Add support for multiuser permissions in unix (#43483)

rads-1996 · Copilot · hectorhdzg · web-flow · commit 894d166350f0 · 2025-10-31T08:15:29.000-07:00
* Add support for multiuser permissions in unix

* Updated CHANGELOG

* Update sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_storage.py

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Update sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_storage.py

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* Fix lint

* Remove unused input

* Revert storage changes

* Fix path formation to allow multiple users unique paths to access

* Fixed path and added unique identifier right after \tmp

* fix cspell

* remove commented line

* Retrigger CI/CD pipeline

* Retrigger CI/CD pipeline

* Retrigger CI/CD pipeline

* Add docstring and exception handling

* Update sdk/monitor/azure-monitor-opentelemetry-exporter/CHANGELOG.md

Co-authored-by: Hector Hernandez &lt;39923391+hectorhdzg@users.noreply.github.com&gt;

* Update sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py

Co-authored-by: Hector Hernandez &lt;39923391+hectorhdzg@users.noreply.github.com&gt;

* Cleanup

* Correct keyword

* Docstring

* Modified Path Logic

* Retrigger CI/CD pipeline

* Fix lint

* Retrigger CI/CD pipeline

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: Hector Hernandez &lt;39923391+hectorhdzg@users.noreply.github.com&gt;
diff --git a/sdk/monitor/azure-monitor-opentelemetry-exporter/CHANGELOG.md b/sdk/monitor/azure-monitor-opentelemetry-exporter/CHANGELOG.md
@@ -3,6 +3,8 @@
 ## 1.0.0b45 (Unreleased)
 
 ### Features Added
+- Added local storage support for multiple users on the same Linux system
+  ([#43483](https://github.com/Azure/azure-sdk-for-python/pull/43483))
 
 ### Breaking Changes
 
diff --git a/sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/_utils.py b/sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/_utils.py
@@ -9,6 +9,7 @@
 import threading
 import time
 import warnings
+import hashlib
 from typing import Callable, Dict, Any, Optional
 
 from opentelemetry.semconv.resource import ResourceAttributes
@@ -422,3 +423,6 @@ def get_compute_type():
     if _is_on_aks():
         return _RP_Names.AKS.value
     return _RP_Names.UNKNOWN.value
+
+def _get_sha256_hash(input_str: str) -> str:
+    return hashlib.sha256(input_str.encode("utf-8")).hexdigest()
diff --git a/sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py b/sdk/monitor/azure-monitor-opentelemetry-exporter/azure/monitor/opentelemetry/exporter/export/_base.py
@@ -1,12 +1,16 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License.
+import getpass
 import logging
 import os
 import tempfile
 import time
+import sys
+from pathlib import Path
 from enum import Enum
 from typing import List, Optional, Any
 from urllib.parse import urlparse
+import psutil
 
 from azure.core.exceptions import HttpResponseError, ServiceRequestError
 from azure.core.pipeline.policies import (
@@ -54,6 +58,7 @@
     _get_attach_type,
     _get_rp,
     ext_version,
+    _get_sha256_hash
 )
 from azure.monitor.opentelemetry.exporter.statsbeat._state import (
     get_statsbeat_initial_success,
@@ -78,7 +83,7 @@
 
 logger = logging.getLogger(__name__)
 
-_AZURE_TEMPDIR_PREFIX = "Microsoft/AzureMonitor"
+_AZURE_TEMPDIR_PREFIX = "Microsoft-AzureMonitor-"
 _TEMPDIR_PREFIX = "opentelemetry-python-"
 _SERVICE_API_LATEST = "2020-09-15_Preview"
 
