fix: Azure Fusion env misses credentials when no key or SAS provided #5287
Conversation
adamrtalbot commented Sep 5, 2024 (edited)
- Fix: Azure Fusion missing authentication if accountKey is provided
- Catch when service principal exists but no keys or SAS

Changes logic of Azure Environment set up:
1. Is there an account name? (no: error)
2. Is there an accountKey or an accountSas or Managed identity? (no: error)
3. If there is a managed identity: yes: return; no: Create or add a SAS -> return

Signed-off-by: adamrtalbot <12817534+adamrtalbot@users.noreply.github.com>
def mockStorageObject = Mock(Object) { | ||
getOrCreateSasToken() >> 'generatedSasToken' | ||
} |
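Review bot: the mock is declared as Mock(Object), so the getOrCreateSasToken() stub is attached to a type the code under test never calls; the value reported later in the thread (a real sv=...&sig=... SAS string in env.AZURE_STORAGE_SAS_TOKEN) shows that the real token generation path is still running, i.e. the object under test is not receiving this mock at all, whatever type it is given. Suggest making the SAS source an injected collaborator (or spying the real instance) so the test can substitute it, rather than stubbing a detached object.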
@pditommaso o great Spock wizard, why does it not mock the getOrCreateSasToken method properly here?
shouldn't it be Mock(AzStorageOpts)?
Tried that and I get the same result, env.AZURE_STORAGE_SAS_TOKEN is sv=2024-05-04&ss=bf&srt=sco&se=2024-09-07T11%3A24%3A38Z&sp=rwdlacut&sig=SIGNATURE%3D
// If a Managed Identity or Service Principal is configured, Fusion only needs to know the account name | ||
if (cfg.managedIdentity().isConfigured() || cfg.activeDirectory().isConfigured()) { | ||
// If a Managed Identity is configured, Fusion only needs to know the account name | ||
if (cfg.managedIdentity().isConfigured()) { | ||
return result | ||
} | ||
|
||
// If a SAS token is configured, instead, Fusion also requires the token value |
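Review bot: the comment on the last line ("If a SAS token is configured, instead, Fusion also requires the token value") no longer describes the branch: with the early return now limited to the managed-identity case, the service-principal and account-key configurations fall through here and obtain a SAS token whether or not cfg.storage().sasToken was set, which is exactly the behaviour that was missing before. Reword it to say that a SAS token is looked up or generated in every non-managed-identity case, e.g. `// Otherwise Fusion also requires a SAS token (even when cfg.storage().sasToken is not set)`, and consider a unit test pinning that a service-principal configuration yields AZURE_STORAGE_SAS_TOKEN.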
@adamrtalbot Could we please update this comment to something like:
// Otherwise, Fusion also requires a SAS Token
// (yes, even if `cfg.storage().sasToken` has not been explicitly defined)
so that this doesn't happen again?
How about this:
// If Fusion does not use a managed identity, get or create a SAS token for Fusion to use
That's not much different from what the code itself already tells. I would prefer to have an explicit comment telling us why it's needed despite the configuration not requesting it explicitly.
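The decision order from the PR description and the "SAS token even when none is configured" point from the review thread, as an added example that is not nf-azure's own code: the SAS source is a hypothetical injected SasProvider interface so a Spock test can stub it (the problem hit with Mock(Object) above), and the config values are passed as plain parameters instead of the plugin's AzConfig object.

```groovy
import spock.lang.Specification

// Hypothetical builder standing in for AzFusionEnv; the real plugin reads these
// values from its AzConfig object rather than taking them as parameters.
class FusionEnvBuilder {
    // Hypothetical collaborator; in nf-azure this role is played by getOrCreateSasToken()
    interface SasProvider { String getOrCreateSasToken() }

    private final SasProvider sas
    FusionEnvBuilder(SasProvider sas) { this.sas = sas }

    Map<String,String> build(String accountName, String accountKey, String sasToken, boolean managedIdentity) {
        // 1. an account name is mandatory
        if( !accountName )
            throw new IllegalArgumentException('Azure storage account name is required')
        // 2. some credential must be present: key, SAS or managed identity
        if( !accountKey && !sasToken && !managedIdentity )
            throw new IllegalArgumentException('Provide accountKey, sasToken or a managed identity')
        Map<String,String> result = [AZURE_STORAGE_ACCOUNT_NAME: accountName]
        // 3. with a managed identity the account name alone is enough for Fusion
        if( managedIdentity )
            return result
        // Otherwise Fusion always needs a SAS token, even when only accountKey was
        // configured: reuse the explicit token or generate one from the key
        result.AZURE_STORAGE_SAS_TOKEN = sasToken ?: sas.getOrCreateSasToken()
        return result
    }
}

// Because the provider is injected, the stub is applied to the object the builder actually calls
class FusionEnvBuilderSpec extends Specification {
    def 'generates a SAS token when only the account key is configured'() {
        given:
        def provider = Mock(FusionEnvBuilder.SasProvider) { getOrCreateSasToken() >> 'generatedSasToken' }
        def builder = new FusionEnvBuilder(provider)
        when:
        def env = builder.build('myaccount', 'myKey', null, false)
        then:
        env.AZURE_STORAGE_ACCOUNT_NAME == 'myaccount'
        env.AZURE_STORAGE_SAS_TOKEN == 'generatedSasToken'
    }

    def 'managed identity needs only the account name'() {
        given:
        def builder = new FusionEnvBuilder(Mock(FusionEnvBuilder.SasProvider))
        expect:
        builder.build('myaccount', null, null, true) == [AZURE_STORAGE_ACCOUNT_NAME: 'myaccount']
    }
}
```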
Signed-off-by: adamrtalbot <12817534+adamrtalbot@users.noreply.github.com>
plugins/nf-azure/src/main/nextflow/cloud/azure/fusion/AzFusionEnv.groovy (outdated; resolved)
…Env.groovy Signed-off-by: Adam Talbot <12817534+adamrtalbot@users.noreply.github.com>
Not working in my tests https://cloud.seqera.io/orgs/seqeralabs/workspaces/showcase/watch/4TjgGOuMwaln3w
I tested this patch interactively and it fails when running nextflow from an Azure VM using Service Principal authentication:
The reason is that the current implementation of I'm currently working on a fix to test this theory.
…method Signed-off-by: Alberto Miranda <alberto.miranda@seqera.io>
Ok, I think I finally got it working. I just pushed a fix that works for all the interactive tests I could think of using an Azure VM. @pditommaso @adamrtalbot could you please test it with your workflows and see if I finally got it right? 🥺
Is this PR still valid following the outcome of the discussion on the related Fusion thread?
Yes - we need to make sure the workers have a SAS key when using a managed identity. I believe these changes make Nextflow always generate a storage account SAS, even when using a Managed Identity, is that correct @alberto-miranda? Currently using a Managed Identity + Fusion will fail.
It is indeed still valid. In fact, it doesn't make sense to proceed with the implementation mentioned in https://github.com/seqeralabs/fusion/issues/526 unless the current PR is confirmed to work. Did this fix pass all the failing tests?
Integration tests look OK in this branch
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
I tried to run the e2e tests by adding nextflow/.github/workflows/build.yml (line 180 in 62e2604)
Any chance you can look at that?
@pditommaso who is this to? @alberto-miranda ?
Hopefully not, because I have no idea how that works 😅
Tested with:
All worked with and without Fusion. Will dig into it a bit more to see if any edge cases pop up; it's acceptable to me now.
Signed-off-by: adamrtalbot <12817534+adamrtalbot@users.noreply.github.com>
Tried again with 3139dae. See https://github.com/nextflow-io/nextflow/actions/runs/10992221379/job/30516198828?pr=5287 for an example workflow run 🤞
Still not working, not understanding why
I can't see
I would switch it to be a separate workflow, triggered on Github comment containing
Signed-off-by: adamrtalbot <12817534+adamrtalbot@users.noreply.github.com>
Here's a test run with the if-statement disabled. Gonna revert that commit now. https://github.com/nextflow-io/nextflow/actions/runs/10993010551/job/30518841423?pr=5287
This reverts commit cab3ffe. Signed-off-by: adamrtalbot <12817534+adamrtalbot@users.noreply.github.com>
That makes sense, any chance to give it a try?
I can but can we do a separate PR so we don't block this one?
Yes, sure
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
It looks like tests are not running because it is an external PR. Closing in favour of #5328