ServicePrincipal with client certificate auth for azure-cosmos-spark (Azure#40325)

* ServicePrincipal with client certificate auth for azure-cosmos-spark

* Update spark.yml

* Fixing test failure

* Update CosmosConfig.scala

* Fixing test failures

* Update AccountTokenResolverSample.ipynb

* Update basicScenarioAadCert.scala

* Update databricks-notebooks-install.sh

* Changelog

* Adding option to include sendCertificateChain

* Update AccountTokenResolverSample.ipynb

* Fixing Spark live tests

* Update basicScenarioAadCert.scala

* Update CosmosConfigSpec.scala

* Fixing Spark live tests

* Adding logs in notebooks

* Update basicScenarioAadCert.scala

* NOtebook adjustments

* Fixing notebooks

* Update databricks-notebooks-install.sh

* Create basicScenarioAadMisspelled.scala

* Update basicScenarioAadMisspelled.scala

* Update basicScenarioAadMisspelled.scala

Author: FabianMeiswinkel

sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/sample/AccountTokenResolverSample.ipynb

@@ -5,43 +5,48 @@
    "execution_count": 0,
    "metadata": {
     "application/vnd.databricks.v1+cell": {
-     "cellmetadata": {
-      "bytelimit": 2048000,
-      "rowlimit": 10000
+     "cellMetadata": {
+      "byteLimit": 2048000,
+      "rowLimit": 10000
      },
-     "inputwidgets": {},
+     "inputWidgets": {},
      "nuid": "edf2bb67-c3fa-459c-bb4b-83dec2075401",
-     "showtitle": false,
+     "showTitle": false,
      "title": ""
     }
    },
    "outputs": [],
    "source": [
-    "cosmosendpoint = \"https://fabianm-oltp-spark-workshop-cdb.documents.azure.com:443/\"\n",
-    "cosmosmasterkey = \"\"\n",
-    "cosmosserviceprincipalpassword=\"\"\n"
+    "cosmosendpoint = \"<YourEndpoint>\"\n",
+    "cosmosmasterkey = \"<YourKey>\"\n",
+    "cosmosserviceprincipalpassword=\"\"\n",
+    "accountDataResolverName = \"com.azure.cosmos.spark.samples.MasterKeyAccountDataResolver\"\n",
+    "#accountDataResolverName = \"com.azure.cosmos.spark.samples.ServicePrincipalAccountDataResolver\"\n",
+    "#accountDataResolverName = \"com.azure.cosmos.spark.samples.ManagedIdentityAccountDataResolver\""
    ]
   },
   {
    "cell_type": "code",
    "execution_count": 0,
    "metadata": {
     "application/vnd.databricks.v1+cell": {
-     "cellmetadata": {
-      "bytelimit": 2048000,
-      "rowlimit": 10000
+     "cellMetadata": {
+      "byteLimit": 2048000,
+      "rowLimit": 10000
      },
-     "inputwidgets": {},
+     "inputWidgets": {},
      "nuid": "67f2404c-a6b6-4342-9dac-638a2bd7731c",
-     "showtitle": false,
+     "showTitle": false,
      "title": ""
     }
    },
    "outputs": [],
    "source": [
     "import base64\n",
     "import os\n",
-    "cert_file= open(\"/workspace/users/[email protected]/fabianm-spark-auth-sp-cert.pem\",\"rb\")\n",
+    "\n",
+    "\n",
+    "cert_file= open(\"/Workspace/Users/[email protected]/someCert.pem\",\"rb\")\n",
     "cert_data_binary = cert_file.read()\n",
     "cert_data = (base64.b64encode(cert_data_binary)).decode('ascii')\n"
    ]
@@ -51,31 +56,22 @@
    "execution_count": 0,
    "metadata": {
     "application/vnd.databricks.v1+cell": {
-     "cellmetadata": {
-      "bytelimit": 2048000,
-      "rowlimit": 10000
+     "cellMetadata": {
+      "byteLimit": 2048000,
+      "rowLimit": 10000
      },
-     "inputwidgets": {},
+     "inputWidgets": {},
      "nuid": "bfbd87f9-7628-489c-8f8a-1f0d5d14d2be",
-     "showtitle": false,
+     "showTitle": false,
      "title": ""
     }
    },
-   "outputs": [
-    {
-     "output_type": "stream",
-     "name": "stdout",
-     "output_type": "stream",
-     "text": [
