Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Key Vault] Add support for multi-tenant authentication #21290

Merged
merged 15 commits into from
Nov 10, 2021
Merged

[Key Vault] Add support for multi-tenant authentication #21290

merged 15 commits into from
Nov 10, 2021

Conversation

mccoyp
Copy link
Member

@mccoyp mccoyp commented Oct 15, 2021
edited
Loading

Resolves #20698.

Context: now that azure-identity supports providing a tenant ID to token requests, we can allow Key Vault clients to make use of tenant discovery. This updates the challenge authentication policy to parse out the tenant ID provided in a challenge and authenticate requests with that tenant. Based off of work Charles did in his fork of the repo, this also updates the challenge auth policy to inherit from azure-core's BearerTokenCredentialPolicy instead of re-implementing the wheel. As a result, doing so also requires azure-core >= 1.15.0 (see changelog).

@mccoyp mccoyp added KeyVault Client This issue points to a problem in the data-plane of the library. labels Oct 15, 2021
@mccoyp mccoyp changed the title [Key Vault] Add support for multitenant authentication [Key Vault] Add support for multi-tenant authentication Oct 15, 2021
xiangyan99
xiangyan99 reviewed Nov 5, 2021
View reviewed changes
...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py


class AsyncChallengeAuthPolicy(ChallengeAuthPolicyBase, AsyncHTTPPolicy):
class AsyncChallengeAuthPolicy(AsyncBearerTokenCredentialPolicy):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you give more context about this change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just updated the PR description with more context!

@mccoyp mccoyp marked this pull request as ready for review November 5, 2021 16:56
@mccoyp mccoyp requested a review from schaabs as a code owner November 5, 2021 16:56
@mccoyp mccoyp requested a review from chlowell November 6, 2021 00:50
@mccoyp mccoyp requested a review from chlowell November 9, 2021 00:09
@mccoyp mccoyp requested a review from chlowell November 9, 2021 19:49
@mccoyp mccoyp requested a review from chlowell November 9, 2021 23:21
mccoyp
mccoyp commented Nov 9, 2021
View reviewed changes
...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py
"""policy for handling HTTP authentication challenges"""

def __init__(self, credential: "AsyncTokenCredential", **kwargs: "Any") -> None:
def __init__(self, credential: "AsyncTokenCredential", *scopes: str, **kwargs: "Any") -> None:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added an __init__ back in because _need_new_token made me realize that we shouldn't add any dependencies on private parent class fields. I had been referencing self._credential and self._token from the parent class before

...yvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py

@property
def _need_new_token(self) -> bool:
# pylint:disable=invalid-overridden-method
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I debated internally a bit over adding this override as a property. I suppressed this warning because the situation in azure-core is likely unintentional, where _need_new_token is a property for BearerTokenCredentialPolicy but a method for AsyncBearerTokenCredentialPolicy. Assuming that will be changed in the future, we can remove this suppression, but I figured that makes more sense than re-implementing the property/method pattern here for the sake of consistency

@mccoyp mccoyp merged commit 0a0cc97 into Azure:main Nov 10, 2021
@mccoyp mccoyp deleted the kv-multitenant branch November 10, 2021 17:52
iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request Nov 10, 2021
@iscai-msft
Merge branch 'main' of https://github.com/Azure/azure-sdk-for-python
fbb680e 
…into add_webpubsub_tests

* 'main' of https://github.com/Azure/azure-sdk-for-python:
  [Key Vault] Add support for multi-tenant authentication (Azure#21290)
  [webpubsub] regen with hub as a client parameter (Azure#21688)
  update automatic close mechanism (Azure#21580)
  [Test Proxy] Add fixture to automatically start/stop Docker container (Azure#21538)
  Update Monitor Query API ref link (Azure#21683)
  Migration Guide from Azure-loganalytics (Azure#21674)
  Update docs for Web PubSub GA (Azure#21659)
  Update CHANGELOG.md (Azure#21681)
  Increment version for formrecognizer releases (Azure#21678)
  Increment version for videoanalyzer releases (Azure#21455)
  Increment version for cognitivelanguage releases (Azure#21566)
  Increment version for storage releases (Azure#21652)
  Increment version for communication releases (Azure#21667)
  raise decode error instead of ContentDecodingError (Azure#19433)
  Update CHANGELOG.md (Azure#21679)
  resolve mac agent failure (Azure#21677)
  Re-add get-codeowners.ps1 (Azure#21676)
  [SchemaRegistry] remove schema prefix in params (Azure#21675)
  Validate python docs packages using docker (Azure#21657)
  update git helper (Azure#21670)
@jiasli jiasli mentioned this pull request Dec 31, 2021
Merged
This was referenced Feb 10, 2022
Merged
Open
azure-sdk pushed a commit to azure-sdk/azure-sdk-for-python that referenced this pull request Nov 29, 2022
CodeGen from PR 21290 in Azure/azure-rest-api-specs
0449f58 
{AzureRecoveryServices} fixes Azure/azure-rest-api-specs#20953 (Azure#21290)

* {AzureRecoveryServices} fixes Azure/azure-rest-api-specs#20953

fixes Azure/azure-rest-api-specs#20953

swagger link: https://github.com/Azure/azure-rest-api-specs/blob/main/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2021-12-01/bms.json#L4362

example link: https://github.com/Azure/azure-rest-api-specs/blob/main/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2021-12-01/examples/ResourceGuardProxyCRUD/PutResourceGuardProxy.json

In the swagger file, there is no parameter named resourceGuardResourceId in ResourceGuardProxy_Put while in the example there is. the parameter is needed to create.

* Update bms.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chlowell chlowell chlowell approved these changes

@YalinLi0312 YalinLi0312 Awaiting requested review from YalinLi0312

@xiangyan99 xiangyan99 Awaiting requested review from xiangyan99

@schaabs schaabs Awaiting requested review from schaabs

Assignees
No one assigned
Labels
Client This issue points to a problem in the data-plane of the library. KeyVault
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for multi-tenant authentication to Key Vault
3 participants
@mccoyp @chlowell @xiangyan99