Add support for Azure Shared Access Signatures (#1537)

* Add support for Azure SAS tokens

* Add support for bearer tokens

* Allow both storage account sas and container sas

* Apply clang format

* Add SAS to documentation

* Remove token_credential again since it does not support renew

* Format ipynb

* Get SAS during test time

* Install az cli locally

* Install azure-cli inside test container

* Make sure commands are valid

* Ensure env is setup

Author: janbernloehr

.github/workflows/build.wheel.sh

@@ -8,7 +8,7 @@ run_test() {
   CPYTHON_VERSION=$($entry -c 'import sys; print(str(sys.version_info[0])+str(sys.version_info[1]))')
   (cd wheelhouse && $entry -m pip install tensorflow_io_gcs_filesystem-*-cp${CPYTHON_VERSION}-*.whl)
   (cd wheelhouse && $entry -m pip install tensorflow_io-*-cp${CPYTHON_VERSION}-*.whl)
-  $entry -m pip install -q pytest pytest-benchmark pytest-xdist boto3 fastavro avro-python3 scikit-image pandas pyarrow==3.0.0 google-cloud-pubsub==2.1.0 google-cloud-bigtable==1.6.0 google-cloud-bigquery-storage==1.1.0 google-cloud-bigquery==2.3.1 google-cloud-storage==1.32.0 PyYAML==5.3.1 azure-storage-blob==12.8.1
+  $entry -m pip install -q pytest pytest-benchmark pytest-xdist boto3 fastavro avro-python3 scikit-image pandas pyarrow==3.0.0 google-cloud-pubsub==2.1.0 google-cloud-bigtable==1.6.0 google-cloud-bigquery-storage==1.1.0 google-cloud-bigquery==2.3.1 google-cloud-storage==1.32.0 PyYAML==5.3.1 azure-storage-blob==12.8.1 azure-cli==2.29.0
   (cd tests && $entry -m pytest --benchmark-disable -v --import-mode=append --forked --numprocesses=auto --dist loadfile $(find . -type f \( -iname "test_*.py" ! \( -iname "test_standalone_*.py" \) \)))
   (cd tests && $entry -m pytest --benchmark-disable -v --import-mode=append $(find . -type f \( -iname "test_standalone_*.py" \)))
 }

docs/tutorials/azure.ipynb

@@ -278,6 +278,10 @@
         "else:\n",
         "  # Replace <key> with Azure Storage Key, and <account> with Azure Storage Account\n",
         "  os.environ['TF_AZURE_STORAGE_KEY'] = '<key>'\n",
+        "  account_name = '<account>'\n",
+        "\n",
+        "  # Alternatively, you can use a shared access signature (SAS) to authenticate with the Azure Storage Account\n",
+        "  os.environ['TF_AZURE_STORAGE_SAS'] = '<your sas>'\n",
         "  account_name = '<account>'"
       ]
     },

tensorflow_io/core/filesystems/az/az_filesystem.cc

@@ -184,9 +184,20 @@ std::string errno_to_string() {
 }
 
 std::shared_ptr<azure::storage_lite::storage_credential> get_credential(
-    const std::string& account) {
-  const auto key = std::getenv("TF_AZURE_STORAGE_KEY");
-  if (key != nullptr) {
+    const std::string& account, const std::string& container) {
+  const std::string sas_account_container_env =
+      "TF_AZURE_STORAGE_" + account + "_" + container + "_SAS";
+  const std::string sas_account_env = "TF_AZURE_STORAGE_" + account + "_SAS";
+  if (const auto sas = std::getenv(sas_account_container_env.c_str())) {
+    return std::make_shared<
+        azure::storage_lite::shared_access_signature_credential>(sas);
+  } else if (const auto sas = std::getenv(sas_account_env.c_str())) {
+    return std::make_shared<
+        azure::storage_lite::shared_access_signature_credential>(sas);
+  } else if (const auto sas = std::getenv("TF_AZURE_STORAGE_SAS")) {
+    return std::make_shared<
+        azure::storage_lite::shared_access_signature_credential>(sas);
+  } else if (const auto key = std::getenv("TF_AZURE_STORAGE_KEY")) {
     return std::make_shared<azure::storage_lite::shared_key_credential>(account,
                                                                         key);
   } else {
@@ -195,7 +206,7 @@ std::shared_ptr<azure::storage_lite::storage_credential> get_credential(
 }
 
 azure::storage_lite::blob_client_wrapper CreateAzBlobClientWrapper(
-    const std::string& account) {
+    const std::string& account, const std::string& container) {
   azure::storage_lite::logger::set_logger(
       [](azure::storage_lite::log_level level, const std::string& log_msg) {
         switch (level) {
@@ -232,7 +243,7 @@ azure::storage_lite::blob_client_wrapper CreateAzBlobClientWrapper(
   const auto blob_endpoint =
       std::string(blob_endpoint_env ? blob_endpoint_env : "");
 
