Configure Access by Using Client Credential
To configure authentication with ADLS using the client credential, you must register a
new application with Active Directory service and then give your application access to your
ADL account. After you've performed these steps, you can configure your
core-site.xml
.
Note | |
---|---|
For more detailed instructions including screenshots refer to How to Configure Authentication with ADLS blog post. |
Prerequisites
In one of the steps, you will be required to assign the Owner role to your application. If you do not have sufficient permissions, the role assignment step may have to be performed by your Azure admin.
Register an Application
If you already have your application registered with Active Directory, simply obtain the parameters listed in step 7 below. If you are starting from scratch, perform all the steps:
Log in to the Azure Portal.
Navigate to your Active Directory and then select App Registrations.
Create a new web application by clicking on +New application registration.
Specify an application name, type (Web app/API), and sign-on URLs.
Remember the application name: you will later add it to your ADLS account as an authorized user.
Once an application is created, navigate to the application configuration and find the Keys in the application's settings.
Create a key by entering key description, selecting a key duration, and then clicking Save.
Make sure to copy and save the key value. You won't be able to retrieve it after you leave the page.
Note down the properties that you will need to authenticate:
Parameter How to obtain it Application ID You can find it in your application's settings.
This will be your
fs.adl.oauth2.client.id
Key This is the key that you generated for your application. If you did not copy the it, you must create a new key from the Keys page in your application's settings.
This will be your
fs.adl.oauth2.credential
Token endpoint You can obtain this from the App Registrations>Endpoints page by copying the
OAUTH 2.0 TOKEN ENDPOINT
value.This will be your
fs.adl.oauth2.refresh.url
Add the Application to your Data Lake Store Account
If you are planning to use multiple Data Lake Store accounts, perform these steps for each account.
Log in to the Azure Portal.
If you don't have a Data Lake Store account, create one.
Navigate to your Data Lake Store account and then select Access Control (IAM).
Click on +Add to add role-based permissions.
Under Role select the "Owner". Under Select, select your application.
This will grant the "Owner" role for this ADL account to your application.
Configure core-site.xml
Add the following four properties to your core-site.xml
. While
fs.adl.oauth2.access.token.provider.type
must be set to
“ClientCredential”, you can obtain the remaining three parameters from step 7 above.
<property> <name>fs.adl.oauth2.access.token.provider.type</name> <value>ClientCredential</value> </property> <property> <name>fs.adl.oauth2.client.id</name> <value>APPLICATION-ID</value> </property> <property> <name>fs.adl.oauth2.credential</name> <value>KEY</value> </property> <property> <name>fs.adl.oauth2.refresh.url</name> <value>TOKEN-ENDPOINT</value> </property>
Next Steps
To protect these credentials, we recommend that you use the credential provider framework to securely store and access your credentials.
To make sure that authentication works, try referencing ADLS in the URLs.