-      "pk: 7d90716b-4ea1-4753-8090-4b72e4a2b93b\nroot\n |-- id: string (nullable = false)\n |-- pk: string (nullable = false)\n |-- emptycolumn: string (nullable = true)\n |-- nullcolumn: string (nullable = true)\n |-- defaultcolumn: integer (nullable = true)\n |-- largecolumn: string (nullable = true)\n\n+------------------------------------+------------------------------------+-----------+----------+-------------+----------------------------------------------------------------------------------------------------+\n|                                  id|                                  pk|emptycolumn|nullcolumn|defaultcolumn|                                                                                         largecolumn|\n+------------------------------------+------------------------------------+-----------+----------+-------------+----------------------------------------------------------------------------------------------------+\n|fa1a3854-4d41-4ffb-b992-a00c82585ddc|7d90716b-4ea1-4753-8090-4b72e4a2b93b|           |      null|            0|ixcqsfjhwqelwcpjtzaqquhaxlmemdpeheyfxosdobyqvbihrvrftuaicllsfllgmfzwrbefkszobvpihkqxqfyulggqgrznd...|\n|3ef8e8c0-e9e7-4a2e-887f-2a9826f7b987|7d90716b-4ea1-4753-8090-4b72e4a2b93b|           |      null|            0|obltfpuoonfywvusviupkloeojqolqqyabzhcssnefwwptgvwqgnajesmnsyslvogtclasksjwpltsqrqwkeqgazarodmvbmv...|\n+------------------------------------+------------------------------------+-----------+----------+-------------+----------------------------------------------------------------------------------------------------+\n\n"
-     ]
-    }
-   ],
+   "outputs": [],
    "source": [
     "import random\n",
     "import string\n",
     "import uuid\n",
-    "from pyspark.sql.types import structtype,structfield, stringtype, integertype\n",
+    "from pyspark.sql.types import StructType,StructField, StringType, IntegerType\n",
     " \n",
     "def random_string_generator(str_size, allowed_chars):\n",
     "    return ''.join(random.choice(allowed_chars) for x in range(str_size))\n",
@@ -85,54 +81,55 @@
     "    \n",
     "chars = string.ascii_letters\n",
     "data = [\\\n",
-    "    (str(uuid.uuid4()), pk, \"\", none, 0, random_string_generator(16000, chars)),\\\n",
-    "    (str(uuid.uuid4()), pk, \"\", none, 0, random_string_generator(random.randint(16000, 170000), chars)),\\\n",
+    "    (str(uuid.uuid4()), pk, \"\", None, 0, random_string_generator(16000, chars)),\\\n",
+    "    (str(uuid.uuid4()), pk, \"\", None, 0, random_string_generator(random.randint(16000, 170000), chars)),\\\n",
     "  ]\n",
     "\n",
-    "schema = structtype([ \\\n",
-    "    structfield(\"id\",stringtype(),false), \\\n",
-    "    structfield(\"pk\",stringtype(),false), \\\n",
-    "    structfield(\"emptycolumn\",stringtype(),true), \\\n",
-    "    structfield(\"nullcolumn\",stringtype(),true), \\\n",
-    "    structfield(\"defaultcolumn\",integertype(),true), \\\n",
-    "    structfield(\"largecolumn\", stringtype(), true)\\\n",
+    "schema = StructType([ \\\n",
+    "    StructField(\"id\",StringType(),False), \\\n",
+    "    StructField(\"pk\",StringType(),False), \\\n",
+    "    StructField(\"emptycolumn\",StringType(),True), \\\n",
+    "    StructField(\"nullcolumn\",StringType(),True), \\\n",
+    "    StructField(\"defaultcolumn\",IntegerType(),True), \\\n",
+    "    StructField(\"largecolumn\", StringType(), True)\\\n",
     "  ])\n",
     " \n",
-    "df = spark.createdataframe(data=data,schema=schema)\n",
-    "df.printschema()\n",
+    "df = spark.createDataFrame(data=data,schema=schema)\n",
+    "df.printSchema()\n",
     "df.show(truncate=100)\n",
     "\n",
     "writecfg = {\n",
     "  \"spark.cosmos.accountendpoint\": cosmosendpoint,\n",
-    "  \"spark.cosmos.database\": \"test\",\n",
-    "  \"spark.cosmos.container\": \"testitems\",\n",
