Authentication mechanism
Note
We will retire Azure HDInsight on AKS on January 31, 2025. Before January 31, 2025, you will need to migrate your workloads to Microsoft Fabric or an equivalent Azure product to avoid abrupt termination of your workloads. The remaining clusters on your subscription will be stopped and removed from the host.
Only basic support will be available until the retirement date.
Important
This feature is currently in preview. The Supplemental Terms of Use for Microsoft Azure Previews include more legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. For information about this specific preview, see Azure HDInsight on AKS preview information. For questions or feature suggestions, please submit a request on AskHDInsight with the details and follow us for more updates on Azure HDInsight Community.
Trino with HDInsight on AKS provides tools such as CLI client, JDBC driver etc., to access the cluster, which is integrated with Microsoft Entra ID to simplify the authentication for users. Supported tools or clients need to authenticate using Microsoft Entra ID OAuth2 standards that are, a JWT access token issued by Microsoft Entra ID must be provided to the cluster endpoint.
This section describes common authentication flows supported by the tools.
Authentication flows overview
The following authentication flows are supported.
Note
Name is reserved and should be used to specify certain flow.
| Name | Required parameters | Optional parameters | Description |
|---|---|---|---|
| AzureDefault | None | Tenant ID, client ID | Meant to be used during development in interactive environment. In most cases, user sign-in using browser. See details. |
| AzureInteractive | None | Tenant ID, client ID | User authenticates using browser. See details. |
| AzureDeviceCode | None | Tenant ID, client ID | Meant for environments where browser isn't available. Device code provided to the user requires an action to sign-in on another device using the code and browser. |
| AzureClientSecret | Tenant ID, client ID, client secret | None | Service principal identity is used, credentials required, non-interactive. |
| AzureClientCertificate | Tenant ID, client ID, certificate file path | Secret/password. If provided, used to decrypt PFX certificate. Otherwise expects PEM format. | Service principal identity is used, certificate required, non-interactive. See details. |
| AzureManagedIdentity | Tenant ID, client ID | None | Uses managed identity of the environment, for example, on Azure VMs or AKS pods. |
AzureDefault flow
This flow is default mode for the Trino CLI and JDBC if auth parameter isn't specified. In this mode, client tool attempts to obtain the token using several methods until token is acquired.
In the following chained execution, if token isn't found or authentication fails, process will continue with next method:
DefaultAzureCredential -> AzureInteractive -> AzureDeviceCode (if no browser)
AzureInteractive flow
This mode is used when auth=AzureInteractive is provided or as part of AzureDefault chained execution.
Note
If browser is available, it will show authentication prompt and awaits user action. If browser isn't available, it will fallback to AzureDeviceCode flow.
AzureClientCertificate flow
Allows using PEM/PFX(PKCS #12) files for service principal authentication. If secret/password is provided, expects file in PFX(PKCS #12) format and uses the secret to decrypt the file. If secret isn't provided, expects PEM formatted file to include private and public keys.
Environment variables
All the required parameters could be provided to CLI/JDBC directly in arguments or connection string. Some of the optional parameters, if not provided, is looked up in environment variables.
Note
Make sure to check environment variables if you face authentication issues. They may affect the flow.
The following table describes the parameters that can be configured in environment variables for the different authentication flows.
They will only be used if corresponding parameter isn't provided in the command line or connection string.
| Variable name | Applicable authentication flows | Description |
|---|---|---|
| AZURE_TENANT_ID | All | Microsoft Entra tenant ID. |
| AZURE_CLIENT_ID | AzureClientSecret, AzureClientCertificate, AzureManagedIdentity | Application/principal client ID. |
| AZURE_CLIENT_SECRET | AzureClientSecret, AzureClientCertificate | Secret or password for service principal or certificate file. |
| AZURE_CLIENT_CERTIFICATE_PATH | AzureClientCertificate | Path to certificate file. |