpp b/src/functions/delta_scan.cpp index a3e4f11..508c01c 100644 --- a/src/functions/delta_scan.cpp +++ b/src/functions/delta_scan.cpp 
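Review bot: The token exported in the new `Test with Access Token in env vars` step is minted at run time by `az account get-access-token`, so it is not a registered secret and GitHub will not mask it if anything prints it. The test file added in this patch interpolates it into the statement text (`ACCESS_TOKEN '${AZURE_ACCESS_TOKEN}'`), which a failing run may echo into the log; registering the value with `::add-mask::` before the export closes that gap. The same step pastes `${{secrets.…}}` directly into the script text of `az login`; passing the values through `env:` and quoting the shell variables keeps a secret from being parsed as shell. The variable names in the sketch are constructed and deliberately not `AZURE_CLIENT_ID`/`AZURE_CLIENT_SECRET`/`AZURE_TENANT_ID`, so the test process does not inherit service-principal credentials that an environment-based credential chain could pick up.

```yaml
      - name: Test with Access Token in env vars
        env:
          AZURE_STORAGE_ACCOUNT: ${{secrets.AZURE_STORAGE_ACCOUNT}}
          SP_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
          SP_CLIENT_SECRET: ${{secrets.AZURE_CLIENT_SECRET}}
          SP_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
        run: |
          az login --service-principal -u "$SP_CLIENT_ID" -p "$SP_CLIENT_SECRET" --tenant "$SP_TENANT_ID"
          AZURE_ACCESS_TOKEN=$(az account get-access-token --resource https://storage.azure.com --query accessToken --output tsv)
          echo "::add-mask::$AZURE_ACCESS_TOKEN"
          export AZURE_ACCESS_TOKEN
          # … unchanged: run_tests_one_by_one.py invocation …
```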
@@ -283,8 +283,15 @@ static ffi::EngineBuilder* CreateBuilder(ClientContext &context, const string &p secret_reader.TryGetSecretKey("chain", chain); auto provider = kv_secret.GetProvider(); - - if (provider == "credential_chain") { + if (provider == "access_token") { + // Authentication option 0: https://docs.rs/object_store/latest/object_store/azure/enum.AzureConfigKey.html#variant.Token + string access_token; + secret_reader.TryGetSecretKey("access_token", access_token); + if (access_token.empty()) { + throw InvalidInputException("No access_token value not found in secret provider!"); + } + ffi::set_builder_option(builder, KernelUtils::ToDeltaString("bearer_token"), KernelUtils::ToDeltaString(access_token)); + } else if (provider == "credential_chain") { // Authentication option 1a: using the cli authentication if (chain.find("cli") != std::string::npos) { ffi::set_builder_option(builder, KernelUtils::ToDeltaString("use_azure_cli"), KernelUtils::ToDeltaString("true")); diff --git a/test/sql/cloud/azure/access_token_auth.test b/test/sql/cloud/azure/access_token_auth.test new file mode 100644 index 0000000..b9eb7ed --- /dev/null +++ b/test/sql/cloud/azure/access_token_auth.test 
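Review bot: The message thrown in the new `access_token` branch reads as a double negative ("No access_token value not found"), and the test added in this patch pins that exact text. `throw InvalidInputException("No access_token value found in secret provider!");` says what is meant, with the expected error in access_token_auth.test changed to match. The branch also deserves a comment that the token is handed over as a fixed `bearer_token` and, as far as this hunk shows, nothing refreshes it, e.g. `// Static bearer token: not refreshed here, so scans fail once it expires and the secret must be replaced`. CreateBuilder starts and ends outside the hunk, so how other provider values are handled is not visible here.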
@@ -0,0 +1,44 @@ +# name: test/sql/cloud/azure/access_token_auth.test +# description: test access-token authentication +# group: [azure] + +require azure + +require delta + +require-env AZURE_ACCESS_TOKEN + +require-env AZURE_STORAGE_ACCOUNT + +statement ok +set allow_persistent_secrets=false + +statement error +SELECT count(*) FROM delta_scan('azure://delta-testing-private/dat/all_primitive_types/delta'); +---- +Invalid Input Error: No valid Azure credentials found! + +statement ok +CREATE SECRET az1 ( + TYPE AZURE, + PROVIDER ACCESS_TOKEN, + ACCOUNT_NAME '${AZURE_STORAGE_ACCOUNT}' +) + +statement error +SELECT count(*) FROM delta_scan('azure://delta-testing-private/dat/all_primitive_types/delta'); +---- +Invalid Input Error: No access_token value not found in secret provider! + +statement ok +CREATE OR REPLACE SECRET az1 ( + TYPE AZURE, + PROVIDER ACCESS_TOKEN, + ACCESS_TOKEN '${AZURE_ACCESS_TOKEN}', + ACCOUNT_NAME '${AZURE_STORAGE_ACCOUNT}' +) + +query I +SELECT count(*) FROM delta_scan('azure://delta-testing-private/dat/all_primitive_types/delta'); +---- +5 \ No newline at end of file From 15d160ee9b3a4a9c29053fe2eb1d9ee320937740 Mon Sep 17 00:00:00 2001 From: Gareth Western Date: Tue, 10 Sep 2024 23:55:55 +0200 Subject: [PATCH 2/3] chore: parquet plugin is required for test? --- test/sql/cloud/azure/access_token_auth.test | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/sql/cloud/azure/access_token_auth.test b/test/sql/cloud/azure/access_token_auth.test index b9eb7ed..237c720 100644 --- a/test/sql/cloud/azure/access_token_auth.test +++ b/test/sql/cloud/azure/access_token_auth.test @@ -4,6 +4,8 @@ require azure +require parquet + require delta require-env AZURE_ACCESS_TOKEN From 09cc2dd5b0cebf99a7c6e8fd68106b367d75f1f4 Mon Sep 17 00:00:00 2001 From: Sam Ansmink Date: Wed, 11 Sep 2024 11:05:29 +0200 Subject: [PATCH 3/3] fix test --- test/sql/cloud/azure/access_token_auth.test | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
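Review bot: Nothing in the new test checks that a wrong token is rejected; it covers no secret, a secret without `ACCESS_TOKEN`, and a valid token. Because the workflow step that supplies `AZURE_ACCESS_TOKEN` also runs `az login` first, a regression that silently fell back to the CLI session would still pass the final `query I`. A case with a deliberately invalid token, placed before the valid one, would catch that. The token below is a constructed dummy and the expected error text has to be taken from a real run.

```sql
statement ok
CREATE OR REPLACE SECRET az1 (
    TYPE AZURE,
    PROVIDER ACCESS_TOKEN,
    ACCESS_TOKEN 'not-a-real-token',
    ACCOUNT_NAME '${AZURE_STORAGE_ACCOUNT}'
)

statement error
SELECT count(*) FROM delta_scan('azure://delta-testing-private/dat/all_primitive_types/delta');
----
<expected error text, from a real run>
```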
diff --git a/test/sql/cloud/azure/access_token_auth.test b/test/sql/cloud/azure/access_token_auth.test index 237c720..d32ed04 100644 --- a/test/sql/cloud/azure/access_token_auth.test +++ b/test/sql/cloud/azure/access_token_auth.test @@ -18,10 +18,10 @@ set allow_persistent_secrets=false statement error SELECT count(*) FROM delta_scan('azure://delta-testing-private/dat/all_primitive_types/delta'); ---- -Invalid Input Error: No valid Azure credentials found! +IO Error statement ok -CREATE SECRET az1 ( +CREATE OR REPLACE SECRET az1 ( TYPE AZURE, PROVIDER ACCESS_TOKEN, ACCOUNT_NAME '${AZURE_STORAGE_ACCOUNT}' @@ -43,4 +43,4 @@ CREATE OR REPLACE SECRET az1 ( query I SELECT count(*) FROM delta_scan('azure://delta-testing-private/dat/all_primitive_types/delta'); ---- -5 \ No newline at end of file +5