feat(geneva): add Managed Identity authentication support (#451)

Co-authored-by: Lalit Kumar Bhasin <[email protected]>

Author: gscalderon

opentelemetry-exporter-geneva/geneva-uploader-ffi/Cargo.toml

@@ -5,7 +5,7 @@ version = "0.2.0"
 edition = "2021"
 homepage = "https://github.com/open-telemetry/opentelemetry-rust-contrib/tree/main/opentelemetry-exporter-geneva/geneva-uploader-ffi"
 repository = "https://github.com/open-telemetry/opentelemetry-rust-contrib/tree/main/opentelemetry-exporter-geneva/geneva-uploader-ffi"
-rust-version = "1.75.0"
+rust-version = "1.85.0"
 keywords = ["opentelemetry", "geneva", "ffi", "uploader"]
 license = "Apache-2.0"
 

opentelemetry-exporter-geneva/geneva-uploader-ffi/examples/otlp_builder/Cargo.toml

@@ -5,7 +5,7 @@ version = "0.1.0"
 edition = "2021"
 homepage = "https://github.com/open-telemetry/opentelemetry-rust-contrib/tree/main/opentelemetry-exporter-geneva/geneva-uploader-ffi/examples/otlp_builder"
 repository = "https://github.com/open-telemetry/opentelemetry-rust-contrib/tree/main/opentelemetry-exporter-geneva/geneva-uploader-ffi/examples/otlp_builder"
-rust-version = "1.75.0"
+rust-version = "1.85.0"
 keywords = ["opentelemetry", "geneva", "otlp", "builder"]
 license = "Apache-2.0"
 

opentelemetry-exporter-geneva/geneva-uploader-ffi/src/lib.rs

@@ -288,7 +288,8 @@ pub unsafe extern "C" fn geneva_client_new(
 
     // Auth method conversion
     let auth_method = match config.auth_method {
-        0 => AuthMethod::ManagedIdentity,
+        // 0 => Managed Identity (default to system-assigned when coming from FFI for now)
+        0 => AuthMethod::SystemManagedIdentity,
         1 => {
             // Certificate authentication: read fields from tagged union
             let cert = unsafe { config.auth.cert };
@@ -333,6 +334,7 @@ pub unsafe extern "C" fn geneva_client_new(
         tenant,
         role_name,
         role_instance,
+        msi_resource: None, // FFI path currently does not accept MSI resource; extend API if needed
     };
 
     // Create client
@@ -560,6 +562,7 @@ mod tests {
     use std::ffi::CString;
 
     // Build a minimal unsigned JWT with the Endpoint claim and an exp. Matches what extract_endpoint_from_token expects.
+    #[allow(dead_code)]
     fn generate_mock_jwt_and_expiry(endpoint: &str, ttl_secs: i64) -> (String, String) {
         use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
         use chrono::{Duration, Utc};
@@ -832,6 +835,7 @@ mod tests {
             tenant: "testtenant".to_string(),
             role_name: "testrole".to_string(),
             role_instance: "testinstance".to_string(),
+            msi_resource: None,
         };
         let client = GenevaClient::new(cfg).expect("failed to create GenevaClient with MockAuth");
 
@@ -941,6 +945,7 @@ mod tests {
             tenant: "testtenant".to_string(),
             role_name: "testrole".to_string(),
             role_instance: "testinstance".to_string(),
+            msi_resource: None,
         };
         let client = GenevaClient::new(cfg).expect("failed to create GenevaClient with MockAuth");
 

opentelemetry-exporter-geneva/geneva-uploader/Cargo.toml

@@ -5,7 +5,7 @@ version = "0.2.0"
 edition = "2021"
 homepage = "https://github.com/open-telemetry/opentelemetry-rust-contrib/tree/main/opentelemetry-exporter-geneva/geneva-uploader"
 repository = "https://github.com/open-telemetry/opentelemetry-rust-contrib/tree/main/opentelemetry-exporter-geneva/geneva-uploader"
-rust-version = "1.75.0"
+rust-version = "1.85.0"
 keywords = ["opentelemetry", "geneva", "logs", "uploader"]
 license = "Apache-2.0"
 
@@ -24,6 +24,9 @@ url = "2.2"
 md5 = "0.8.0"
 hex = "0.4"
 lz4_flex = { version = "0.11", features = ["safe-encode"], default-features = false }
+# Azure Identity dependencies - using public crates.io versions
+azure_identity = "0.27.0"
+azure_core = "0.27.0"
 
 [features]
 self_signed_certs = [] # Empty by default for security

opentelemetry-exporter-geneva/geneva-uploader/src/client.rs

@@ -1,6 +1,7 @@
 //! High-level GenevaClient for user code. Wraps config_service and ingestion_service.
 
