Matsushita Shin created HADOOP-17363:
----------------------------------------
Summary: ABFS does not work with OAuth 2.0: Username and Password
Key: HADOOP-17363
URL: https://issues.apache.org/jira/browse/HADOOP-17363
Project: Hadoop Common
Issue Type: Bug
Components: fs/azure
Affects Versions: 3.3.0
Reporter: Matsushita Shin
https://hadoop.apache.org/docs/current/hadoop-azure/abfs.html
I have tried OAuth 2.0 authentication with the username and password written
above.
However, it failed with the following exception.
~~~
Exception in thread "main" HTTP Error 400;
url='https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token'
AADToken: HTTP connection to
https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
failed for getting token from AzureAD.;
requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX';
contentType='application/json; charset=utf-8'; response
'{"error":"unauthorized_client","error_description":"AADSTS700016: Application
with identifier 'jiro' was not found in the directory
'3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application has
not been installed by the administrator of the tenant or consented to by any
user in the tenant. You may have sent your authentication request to the wrong
tenant.\r\nTrace ID: 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID:
4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07
11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07
11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException:
HTTP Error 400;
url='https://login.microsoftonline.com/3070a5de-410e-4885-b6cd-95fe759ced2b/oauth2/token'
AADToken: HTTP connection to
https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
failed for getting token from AzureAD.;
requestId='187c97a4-82a0-4b36-b764-XXXXXXXXXXXX';
contentType='application/json; charset=utf-8'; response
'{"error":"unauthorized_client","error_description":"AADSTS700016: Application
with identifier 'jiro' was not found in the directory
'3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application has
not been installed by the administrator of the tenant or consented to by any
user in the tenant. You may have sent your authentication request to the wrong
tenant.\r\nTrace ID: 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID:
4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07
11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07
11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
at
org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:215)
at
org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.execute(AbfsRestOperation.java:134)
at
org.apache.hadoop.fs.azurebfs.services.AbfsClient.createPath(AbfsClient.java:293)
at
org.apache.hadoop.fs.azurebfs.AzureBlobFileSystemStore.createDirectory(AzureBlobFileSystemStore.java:445)
at
org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem.mkdirs(AzureBlobFileSystem.java:409)
at org.apache.hadoop.fs.FileSystem.mkdirs(FileSystem.java:2355)
at com.sample.HelloWorld.main(HelloWorld.java:116)
Caused by:
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator$HttpException: HTTP
Error 400;
url='https://login.microsoftonline.com/3070a5de-410e-XXXX-XXXXXXXXXXXX/oauth2/token'
AADToken: HTTP connection to
https://login.microsoftonline.com/3070a5de-410e-4885-XXXX-XXXXXXXXXXXX/oauth2/token
failed for getting token from AzureAD.;
requestId='187c97a4-82a0-4b36-b764-a3b8b1c45201';
contentType='application/json; charset=utf-8'; response
'{"error":"unauthorized_client","error_description":"AADSTS700016: Application
with identifier 'jiro' was not found in the directory
'3070a5de-410e-4885-XXXX-XXXXXXXXXXXX'. This can happen if the application has
not been installed by the administrator of the tenant or consented to by any
user in the tenant. You may have sent your authentication request to the wrong
tenant.\r\nTrace ID: 187c97a4-82a0-4b36-b764-a3b8b1c45201\r\nCorrelation ID:
4eb4a71e-2eef-4788-9c8c-24f4c84f6981\r\nTimestamp: 2020-11-07
11:49:21Z","error_codes":[700016],"timestamp":"2020-11-07
11:49:21Z","trace_id":"187c97a4-82a0-4b36-b764-a3b8b1c45201","correlation_id":"4eb4a71e-2eef-4788-9c8c-24f4c84f6981","error_uri":"https://login.microsoftonline.com/error?code=700016"}'
at
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenSingleCall(AzureADAuthenticator.java:394)
at
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:291)
at
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenCall(AzureADAuthenticator.java:273)
at
org.apache.hadoop.fs.azurebfs.oauth2.AzureADAuthenticator.getTokenUsingClientCreds(AzureADAuthenticator.java:96)
at
org.apache.hadoop.fs.azurebfs.oauth2.UserPasswordTokenProvider.refreshToken(UserPasswordTokenProvider.java:54)
at
org.apache.hadoop.fs.azurebfs.oauth2.AccessTokenProvider.getToken(AccessTokenProvider.java:50)
at
org.apache.hadoop.fs.azurebfs.services.AbfsClient.getAccessToken(AbfsClient.java:670)
at
org.apache.hadoop.fs.azurebfs.services.AbfsRestOperation.executeHttpOperation(AbfsRestOperation.java:168)
... 6 more
~~~
The cause of the error seems to be that UserPasswordTokenProvider is calling
getTokenUsingClientCreds() for the service principal.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
I checked the API specifications of Azure and fixed the cause of this error.
After this, I plan to create a Pull Request.
Best regards,
Shin
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
