Authorization Header for WebHDFS with Azure Data Lake - azure-active-directory

I'm trying to use WebHDFS with Azure Data Lake. According to Microsoft's documentation, the steps one should follow are:
Create a new application in Azure AD with a key and delegated permissions to Azure Management Services
Using the client_id, tenant_id, and secret key, make a request to the OAUTH2 endpoint
curl -X POST https://login.microsoftonline.com/<TENANT-ID>/oauth2/token \
-F grant_type=client_credentials \
-F resource=https://management.core.windows.net/ \
-F client_id=<CLIENT-ID> \
-F client_secret=<AUTH-KEY>
Upon success, you then get back some JSON including an "access_token" object, whose content you should include with subsequent WebHDFS requests by adding the header
Authorization: Bearer <content of "access_token">
where <content of "access_token"> is the long string in the "access_token" object.
Once you have included that header, you should be able to make WebHDFS calls. For example, to list directories, you could do
curl -i -X GET -H "Authorization: Bearer <REDACTED>" https://<yourstorename>.azuredatalakestore.net/webhdfs/v1/?op=LISTSTATUS
Having followed all those steps, I am getting an HTTP 401 error when running the above curl command to list directories:
WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/<REDACTED>/", error="invalid_token", error_description="The access token is invalid."
with the body
{"error":{"code":"AuthenticationFailed","message":"Failed to validate the access token in the 'Authorization' header."}}
Does anyone know what might be the problem?
I pasted the token into jwt.io and it is valid (didn't check the signature). The content is something like this:
{
typ: "JWT",
alg: "RS256",
x5t: "MnC_VZcATfM5pOYiJHMba9goEKY",
kid: "MnC_VZcATfM5pOYiJHMba9goEKY"
}.
{
aud: "https://management.core.windows.net",
iss: "https://sts.windows.net/<TENANT-ID>/",
iat: 1460908119,
nbf: 1460908119,
exp: 1460912019,
appid: "<APP-ID>",
appidacr: "1",
idp: "https://sts.windows.net/<TENANT-ID>/",
oid: "34xxxxxx-xxxx-xxxx-xxxx-5460xxxxxxd7",
sub: "34xxxxxx-xxxx-xxxx-xxxx-5460xxxxxxd7",
tid: "<TENANT-ID>",
ver: "1.0"
}.

Please click the Data Explorer button then highlight the root folder and click Access. Then grant your AAD app permissions to WebHDFS there. I believe what you have done already is just to grant that AAD app permissions to manage your Azure Data Lake Store with the portal or Azure PowerShell. You haven't actually granted WebHDFS permissions yet. Further reading on security is here.
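The claim check from the question can be done locally instead of pasting a live bearer token into a third-party site. The sketch below is an added example, not code from the original posts or from Microsoft: it decodes the token without verifying the signature and reports validity-window and audience problems, so those can be ruled out before looking at store-side permissions as the answer suggests. The function names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj):
    # Helper used only to build the constructed sample token below.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_token(token, expected_aud, now=None):
    """Decode header and claims locally. The signature is NOT verified, so this
    is a debugging aid for your own tokens, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    findings = []
    if "nbf" in claims and now < claims["nbf"]:
        findings.append("not yet valid")
    if "exp" not in claims or now >= claims["exp"]:
        findings.append("expired or missing exp")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:  # exact string comparison
        findings.append("audience mismatch")
    return {"header": header, "claims": claims, "findings": findings}


# Constructed sample: claim values copied from the question, placeholder signature.
SAMPLE_CLAIMS = {
    "aud": "https://management.core.windows.net",
    "iss": "https://sts.windows.net/<TENANT-ID>/",
    "iat": 1460908119, "nbf": 1460908119, "exp": 1460912019,
    "tid": "<TENANT-ID>", "ver": "1.0",
}
SAMPLE_TOKEN = ".".join([b64url_encode({"typ": "JWT", "alg": "RS256"}),
                         b64url_encode(SAMPLE_CLAIMS),
                         "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"])

if __name__ == "__main__":
    report = inspect_token(SAMPLE_TOKEN, "https://management.core.windows.net",
                           now=1460908200)
    print(report["findings"] or "time window and audience look fine")
```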

Related

What are cURL headers needed for GMail API (message.send)?

I'm trying to get the GMail API working, for sending an Email. I am building the JSON and cURL requests myself (instead of with a 3rd party library - not able to easily use one of those; and shouldn't need to...)
I got far enough that I have a JSON object that fails when I make the cURL request from my solution (error 400 - Recipient required...), but it WORKS when sent via their 'Try this API' widget on the GMail API docs page.
I'm thinking that I have something wrong in my cURL headers (which would be different between my solution's code and their API widget). So what cURL headers are required? I thought I had looked around, but I am not finding the information. Could be missing something obvious. :)
URL: https://gmail.googleapis.com/upload/gmail/v1/users/me/messages/send
cURL headers used (exact syntax is not this, this is just close-representation):
-X POST
-H Authorization: Bearer <accessToken>
-H Content-Type: message/rfc822
-d <JSON>
Example JSON object:
{"payload":
{"body":
{"data":""}
,"headers":[
{"name":"To","value":"email@email.net"}
,{"name":"From","value":"email@address.com"}
,{"name":"Subject","value":"Test message --- TESTING"}
]
,"mimeType":"text/plain"
,"partId":"1"
}
,"raw":"TUlNRS1WZX... < rest of encoded RFC2822 content>"
}

Calling Google IAM generateAccessToken API always returns error

I'm facing the issue where I am not able to generate an Access Token for Google IAM Service Account using this method.
I've got my personal OAuth2 access token using:
gcloud auth application-default print-access-token
I've got all the necessary roles (roles/iam.serviceAccountTokenCreator) but when I cURL the API I always get an error response:
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
This is what the full curl request looks like:
curl -X POST --header 'Content-Type: application/json' --header 'authorization: Bearer ya29.AASDSADASDASDi9C1yAXXXXXXZzLtDDrCAzblqF_qi5sKvMZcHieBADASDASDTNJiOKrqJBffb4Moh3gTgiTbDgMIF1XDQU5JZ31aACs0aUbI4wgeqV2Q' https://iamcredentials.googleapis.com/v1/projects/<PROJECT_NAME>/serviceAccounts/<SA_NAME>@<PROJECT_NAME>.iam.gserviceaccount.com:generateAccessToken -d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}'
Thanks
You have two problems in your API call.
The Service Account Name is a path parameter and must be URL encoded. The @ character is not valid. Use %40 in its place (as an example of correct encoding).
The URI specifies a PROJECT_NAME. This is not correct. You need to use a - (hyphen/dash character). Example: projects/-/serviceAccounts.
You also need to have the permission iam.serviceAccounts.getAccessToken attached to one of the roles that are assigned to the account that created the Access Token used in this API request. This will cause a different error if incorrect. Just a tip as you get to the next step.
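The two corrections from the answer, applied when the request is assembled, shown as an added example that is not part of the original posts. The function name and the sample service account address are hypothetical, and the request is only constructed here, not sent.

```python
import json
import urllib.parse
import urllib.request

API = "https://iamcredentials.googleapis.com/v1"


def build_generate_access_token_request(sa_email, caller_token, scopes):
    """Return an unsent urllib Request for the generateAccessToken call."""
    if sa_email.count("@") != 1 or "/" in sa_email:
        raise ValueError("expected a service account e-mail address")
    # safe="" makes quote() percent-encode every reserved character,
    # so the "@" in the address becomes "%40" inside the path segment.
    name = urllib.parse.quote(sa_email, safe="")
    # "-" replaces the project name in the path, as the answer describes.
    url = f"{API}/projects/-/serviceAccounts/{name}:generateAccessToken"
    body = json.dumps({"scope": list(scopes)}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {caller_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a credential.
    req = build_generate_access_token_request(
        "my-sa@my-project.iam.gserviceaccount.com",
        "<CALLER-ACCESS-TOKEN>",
        ["https://www.googleapis.com/auth/cloud-platform"],
    )
    print(req.get_method(), req.full_url)
```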

Using HTTP Request for Google Dialogflow

https://api.dialogflow.com/v1/query?v=20150910&contexts=shop&lang=en&query=apple&sessionId=12345&timezone=America/New_York
Headers:
Authorization: Bearer YOUR_CLIENT_ACCESS_TOKEN
How do I use the above code to make an HTTP request in Google Dialogflow? How do I add headers as part of the HTTP request?
You can use the Postman application for sending POST request,
Select Post request in Postman Application,
Copy and paste URL https://api.dialogflow.com/v1/query?v=20150910&contexts=shop&lang=en&query=apple&sessionId=12345&timezone=America/New_York
In headers section, choose Authorization as key and paste the Bearer YOUR_CLIENT_ACCESS_TOKEN
Then, if you click send you will get the proper response in a body.
An easy start is to use curl from the command line as in the documentation:
curl \
-H "Authorization: Bearer YOUR_CLIENT_ACCESS_TOKEN" \
"https://api.dialogflow.com/v1/query?v=20150910&contexts=shop&lang=en&query=apple&sessionId=12345&timezone=America/New_York"
Just copy the whole thing and paste it into your command line and you will get a json response.
Ref: https://dialogflow.com/docs/reference/agent/query#get_query_sample

Access Coinbase Create Account API using curl without OAuth2

I am using Coinbase Wallet Endpoints of Coinbase API in my application and trying to hit create_account API https://developers.coinbase.com/api/v2#create-account using curl without OAuth2. According to Coinbase documentation, curl command would be like:
curl https://api.coinbase.com/v2/accounts \
-X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer abd90df5f27a7b170cd775abf89d632b350b7c1c9d53e08b340cd9832ce52c2c' \
-d '{"name": "New wallet"}'
I am unable to figure out what the value of the access token will be and how I will get it without using an OAuth2 request.
Please guide me: how will I get a Bearer access token without using OAuth2?

deploying to google app engine flexible env

I am following
https://cloud.google.com/endpoints/docs/quickstart-app-engine
but when I run
gcloud service-management deploy openapi.yaml
I am hitting:
ERROR: (gcloud.service-management.deploy) PERMISSION_DENIED: Not allowed to get project settings for project instasmarttagger-162719
I am not sure what I have to do to resolve it.
The openapi.yml looks like
VSKUMAR-mac:appengine vskumar$ vi openapi.yaml
      - "application/json"
      responses:
        200:
          description: "Authenication info."
          schema:
            $ref: "#/definitions/authInfoResponse"
      x-security:
      - google_id_token:
          audiences:
          # Your OAuth2 client's Client ID must be added here. You can add
          # multiple client IDs to accept tokens from multiple clients.
          - "YOUR-CLIENT-ID"
definitions:
  echoMessage:
    properties:
      message:
        type: "string"
  authInfoResponse:
    properties:
      id:
        type: "string"
      email:
        type: "string"
# This section requires all requests to any path to require an API key.
security:
- api_key: []
securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
  # This section configures authentication using Google API Service Accounts
  # to sign a json web token. This is mostly used for server-to-server
  # communication.
  google_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    # This must match the 'iss' field in the JWT.
    x-google-issuer: "jwt-client.endpoints.sample.google.com"
    # Update this with your service account's email address.
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/jwk/YOUR-SERVICE-ACCOUNT-EMAIL"
  # This section configures authentication using Google OAuth2 ID Tokens.
  # ID Tokens can be obtained using OAuth2 clients, and can be used to access
  # your API on behalf of a particular user.
  google_id_token:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "accounts.google.com"
    x-google-jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
Looks like I was signed into a different account and was trying to deploy to the app hosted on another account. Doing a gcloud list projects helped me identify it.