 use crate::config_service::client::{AuthMethod, GenevaConfigClient, GenevaConfigClientConfig};
+// ManagedIdentitySelector removed; no re-export needed.
 use crate::ingestion_service::uploader::{GenevaUploader, GenevaUploaderConfig};
 use crate::payload_encoder::otlp_encoder::OtlpEncoder;
 use opentelemetry_proto::tonic::logs::v1::ResourceLogs;
@@ -29,7 +30,8 @@ pub struct GenevaClientConfig {
     pub tenant: String,
     pub role_name: String,
     pub role_instance: String,
-    // Add event name/version here if constant, or per-upload if you want them per call.
+    pub msi_resource: Option<String>, // Required for Managed Identity variants
+                                      // Add event name/version here if constant, or per-upload if you want them per call.
 }
 
 /// Main user-facing client for Geneva ingestion.
@@ -42,6 +44,22 @@ pub struct GenevaClient {
 
 impl GenevaClient {
     pub fn new(cfg: GenevaClientConfig) -> Result<Self, String> {
+        // Validate MSI resource presence for managed identity variants
+        match cfg.auth_method {
+            AuthMethod::SystemManagedIdentity
+            | AuthMethod::UserManagedIdentity { .. }
+            | AuthMethod::UserManagedIdentityByObjectId { .. }
+            | AuthMethod::UserManagedIdentityByResourceId { .. } => {
+                if cfg.msi_resource.is_none() {
+                    return Err(
+                        "msi_resource must be provided for managed identity auth".to_string()
+                    );
+                }
+            }
+            AuthMethod::Certificate { .. } => {}
+            #[cfg(feature = "mock_auth")]
+            AuthMethod::MockAuth => {}
+        }
         let config_client_config = GenevaConfigClientConfig {
             endpoint: cfg.endpoint,
             environment: cfg.environment.clone(),
@@ -50,6 +68,7 @@ impl GenevaClient {
             region: cfg.region,
             config_major_version: cfg.config_major_version,
             auth_method: cfg.auth_method,
+            msi_resource: cfg.msi_resource,
         };
         let config_client = Arc::new(
             GenevaConfigClient::new(config_client_config)

opentelemetry-exporter-geneva/geneva-uploader/src/config_service/client.rs

@@ -2,7 +2,7 @@
 
 use base64::{engine::general_purpose, Engine as _};
 use reqwest::{
-    header::{HeaderMap, HeaderValue, ACCEPT, USER_AGENT},
+    header::{HeaderMap, HeaderValue, ACCEPT, AUTHORIZATION, USER_AGENT},
     Client,
 };
 use serde::Deserialize;
@@ -18,6 +18,10 @@ use std::fs;
 use std::path::PathBuf;
 use std::sync::RwLock;
 
+// Azure Identity imports for MSI authentication
+use azure_core::credentials::TokenCredential;
+use azure_identity::{ManagedIdentityCredential, ManagedIdentityCredentialOptions, UserAssignedId};
+
 /// Authentication methods for the Geneva Config Client.
 ///
 /// The client supports two authentication methods:
@@ -53,25 +57,29 @@ pub enum AuthMethod {
     /// * `path` - Path to the PKCS#12 (.p12) certificate file
     /// * `password` - Password to decrypt the PKCS#12 file
     Certificate { path: PathBuf, password: String },
-    /// Azure Managed Identity authentication
-    ///
-    /// Note(TODO): This is not yet implemented.
-    ManagedIdentity,
+    /// System-assigned managed identity (auto-detected)
+    SystemManagedIdentity,
+    /// User-assigned managed identity by client ID
+    UserManagedIdentity { client_id: String },
+    /// User-assigned managed identity by object ID
+    UserManagedIdentityByObjectId { object_id: String },
+    /// User-assigned managed identity by resource ID
+    UserManagedIdentityByResourceId { resource_id: String },
     #[cfg(feature = "mock_auth")]
     MockAuth, // No authentication, used for testing purposes
 }
 
 #[derive(Debug, Error)]
 pub(crate) enum GenevaConfigClientError {
     // Authentication-related errors
-    #[error("Authentication method not implemented: {0}")]
-    AuthMethodNotImplemented(String),
     #[error("Missing Auth Info: {0}")]
     AuthInfoNotFound(String),
     #[error("Invalid or malformed JWT token: {0}")]
     JwtTokenError(String),
     #[error("Certificate error: {0}")]
     Certificate(String),
+    #[error("MSI authentication error: {0}")]
+    MsiAuth(String),
 
     // Networking / HTTP / TLS
     #[error("HTTP error: {0}")]
@@ -129,6 +137,7 @@ pub(crate) struct GenevaConfigClientConfig {
     pub(crate) region: String,
     pub(crate) config_major_version: u32,
     pub(crate) auth_method: AuthMethod, // agent_identity and agent_version are hardcoded for now
+    pub(crate) msi_resource: Option<String>, // Required when using any Managed Identity variant
 }
 