@@ -133,13 +138,10 @@ def __init__(self, **kwargs: Any) -> None:
         self._storage_min_retry_interval = kwargs.get(
             "storage_min_retry_interval", 60
         )  # minimum retry interval in seconds
-        temp_suffix = self._instrumentation_key or ""
         if "storage_directory" in kwargs:
             self._storage_directory = kwargs.get("storage_directory")
         elif not self._disable_offline_storage:
-            self._storage_directory = os.path.join(
-                tempfile.gettempdir(), _AZURE_TEMPDIR_PREFIX, _TEMPDIR_PREFIX + temp_suffix
-            )
+            self._storage_directory = _get_storage_directory(self._instrumentation_key or "")
         else:
             self._storage_directory = None
         self._storage_retention_period = kwargs.get(
@@ -604,3 +606,61 @@ def _get_authentication_credential(**kwargs: Any) -> Optional[ManagedIdentityCre
     except Exception as e:
         logger.error("Failed to get authentication credential and enable AAD: %s", e)  # pylint: disable=do-not-log-exceptions-if-not-debug
     return None
+
+def _get_storage_directory(instrumentation_key: str) -> str:
+    """Return the deterministic local storage path for a given instrumentation key.
+
+    On shared Linux hosts the first user to create ``/tmp/Microsoft/AzureMonitor`` can
+    block others because the directory inherits that user's ``umask``. This is avoided by
+    inserting a hash of the instrumentation key, user name, process name, and
+    application directory, giving each user their own subdirectory, e.g.
+    ``/tmp/Microsoft-AzureMonitor-1234...../opentelemetry-python-<ikey>``.
+
+    :param str instrumentation_key: Application Insights instrumentation key.
+    :return: Absolute path to the storage directory.
+    :rtype: str
+    """
+
+    def _safe_psutil_call(func, default=""):
+        try:
+            return func() or default
+        except psutil.Error:
+            return default
+
+    shared_root = tempfile.gettempdir()
+
+    process = None
+    try:
+        process = psutil.Process()
+    except psutil.Error:
+        pass
+
+    process_name = _safe_psutil_call(process.name) if process else ""
+    candidate_path = _safe_psutil_call(process.cwd) if process else ""
+
+    if not candidate_path:
+        candidate_path = sys.argv[0] if sys.argv else ""
+
+    try:
+        application_directory = Path(candidate_path or ".").resolve()
+    except Exception:
+        application_directory = Path(shared_root)
+
+    try:
+        user_segment = getpass.getuser()
+    except Exception:
+        user_segment = ""
+
+    hash_input = ";".join(
+        [
+            instrumentation_key,
+            user_segment,
+            process_name,
+            os.fspath(application_directory), # cspell:disable-line
+        ]
+    )
+    subdirectory = _get_sha256_hash(hash_input)
+    storage_directory = os.path.join(
+        shared_root, _AZURE_TEMPDIR_PREFIX + subdirectory, _TEMPDIR_PREFIX + instrumentation_key
+    )
+    return storage_directory
diff --git a/sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_base_exporter.py b/sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_base_exporter.py
@@ -17,6 +17,7 @@
     _get_authentication_credential,
     BaseExporter,
     ExportResult,
+    _get_storage_directory,
 )
 from azure.monitor.opentelemetry.exporter._storage import StorageExportResult
 from azure.monitor.opentelemetry.exporter.statsbeat._state import (
@@ -55,6 +56,7 @@
 
 TEST_AUTH_POLICY = "TEST_AUTH_POLICY"
 TEST_TEMP_DIR = "TEST_TEMP_DIR"
+TEST_USER_DIR = "test-user"
 
