The steps below show how to configure authentication between your HDP cluster and WASB using the wasb connector. Note for Cloudbreak users: When you create a cluster with Cloudbreak, you can configure authentication with WASB on the "Add File System" page of the create cluster wizard. If you do this, you do not need to perform the steps below. If you have already created a cluster with Cloudbreak but did not perform WASB configuration on the"Add File System" page of the create cluster wizard, follow the steps below: Prerequisites 1. The Azure prerequisite to configuring authentication is having a storage subscription and creating a storage account. For example: 2. On the HDP side, you must use a version that supports the WASB integration. I am using HDP 2.6.1, which supports connecting to WASB using the WASB connector. Steps In order to access data stored in your Azure blob storage account, you must configure your storage account access key in core-site.xml . The configuration property that you must use is fs.azure.account.key.<account name>.blob.core.windows.net and the value is the access key. For example the following property should be used for a storage account called "testaccount": <property> <name>fs.azure.account.key.testaccount.blob.core.windows.net</name> <value>TESTACCOUNT-ACCESS-KEY</value> </property> You can obtain your access key from the Access keys in your storage account settings: It's recommended that you protect your credentials with credential providers. For steps, see Protecting Azure Credentials with Credential Providers. Working with Blob Storage To make sure that the authentication works, try accessing data. When accessing blob storage via the WASB connector, the URL structure is: wasb://<container_name>@<storage_account_name>.blob.core.windows.net/dir/file For example, to access a file called "testfile" located in a directory called "testdir", stored in the container called "testcontainer" on the account called "hortonworks", the URL is: wasb://testcontainer@hortonworks.blob.core.windows.net/testdir/testfile You can also use wasbs prefix to utilize SSL-encrypted HTTPS access: wasbs://<container_name>@<storage_account_name>.blob.core.windows.net/dir/file For example, the following Hadoop FileSystem shell commands demonstrate access to a storage account named myaccount and a container named mycontainer : hadoop fs -ls wasb://mycontainer@myaccount.blob.core.windows.net/ hadoop fs -mkdir wasb://mycontainer@myaccount.blob.core.windows.net/testDir hadoop fs -put testFile wasb://mycontainer@myaccount.blob.core.windows.net/testDir/testFile hadoop fs -cat wasb://mycontainer@myaccount.blob.core.windows.net/testDir/testFile test file content Learn More For more information about working with WASB using the WASB connector, refer to Getting Started with WASB in Hortonworks documentation. ... View more

Overview To control access, Azure uses Azure Active Directory (Azure AD), a multi-tenant cloud-based directory and identity management service. To learn more, refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis. In short, to configure authentication with ADLS using the client credential, you must register a new application with Active Directory service and then give your application access to your ADL account. After you've performed these steps, you can configure your core-site.xml. Note for Cloudbreak users: When you create a cluster with Cloudbreak, you can configure authentication with ADLS on the "Add File System" page of the create cluster wizard and then you must perform an additional step as described in Cloudbreak documentation. If you do this, you do not need to perform the steps below. If you have already created a cluster with Cloudbreak but did not perform ADLS configuration on the "Add File System" page of the create cluster wizard, follow the steps below: Prerequisites 1. To use ADLS storage, you must have a subscription for Data Lake Storage. 2. To access ADLS data in HDP, you must have an HDP version that supports that. I am using HDP 2.6.1, which supports connecting to ADLS using the ADL connector. Step 1: Register an application 1. Log in to the Azure Portal at https://portal.azure.com/. 2. Navigate to your Active Directory and then select App Registrations: 3. Create a new web application by clicking on +New application registration. 4. Specify an application name, type (Web app/API), and sign-on URLs. Remember the application name: you will later add it to your ADLS account as an authorized user: 5. Once an application is created, navigate to the application configuration and find the Keys in the application's settings: 6. Create a key by entering key description, selecting a key duration, and then clicking Save. Make sure to copy and save the key value. You won't be able to retrieve it after you leave the page. 7. Write down the properties that you will need to authenticate: Step 2: Assign permissions to your application 1.Log in to the Azure Portal. 2.If you don't have an ADL account, create one: 3.Navigate to your ADL account and then select Access Control (IAM): 4.Click on +Add to add to add role-based permissions. 5.Under Role select the "Owner". Under Select, select your application. This will grant the "Owner" role for this ADL account to your application. Note: If you are not able to assign the "Owner" role, you can set fine-grained RWX ACL permissions for your application, allowing it access to the files and folders of your ADLS account, as documented here. Note: If using a corporate Azure account, you may be unable to perform the role assignment step. In this case, contact your Azure admin to perform this step for you. Step 3: Configure core-site.xml 1.Add the following four properties to your core-site.xml. While "fs.adl.oauth2.access.token.provider.type" must be set to “ClientCredential” you can obtain the remaining three parameters from step 7 above. <property> <name>fs.adl.oauth2.access.token.provider.type</name> <value>ClientCredential</value></property> <property> <name>fs.adl.oauth2.client.id</name> <value>APPLICATION-ID</value></property> <property> <name>fs.adl.oauth2.credential</name> <value>KEY</value></property> <property> <name>fs.adl.oauth2.refresh.url</name> <value>TOKEN-ENDPOINT</value> </property> 2. (Optional) It's recommended that you protect your credentials with credential providers. For instructions, refer to https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_cloud-data-access/content/adls-protecting-credentials.html. Step 4: Validate access to ADLS To make sure that the authentication works, try accessing data. To test access, SSH to any cluster node, switch to the hdfs user by using sudo su hdfs and then try accessing your data. The URL structure is: adl://<data_lake_store_name>.azuredatalakestore.net/dir/file For example, to access "testfile" located in a directory called "testdir", stored in a data lake store called "mytest", the URL is: adl://mytest.azuredatalakestore.net/testdir/testfile The following FileSystem shell commands demonstrate access to a data lake store named mytest: hadoop fs -ls adl://mytest.azuredatalakestore.net/ hadoop fs -mkdir adl://mytest.azuredatalakestore.net/testDir hadoop fs -put testFile adl://mytest.azuredatalakestore.net/testDir/testFile hadoop fs -cat adl://mytest.azuredatalakestore.net/testDir/testFiletest file content Learn more For more information about working with ADLS, refer to Getting Started with ADLS in Hortonworks documentation. ... View more

We are excited to introduce the new Cloud Data Access guide for HDP 2.6.1. The goal of this guide is to provide information and steps required for configuring, using, securing, tuning performance, and troubleshooting access to the cloud storage services using HDP cloud storage connectors available for Amazon Web Services (Amazon S3) and Microsoft Azure (ADLS, WASB). To learn about the architecture of the cloud connectors, refer to Introducing the Cloud Storage Connectors. To get started with your chosen cloud storage service, refer to: Getting Started with Amazon S3 Getting Started with ADLS Getting Started with WASB Once you have configured authentication with the chosen cloud storage service, you can start working with the data. To get started, refer to: Accessing Cloud Data with Hive Accessing Cloud Data with Spark Copying Cloud Data with Hadoop If you have comments or suggestions, corrections or updates regarding our documentation, let us know on HCC. Help us continue to improve our documentation! Thanks! Hortonworks Technical Documentation Team ... View more