[Storage] Handling AzureNamedKeyCredential in Python SDK #24967

Merged
Expand Up @@ -25,10 +25,12 @@ class ChangeFeedClient(object): # pylint: disable=too-many-public-methods
:param credential:
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account
shared access key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword str secondary_hostname:
The hostname of the secondary endpoint.
:keyword int max_single_get_size:
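Review bot: the reworded sentence in the ChangeFeedClient `:param credential:` text still reads "an instance of a AzureSasCredential or AzureNamedKeyCredential" and "TokenCredentials class", which is ungrammatical and does not match the `TokenCredential` name imported under TYPE_CHECKING elsewhere in this change. Since the same sentence is pasted into every docstring in the PR, correct it to "an AzureSasCredential or AzureNamedKeyCredential" and "TokenCredential" once and copy the fixed text through.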
Expand Down Expand Up @@ -71,9 +73,11 @@ def from_connection_string(
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token, or the connection string already has shared
access key values. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account shared access
key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
Credentials provided here will take precedence over those in the connection string.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:returns: A change feed client.
:rtype: ~azure.storage.blob.changefeed.ChangeFeedClient
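Review bot: the sentence added to the from_connection_string credential docs says what "name" and "key" should hold but not how "name" relates to the account identified by the connection string. The line just above states that credentials provided here take precedence over those in the connection string, so say explicitly whether that applies to the account name as well, or that the two must match.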

Expand Up @@ -21,6 +21,7 @@

from devtools_testutils.storage import StorageTestCase
from settings.testcase import ChangeFeedPreparer
from azure.core.credentials import AzureNamedKeyCredential

@pytest.mark.playback_test_only
class StorageChangeFeedTest(StorageTestCase):
Expand Down Expand Up @@ -333,3 +334,14 @@ def test_list_3_shards_events_works_with_1_shard_cursor(self, storage_account_na
dict_token_with_1_shard = json.loads(token_with_1_shard)
self.assertEqual(len(dict_token_with_1_shard['CurrentSegmentCursor']['ShardCursors']), 1)
self.assertEqual(len(dict_token['CurrentSegmentCursor']['ShardCursors']), 3)

# @ChangeFeedPreparer()
# def test_azure_named_key_credential_access(self, storage_account_name, storage_account_key):
# named_key = AzureNamedKeyCredential(storage_account_name, storage_account_key)
# cf_client = ChangeFeedClient(self.account_url(storage_account_name, "blob"), named_key)
#
# # Act
# change_feed = cf_client.list_changes()
#
# # Assert
# self.assertIsNotNone(change_feed)
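Review bot: test_azure_named_key_credential_access is added fully commented out, so the new credential path has no coverage in this file and the AzureNamedKeyCredential import at the top is only referenced from comments. The class is marked playback_test_only, so the test would need a recording to run; either enable it with one or drop the commented block and the import until that exists. If it is enabled, asserting only that `list_changes()` returns a non-None object does not show that a signed request succeeded, so iterate at least one page.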
10 changes: 7 additions & 3 deletions sdk/storage/azure-storage-blob/azure/storage/blob/__init__.py
Expand Up @@ -85,10 +85,12 @@ def upload_blob_to_url(
:param credential:
The credentials with which to authenticate. This is optional if the
blob URL already has a SAS token. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account
shared access key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword bool overwrite:
Whether the blob to be uploaded should overwrite the current data.
If True, upload_blob_to_url will overwrite any existing data. If set to False, the
Expand Down Expand Up @@ -141,10 +143,12 @@ def download_blob_from_url(
:param credential:
The credentials with which to authenticate. This is optional if the
blob URL already has a SAS token or the blob is public. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials,
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword bool overwrite:
Whether the local file should be overwritten if it already exists. The default value is
`False` - in which case a ValueError will be raised if the file already exists. If set to
Expand Up @@ -104,10 +104,12 @@ class BlobClient(StorageAccountHostsMixin, StorageEncryptionMixin): # pylint: d
:param credential:
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account
shared access key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword str api_version:
The Storage API version to use for requests. Default value is the most recent service version that is
compatible with the current SDK. Setting to an older version may result in reduced feature compatibility.
Expand Down Expand Up @@ -222,10 +224,12 @@ def from_blob_url(cls, blob_url, credential=None, snapshot=None, **kwargs):
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token, or the connection string already has shared
access key values. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account shared access
key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:param str snapshot:
The optional blob snapshot on which to operate. This can be the snapshot ID string
or the response returned from :func:`create_snapshot`. If specified, this will override
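Review bot: the credential paragraph for from_blob_url still says "or the connection string already has shared access key values", but this classmethod takes `blob_url` and no connection string. The paragraph is being edited anyway, so drop that clause here; the from_container_url docstring in this PR carries the same leftover.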
Expand Down Expand Up @@ -309,9 +313,11 @@ def from_connection_string(
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token, or the connection string already has shared
access key values. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account shared access
key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
Credentials provided here will take precedence over those in the connection string.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:returns: A Blob client.
:rtype: ~azure.storage.blob.BlobClient

Expand Up @@ -73,10 +73,12 @@ class BlobServiceClient(StorageAccountHostsMixin, StorageEncryptionMixin):
:param credential:
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account
shared access key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword str api_version:
The Storage API version to use for requests. Default value is the most recent service version that is
compatible with the current SDK. Setting to an older version may result in reduced feature compatibility.
Expand Down Expand Up @@ -159,9 +161,11 @@ def from_connection_string(
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token, or the connection string already has shared
access key values. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account shared access
key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
Credentials provided here will take precedence over those in the connection string.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:returns: A Blob service client.
:rtype: ~azure.storage.blob.BlobServiceClient

Expand Up @@ -87,10 +87,12 @@ class ContainerClient(StorageAccountHostsMixin, StorageEncryptionMixin): # py
:param credential:
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account
shared access key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword str api_version:
The Storage API version to use for requests. Default value is the most recent service version that is
compatible with the current SDK. Setting to an older version may result in reduced feature compatibility.
Expand Down Expand Up @@ -180,10 +182,12 @@ def from_container_url(cls, container_url, credential=None, **kwargs):
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token, or the connection string already has shared
access key values. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account shared access
key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:returns: A container client.
:rtype: ~azure.storage.blob.ContainerClient
"""
Expand Down Expand Up @@ -229,9 +233,11 @@ def from_connection_string(
The credentials with which to authenticate. This is optional if the
account URL already has a SAS token, or the connection string already has shared
access key values. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account shared access
key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
Credentials provided here will take precedence over those in the connection string.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:returns: A container client.
:rtype: ~azure.storage.blob.ContainerClient

Expand Up @@ -6,9 +6,12 @@
import logging
import uuid
from typing import ( # pylint: disable=unused-import
Optional,
Any,
Dict,
Tuple,
Union,
Optional,
TYPE_CHECKING
)

try:
Expand All @@ -20,7 +23,7 @@
import six

from azure.core.configuration import Configuration
from azure.core.credentials import AzureSasCredential
from azure.core.credentials import AzureSasCredential, AzureNamedKeyCredential
from azure.core.exceptions import HttpResponseError
from azure.core.pipeline import Pipeline
from azure.core.pipeline.transport import RequestsTransport, HttpTransport
Expand Down Expand Up @@ -53,6 +56,8 @@
from .._version import VERSION
from .response_handlers import process_storage_error, PartialBatchErrorException

if TYPE_CHECKING:
from azure.core.credentials import TokenCredential

_LOGGER = logging.getLogger(__name__)
_SERVICE_PARAMS = {
Expand All @@ -68,7 +73,7 @@ def __init__(
self,
parsed_url, # type: Any
service, # type: str
credential=None, # type: Optional[Any]
credential=None, # type: Optional[Union[str, Dict[str, str], AzureNamedKeyCredential, AzureSasCredential, "TokenCredential"]] # pylint: disable=line-too-long
**kwargs # type: Any
):
# type: (...) -> None
Expand Down Expand Up @@ -353,6 +358,8 @@ def _format_shared_key_credential(account_name, credential):
if "account_key" not in credential:
raise ValueError("Shared key credential missing 'account_key")
return SharedKeyCredentialPolicy(**credential)
if isinstance(credential, AzureNamedKeyCredential):
return SharedKeyCredentialPolicy(credential.named_key.name, credential.named_key.key)
return credential
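Review bot: key rotation is lost in the new `isinstance(credential, AzureNamedKeyCredential)` branch of _format_shared_key_credential, because it copies `credential.named_key.name` and `credential.named_key.key` into SharedKeyCredentialPolicy once, when the client is built. AzureNamedKeyCredential has an update() method so callers can rotate the key in place, and a client created through this branch would keep signing with the old key afterwards. Consider letting the policy hold the credential object and read `named_key` at signing time, or state in the docstrings that a new client is required after rotation. The branch also ignores the `account_name` argument in favour of the credential's own name; checking that the two agree would turn a mismatch into a clear ValueError instead of a signature failure from the service.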


Expand Up @@ -31,13 +31,15 @@ async def upload_blob_to_url(
:param data:
The data to upload. This can be bytes, text, an iterable or a file-like object.
:type data: bytes or str or Iterable
:param credential:
:param credential:
The credentials with which to authenticate. This is optional if the
blob URL already has a SAS token. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials, an account
shared access key, or an instance of a TokenCredentials class from azure.identity.
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword bool overwrite:
Whether the blob to be uploaded should overwrite the current data.
If True, upload_blob_to_url will overwrite any existing data. If set to False, the
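Review bot: the `:param credential:` line in the async upload_blob_to_url docstring is removed and re-added with no textual difference, so this part of the hunk is a whitespace-only change. Confirm it is intended, and that the resulting indentation matches the neighbouring `:param data:` entry, since docstring indentation decides how the description nests in the rendered docs.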
Expand Down Expand Up @@ -90,10 +92,12 @@ async def download_blob_from_url(
:param credential:
The credentials with which to authenticate. This is optional if the
blob URL already has a SAS token or the blob is public. The value can be a SAS token string,
an instance of a AzureSasCredential from azure.core.credentials,
an instance of a AzureSasCredential or AzureNamedKeyCredential from azure.core.credentials,
an account shared access key, or an instance of a TokenCredentials class from azure.identity.
If the resource URI already contains a SAS token, this will be ignored in favor of an explicit credential
- except in the case of AzureSasCredential, where the conflicting SAS tokens will raise a ValueError.
If using an instance of AzureNamedKeyCredential, "name" should be the storage account name, and "key"
should be the storage account key.
:keyword bool overwrite:
Whether the local file should be overwritten if it already exists. The default value is
`False` - in which case a ValueError will be raised if the file already exists. If set to