Remove ManagedIdentityCredential::UseProbeRequest from public surface (#6764)
* Remove ManagedIdentityCredential::UseProbeRequest from public surface --------- Co-authored-by: Anton Kolesnyk <antkmsft@users.noreply.github.com>
This commit is contained in:
Anton Kolesnyk
GitHub
parent
217a155417
commit
6fcc5d570f
@ -4,12 +4,12 @@
|
||||
|
||||
### Features Added
|
||||
|
||||
- Added `UseProbeRequest` option for `ManagedIdentityCredential`.
|
||||
- By default, `ManagedIdentityCredential` does not send a probe request, unless it is a part of credential chain in `DefaultAzureCredential`.
|
||||
- When `AZURE_TOKEN_CREDENTIALS` environment variable is configured to `ManagedIdentityCredential`, the `DefaultAzureCredential` does not issue a probe request and performs retries with exponential backoff.
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
- By default, `ManagedIdentityCredential` does not send a probe request, unless it is a part of credential chain in `DefaultAzureCredential`.
|
||||
|
||||
### Bugs Fixed
|
||||
|
||||
### Other Changes
|
||||
|
||||
@ -168,18 +168,6 @@ namespace Azure { namespace Identity {
|
||||
* it was configured.
|
||||
*/
|
||||
ManagedIdentityId IdentityId;
|
||||
|
||||
/**
|
||||
* @brief If Azure Instance Metadata Service (IMDS) gets selected as managed identity source,
|
||||
* specifies whether the first request should be a short probe request (`true`), instead of a
|
||||
* normal request with retries and exponential backoff (`false`). Default is `false`.
|
||||
*
|
||||
* @note When `true`, there's a potential that the credential would not detect IMDS being
|
||||
* available on a machine, if the response was not received fast enough. When `false` and IMDS
|
||||
* is not available, credential creation may take tens of seconds until multiple attempts to get
|
||||
* a response from IMDS would fail.
|
||||
*/
|
||||
bool UseProbeRequest = false;
|
||||
};
|
||||
|
||||
/**
|
||||
@ -190,6 +178,8 @@ namespace Azure { namespace Identity {
|
||||
* https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview
|
||||
*/
|
||||
class ManagedIdentityCredential final : public Core::Credentials::TokenCredential {
|
||||
friend class DefaultAzureCredential;
|
||||
|
||||
private:
|
||||
std::unique_ptr<_detail::ManagedIdentitySource> m_managedIdentitySource;
|
||||
|
||||
@ -212,9 +202,8 @@ namespace Azure { namespace Identity {
|
||||
* @param options Options for token retrieval.
|
||||
*/
|
||||
explicit ManagedIdentityCredential(
|
||||
std::string const& clientId = std::string(),
|
||||
Core::Credentials::TokenCredentialOptions const& options
|
||||
= Core::Credentials::TokenCredentialOptions());
|
||||
std::string const& clientId = {},
|
||||
Core::Credentials::TokenCredentialOptions const& options = {});
|
||||
|
||||
/**
|
||||
* @brief Constructs a Managed Identity Credential.
|
||||
|
||||
@ -92,16 +92,9 @@ DefaultAzureCredential::DefaultAzureCredential(
|
||||
CredentialInfo{
|
||||
true,
|
||||
"ManagedIdentityCredential",
|
||||
[&](auto options) {
|
||||
// If specifically 'ManagedIdentityCredential' is used, do not perform a probe
|
||||
// request, going for the full retry with exponential backoffs instead.
