backend/azureblob/imds hybrid imds support #6132
Comments
It appears that Microsoft has modified the oauthTokenManager.go code which imds.go is based on to support Arc, however it is not as simple as changing the endpoint as the token is saved into a local file and must be read from that file.
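The extra step a hybrid (Azure Arc) IMDS endpoint adds over a plain IMDS call, shown in Go as an added example; it is not the code from imds.go, azcopy or the Azure SDK. The agent answers the first request with a 401 whose `WWW-Authenticate: Basic realm=` value names a local key file, and the client replays the request with that file's contents as the Basic credential. The `api-version` value, the `.key` extension, the 4096-byte cap and the Linux token directory used in `main` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// arcToken runs the two-step Arc exchange; key files are only read from tokenDir.
func arcToken(endpoint, resource, tokenDir string) (string, error) {
	u := endpoint + "?api-version=2020-06-01&resource=" + url.QueryEscape(resource) // api-version assumed
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Metadata", "true")
	resp, err := http.DefaultClient.Do(req) // step 1: expect a 401 that names a key file
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	// The path arrives in an HTTP response, so pin its directory and extension before reading.
	key := filepath.Clean(strings.TrimPrefix(resp.Header.Get("WWW-Authenticate"), "Basic realm="))
	if resp.StatusCode != http.StatusUnauthorized || filepath.Dir(key) != filepath.Clean(tokenDir) || filepath.Ext(key) != ".key" {
		return "", fmt.Errorf("arc: no usable challenge (status %s, key file %q)", resp.Status, key)
	}
	secret, err := os.ReadFile(key)
	if err != nil || len(secret) > 4096 { // size cap is an assumed sanity limit
		return "", fmt.Errorf("arc: key file unreadable or over 4096 bytes (read error: %v)", err)
	}
	req.Header.Set("Authorization", "Basic "+string(secret)) // step 2: replay with the secret
	if resp, err = http.DefaultClient.Do(req); err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"` }
	if err = json.NewDecoder(resp.Body).Decode(&tok); err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("arc: token request failed (%s): %v", resp.Status, err)
	}
	return tok.AccessToken, nil
}

func main() {
	_, err := arcToken(os.Getenv("IDENTITY_ENDPOINT"), "https://storage.azure.com/", "/var/opt/azcmagent/tokens")
	fmt.Println("arc token request error:", err)
}
```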
It looks like it might be public enough so we could use the code from https://github.com/Azure/azure-storage-azcopy/blob/main/common/oauthTokenManager.go directly which would make maintenance easier. @backerman since you wrote this code originally in #3213 I wonder if you have any thoughts about this?
I have made my own merge of the oauthTokenManager code into imds.go and will use that version locally until it can be integrated/properly tested. I have attached my imds.go as a txt. I haven't made any changes to make the error messages relevant to rclone instead of azcopy
@ncw I'll take a look.
I'm going to try to get this done in the next week or so. A lot of my previous patch to enable MSI was working around the storage SDK not being compatible with the
That new SDK requires Go 1.18, and rclone currently requires 1.16 - will it be okay to bump the version?
@backerman what we normally do here is use conditional compilation on go version to only include the new feature in go1.18 compilations. When go1.18 becomes the oldest supported version we remove the conditional compilation. This would typically involve one file with a Though in this case we are talking about the whole azureblob backend aren't we? That's fine too - non go1.18 compilations will just be missing the azureblob backend. So you'd just add a build constraint here
Something like
Though we should probably check to see on which archs the new SDK does actually compile!
@backerman is there a branch with your changes to identity that I can build locally/use until it is released?
@ian-bowler Edit: nope, not today. Still a dozen references to fix and then I can do some basic tests to make sure it doesn't panic all over the place with all these pointers in the new SDK.
@ian-bowler I've got something that, er, compiles in my fork. I'm now going through the integration test failures to make it actually work.
Update: down to a much smaller number of integration test failures.
@backerman nice one :-) Let me know if you need help. Try not to break
@backerman I was able to build and test your fork with success, even a Windows build. Looking forward to this becoming mainline at some point
@backerman I've been doing this port myself - I had completely forgotten you'd started already so I started from scratch - sorry :-( I've found 5 relevant bugs (I reported 3 of them) in the SDK which are the reason the integration tests aren't 100%
I've managed to work around most of them but there are still a couple of failures from 2) ( I'm going to re-work the auth next which should include fixing this issue. When I've done that I'll post a beta.
@backerman I've pulled the auth port you did out of your tree and added to mine as separate commit - that saved me loads of time - thank you! Hope that is OK.
This commit switches from using the old Azure go modules

    github.com/Azure/azure-pipeline-go/pipeline
    github.com/Azure/azure-storage-blob-go/azblob
    github.com/Azure/go-autorest/autorest/adal

To the new SDK

    github.com/Azure/azure-sdk-for-go/

This stops rclone using deprecated code and enables the full range of authentication with Azure. See #6132 and #5284
I've merged this work for v1.61. I took the opportunity to rework the auth to make it a bit easier to configure but it is backwards compatible. Thank you @backerman for your work here - I used your work as a basis for this commit f746b2f I'd appreciate testing of the latest beta which contains the code. You can see the docs for the auth here: https://tip.rclone.org/azureblob/#authenticating-with-azure-blob-storage
@ncw I have confirmed that the latest beta works with my AzureArc authentication scheme on local machines outside Azure. Thank you @ncw and @backerman for the work to properly update Azure Auth integration, looking forward to switching from my custom branch back to the main release
Thanks for confirming it works @ian-bowler I'll close this issue now
The associated forum post URL from https://forum.rclone.org
https://forum.rclone.org/t/azure-blob-backend-azure-arc-managed-identity-support-himds/30441
What is your current rclone version (output from rclone version)?
rclone v1.58.0
What problem are you trying to solve?
Use a different endpoint for IMDS
How do you think rclone should be changed to solve that?
Add config level endpoint specification
OR
Read optional endpoint from environment variable