-  auto credentials = get_credential(account);
+  auto credentials = get_credential(account, container);
   auto storage_account = std::make_shared<azure::storage_lite::storage_account>(
       account, credentials, use_https, blob_endpoint);
   auto blob_client =
@@ -324,10 +335,12 @@ class AzBlobRandomAccessFile {
       TF_SetStatus(status, TF_OK, "");
       return 0;
     }
-    auto blob_client = CreateAzBlobClientWrapper(account_);
+    auto blob_client = CreateAzBlobClientWrapper(account_, container_);
     auto blob_property = blob_client.get_blob_property(container_, object_);
     if (errno != 0) {
-      TF_SetStatus(status, TF_INTERNAL, "Failed to get properties");
+      std::string error_message =
+          absl::StrCat("Failed to get properties ", errno);
+      TF_SetStatus(status, TF_INTERNAL, error_message.c_str());
       return 0;
     }
     int64_t file_size = blob_property.size;
@@ -433,7 +446,7 @@ class AzBlobWritableFile {
       return;
     }
 
-    auto blob_client = CreateAzBlobClientWrapper(account_);
+    auto blob_client = CreateAzBlobClientWrapper(account_, container_);
     blob_client.upload_file_to_blob(tmp_content_filename_, container_, object_);
     if (errno != 0) {
       std::string error_message =
@@ -476,7 +489,7 @@ Status GetMatchingPaths(const std::string& pattern, std::vector<std::string>* re
   TF_RETURN_IF_ERROR(
       ParseAzBlobPathClass(fixed_prefix, true, &account, &container, &object));
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
 
   std::vector<std::string> blobs;
   TF_RETURN_IF_ERROR(ListResources(fixed_prefix, "", blob_client, &blobs));
@@ -637,7 +650,7 @@ static void CreateDir(const TF_Filesystem* filesystem, const char* path,
   }
 
   // Blob storage has virtual folders. We can make sure the container exists
-  auto blob_client_wrapper = CreateAzBlobClientWrapper(account);
+  auto blob_client_wrapper = CreateAzBlobClientWrapper(account, container);
 
   if (blob_client_wrapper.container_exists(container)) {
     TF_SetStatus(status, TF_OK, "");
@@ -667,7 +680,7 @@ static void DeleteFile(const TF_Filesystem* filesystem, const char* path,
     return;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
 
   blob_client.delete_blob(container, object);
   if (errno != 0) {
@@ -698,7 +711,7 @@ static void DeleteDir(const TF_Filesystem* filesystem, const char* path,
     return;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
 
   // Check container exists
   // Just pull out the first path component representing the container
@@ -764,7 +777,7 @@ static void RenameFile(const TF_Filesystem* filesystem, const char* src,
     return;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(src_account);
+  auto blob_client = CreateAzBlobClientWrapper(src_account, src_container);
 
   blob_client.start_copy(src_container, src_object, dst_container, dst_object);
   if (errno != 0) {
@@ -860,7 +873,7 @@ static void PathExists(const TF_Filesystem* filesystem, const char* path,
     return;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
   auto blob_exists = blob_client.blob_exists(container, object);
   if (errno != 0) {
     std::string error_message = absl::StrCat(
@@ -889,7 +902,7 @@ static bool IsDirectory(const TF_Filesystem* filesystem, const char* path,
     return false;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
 
   if (container.empty()) {
     TF_SetStatus(status, TF_UNIMPLEMENTED,
@@ -935,7 +948,7 @@ static void Stat(const TF_Filesystem* filesystem, const char* path,
     return;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
 
   if (IsDirectory(filesystem, path, status)) {
     stats->length = 0;
@@ -972,7 +985,7 @@ static int GetChildren(const TF_Filesystem* filesystem, const char* path,
     return 0;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
 
   std::string continuation_token;
   if (container.empty()) {
@@ -1049,7 +1062,7 @@ static int64_t GetFileSize(const TF_Filesystem* filesystem, const char* path,
     return 0;
   }
 
