By default, Microsoft Azure deployments integrate with Azure Data Lake Store (ADLS). Optionally, you can configure your deployment to integrate with WASB.

Limitations of WASB Integration

Read-only access

If the base storage layer has been set to ADLS, you can follow these instructions to set up read-only access to WASB. 

NOTE: If you are adding WASB as a secondary integration to ADLS, your WASB blob container or containers must contain at least one folder. This is a known issue.


NOTE: To enable read-only access to WASB, do not set the base storage layer to wasbs. The base storage layer for ADLS read-write access must remain hdfs.

Pre-requisites

General

Create a registered application

Before you integrate with Azure ADLS, you must create the  as a registered application. See Configure for Azure.

Other Azure properties

The following properties should already be specified in the Admin Settings page. Please verify that the following have been set:

The above properties are needed for this configuration. For more information, see Configure for Azure.

Key Vault Setup

For new installs, an Azure Key Vault has already been set up and configured for use by the .

NOTE: An Azure Key Vault is required. Upgrading customers who do not have a Key Vault in their environment must create one.

For more information, see Configure for Azure.

Configure WASB Authentication

Authentication to WASB storage is managed by specifying the appropriate host, container, and token ID in the  configuration. When access to WASB is requested, the platform passes the information through the Secure Token Service to query the specified Azure Key Vault Store using the provided values. The keystore returns the value for the secret. The combination of the key (token ID) and secret is used to access WASB.

NOTE: Per-user authentication is not supported for WASB.

 

For more information on creating the Key Vault Store and accessing it through the Secure Token Service, see Configure for Azure.

Configure the 

Define location of SAS token

The SAS token required for accessing Azure can be accessed from either of the following locations:

  1. Key Vault

whether SAS token is to be retrieved from Azure Key Vault or Configuration

SAS token from Key Vault

To store the SAS token in the key vault, specify the following parameters in platform configuration.

 

 

Secret names used for extra stores

If you are enabling extra WASB stores, specify the secret name to be used to access the SAS token from the Key Vault per extra Store.

NOTE: Additional configuration is required for enabling extra WASB stores. See below.


"azure.wasb.extraStores": [ {
	...
	"keyVaultSasTokenSecretName": "<secret_name>"
  }, {
	...
	"keyVaultSasTokenSecretName": "<secret_name>"
  }
]

 

 

ParameterDescription
"azure.wasb.fetchSasTokensFromKeyVault": true,

Instructs the to query the Key Vault for SAS tokens

NOTE: The Key Vault must already be set up. See "Key Vault Setup" above.


"azure.wasb.defaultStore.keyVaultSasTokenSecretName": "<your_value_here>",The default store's SAS token secret name to retrieve the SAS token for the default store from the Azure Key Value Store.


SAS token from 

To specify the SAS token in the  configuration, set the following flag to false and then specify the SAS token per container.  

ParameterDescription
"azure.wasb.fetchSasTokensFromKeyVault": false,

Instructs the to acquire per-container SAS tokens from the platform configuration.

"azure.wasb.defaultStore.sasToken": "<your_value_here>",Specify the SAS token here for the default store, if azure.wasb.fetchSasTokensFromKeyVault is set to false.
SAS token for extra WASB stores

If you are enabling extra WASB stores and azure.wasb.fetchSasTokensFromKeyVault is set to false, specify the sasToken for each extra store.

NOTE: Additional configuration is required for enabling extra WASB stores. See below.


"azure.wasb.extraStores": [ {
	...
	"sasToken": "<your_value_here>"
  }, {
	...
	"sasToken": "<your_value_here>"
  }
]

 

Define default storage location and access key

In platform configuration, you must define the following properties. When these properties are specified, the platform acquires the secret for the specified token ID, which is used to gain access to WASB. 

Storage account

Azure path to the location where your data is to be stored.

"azure.wasb.defaultStore.blobHost": "<your_value_here>",

Container

Within your storage location, this value defines the default container for storing data.

 

"azure.wasb.defaultStore.container": "<your_value_here>",

 

Define extra stores

If you have additional WASB stores, you can specify access to them for the .  Users of the platform can use them for reading sources and writing results.

Steps:

  1. Locate the azure.wasb.extraStores configuration block and add the following parameters:

    "azure.wasb.extraStores": 
        "extraStores": [
         {
          "sasToken": "<VALUE1_HERE",
          "keyVaultSasTokenSecretName": "<VALUE1_HERE>",
          "container": "<VALUE1_HERE>",
          "blobHost": "<VALUE1_HERE>"
         },
         {
          "sasToken": "VALUE2_HERE",
          "keyVaultSasTokenSecretName": "<VALUE2_HERE>",
          "container": "<VALUE2_HERE>",
          "blobHost": "<VALUE2_HERE>"
         }
        ]
       },
     },


    ParameterDescription
    sasToken

    Set this value to SAS token, if applicable.

    keyVaultSasTokenSecretName

    To use the same SAS token as used in default storage, set this value to the same SAS token ID.

    If needed, you can generate and apply a per-container SAS token for use in this field for this specific store. Details are below.

    container

    Apply the name of the WASB container.

    NOTE: If you are specifying different blob host and container combinations for your extra stores, you must create a new Key Vault store. See above for details.


    blobHost

    Specify the blob host for the extra store.

    NOTE: If you are specifying different blob host and container combinations for your extra stores, you must create a new Key Vault store. See above for details.



  2. Save your changes and restart the platform.

Generate per-container SAS token

Execute the following command at the command line to generate a SAS token for a specific container:

Set-AzureRmStorageAccount -Name 'name'
$sasToken = New-AzureStorageContainerSASToken -Permission r -ExpiryTime (Get-Date).AddHours(2.0) -Name '<container_name>'

Configure storage protocol

You must configure the platform to use the WASBS (secure) storage protocol when accessing.

Steps:

  1. Locate the following parameter and change its value  wasbs for secure access:

    "webapp.storageProtocol": "wasbs",


  2. Save your changes and restart the platform.

Enable

Steps:

  1. Locate the following parameter and change its value to true:

    "azure.wasb.enabled": true,


  2. Save your changes and restart the platform.

Testing

Restart services. See Start and Stop the Platform.

After the configuration has been specified, a WASB connection appears in the Import Data page. Select it to begin navigating through the WASB Browser for data sources.

Try running a simple job from the . For more information, see Verify Operations.