 #[allow(dead_code)]
@@ -246,10 +255,10 @@ impl GenevaConfigClient {
                         .map_err(|e| GenevaConfigClientError::Certificate(e.to_string()))?;
                 client_builder = client_builder.use_preconfigured_tls(tls_connector);
             }
-            AuthMethod::ManagedIdentity => {
-                return Err(GenevaConfigClientError::AuthMethodNotImplemented(
-                    "Managed Identity authentication is not implemented yet".into(),
-                ));
+            AuthMethod::SystemManagedIdentity
+            | AuthMethod::UserManagedIdentity { .. }
+            | AuthMethod::UserManagedIdentityByObjectId { .. }
+            | AuthMethod::UserManagedIdentityByResourceId { .. } => { /* no special HTTP client changes needed */
             }
             #[cfg(feature = "mock_auth")]
             AuthMethod::MockAuth => {
@@ -268,11 +277,24 @@ impl GenevaConfigClient {
         let encoded_identity = general_purpose::STANDARD.encode(&identity);
         let version_str = format!("Ver{0}v0", config.config_major_version);
 
+        // Use different API endpoints based on authentication method
+        // Certificate auth uses "api", MSI auth uses "userapi"
+        let api_path = match &config.auth_method {
+            AuthMethod::Certificate { .. } => "api",
+            AuthMethod::SystemManagedIdentity
+            | AuthMethod::UserManagedIdentity { .. }
+            | AuthMethod::UserManagedIdentityByObjectId { .. }
+            | AuthMethod::UserManagedIdentityByResourceId { .. } => "userapi",
+            #[cfg(feature = "mock_auth")]
+            AuthMethod::MockAuth => "api", // treat mock like certificate path for URL shape
+        };
+
         let mut pre_url = String::with_capacity(config.endpoint.len() + 200);
         write!(
             &mut pre_url,
-            "{}/api/agent/v3/{}/{}/MonitoringStorageKeys/?Namespace={}&Region={}&Identity={}&OSType={}&ConfigMajorVersion={}",
+            "{}/{}/agent/v3/{}/{}/MonitoringStorageKeys/?Namespace={}&Region={}&Identity={}&OSType={}&ConfigMajorVersion={}",
             config.endpoint.trim_end_matches('/'),
+            api_path,
             config.environment,
             config.account,
             config.namespace,
@@ -310,6 +332,66 @@ impl GenevaConfigClient {
         headers
     }
 
+    /// Get MSI token for GCS authentication
+    async fn get_msi_token(&self) -> Result<String> {
+        let resource = self.config.msi_resource.as_ref().ok_or_else(|| {
+            GenevaConfigClientError::MsiAuth(
+                "msi_resource not set in config (required for Managed Identity auth)".to_string(),
+            )
+        })?;
+
+        // Normalize resource (strip trailing "/.default" if provided by user)
+        let base = resource.trim_end_matches("/.default").trim_end_matches('/');
+
+        // Candidate scopes tried with Azure Identity
+        let mut scope_candidates: Vec<String> = vec![format!("{base}/.default"), base.to_string()];
+        // Add variant with trailing slash if not already present
+        if !base.ends_with('/') {
+            scope_candidates.push(format!("{base}/"));
+        }
+
+        // Build credential based on selector
+        let user_assigned_id = match &self.config.auth_method {
+            AuthMethod::SystemManagedIdentity => None,
+            AuthMethod::UserManagedIdentity { client_id } => {
+                Some(UserAssignedId::ClientId(client_id.clone()))
+            }
+            AuthMethod::UserManagedIdentityByObjectId { object_id } => {
+                Some(UserAssignedId::ObjectId(object_id.clone()))
+            }
+            AuthMethod::UserManagedIdentityByResourceId { resource_id } => {
+                Some(UserAssignedId::ResourceId(resource_id.clone()))
+            }
+            _ => {
+                return Err(GenevaConfigClientError::MsiAuth(
+                    "get_msi_token called but auth method is not a managed identity variant"
+                        .to_string(),
+                ))
+            }
+        };
+
+        let options = ManagedIdentityCredentialOptions {
+            user_assigned_id,
+            ..Default::default()
+        };
+        let credential = ManagedIdentityCredential::new(Some(options)).map_err(|e| {
+            GenevaConfigClientError::MsiAuth(format!("Failed to create MSI credential: {e}"))
+        })?;
+
+        let mut last_err: Option<String> = None;
+        for scope in &scope_candidates {
+            match credential.get_token(&[scope.as_str()], None).await {
+                Ok(token) => return Ok(token.token.secret().to_string()),
+                Err(e) => last_err = Some(e.to_string()),
+            }
+        }
+        let detail = last_err.unwrap_or_else(|| "no error detail".into());
+        Err(GenevaConfigClientError::MsiAuth(format!(
+            "Managed Identity token acquisition failed. Scopes tried: {scopes}. Last error: {detail}. IMDS fallback intentionally disabled.",
+            scopes = scope_candidates.join(", ")
+        )))
+    }
+
     /// Retrieves ingestion gateway information from the Geneva Config Service.
     ///
     /// # HTTP API Details
@@ -381,7 +463,16 @@ impl GenevaConfigClient {
                     GenevaConfigClientError::InternalError("Failed to parse token expiry".into())
                 })?;
 