 
 def throw(exc_type, *args, **kwargs):
@@ -174,15 +176,84 @@ def test_constructor_no_storage_directory(self, mock_get_temp_dir):
         self.assertEqual(base._timeout, 10)
         self.assertEqual(base._api_version, "2021-02-10_Preview")
         self.assertEqual(base._storage_min_retry_interval, 100)
+        storage_directory = _get_storage_directory(instrumentation_key="4321abcd-5678-4efa-8abc-1234567890ab")
         self.assertEqual(
             base._storage_directory,
-            os.path.join(
-                TEST_TEMP_DIR,
-                "Microsoft/AzureMonitor",
-                "opentelemetry-python-" + "4321abcd-5678-4efa-8abc-1234567890ab",
-            ),
+            storage_directory
         )
-        mock_get_temp_dir.assert_called_once()
+
+    @mock.patch("azure.monitor.opentelemetry.exporter.export._base.tempfile.gettempdir")
+    def test_constructor_no_storage_directory_and_invalid_instrumentation_key(self, mock_get_temp_dir):
+        mock_get_temp_dir.return_value = TEST_TEMP_DIR
+        base = BaseExporter(
+            api_version="2021-02-10_Preview",
+            connection_string="InstrumentationKey=4321abcd-5678-4efa-8abc-1234567890ab;IngestionEndpoint=https://westus-0.in.applicationinsights.azure.com/",
+            disable_offline_storage=False,
+            distro_version="1.0.0",
+            storage_maintenance_period=30,
+            storage_max_size=1000,
+            storage_min_retry_interval=100,
+            storage_retention_period=2000,
+        )
+        self.assertEqual(
+            base._instrumentation_key,
+            "4321abcd-5678-4efa-8abc-1234567890ab",
+        )
+        self.assertEqual(
+            base._endpoint,
+            "https://westus-0.in.applicationinsights.azure.com/",
+        )
+        self.assertEqual(base._distro_version, "1.0.0")
+        self.assertIsNotNone(base.storage)
+        self.assertEqual(base.storage._max_size, 1000)
+        self.assertEqual(base.storage._retention_period, 2000)
+        self.assertEqual(base._storage_maintenance_period, 30)
+        self.assertEqual(base._timeout, 10)
+        self.assertEqual(base._api_version, "2021-02-10_Preview")
+        self.assertEqual(base._storage_min_retry_interval, 100)
+        storage_directory = _get_storage_directory(instrumentation_key="")
+        self.assertNotEqual(
+            base._storage_directory,
+            storage_directory
+        )
+
+    @mock.patch("azure.monitor.opentelemetry.exporter.export._base.getpass.getuser")
+    @mock.patch("azure.monitor.opentelemetry.exporter.export._base.tempfile.gettempdir")
+    def test_constructor_no_storage_directory_and_invalid_user_details(self, mock_get_temp_dir, mock_get_user):
+        mock_get_temp_dir.return_value = TEST_TEMP_DIR
+        mock_get_user.side_effect = OSError("failed to resolve user")
+        base = BaseExporter(
+            api_version="2021-02-10_Preview",
+            connection_string="InstrumentationKey=4321abcd-5678-4efa-8abc-1234567890ab;IngestionEndpoint=https://westus-0.in.applicationinsights.azure.com/",
+            disable_offline_storage=False,
+            distro_version="1.0.0",
+            storage_maintenance_period=30,
+            storage_max_size=1000,
+            storage_min_retry_interval=100,
+            storage_retention_period=2000,
+        )
+        self.assertEqual(
+            base._instrumentation_key,
+            "4321abcd-5678-4efa-8abc-1234567890ab",
+        )
+        self.assertEqual(
+            base._endpoint,
+            "https://westus-0.in.applicationinsights.azure.com/",
+        )
+        self.assertEqual(base._distro_version, "1.0.0")
+        self.assertIsNotNone(base.storage)
+        self.assertEqual(base.storage._max_size, 1000)
+        self.assertEqual(base.storage._retention_period, 2000)
+        self.assertEqual(base._storage_maintenance_period, 30)
+        self.assertEqual(base._timeout, 10)
+        self.assertEqual(base._api_version, "2021-02-10_Preview")
+        self.assertEqual(base._storage_min_retry_interval, 100)
+        storage_directory = _get_storage_directory(instrumentation_key="4321abcd-5678-4efa-8abc-1234567890ab")
+        self.assertEqual(
+            base._storage_directory,
+            storage_directory
+        )
+        mock_get_user.assert_called()
 
     @mock.patch("azure.monitor.opentelemetry.exporter.export._base.tempfile.gettempdir")
     def test_constructor_disable_offline_storage(self, mock_get_temp_dir):
diff --git a/sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_storage.py b/sdk/monitor/azure-monitor-opentelemetry-exporter/tests/test_storage.py
@@ -3,6 +3,7 @@
 
 import os
 import shutil
+import tempfile
 import unittest
 from unittest import mock
 
@@ -14,7 +15,12 @@
     _seconds,
 )
 
+from azure.monitor.opentelemetry.exporter.export._base import _get_storage_directory
+
 TEST_FOLDER = os.path.abspath(".test.storage")
+DUMMY_INSTRUMENTATION_KEY = "00000000-0000-0000-0000-000000000000"
+TEST_USER = "multiuser-test"
+STORAGE_MODULE = "azure.monitor.opentelemetry.exporter._storage"
 
 
 def throw(exc_type, *args, **kwargs):
@@ -507,7 +513,7 @@ def test_check_and_set_folder_permissions_readonly_filesystem_sets_readonly_stat
         
         # Clean up - note: cannot easily reset readonly state, but test isolation should handle this
         set_local_storage_setup_state_exception("")
-    
+
     def test_check_and_set_folder_permissions_windows_icacls_failure_sets_exception_state(self):
         test_input = (1, 2, 3)
 
