Configuring WASB Secure Mode
WASB can operate in secure mode, in which the storage account access keys needed to talk to Azure Storage do not have to be present in the address space of the process using WASB. In this mode all interactions with Azure Storage are performed with SAS URIs, so a compromised client process exposes at most a time-bound, resource-scoped SAS token rather than the account key itself. There are two sub-modes within the secure mode:
(Option 1) The remote SAS key mode, where the SAS keys are generated by a remote process.
(Option 2) The local mode, where the SAS keys are generated within WASB.
By default, the secure mode is expected to run in the remote mode. The local mode exists for testing: it generates the SAS keys in the same process as WASB, which means the account key must be available to that process, so it gives none of the isolation the remote mode provides.
To enable the secure mode, set the following property in core-site.xml:
<property>
  <name>fs.azure.secure.mode</name>
  <value>true</value>
</property>
Next, do one of the following, depending on the sub-mode that you are using:
To enable SAS key generation locally (Option 2), set the following property in core-site.xml:
<property>
  <name>fs.azure.local.sas.key.mode</name>
  <value>true</value>
</property>
To use the remote SAS key generation mode (Option 1), an external REST service is expected to provide the required SAS keys. Set the following property in core-site.xml to the endpoint to use for remote SAS key generation:
<property>
  <name>fs.azure.cred.service.url</name>
  <value>{URL}</value>
</property>
The remote service is expected to support two REST calls, {URL}/GET_CONTAINER_SAS and {URL}/GET_RELATIVE_BLOB_SAS, for generating container SAS keys and relative blob SAS keys respectively.
Example requests (the second call uses GET_RELATIVE_BLOB_SAS and carries the additional relative_path parameter):
{URL}/GET_CONTAINER_SAS?storage_account=<account_name>&container=<container>&sas_expiry=<expiry period>&delegation_token=<delegation token>
{URL}/GET_RELATIVE_BLOB_SAS?storage_account=<account_name>&container=<container>&relative_path=<relative path>&sas_expiry=<expiry period>&delegation_token=<delegation token>
The service is expected to return a response in JSON format, with responseCode 0 on success and a non-zero value plus a relevant responseMessage on failure:
{
  "responseCode" : 0 or non-zero <int>,
  "responseMessage" : relevant message on failure <String>,
  "sasKey" : Requested SAS Key <String>
}
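The following is an added example of the remote SAS key service described above, written here for illustration; it is not code from Hadoop, WASB or the Azure SDK. It serves the two REST calls and the JSON response shape the page specifies, and shows the checks such a service must perform before it mints a token, since it is the one place where the account key lives: authenticate the caller's delegation_token, cap the requested expiry, only hand out tokens for containers it is allowed to delegate, and keep a blob SAS scoped to a single blob. Everything not on the page is an assumption and is marked as such in the code: the delegation token format (an HMAC over the account name under a secret shared with a hypothetical token issuer), the sas_expiry unit (minutes), the permission strings, and the sign_sas() string-to-sign, which is a simplified stand-in for Azure's real service SAS format.

```python
"""Minimal reference for a WASB remote SAS key service (added example, not
Hadoop or Azure SDK code). Stdlib only so it runs offline."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed secrets for the example. The account key exists ONLY in this
# process; WASB clients never see it, which is the point of secure mode.
ACCOUNT_KEY = base64.b64encode(b"constructed-account-key-for-example!").decode()
DELEGATION_SECRET = b"constructed-delegation-secret"   # assumption: shared with token issuer
MAX_SAS_MINUTES = 60                                   # cap on client-requested sas_expiry
ALLOWED_CONTAINERS = {"data", "logs"}                  # containers this service may delegate


def issue_delegation_token(storage_account: str) -> str:
    """What a hypothetical token issuer hands to WASB clients (assumption:
    HMAC-SHA256 over the account name under DELEGATION_SECRET)."""
    return hmac.new(DELEGATION_SECRET, storage_account.encode(), hashlib.sha256).hexdigest()


def sign_sas(resource: str, permissions: str, resource_type: str, expiry: datetime) -> str:
    """Simplified SAS: HMAC-SHA256 over a string-to-sign with the account key.
    The string-to-sign is an assumption standing in for Azure's real format;
    a production service should call the Azure SDK's SAS generators instead."""
    exp = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    string_to_sign = "\n".join([permissions, "", exp, resource, resource_type])
    sig = hmac.new(base64.b64decode(ACCOUNT_KEY), string_to_sign.encode(), hashlib.sha256).digest()
    return f"sp={permissions}&se={exp}&sr={resource_type}&sig={base64.b64encode(sig).decode()}"


def handle_sas_request(path: str, query: dict) -> dict:
    """Serve one GET_CONTAINER_SAS / GET_RELATIVE_BLOB_SAS call and return the
    JSON body shape the WASB documentation specifies."""
    def fail(code: int, msg: str) -> dict:
        return {"responseCode": code, "responseMessage": msg, "sasKey": ""}

    account = query.get("storage_account", "")
    container = query.get("container", "")
    token = query.get("delegation_token", "")
    if not account or not container:
        return fail(1, "storage_account and container are required")
    # 1. Authenticate the caller before the account key is touched at all.
    if not hmac.compare_digest(token.encode(), issue_delegation_token(account).encode()):
        return fail(2, "invalid delegation_token")
    # 2. Never delegate access to a container this service does not own.
    if container not in ALLOWED_CONTAINERS:
        return fail(3, f"container {container!r} not permitted")
    # 3. Bound the lifetime: a client-chosen expiry is a request, not a right.
    try:
        minutes = min(int(query.get("sas_expiry", MAX_SAS_MINUTES)), MAX_SAS_MINUTES)
    except ValueError:
        return fail(4, "sas_expiry must be an integer (minutes, assumed unit)")
    if minutes <= 0:
        return fail(4, "sas_expiry must be positive")
    expiry = datetime.now(timezone.utc) + timedelta(minutes=minutes)

    if path.endswith("/GET_CONTAINER_SAS"):
        sas = sign_sas(f"/blob/{account}/{container}", "rwdl", "c", expiry)
    elif path.endswith("/GET_RELATIVE_BLOB_SAS"):
        rel = query.get("relative_path", "")
        # Keep a blob SAS scoped to exactly one blob: no empty path, no traversal.
        if not rel or ".." in rel.split("/"):
            return fail(5, "relative_path is required and may not contain '..'")
        sas = sign_sas(f"/blob/{account}/{container}/{rel}", "rw", "b", expiry)
    else:
        return fail(6, f"unknown operation {path}")
    return {"responseCode": 0, "responseMessage": "", "sasKey": sas}


class SasKeyHandler(BaseHTTPRequestHandler):
    """HTTP front end; all logic lives in handle_sas_request so it is testable."""
    def do_GET(self):
        url = urlparse(self.path)
        query = {k: v[0] for k, v in parse_qs(url.query).items()}
        body = json.dumps(handle_sas_request(url.path, query)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Demo binds to loopback only. In production the service must sit behind
    # TLS (use an https fs.azure.cred.service.url) and network restrictions,
    # because anyone who can reach it with a valid token can obtain SAS keys.
    HTTPServer(("127.0.0.1", 8080), SasKeyHandler).serve_forever()
```

Run it and point fs.azure.cred.service.url at http://127.0.0.1:8080 to exercise the protocol locally; a request with a bad delegation_token, a container outside the allow list, or a relative_path containing `..` comes back with a non-zero responseCode and an empty sasKey, while valid requests return a token whose expiry never exceeds MAX_SAS_MINUTES regardless of what the client asked for.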