-  auto blob_client = CreateAzBlobClientWrapper(account);
+  auto blob_client = CreateAzBlobClientWrapper(account, container);
   auto blob_property = blob_client.get_blob_property(container, object);
   if (errno != 0) {
     std::string error_message = absl::StrCat(

tests/test_azure.py

@@ -15,6 +15,7 @@
 """Tests for Azure File System."""
 
 import os
+import subprocess
 import sys
 import pytest
 
@@ -27,22 +28,13 @@
     pytest.skip("TODO: skip macOS", allow_module_level=True)
 
 
-class AZFSTest(tf.test.TestCase):
+class AZFSTestBase:
     """[summary]
 
     Args:
       test {[type]} -- [description]
     """
 
-    def __init__(self, methodName="runTest"):  # pylint: disable=invalid-name
-
-        os.environ["TF_AZURE_USE_DEV_STORAGE"] = "1"
-
-        self.account = "devstoreaccount1"
-        self.container = "aztest"
-        self.path_root = "az://" + os.path.join(self.account, self.container)
-        super().__init__(methodName)
-
     def _path_to(self, path):
         return os.path.join(self.path_root, path)
 
@@ -59,7 +51,9 @@ def test_also_works_with_full_dns_name(self):
         a path of the form
         az://<account>.blob.core.windows.net/<container>/<path>
         """
-        file_name = self.account + ".blob.core.windows.net" + self.container
+        file_name = "az://" + os.path.join(
+            self.account + ".blob.core.windows.net", self.container
+        )
         if not tf.io.gfile.isdir(file_name):
             tf.io.gfile.makedirs(file_name)
 
@@ -208,5 +202,82 @@ def _test_read_file_offset_and_dataset(self):
         assert i == 2
 
 
+class AZFSTest(tf.test.TestCase, AZFSTestBase):
+    """Run tests for azfs backend using account key authentication."""
+
+    def __init__(self, methodName="runTest"):  # pylint: disable=invalid-name
+
+        self.account = "devstoreaccount1"
+        self.container = "aztest"
+        self.path_root = "az://" + os.path.join(self.account, self.container)
+        super().__init__(methodName)
+
+    def setUp(self):
+        super().setUp()
+
+        os.environ["TF_AZURE_USE_DEV_STORAGE"] = "1"
+
+
+class AZFSSASTest(tf.test.TestCase, AZFSTestBase):
+    """Run tests for azfs backend using shared access signature authentication."""
+
+    def __init__(self, methodName="runTest"):  # pylint: disable=invalid-name
+        self.account = "devstoreaccount1"
+        self.container = "aztest"
+        self.path_root = "az://" + os.path.join(self.account, self.container)
+        super().__init__(methodName)
+
+    def setUp(self):
+        super().setUp()
+
+        if "TF_AZURE_USE_DEV_STORAGE" in os.environ:
+            del os.environ["TF_AZURE_USE_DEV_STORAGE"]
+
+        os.environ["TF_AZURE_STORAGE_USE_HTTP"] = "1"
+        os.environ[
+            "TF_AZURE_STORAGE_BLOB_ENDPOINT"
+        ] = "127.0.0.1:10000/devstoreaccount1"
+
+        sas_end = (
+            subprocess.check_output(["date", "--date", "1 days", r"+%FT%TZ"])
+            .decode()
+            .rstrip()
+        )
+
+        env = os.environ.copy()
+        env["AZURE_STORAGE_CONNECTION_STRING"] = (
+            "DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;"
+            "AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;"
+            "BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;"
+            "QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;"
+            "TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;"
+        )
+
+        os.environ["TF_AZURE_STORAGE_SAS"] = (
+            subprocess.check_output(
+                [
+                    "az",
+                    "storage",
+                    "account",
+                    "generate-sas",
+                    "-otsv",
+                    "--permissions",
+                    "acdlpruw",
+                    "--resource-types",
+                    "sco",
+                    "--services",
+                    "b",
+                    "--expiry",
+                    sas_end,
+                    "--account-name",
+                    "devstoreaccount1",
+                ],
+                env=env,
+            )
+            .decode()
+            .rstrip()
+        )
+
+
 if __name__ == "__main__":
     tf.test.main()