|
||||
ManagedIdentityCredentialOptions managedIdentityCredentialOptions;
|
||||
static_cast<Core::Credentials::TokenCredentialOptions&>(
|
||||
managedIdentityCredentialOptions)
|
||||
= options;
|
||||
|
||||
managedIdentityCredentialOptions.UseProbeRequest = !specificCred;
|
||||
return std::make_shared<ManagedIdentityCredential>(managedIdentityCredentialOptions);
|
||||
[&specificCred](auto options) {
|
||||
return std::shared_ptr<ManagedIdentityCredential>(
|
||||
new ManagedIdentityCredential({}, !specificCred, options));
|
||||
}},
|
||||
CredentialInfo{
|
||||
false,
|
||||
|
||||
@ -75,35 +75,20 @@ ManagedIdentityCredential::ManagedIdentityCredential(
|
||||
switch (idType)
|
||||
{
|
||||
case ManagedIdentityIdKind::SystemAssigned:
|
||||
m_managedIdentitySource = CreateManagedIdentitySource(
|
||||
GetCredentialName(), {}, {}, {}, options.UseProbeRequest, options);
|
||||
m_managedIdentitySource
|
||||
= CreateManagedIdentitySource(GetCredentialName(), {}, {}, {}, false, options);
|
||||
break;
|
||||
case ManagedIdentityIdKind::ClientId:
|
||||
m_managedIdentitySource = CreateManagedIdentitySource(
|
||||
GetCredentialName(),
|
||||
options.IdentityId.GetId(),
|
||||
{},
|
||||
{},
|
||||
options.UseProbeRequest,
|
||||
options);
|
||||
GetCredentialName(), options.IdentityId.GetId(), {}, {}, false, options);
|
||||
break;
|
||||
case ManagedIdentityIdKind::ObjectId:
|
||||
m_managedIdentitySource = CreateManagedIdentitySource(
|
||||
GetCredentialName(),
|
||||
{},
|
||||
options.IdentityId.GetId(),
|
||||
{},
|
||||
options.UseProbeRequest,
|
||||
options);
|
||||
GetCredentialName(), {}, options.IdentityId.GetId(), {}, false, options);
|
||||
break;
|
||||
case ManagedIdentityIdKind::ResourceId:
|
||||
m_managedIdentitySource = CreateManagedIdentitySource(
|
||||
GetCredentialName(),
|
||||
{},
|
||||
{},
|
||||
options.IdentityId.GetId(),
|
||||
options.UseProbeRequest,
|
||||
options);
|
||||
GetCredentialName(), {}, {}, options.IdentityId.GetId(), false, options);
|
||||
break;
|
||||
default:
|
||||
throw std::invalid_argument(
|
||||
|
||||
@ -3196,40 +3196,6 @@ namespace Azure { namespace Identity { namespace Test {
|
||||
TEST(ManagedIdentityCredential, ImdsProbe)
|
||||
{
|
||||
constexpr auto ImATeapot = static_cast<HttpStatusCode>(418);
|
||||
|
||||
EXPECT_THROW(
|
||||
static_cast<void>(CredentialTestHelper::SimulateTokenRequest(
|
||||
[&ImATeapot](auto transport) {
|
||||
ManagedIdentityCredentialOptions options;
|
||||
options.Transport.Transport = transport;
|
||||
|
||||
options.Retry.MaxRetries = 3;
|
||||
options.Retry.RetryDelay = std::chrono::milliseconds(1);
|
||||
options.Retry.StatusCodes.insert(ImATeapot);
|
||||
|
||||
CredentialTestHelper::EnvironmentOverride const env({
|
||||
{"MSI_ENDPOINT", ""},
|
||||
{"MSI_SECRET", ""},
|
||||
{"IDENTITY_ENDPOINT", "https://visualstudio.com/"},
|
||||
{"IMDS_ENDPOINT", ""},
|
||||
{"IDENTITY_HEADER", ""},
|
||||
{"IDENTITY_SERVER_THUMBPRINT", ""},
|
||||
{"AZURE_POD_IDENTITY_AUTHORITY_HOST", ""},
|
||||
});
|
||||
|
||||
options.UseProbeRequest = true;
|
||||
return std::make_unique<ManagedIdentityCredential>(options);
|
||||
},
|
||||
{{"https://azure.com/.default"}},
|
||||
{{ImATeapot, "{\"expires_in\":3600, \"access_token\":\"ACCESSTOKEN1\"}", {}},
|
||||
// Given there aren't going to be any retries due to probe request, the credential
|
||||
// should never get to make a second request to receive the successful response below.
|
||||
{HttpStatusCode::Ok,
|
||||
"{\"expires_in\":3600, \"access_token\":\"ACCESSTOKEN2\"}",
|
||||
{}}})),
|
||||
Azure::Core::Credentials::AuthenticationException);
|
||||
|
||||
// Everything is the same, including the retry policy, but this time useProbeRequest = false.
|
||||
auto const whenProbeDisabled = CredentialTestHelper::SimulateTokenRequest(
|
||||
[&ImATeapot](auto transport) {
|
||||
TokenCredentialOptions options;
|
||||
@ -3249,8 +3215,7 @@ namespace Azure { namespace Identity { namespace Test {
|
||||
{"AZURE_POD_IDENTITY_AUTHORITY_HOST", ""},
|
||||
});
|
||||
|
||||
return std::make_unique<ManagedIdentityCredential>(
|
||||
options); // <-- useProbeRequest = false (default)
|
||||
return std::make_unique<ManagedIdentityCredential>(options);
|
||||
},
|
||||
{{"https://azure.com/.default"}},
|
||||
{{ImATeapot, "{\"expires_in\":3600, \"access_token\":\"ACCESSTOKEN1\"}", {}},
|
||||
|
||||
Loading…
Reference in New Issue
Block a user