Accessing Cloud Data
Also available as:
PDF
loading table of contents...

Configure Access by Using Client Credential

To configure authentication with ADLS using the client credential, you must register a new application with Active Directory service and then give your application access to your ADL account. After you've performed these steps, you can configure your core-site.xml.

[Note]Note

For more detailed instructions including screenshots refer to How to Configure Authentication with ADLS blog post.

Prerequisites

In one of the steps, you will be required to assign the Owner role to your application. If you do not have sufficient permissions, the role assignment step may have to be performed by your Azure admin.

Register an Application

If you already have your application registered with Active Directory, simply obtain the parameters listed in step 7 below. If you are starting from scratch, perform all the steps:

  1. Log in to the Azure Portal.

  2. Navigate to your Active Directory and then select App Registrations.

  3. Create a new web application by clicking on +New application registration.

  4. Specify an application name, type (Web app/API), and sign-on URLs.

    Remember the application name: you will later add it to your ADLS account as an authorized user.

  5. Once an application is created, navigate to the application configuration and find the Keys in the application's settings.

  6. Create a key by entering key description, selecting a key duration, and then clicking Save.

    Make sure to copy and save the key value. You won't be able to retrieve it after you leave the page.

  7. Note down the properties that you will need to authenticate:

    ParameterHow to obtain it
    Application ID

    You can find it in your application's settings.

    This will be your fs.adl.oauth2.client.id

    Key

    This is the key that you generated for your application. If you did not copy the it, you must create a new key from the Keys page in your application's settings.

    This will be your fs.adl.oauth2.credential

    Token endpoint

    You can obtain this from the App Registrations>Endpoints page by copying the OAUTH 2.0 TOKEN ENDPOINT value.

    This will be your fs.adl.oauth2.refresh.url

Add the Application to your Data Lake Store Account

If you are planning to use multiple Data Lake Store accounts, perform these steps for each account.

  1. Log in to the Azure Portal.

  2. If you don't have a Data Lake Store account, create one.

  3. Navigate to your Data Lake Store account and then select Access Control (IAM).

  4. Click on +Add to add role-based permissions.

  5. Under Role select the "Owner". Under Select, select your application.

    This will grant the "Owner" role for this ADL account to your application.

Configure core-site.xml

Add the following four properties to your core-site.xml. While fs.adl.oauth2.access.token.provider.type must be set to “ClientCredential”, you can obtain the remaining three parameters from step 7 above.

<property>
  <name>fs.adl.oauth2.access.token.provider.type</name>
  <value>ClientCredential</value>
</property>

<property>
  <name>fs.adl.oauth2.client.id</name>
  <value>APPLICATION-ID</value>
</property>

<property>
  <name>fs.adl.oauth2.credential</name>
  <value>KEY</value>
</property>

<property>
  <name>fs.adl.oauth2.refresh.url</name>
  <value>TOKEN-ENDPOINT</value>
</property>

Next Steps

To protect these credentials, we recommend that you use the credential provider framework to securely store and access your credentials.

To make sure that authentication works, try referencing ADLS in the URLs.