@@ -907,3 +913,113 @@ def test_readonly_state_idempotent_set_operations(self):
         # State should remain True after multiple sets
         final_state = get_local_storage_setup_state_readonly()
         self.assertTrue(final_state)
+
+    def test_check_and_set_folder_permissions_unix_multiuser_scenario(self):
+
+        from azure.monitor.opentelemetry.exporter.statsbeat.customer._state import (
+            get_local_storage_setup_state_exception,
+            set_local_storage_setup_state_exception,
+        )
+        
+        # Clear any existing exception state
+        set_local_storage_setup_state_exception("")
+        
+        storage_abs_path = _get_storage_directory(DUMMY_INSTRUMENTATION_KEY)
+
+        with mock.patch(f"{STORAGE_MODULE}.os.name", "posix"):
+            chmod_calls = []
+            makedirs_calls = []
+
+            def mock_chmod(path, mode):
+                chmod_calls.append((path, oct(mode)))
+
+            def mock_makedirs(path, mode=0o777, exist_ok=False):
+                makedirs_calls.append((path, oct(mode), exist_ok))
+
+            with mock.patch(f"{STORAGE_MODULE}.os.makedirs", side_effect=mock_makedirs):
+                with mock.patch(f"{STORAGE_MODULE}.os.chmod", side_effect=mock_chmod):
+                    with mock.patch(f"{STORAGE_MODULE}.os.path.abspath", side_effect=lambda path: path):
+                        stor = LocalFileStorage(storage_abs_path)
+
+                        self.assertTrue(stor._enabled)
+
+                        self.assertEqual(
+                            makedirs_calls,
+                            [(storage_abs_path, '0o777', True)],
+                            f"Unexpected makedirs calls: {makedirs_calls}",
+                        )
+
+                        self.assertEqual(
+                            {(storage_abs_path, '0o700')},
+                            {(call_path, mode) for call_path, mode in chmod_calls},
+                            f"Unexpected chmod calls: {chmod_calls}",
+                        )
+
+                        stor.close()
+        
+        # Clean up
+        set_local_storage_setup_state_exception("")
+        
+    def test_check_and_set_folder_permissions_unix_multiuser_parent_permission_failure(self):
+        from azure.monitor.opentelemetry.exporter.statsbeat.customer._state import (
+            get_local_storage_setup_state_exception,
+            set_local_storage_setup_state_exception,
+        )
+
+        # Clear any existing exception state
+        set_local_storage_setup_state_exception("")
+
+        storage_abs_path = _get_storage_directory(DUMMY_INSTRUMENTATION_KEY)
+
+        with mock.patch(f"{STORAGE_MODULE}.os.name", "posix"):
+            def mock_makedirs(path, mode=0o777, exist_ok=False):
+                raise PermissionError("Operation not permitted on parent directory")
+
+            with mock.patch(f"{STORAGE_MODULE}.os.makedirs", side_effect=mock_makedirs):
+                with mock.patch(f"{STORAGE_MODULE}.os.chmod"):
+                    with mock.patch(f"{STORAGE_MODULE}.os.path.abspath", side_effect=lambda path: path):
+                        stor = LocalFileStorage(storage_abs_path)
+
+                        self.assertFalse(stor._enabled)
+
+                        exception_state = get_local_storage_setup_state_exception()
+                        self.assertEqual(exception_state, "Operation not permitted on parent directory")
+
+                        stor.close()
+        
+        # Clean up
+        set_local_storage_setup_state_exception("")
+
+    def test_check_and_set_folder_permissions_unix_multiuser_storage_permission_failure(self):
+        test_error_message = "PermissionError: Operation not permitted on storage directory"
+
+        from azure.monitor.opentelemetry.exporter.statsbeat.customer._state import (
+            get_local_storage_setup_state_exception,
+            set_local_storage_setup_state_exception,
+        )
+        
+        # Clear any existing exception state
+        set_local_storage_setup_state_exception("")
+
+        storage_abs_path = _get_storage_directory(DUMMY_INSTRUMENTATION_KEY)
+
+        with mock.patch(f"{STORAGE_MODULE}.os.name", "posix"):
+            def mock_chmod(path, mode):
+                if mode == 0o700:
+                    raise PermissionError(test_error_message)
+                raise OSError(f"Unexpected chmod call: {path}, {oct(mode)}")
+
+            with mock.patch(f"{STORAGE_MODULE}.os.makedirs"):
+                with mock.patch(f"{STORAGE_MODULE}.os.chmod", side_effect=mock_chmod):
+                    with mock.patch(f"{STORAGE_MODULE}.os.path.abspath", side_effect=lambda path: path):
+                        stor = LocalFileStorage(storage_abs_path)
+
+                        self.assertFalse(stor._enabled)
+
+                        exception_state = get_local_storage_setup_state_exception()
+                        self.assertEqual(exception_state, test_error_message)
+
+                        stor.close()
+        
+        # Clean up
+        set_local_storage_setup_state_exception("")
