feat: Support available credentials providers for Azure blob storage #…

…251 (#255) Co-authored-by: Aliaksandr Stsiapanay <[email protected]>
epam · Mar 1, 2024 · a42eb71 · a42eb71
1 parent 711f711
commit a42eb71
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -72,7 +72,7 @@ Static settings are used on startup and cannot be changed while application is r
 
 ### Google Cloud Storage
 
-There are two types of credentials providers supported:
+There are two types of credential providers supported:
  - User credentials. You can create a service account and authenticate using its private key obtained from Developer console
  - Temporary credentials. Application default credentials (ADC)
 
@@ -113,6 +113,35 @@ JClouds property `jclouds.oauth.credential-type` should be set `bearerTokenCrede
 }
 ```
 
+### Azure Blob Store
+
+There are two types of credential providers supported:
+- User credentials. You can create a service principle and authenticate using its secret from Azure console
+- Temporary credentials with Azure AD Workload Identity
+
+#### User credentials
+
+You should set `storage.credential` to service principle secret and `storage.identity` - service principle ID.
+
+#### Temporary credentials
+
+You should follow [instructions](https://azure.github.io/azure-workload-identity/docs/) to setup your pod in Azure k8s.
+`storage.credential` and `storage.identity` must be unset.
+
+The properties to be overridden are below:
+
+```
+{
+  "storage": {
+    "endpoint": "https://<Azure Blob storage account>.blob.core.windows.net"
+    "overrides": {
+      "jclouds.azureblob.auth": "azureAd",
+      "jclouds.oauth.credential-type": "bearerTokenCredentials"
+    }
+  }
+}
+```
+
 ### Redis
 The Redis can be used as a cache with volatile-* eviction policies:
 ```

diff --git a/build.gradle b/build.gradle
@@ -51,6 +51,8 @@ dependencies {
     implementation group: 'com.amazonaws', name: 'aws-java-sdk-core', version: '1.12.663'
     implementation group: 'com.amazonaws', name: 'aws-java-sdk-sts', version: '1.12.663'
     implementation group: 'com.google.auth', name: 'google-auth-library-oauth2-http', version: '1.23.0'
+    implementation group: 'com.azure', name: 'azure-identity', version: '1.11.2'
+
 
 
     runtimeOnly 'com.epam.deltix:gflog-slf4j:3.0.5'

diff --git a/src/main/java/com/epam/aidial/core/storage/credential/AzureCredentialProvider.java b/src/main/java/com/epam/aidial/core/storage/credential/AzureCredentialProvider.java
@@ -0,0 +1,47 @@
+package com.epam.aidial.core.storage.credential;
+
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.identity.DefaultAzureCredential;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import org.jclouds.domain.Credentials;
+
+import java.time.OffsetDateTime;
+
+public class AzureCredentialProvider implements CredentialProvider {
+
+    private static final long EXPIRATION_WINDOW_IN_SEC = 10;
+
+    private Credentials credentials;
+
+    private DefaultAzureCredential defaultCredential;
+
+    private AccessToken accessToken;
+
+    private TokenRequestContext tokenRequestContext;
+
+    public AzureCredentialProvider(String identity, String secret) {
+        if (identity != null && secret != null) {
+            this.credentials = new Credentials(identity, secret);
+        } else {
+            defaultCredential = new DefaultAzureCredentialBuilder().build();
+            tokenRequestContext = (new TokenRequestContext()).addScopes("https://storage.azure.com/.default");
+        }
+    }
+
+    @Override
+    public Credentials getCredentials() {
+        if (credentials != null) {
+            return credentials;
+        }
+        return getTemporaryCredentials();
+    }
+
+    private synchronized Credentials getTemporaryCredentials() {
+        OffsetDateTime date = OffsetDateTime.now().minusSeconds(EXPIRATION_WINDOW_IN_SEC);
+        if (accessToken == null || date.isAfter(accessToken.getExpiresAt())) {
+            accessToken = defaultCredential.getTokenSync(tokenRequestContext);
+        }
+        return new Credentials("", accessToken.getToken());
+    }
+}
diff --git a/src/main/java/com/epam/aidial/core/storage/credential/CredentialProviderFactory.java b/src/main/java/com/epam/aidial/core/storage/credential/CredentialProviderFactory.java
@@ -8,7 +8,8 @@ public class CredentialProviderFactory {
     public static CredentialProvider create(String providerName, String identity, String credential) {
         StorageProvider provider = StorageProvider.from(providerName);
         return switch (provider) {
-            case S3, AZURE_BLOB -> new DefaultCredentialProvider(identity, credential);
+            case S3 -> new DefaultCredentialProvider(identity, credential);
+            case AZURE_BLOB -> new AzureCredentialProvider(identity, credential);
             case GOOGLE_CLOUD_STORAGE -> new GcpCredentialProvider(identity, credential);
             case FILESYSTEM -> new DefaultCredentialProvider("identity", "credential");
             case AWS_S3 -> new AwsCredentialProvider(identity, credential);