Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Support for DefaultAzureCredential-backed authentication method #177

Open
headcr4sh opened this issue May 17, 2024 · 8 comments · May be fixed by #178
Open

Feature request: Support for DefaultAzureCredential-backed authentication method #177

headcr4sh opened this issue May 17, 2024 · 8 comments · May be fixed by #178

Comments

@headcr4sh
Copy link

Description

I would like to simplify the configuration of jgroups in my current setup where I run my workload on Azure Container Apps. I have assigned my Container App instance all the necessary IAM permissions to interact with the blob storage that I want to utilize and therefore don't want to specify storage_access_key, which is

  1. unnecessary
  2. possibly unsafe, because it's a "shared secret" that I need to distribute and rotate

Suggestion

  • a. Make the parameter storage_access_key optional
  • b. If the parameter has not been set, use DefaultAzureCredential to authenticate/authorize the blob storage client

Side effects

Utilizing the AzureDefaultCredential offers some other benefits as well, because the full chain of posssible mechanisms to obtain credentials (6 steps as of writing this ticket) will be utilized, which is the standard way when working in/with Azure.
@rhusar
Copy link
Member

rhusar commented May 17, 2024

You are absolutely right @headcr4sh, this needs to be done, just nobody got around to it yet, so thank you for raising this.

If I submit the changes, would you be able to test and verify the changes?

@headcr4sh
Copy link
Author

You are absolutely right @headcr4sh, this needs to be done, just nobody got around to it yet, so thank you for raising this.

If I submit the changes, would you be able to test and verify the changes?

Hi @rhusar,
thanks for the quick reply.

I am just tinkering around with your sources and about to provide a patch for what I would like to see. Hopefully, I can provide a Pull Request (which will then of course have been tested in my Azure environment) for you, which you might incorporate. It's been a while since I wrote some Java code, so you'll better double-check what I come up with, though...

@rhusar
Copy link
Member

rhusar commented May 17, 2024

You are absolutely right @headcr4sh, this needs to be done, just nobody got around to it yet, so thank you for raising this.
If I submit the changes, would you be able to test and verify the changes?

Hi @rhusar, thanks for the quick reply.

I am just tinkering around with your sources and about to provide a patch for what I would like to see. Hopefully, I can provide a Pull Request (which will then of course have been tested in my Azure environment) for you, which you might incorporate. It's been a while since I wrote some Java code, so you'll better double-check what I come up with, though...

OK great, that's even better. I might have an old unfinished branch for this somewhere too, I ll have a look.

headcr4sh added a commit to headcr4sh/jgroups-azure that referenced this issue May 17, 2024
@headcr4sh
Add support for AzureDefaultCredential-based auth
d65e7c0 
Closes: jgroups-extras#177
@headcr4sh headcr4sh linked a pull request May 17, 2024 that will close this issue
Draft
@headcr4sh
Copy link
Author

@rhusar

Unfortunately, the PR became a lot more complex than intended.
Not quite sure if that's something you want to go with...

@rhusar
Copy link
Member

rhusar commented May 17, 2024

@rhusar

Unfortunately, the PR became a lot more complex than intended. Not quite sure if that's something you want to go with...

I see the change includes changes to the SDK which was also on the list, so two birds with one stone. Unfortunately that makes it harder to see in SCM what changes are version bump and which are supporting proper credentials, but we can manage.

What software are you using this in? Any chance you using this in WildFly? Because that will needs changes when integrated to it.

@headcr4sh
Copy link
Author

What software are you using this in? Any chance you using this in WildFly? Because that will needs changes when integrated to it.

I am working on the deployment of Keycloak in a containerized environment using Container images from Bitnami and figured out that this jgroups module might be a good solution to configure the distributed caching mechanism.

Thus: I think the software is running on an embedded version of WildFly under the hood ... ?

@J0F3
Copy link

J0F3 commented Oct 4, 2024

I would be very interested in this too (for running Keycloak in Azure Container Apps). Currently I am passing the Storage Account Key trough the JAVA_OPTS_APPEND env variable. But this is actually quite insecure and would love when we cloud get rid of the Access Key and can use the Azure credentials instead.

So, any news on this? 🙂

@rhusar
Copy link
Member

rhusar commented Oct 4, 2024
edited
Loading

I would be very interested in this too (for running Keycloak in Azure Container Apps). Currently I am passing the Storage Account Key trough the JAVA_OPTS_APPEND env variable. But this is actually quite insecure and would love when we cloud get rid of the Access Key and can use the Azure credentials instead.

So, any news on this? 🙂

Thanks for the ping, yeah agreed, this needs to happen. I will try to resume this next week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for AzureDefaultCredential-based auth headcr4sh/jgroups-azure
3 participants
@headcr4sh @rhusar @J0F3