【Question title】: Service to service authentication is failing for Azure Datalake Gen1 to Azure Analysis services
【Posted】: 2021-09-13 20:29:54
【Question description】:

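I am using Azure Data Lake Gen1 and Azure Analysis Services. I am authorizing my Azure Analysis Services data model with an Azure Data Lake connection.

Microsoft maintains a document for this activity. I followed the same. Based on the theory in this document, I created a PowerShell script that executes and fetches an access_token. Once I get the access_token, I update the XMLA of the connection section of the Azure Analysis Services data model and deploy it.

I tried to implement it using the End-User authentication mechanism, but did not succeed.

When I deploy and process the same model, it works fine, but when I process it after 1 hour, it gives me the following error.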

Failed to save modifications to the server. Error returned: '<pii>The credentials provided cannot be used for the DataLake source. (Source at https://mydatalake.azuredatalakestore.net/.)</pii>. The exception was raised by the IDbCommand interface.

Technical Details:
RootActivityId: 46646584-7ccb-4946-a38c-b91c1963e82c
Date (UTC): 9/13/2021 7:53:10 PM
<pii>The credentials provided cannot be used for the DataLake source. (Source at https://mydatalake.azuredatalakestore.net/.)</pii>. The exception was raised by the IDbCommand interface.
<pii>The credentials provided cannot be used for the DataLake source. (Source at https://mydatalake.azuredatalakestore.net/.)</pii>. The exception was raised by the IDbCommand interface.
The command has been canceled.. The exception was raised by the IDbCommand interface.
'.

My PowerShell code

$dataModelsList = "MY-DM-Cost-Test"
$datalakeName= 'mydatalakename'
$aasName= 'asazure://aspaaseastus2.asazure.windows.net/myaasname'

$password = ConvertTo-SecureString -String "lajsdfkjjfdakasjdfhjkud&98asdllfkf" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",$password)
Connect-AzAccount -Credential $credential -Tenant $tenantID -ServicePrincipal

$authUrl = "https://login.windows.net/" + $tenantID + "/oauth2/token/"
$body = @{
    "resource" = "https://management.azure.com/";
    "grant_type" = "client_credentials";
    "client_id" = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    "client_secret" = "lajsdfkjjfdakasjdfhjkud&98asdllfkf"
}

$adlsToken = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body

$date = Get-Date -Format r
$password = ConvertTo-SecureString -String $secretKey -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($ClientID,$password)
Connect-AzAccount -Credential $credentials -Tenant $tenantID

for($f = 0; $f -lt $dataModelsList.Count; $f++)
{
    if($dataModelsList.Count -eq 1)
    {
        $AASDatabaseName = $dataModelsList
    }
    else
    {
        $AASDatabaseName = $dataModelsList[$f]
    }

    Write-Output "Refreshing $AASDatabaseName data model ..."
    $updateDataSource = '
    {
        "createOrReplace": {
            "object": {
                "database": "'+$AASDatabaseName+'",
                "dataSource": "DataLake/https://'+$datalakeName+' azuredatalakestore net/",
            },
            "dataSource": {
                "type": "structured",
                "name": "DataLake/https://'+$datalakeName+' azuredatalakestore net/",
                "connectionDetails": {
                    "protocol": "data-lake-store",
                    "address": {
                        "url": "https://' + $datalakeName + '.azuredatalakestore.net"
                    }
                },
                "options": {
                    "pageSize": 999999999
                },
                "credential": {
                    "DataSourceKind": "DataLake",
                    "AuthenticationKind": "OAuth2",
                    "Expires": "'+$date+'",
                    "RefreshToken":"'+$adlsToken.access_token+'",
                    "token_type": "Bearer",
                    "scope": "user_impersonation",
                    "ext_expires_in": "'+$adlsToken.ext_expires_in+'",
                    "expires_on": "'+$adlsToken.expires_on+'",
                    "not_before": "'+$adlsToken.not_before+'",
                    "resource": "https://management.azure.com",
                    "AccessToken":"'+$adlsToken.access_token+'"
                }
            }
        }
    }'

    $result = Invoke-ASCmd -Server $AASServerName -Database $AASDatabaseName -Query $updateDataSource -Credential $credentials #-ServicePrincipal
}

The above code returns the following response.

token_type     : Bearer
expires_in     : 3599
ext_expires_in : 3599
expires_on     : 1631542903
not_before     : 1631539003
resource       : https://management.azure.com/
access_token   : eyxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xx.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxx
                 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
                 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

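As I understand it, my data model cannot be refreshed after 1 hour because I don't get a refresh token in the response, with whose help I could get a new access token. But this is just an imagined idea on my part.

Please help me understand why my Azure Analysis Services data model fails to process after one hour, and how to then refresh the credentials using the above script.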

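【Question discussion】:

    Tags: powershell oauth-2.0 azure-active-directory azure-data-lake azure-analysis-services


    【Solution 1】:

    Your token is expiring, which isn't really a big problem, since you just need to test whether your token is still valid and, if it isn't, get a new one. The token response has a property, expires_on, which is the number of seconds after 1970-01-01T0:0:0Z UTC at which the token expires. So we can simply test for this with: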

    If(([datetime]::UtcNow - [datetime]'01/01/1970 00:00:00Z').totalseconds -gt $adlsToken.expires_on){ $adlsToken = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body }
    

    Now we just put that right before you reference the access token, and you should be all set.

        Write-Output "Refreshing $AASDatabaseName data model ..."
        If(([datetime]::UtcNow - [datetime]'01/01/1970 00:00:00Z').totalseconds -gt $adlsToken.expires_on){ $adlsToken = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body }
        $updateDataSource = '
    

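    【Discussion】:

    • Hi @TheMadTechnician, I don't think your suggestion will work, because the "expire_in" key is set to 3599 seconds, i.e. 59 minutes. So if I increase the $adlsToken.expire_on time, it will not have any effect.
    • I didn't say anything about the expire_in property. That only tells you how long the token is valid for. We are using the expire_on property, which represents the date/time the token expires. It is expressed as the number of seconds after midnight UTC on January 1, 1970. We are not increasing the value of expire_on; we are using it to determine whether your token has expired, and if it has, we get a new token, which will have a new expire_on value representing the new token's new expiration time.
    • You are right @TheMadTechnician! Actually, I would like it to expire after a day or two with the same access token. I know it sounds like melting stone with a candle. I don't want to update the credentials of the Azure Analysis Services data model every hour. Any alternative to this solution?
    • You shouldn't have to do anything manually here; as long as the script is running, it will get a new token by itself as needed. I don't know whether you can change the duration of the token lifetime; I'm not familiar enough with the Azure REST API.
    • Sorry, that solution doesn't work, because the credentials are invalid at the time we process the data model.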
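
The expiry check from the answer above, as an added example that is not part of the original answer or its comments: it wraps the `expires_on` comparison in a function with a renewal margin. The names `Test-TokenExpired`, `Get-ValidToken` and `-SkewSeconds`, and the sample token values, are constructed for illustration.

```powershell
# Added example; function names, parameters and sample values are hypothetical.
function Test-TokenExpired {
    param(
        [Parameter(Mandatory)] $Token,   # object with an expires_on property (Unix seconds, UTC)
        [int]  $SkewSeconds = 300,       # treat the token as expired this long before expires_on
        [long] $Now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    # The response shown in the question carries expires_on as text; cast before comparing.
    $expiresOn = [long]$Token.expires_on
    return ($Now + $SkewSeconds) -ge $expiresOn
}

function Get-ValidToken {
    param(
        $Token,                                          # current token, $null on first use
        [Parameter(Mandatory)] [scriptblock] $Request,   # how to obtain a new token
        [int] $SkewSeconds = 300
    )
    if ($null -eq $Token -or (Test-TokenExpired -Token $Token -SkewSeconds $SkewSeconds)) {
        return & $Request
    }
    return $Token
}

# Constructed sample: a token that expires in 120 seconds, inside the 300-second margin.
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$oldToken = [pscustomobject]@{
    expires_on   = "$($now + 120)"
    access_token = 'constructed-old'
}

# Constructed stand-in for the token request so the example runs offline.
$fakeRequest = {
    [pscustomobject]@{
        expires_on   = "$([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + 3599)"
        access_token = 'constructed-new'
    }
}

$adlsToken = Get-ValidToken -Token $oldToken -Request $fakeRequest
Write-Output "Token in use: $($adlsToken.access_token), expires_on: $($adlsToken.expires_on)"
```

In the question's script the `-Request` block would be `{ Invoke-RestMethod -Uri $authUrl -Method POST -Body $body }`. The check only renews the token inside a running script; a token already written into the model's data source stays as deployed until the data source is updated again.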