DX-98836: add support for EntraID authentication for azureStorage

iambrianngo · iambrianngo · commit 80da60e78614 · 2025-01-02T16:01:24.000-05:00
Change-Id: I55de7a4f0265e2e5d728872c050af35e29204a07
diff --git a/charts/dremio_v2/config/core-site.xml b/charts/dremio_v2/config/core-site.xml
@@ -154,12 +154,7 @@
   <property>
     <name>dremio.azure.account</name>
     <description>The name of the storage account.</description>
-    <value>{{required "Azure storage account name required" $.Values.distStorage.azureStorage.accountName }}</value>
-  </property>
-  <property>
-    <name>dremio.azure.key</name>
-    <description>The shared access key for the storage account.</description>
-    <value>{{ required "Shared access key required" $.Values.distStorage.azureStorage.credentials.accessKey }}</value>
+    <value>{{ required "Azure storage account name required" $.Values.distStorage.azureStorage.accountName }}</value>
   </property>
   <property>
     <name>dremio.azure.mode</name>
@@ -171,6 +166,41 @@
     <description>Boolean option to enable SSL connections.</description>
     <value>True</value>
   </property>
+  {{- if eq  $.Values.distStorage.azureStorage.authentication "accessKey" -}}
+  <property>
+    <name>dremio.azure.credentialsType</name>
+    <description>The credentials used for authentication.</description>
+    <value>ACCESS_KEY</value>
+  </property>
+  <property>
+    <name>dremio.azure.key</name>
+    <description>The shared access key for the storage account.</description>
+    <value>{{ required "Shared access key required" $.Values.distStorage.azureStorage.credentials.accessKey }}</value>
+  </property>
+  {{- else if eq $.Values.distStorage.azureStorage.authentication "entraID" -}}
+  <property>
+    <name>dremio.azure.credentialsType</name>
+    <description>The credentials used for authentication.</description>
+    <value>AZURE_ACTIVE_DIRECTORY</value>
+  </property>
+  <property>
+    <name>dremio.azure.clientId</name>
+    <description>The Application (client) ID of the Azure application used to secure access to Azure Storage</description>
+    <value>{{ required "Application client ID required" $.Values.distStorage.azureStorage.credentials.clientId }}</value>
+  </property>
+  <property>
+    <name>dremio.azure.tokenEndpoint</name>
+    <description>OAuth 2.0 token endpoint V1.0 for Microsoft EntraID</description>
+    <value>{{ required "EntraID token endpoint required" $.Values.distStorage.azureStorage.credentials.tokenEndpoint }}</value>
+  </property>
+  <property>
+    <name>dremio.azure.clientSecret</name>
+    <description>The Application (client) secret of the Azure application used to secure access to Azure Storage</description>
+    <value>{{ required "Azure Application client secret required" $.Values.distStorage.azureStorage.credentials.clientSecret }}</value>
+  </property>
+  {{- else -}}
+  {{ fail "Unrecognized Azure authentication mode." }}
+  {{- end -}}
   {{- if $.Values.distStorage.azureStorage.extraProperties -}}
   {{- $.Values.distStorage.azureStorage.extraProperties | nindent 4 }}
   {{- end -}}
diff --git a/charts/dremio_v2/docs/Values-Reference.md b/charts/dremio_v2/docs/Values-Reference.md
@@ -1627,13 +1627,48 @@ Dremio will write to the root path of the provided Azure Storage blob container.
 
 #### Credentials for Azure Storage Gen2
 
+##### `distStorage.azureStorage.authentication`
+
+Type: String
+
+Dremio supports authentication using an access key or Microsoft EntraID.
+
+The valid values for `distStorage.azureStorage.authentication` are `accessKey` or `entraID`.
+
+By default, this value is set to `accessKey`.
+
 ##### `distStorage.azureStorage.credentials.accessKey`
 
 Type: String
 
 By default, this value is set to `Azure Storage Account Access Key` and must be changed to a valid access key.
 
-For Dremio to authenticate to the provided Azure Storage blob container, provide a valid access key.
+For Dremio to authenticate to the provided Azure Storage blob container via access key, provide a valid access key.
+
+##### `distStorage.azureStorage.credentials.clientId`
+
+Type: String
+
+By default, this value is set to `Azure Application Client ID` and must be changed to a valid application client ID.
+
+For Dremio to authenticate to the provided Azure Storage blob container via Entra ID, provide a valid application client ID.
+
+##### `distStorage.azureStorage.credentials.tokenEndpoint`
+
+Type: String
+
+By default, this value is set to `Azure Entra ID Token Endpoint` and must be changed to a valid token endpoint.
+
+For Dremio to authenticate to the provided Azure Storage blob container via Entra ID, provide a valid token endpoint.
+
+##### `distStorage.azureStorage.credentials.clientSecret`
+
+Type: String
+
+By default, this value is set to `Azure Application Client Secret` and must be changed to a valid client secret.
+
+For Dremio to authenticate to the provided Azure Storage blob container via Entra ID, provide a valid client secret.
+
 
 #### Advanced Configuration for Azure Storage Gen2
 
diff --git a/charts/dremio_v2/values.yaml b/charts/dremio_v2/values.yaml
@@ -362,7 +362,7 @@ distStorage:
   # local: (<21.0.0 only) Not recommended for production use. When using local, dist-caching is disabled.
   # aws: AWS S3, additional parameters required, see "aws" section.
   # azure: ADLS Gen 1, additional parameters required, see "azure" section.
-  # azureStorage: Azure Storage Gen2, additional paramters required, see "azureStorage" section.
+  # azureStorage: Azure Storage Gen2, additional parameters required, see "azureStorage" section.
   # gcp: Google Cloud Storage, additional parameters required, see "gcp" section.
   type: "local"
 
@@ -468,15 +468,25 @@ distStorage:
   # https://docs.dremio.com/deployment/dist-store-config.html#azure-storage
   #
   # accountName: The name of the storage account.
+  # authentication: Valid types are: accessKey or entraID
   # filesystem: The name of the blob container to use within the storage account.
   # path: The path, relative to the filesystem, to create Dremio's directories.
   # credentials:
   azureStorage:
     accountName: "Azure Storage Account Name"
+    authentication: "accessKey"
     filesystem: "Azure Storage Account Blob Container"
     path: "/"
     credentials:
-      accessKey: "Azure Storage Account Access Key"
+      # If using accessKey for authentication against Azure Storage, uncomment the lines below and use the values
+      # to configure the appropriate credentials.
+      #accessKey: "Azure Storage Account Access Key"
+
+      # If using entraID for authentication against Azure Storage, uncomment the lines below and use the values
+      # to configure the appropriate credentials.
+      #clientId: "Azure Application Client ID"
+      #tokenEndpoint: "Azure Entra ID Token Endpoint"
+      #clientSecret: "Azure Application Client Secret"
 
     # Extra Properties
     # Use the extra properties block to provide additional parameters to configure the distributed
