Add user authentication support for local dev
All Submissions:
- [YES/NO] I have added an explanation of what the changes in this merge request do and why we should include them.
- [YES/NO] I have updated the documentation accordingly.
- [YES] I have added tests to cover my changes.
- [YES] All new and existing tests passed.
- [YES] My code follows the code style of this project.
- [YES] I ran lint checks locally prior to submission.
What is the issue or story related to the change?
This change enables use of Azure CLI or IntelliJ credentials to acquire access tokens when the Spring profile is set to "local". This is done so that access tokens can be acquired when we are running the service locally (to debug changes). Additionally, this provides an alternative to service principal authentication for this case. Service principal authentication is not allowed in some tenants, as it has been the subject of security exploits in recent years. Azure CLI auth provides an interactive way for the developer to authenticate with MFA and passkeys (Windows Hello, etc.), which is more secure than service principal authentication via client id/secret.
High level design:
Run the service with the Spring profile set to local. This engages application-local.properties, which can override the default application.properties. In the "-local" profile, workload identity and MSI are disabled and local auth is enabled. If local auth is enabled, an access token is acquired using Azure CLI or IntelliJ credentials.
In a production scenario, the Azure CLI credential will not work, as the Spring profile will not be set to local and the local setting is off by default.
Change details:
Updates AzureServicePrincipleTokenService and AzureServicePrinciple to be able to resolve tokens using Azure CLI credentials. The other mechanisms remain available.
Test coverage:
Tests have been added to cover the changes in both classes.
Does this introduce a breaking change?
- [NO]
The existing auth mechanisms will still function. This is additive.
Pending items
There may be changes to the partition service itself to enable local development. I have not been able to have the partition service successfully accept a token from Azure CLI credentials, with or without Istio. There may be follow-up changes to that service specifically for local dev.
Reviewer request
- Please provide an ETA when you plan to review this MR. Write a comment to decline or provide an ETA.
- Block the MR if you feel there is less testing or no details in the MR
- Please cover the following aspects in the MR -- Coding design: <Reviewer1> -- Backward Compatibility: <Reviewer2> -- Feature Logic: <Logic design> -- <Any other context mention here> OR -- <Component 1>: <Reviewer1> -- <CosmosDB>: <Reviewer2> -- <ServiceBus> <Reviewer3> -- <Mention any other component and owner>
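The profile-gated credential selection described in the high level design, as an added example that is not code from this MR or from the project. It uses the Azure Identity SDK for Java and Spring profiles; the property names (azure.auth.local.enabled, azure.auth.workload-identity.enabled, azure.client-id, azure.client-secret, azure.tenant-id) and the class names are assumptions chosen for illustration, not the project's own. It also adds the check a reviewer would want: the interactive Azure CLI/IntelliJ credential is only constructed under the "local" profile, and the bean for every other profile refuses to start if the local flag is set, so a copy-pasted property cannot switch a deployed instance to developer auth.

```java
// Added example (not the MR's or the project's code). Property and class names are assumptions.
package example.auth;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.AzureCliCredentialBuilder;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.IntelliJCredentialBuilder;
import com.azure.identity.WorkloadIdentityCredentialBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.stereotype.Service;

@Configuration
public class AzureCredentialConfig {

    // Hypothetical properties; application-local.properties would carry:
    //   azure.auth.local.enabled=true
    //   azure.auth.workload-identity.enabled=false
    // application.properties leaves azure.auth.local.enabled at its default of false.
    @Value("${azure.auth.local.enabled:false}")
    private boolean localAuthEnabled;

    /** Developer-machine credential: wired only when the "local" profile is active. */
    @Bean
    @Profile("local")
    public TokenCredential localDeveloperCredential() {
        if (!localAuthEnabled) {
            throw new IllegalStateException("azure.auth.local.enabled must be true under the local profile");
        }
        // Azure CLI first (az login, with MFA / passkey), IntelliJ sign-in as the fallback.
        return new ChainedTokenCredentialBuilder()
                .addLast(new AzureCliCredentialBuilder().build())
                .addLast(new IntelliJCredentialBuilder().build())
                .build();
    }

    /** Deployed credential for every profile except "local": no interactive credential here. */
    @Bean
    @Profile("!local")
    public TokenCredential deployedCredential(
            @Value("${azure.auth.workload-identity.enabled:true}") boolean workloadIdentity,
            @Value("${azure.client-id:}") String clientId,
            @Value("${azure.client-secret:}") String clientSecret,
            @Value("${azure.tenant-id:}") String tenantId) {
        if (localAuthEnabled) {
            // Defence in depth: the local flag must never be honoured outside the local profile.
            throw new IllegalStateException("azure.auth.local.enabled is set but the active profile is not local");
        }
        if (workloadIdentity) {
            return new WorkloadIdentityCredentialBuilder().build();
        }
        // Service-principal path, kept only for tenants that still permit it.
        return new ClientSecretCredentialBuilder()
                .clientId(clientId)
                .clientSecret(clientSecret)
                .tenantId(tenantId)
                .build();
    }
}

/** Hypothetical consumer: the rest of the service only ever sees a TokenCredential. */
@Service
class AccessTokenService {
    private final TokenCredential credential;

    AccessTokenService(TokenCredential credential) {
        this.credential = credential;
    }

    /** Acquire a bearer token for one scope, e.g. "https://management.azure.com/.default". */
    String bearerToken(String scope) {
        AccessToken token = credential.getToken(new TokenRequestContext().addScopes(scope)).block();
        if (token == null) {
            throw new IllegalStateException("no access token acquired for scope " + scope);
        }
        return token.getToken();
    }
}
```

Run with `--spring.profiles.active=local` after `az login` (or an IntelliJ Azure sign-in) and the chained credential is used; in any other profile the same flag set to true aborts startup instead of silently enabling developer auth, which is the property the "off by default" statement above relies on.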