-        let token_endpoint = extract_endpoint_from_token(&fresh_ingestion_gateway_info.auth_token)?;
+        let token_endpoint =
+            match extract_endpoint_from_token(&fresh_ingestion_gateway_info.auth_token) {
+                Ok(ep) => ep,
+                Err(err) => {
+                    // Fallback: some tokens legitimately omit the Endpoint claim; use server endpoint.
+                    #[cfg(debug_assertions)]
+                    eprintln!("[geneva][debug] token Endpoint claim missing or unparsable: {err}");
+                    fresh_ingestion_gateway_info.endpoint.clone()
+                }
+            };
 
         // Now update the cache with exclusive write access
         let mut guard = self
@@ -432,10 +523,29 @@ impl GenevaConfigClient {
             .headers(self.static_headers.clone()); // Clone only cheap references
 
         request = request.header("x-ms-client-request-id", req_id);
-        let response = request
-            .send()
-            .await
-            .map_err(GenevaConfigClientError::Http)?;
+
+        // Add MSI authentication for managed identity auth method
+        match &self.config.auth_method {
+            AuthMethod::SystemManagedIdentity
+            | AuthMethod::UserManagedIdentity { .. }
+            | AuthMethod::UserManagedIdentityByObjectId { .. }
+            | AuthMethod::UserManagedIdentityByResourceId { .. } => {
+                let msi_token = self.get_msi_token().await?;
+                request = request.header(AUTHORIZATION, format!("Bearer {}", msi_token));
+            }
+            AuthMethod::Certificate { .. } => { /* mTLS only */ }
+            #[cfg(feature = "mock_auth")]
+            AuthMethod::MockAuth => { /* no auth header */ }
+        }
+
+        // Log the request details for debugging
+        let response = match request.send().await {
+            Ok(response) => response,
+            Err(e) => {
+                return Err(GenevaConfigClientError::Http(e));
+            }
+        };
+
         // Check if the response is successful
         let status = response.status();
         let body = response.text().await?;
@@ -506,12 +616,18 @@ fn extract_endpoint_from_token(token: &str) -> Result<String> {
         _ => payload.to_string(),
     };
 
-    // Decode the Base64-encoded payload into raw bytes
-    let decoded = general_purpose::URL_SAFE_NO_PAD
-        .decode(payload)
-        .map_err(|e| {
-            GenevaConfigClientError::JwtTokenError(format!("Failed to decode JWT: {e}"))
-        })?;
+    // Decode the Base64-encoded payload into raw bytes with a more tolerant approach.
+    let decoded = match general_purpose::URL_SAFE_NO_PAD.decode(&payload) {
+        Ok(b) => b,
+        Err(e_url) => match general_purpose::STANDARD.decode(&payload) {
+            Ok(b) => b,
+            Err(e_std) => {
+                return Err(GenevaConfigClientError::JwtTokenError(format!(
+                    "Failed to decode JWT (url_safe and standard): url_err={e_url}; std_err={e_std}"
+                )))
+            }
+        },
+    };
 
     // Convert the raw bytes into a UTF-8 string
     let decoded_str = String::from_utf8(decoded).map_err(|e| {
@@ -522,15 +638,12 @@ fn extract_endpoint_from_token(token: &str) -> Result<String> {
     let payload_json: serde_json::Value =
         serde_json::from_str(&decoded_str).map_err(GenevaConfigClientError::SerdeJson)?;
 
-    // Extract "Endpoint" from JWT payload as a string, or fail if missing or invalid.
-    let endpoint = payload_json["Endpoint"]
-        .as_str()
-        .ok_or_else(|| {
-            GenevaConfigClientError::JwtTokenError("No Endpoint claim in JWT token".to_string())
-        })?
-        .to_string();
-
-    Ok(endpoint)
+    if let Some(ep) = payload_json["Endpoint"].as_str() {
+        return Ok(ep.to_string());
+    }
+    Err(GenevaConfigClientError::JwtTokenError(
+        "No Endpoint claim in JWT token".to_string(),
+    ))
 }
 
 #[cfg(feature = "self_signed_certs")]