+    "  \"spark.cosmos.accountDataResolverServiceName\": accountDataResolverName,\n",
+    "  \"spark.cosmos.database\": \"Test\",\n",
+    "  \"spark.cosmos.container\": \"TestItems\",\n",
     "  \"spark.cosmos.write.strategy\": \"itemappend\",\n",
     "  \"spark.cosmos.write.bulk.enabled\": \"true\",  \n",
     "  \"cosmos.auth.sample.enabled\": \"true\",\n",
     "  # masterkey\n",
-    "  #\"cosmos.auth.sample.authtype\": \"masterkey\",\n",
+    "  #\"cosmos.auth.sample.authType\": \"masterkey\",\n",
     "  #\"cosmos.auth.sample.key.secret\": cosmosmasterkey,\n",
     "  #\n",
     "  # aad auth with managed identity\n",
-    "  #\"cosmos.auth.sample.authtype\": \"managedidentity\",\n",
-    "  #\"cosmos.auth.sample.tenantid\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\n",
-    "  #\"cosmos.auth.sample.subscriptionid\": \"8fba6d4f-7c37-4d13-9063-fd58ad2b86e2\",\n",
+    "  #\"cosmos.auth.sample.authType\": \"managedidentity\",\n",
+    "  #\"cosmos.auth.sample.tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\n",
+    "  #\"cosmos.auth.sample.subscriptionId\": \"8fba6d4f-7c37-4d13-9063-fd58ad2b86e2\",\n",
     "  #\"cosmos.auth.sample.resourcegroupname\": \"fabianm-oltp-spark-workshop\"\n",
     "  #\n",
     "  # aad auth with service principal (password)\n",
-    "  #\"cosmos.auth.sample.authtype\": \"serviceprincipal\",\n",
-    "  #\"cosmos.auth.sample.tenantid\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\n",
-    "  #\"cosmos.auth.sample.subscriptionid\": \"8fba6d4f-7c37-4d13-9063-fd58ad2b86e2\",\n",
+    "  #\"cosmos.auth.sample.authType\": \"serviceprincipal\",\n",
+    "  #\"cosmos.auth.sample.tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\n",
+    "  #\"cosmos.auth.sample.subscriptionId\": \"8fba6d4f-7c37-4d13-9063-fd58ad2b86e2\",\n",
     "  #\"cosmos.auth.sample.resourcegroupname\": \"fabianm-oltp-spark-workshop\",\n",
-    "  #\"cosmos.auth.sample.serviceprincipal.clientid\": \"bd559cf4-786d-43ae-9ff6-eb83c5952c73\",\n",
+    "  #\"cosmos.auth.sample.serviceprincipal.clientId\": \"bd559cf4-786d-43ae-9ff6-eb83c5952c73\",\n",
     "  #\"cosmos.auth.sample.serviceprincipal.clientsecret\": cosmosserviceprincipalpassword\n",
     "  #\n",
     "  # aad auth with service principal (cert)\n",
-    "  #\"cosmos.auth.sample.authtype\": \"serviceprincipal\",\n",
-    "  #\"cosmos.auth.sample.tenantid\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\n",
-    "  #\"cosmos.auth.sample.subscriptionid\": \"8fba6d4f-7c37-4d13-9063-fd58ad2b86e2\",\n",
+    "  #\"cosmos.auth.sample.authType\": \"serviceprincipal\",\n",
+    "  #\"cosmos.auth.sample.tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\n",
+    "  #\"cosmos.auth.sample.subscriptionId\": \"8fba6d4f-7c37-4d13-9063-fd58ad2b86e2\",\n",
     "  #\"cosmos.auth.sample.resourcegroupname\": \"fabianm-oltp-spark-workshop\",\n",
-    "  #\"cosmos.auth.sample.serviceprincipal.clientid\": \"88436299-945f-4824-8183-2cbddf981388\",\n",
+    "  #\"cosmos.auth.sample.serviceprincipal.clientId\": \"88436299-945f-4824-8183-2cbddf981388\",\n",
     "  #\"cosmos.auth.sample.serviceprincipal.cert\": cert_data\n",
     "}\n",
     "\n",
@@ -148,17 +145,12 @@
  "metadata": {
   "application/vnd.databricks.v1+notebook": {
    "dashboards": [],
+   "environmentMetadata": null,
    "language": "python",
-   "notebookmetadata": {
-    "mostrecentlyexecutedcommandwithimplicitdf": {
-     "commandid": 3298457839905717,
-     "dataframes": [
-      "_sqldf"
-     ]
-    },
-    "pythonindentunit": 4
+   "notebookMetadata": {
+    "pythonIndentUnit": 4
    },
-   "notebookname": "accounttokenresolversample",
+   "notebookName": "AccountTokenResolverSample",
    "widgets": {}
   }
  },

sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/src/main/resources/META-INF/services/com.azure.cosmos.spark.AccountDataResolver

@@ -1 +1,3 @@
-com.azure.cosmos.spark.samples.SampleAccountDataResolver
+com.azure.cosmos.spark.samples.ManagedIdentityAccountDataResolver
+com.azure.cosmos.spark.samples.MasterKeyAccountDataResolver
+com.azure.cosmos.spark.samples.ServicePrincipalAccountDataResolver

sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/src/main/scala/com/azure/cosmos/spark/samples/ManagedIdentityAccountDataResolver.scala

@@ -0,0 +1,101 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.cosmos.spark.samples
+
+import com.azure.core.credential.{TokenCredential, TokenRequestContext}
+import com.azure.cosmos.spark.{AccountDataResolver, CosmosAccessToken}
+import com.azure.identity.ManagedIdentityCredentialBuilder
+
+// scalastyle:off underscore.import
+import scala.collection.JavaConverters._
+// scalastyle:on underscore.import
+
+class ManagedIdentityAccountDataResolver extends AccountDataResolver with BasicLoggingTrait {
+  override def getAccountDataConfig(configs: Map[String, String]): Map[String, String] = {
+    if (isEnabled(configs)) {
+      configs +
+        ("spark.cosmos.auth.type" -> "AccessToken") +
+        ("spark.cosmos.account.tenantId" -> getRequiredConfig(configs, SampleConfigNames.TenantId)) +
+        ("spark.cosmos.account.subscriptionId" -> getRequiredConfig(configs, SampleConfigNames.SubscriptionId)) +
+        ("spark.cosmos.account.resourceGroupName" -> getRequiredConfig(configs, SampleConfigNames.ResourceGroupName))
+    } else {
+      configs
+    }
+  }
+
+  private def getRequiredConfig(configs: Map[String, String], configName: String): String = {
+    val valueOpt = configs.get(configName)
+    assert(valueOpt.isDefined, s"Parameter '$configName' is missing.")
+    valueOpt.get
+  }
+
+  private def isEnabled(configs: Map[String, String]): Boolean = {
+    val enabled = configs.get(SampleConfigNames.CustomAuthEnabled)
+    enabled.isDefined && enabled.get.toBoolean
+  }
+
+  private def getManagedIdentityTokenCredential(configs: Map[String, String]): Option[TokenCredential] = {
+    logInfo(s"Constructing ManagedIdentity TokenCredential")
+    val tokenCredentialBuilder = new ManagedIdentityCredentialBuilder()
+    if (configs.contains(SampleConfigNames.ManagedIdentityClientId)) {
+      tokenCredentialBuilder.clientId(configs(SampleConfigNames.ManagedIdentityClientId))
+    }
+
+    if (configs.contains(SampleConfigNames.ManagedIdentityResourceId)) {
+      tokenCredentialBuilder.resourceId(configs(SampleConfigNames.ManagedIdentityResourceId))
+    }
+
+    Some(tokenCredentialBuilder.build())
+  }
+
+  private def getTokenCredential(configs: Map[String, String]): Option[TokenCredential] = {
+    val authType = getRequiredConfig(configs, SampleConfigNames.AuthType)
+    if (authType.equalsIgnoreCase(SampleAuthTypes.ManagedIdentity)) {
+      logInfo(s"Managed identity used")
+      getManagedIdentityTokenCredential(configs)
+    } else {
+      logError(s"Invalid authType '$authType'.")
+      assert(assertion = false, s"Invalid authType '$authType'.")
+      None
+    }
+  }
+
+  override def getAccessTokenProvider(configs: Map[String, String]): Option[List[String] => CosmosAccessToken] = {
+    if (isEnabled(configs)) {
+      val tokenCredential = getTokenCredential(configs)
+
+      if (tokenCredential.isDefined) {
+        logInfo(s"TokenCredential found - and access token provider used")
+        Some((tokenRequestContextStrings: List[String]) => {
+          val tokenRequestContext = new TokenRequestContext
+          tokenRequestContext.setScopes(tokenRequestContextStrings.asJava)
+          val accessToken = tokenCredential
+            .get
+            .getToken(tokenRequestContext)
+            .block()
+          CosmosAccessToken(accessToken.getToken, accessToken.getExpiresAt)
+        })
+      } else {
+        logWarning(s"No TokenCredential provided")
+        None
+      }
+    } else {
+      logInfo(s"SampleAccountDataResolver is disabled")
+      None
+    }
+  }
+
+  private[this] object SampleConfigNames {
+    val AuthType = "cosmos.auth.sample.authType"
+    val CustomAuthEnabled = "cosmos.auth.sample.enabled"
+    val ManagedIdentityClientId = "cosmos.auth.sample.managedIdentity.clientId"
+    val ManagedIdentityResourceId = "cosmos.auth.sample.managedIdentity.resourceId"
+    val ResourceGroupName = "cosmos.auth.sample.resourceGroupName"
+    val SubscriptionId = "cosmos.auth.sample.subscriptionId"
+    val TenantId = "cosmos.auth.sample.tenantId"
+  }
+
+  private[this] object SampleAuthTypes {
+    val ManagedIdentity: String = "managedidentity"
+  }
+}

sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/src/main/scala/com/azure/cosmos/spark/samples/MasterKeyAccountDataResolver.scala

@@ -0,0 +1,50 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.cosmos.spark.samples
+
+import com.azure.core.credential.{TokenCredential, TokenRequestContext}
+import com.azure.cosmos.spark.{AccountDataResolver, CosmosAccessToken}
+import com.azure.identity.{ClientCertificateCredentialBuilder, ClientSecretCredentialBuilder, ManagedIdentityCredentialBuilder}
+
+import java.io.ByteArrayInputStream
+import java.util.Base64
+
+// scalastyle:off underscore.import
+import scala.collection.JavaConverters._
+// scalastyle:on underscore.import
+
+class MasterKeyAccountDataResolver extends AccountDataResolver with BasicLoggingTrait {
+  override def getAccountDataConfig(configs: Map[String, String]): Map[String, String] = {
+    if (isEnabled(configs)) {
+      configs + ("spark.cosmos.accountKey" -> getRequiredConfig(configs, SampleConfigNames.MasterKeySecret))
+    } else {
+      configs
+    }
+  }
+
+  private def getRequiredConfig(configs: Map[String, String], configName: String): String = {
+    val valueOpt = configs.get(configName)
+    assert(valueOpt.isDefined, s"Parameter '$configName' is missing.")
+    valueOpt.get
+  }
+
+  private def isEnabled(configs: Map[String, String]): Boolean = {
+    val enabled = configs.get(SampleConfigNames.CustomAuthEnabled)
+    enabled.isDefined && enabled.get.toBoolean
+  }
+  private[this] object SampleConfigNames {
+    val CustomAuthEnabled = "cosmos.auth.sample.enabled"
+    val MasterKeySecret = "cosmos.auth.sample.key.secret"
+  }
+
+  /**
+   * This method will be invoked by the Cosmos DB Spark connector to retrieve access tokens. It will only
+   * be used when the config `spark.cosmos.auth.type` is set to `AccessToken` - and in this case
+   * the implementation of this trait will need to provide a function that can be used to produce
+   * access tokens or None in the case that for the specified configuration no auth can be provided.
+   *
+   * @param configs the user configuration originally provided
+   * @return A function that can be used to provide access tokens
+   */
+  override def getAccessTokenProvider(configs: Map[String, String]): Option[List[String] => CosmosAccessToken] = ???
+}