MSI with ADLS gives invalid resource #7462
Comments
Description
Cost: 1 |
|
This has been fixed and will be available in the next release (2018-11-06) |
|
@cormacpayne We are hitting this issue in Az module in the SPI path also (which I am not sure why). I think we need this fix for Az datalake module to work. |
|
@cormacpayne I figured out why it started breaking. Looks like this PR: https://github.com/Azure/azure-sdk-for-net/pull/4218/files changed the way to retrieve token audience from "settings.TokenAudience.ToString();" to "settings.TokenAudience.OriginalString;" (https://github.com/Azure/azure-sdk-for-net/blame/psSdkJson6/src/SdkCommon/Auth/Az.Auth/Az.Authentication/ApplicationTokenProvider.cs#L474 ). For the former code, it would add a trailing "/" to the url string but for the later code it wont. Looks like for azureRm you were using "package id="Microsoft.Rest.ClientRuntime.Azure.Authentication" version="2.3.1" targetFramework="net452" ", but for Az you have updated it to 2.3.6 which contains this above change. I have added a mitigation in this issue: #8141 |
|
@cormacpayne Any status regarding this fix? |
|
This should be fixed in the next release of |
Description
Usi MSI with ADLS gives an error with an invalid resource
Script/Steps for Reproduction
o
o $files = Get-AdlStoreChildItem -Account sandboxadl -Path / -Debug
Module Version
Current version
Environment Data
$PSVersionTableDebug Output
Investigation as copied from email
The ADLS/ADLA commandlet calls AuthenticationFactory (https://github.com/Azure/azure-powershell-common/blob/75e99f8571291238893d16eed3b30ce17f1c4788/src/Authentication/Factories/AuthenticationFactory.cs#L275 ) to get the ServiceClientCredential.
Based on the targetendpoint which is “AzureEnvironment.Endpoint.AzureDataLakeStoreFileSystemEndpointSuffix” in case of ADLS or “AzureEnvironment.Endpoint.AzureDataLakeAnalyticsCatalogAndJobEndpointSuffix” in case of ADLA the token audience returned is of endpoint “AzureEnvironment.Endpoint.DataLakeEndpointResourceId” (https://github.com/Azure/azure-powershell-common/blob/75e99f8571291238893d16eed3b30ce17f1c4788/src/Authentication.Abstractions/Extensions/AzureEnvironmentExtensions.cs#L288 ).
Based on the screenshot Anders shared. Value of “DataLakeEndpointResourceId” is https://datalake.azure.net without the trailing slash.
Base on the settings of AzureCloud, this is set to “"https://datalake.azure.net"” in AzureEnvironment (https://github.com/Azure/azure-powershell-common/blob/75e99f8571291238893d16eed3b30ce17f1c4788/src/Authentication.Abstractions/AzureEnvironment.cs#L50 )
So whatever Anders is seeing should be expected. But the problem is not there. Because in my powershell session, when I login using serviceprincipal I see the resource sent it has a trailing “/” added but for MSI that is not the case.
Not sure but I think the reason is here:
For the serviceprincipal we get the resource as Uri which adds the trailing “/” to the resource (https://github.com/Azure/azure-powershell-common/blob/75e99f8571291238893d16eed3b30ce17f1c4788/src/Authentication/Factories/AuthenticationFactory.cs#L321 )
For MSI though we send the resource as a string here: https://github.com/Azure/azure-powershell-common/blob/75e99f8571291238893d16eed3b30ce17f1c4788/src/Authentication/Factories/AuthenticationFactory.cs#L337 thus no trailing “/” is added. Probable solution is to use Uri to get the normalized resource. Not sure why this was not hit before.
Also I think we should change wherever we are using the constant “http://datalake.azure.net” to “http://datalake.azure.net/” so that we do not hit this issue again. I think there are 3 places, AzureEnvironmentConstants.cs, AddAzureEnvironment.cs and SetAzureRmEnvironment.cs.
Also in SetAzureRMEnvironment.cs (
azure-powershell/src/ResourceManager/Profile/Commands.Profile/Environment/SetAzureRMEnvironment.cs
Line 333 in edd6562
The text was updated successfully, but these errors were encountered: