[Feature] To be able to rotate subscription key #7596
Conversation
| * @param subscriptionKey the subscription key | ||
| * @return the {@link TextAnalyticsSubscriptionKeyCredential} itself | ||
| */ | ||
| public TextAnalyticsSubscriptionKeyCredential updateCredential(String subscriptionKey) { |
There was a problem hiding this comment.
Don't think returning TextAnalyticsSubscriptionKeyCredential is necessary here. Returning void should be sufficient.
There was a problem hiding this comment.
I am not sure if we agreed on the terminology here in previous arch-board review - there were several proposals refresh, update, set, rotate etc.
| * @param subscriptionKey the subscription key | ||
| * @return the {@link TextAnalyticsSubscriptionKeyCredential} itself | ||
| */ | ||
| public TextAnalyticsSubscriptionKeyCredential updateCredential(String subscriptionKey) { |
There was a problem hiding this comment.
Also, when is this method called? Is this method expected to be called by the user when they want to update the key? If so, it would be good to include in samples and code snippets.
There was a problem hiding this comment.
I will add the samples and snippet.
| package com.azure.ai.textanalytics.models; | ||
|
|
||
| /** | ||
| * Subscription key credential that shared across cognitive services, or restrict to single service. |
There was a problem hiding this comment.
Is this applicable for all cognitive services? If so, is the plan to duplicate this credential in all cognitive services modules or would we create a common module like storage has to put the common stuff there?
There was a problem hiding this comment.
We had a discussion about having a common module. We decided not to have a common module now because currently we only have one service implemented. We don't really know the use case.
There was a problem hiding this comment.
@mssfang is right - this is still an open question. We're starting to look at FormRecognizer now, though, so we'll start driving the "where would we put a common Cognitive credential" with the architects.
| * @return the {@link TextAnalyticsSubscriptionKeyCredential} itself | ||
| */ | ||
| public TextAnalyticsSubscriptionKeyCredential updateCredential(String subscriptionKey) { | ||
| this.subscriptionKey = subscriptionKey; |
There was a problem hiding this comment.
Can subscriptionKey be null or empty? If not, you may want to check for these conditions here and in the constructor.
There was a problem hiding this comment.
Agreed. Will add the check
.../src/main/java/com/azure/ai/textanalytics/models/TextAnalyticsSubscriptionKeyCredential.java
Outdated
Show resolved
Hide resolved
| * @return the {@link TextAnalyticsSubscriptionKeyCredential} itself | ||
| */ | ||
| public TextAnalyticsSubscriptionKeyCredential updateCredential(String subscriptionKey) { | ||
| this.subscriptionKey = subscriptionKey; |
There was a problem hiding this comment.
Is this thread safe? Is there a way to guarantee that when modified it updates everywhere?
There was a problem hiding this comment.
I had a few discussions on the thread-safe concern. some believe it is thread-safe. the reason is it is a single atomic assignment. But depends on how you use it, It could be not threaded safe. This is one I am not sure yet. I will give you an update once finalized.
There was a problem hiding this comment.
In the pipeline policy, it is fetched, so it's possible that the policy picks up a different value than the one that is set. This is not thread safe.
...src/main/java/com/azure/ai/textanalytics/implementation/SubscriptionKeyCredentialPolicy.java
Outdated
Show resolved
Hide resolved
.../src/main/java/com/azure/ai/textanalytics/models/TextAnalyticsSubscriptionKeyCredential.java
Outdated
Show resolved
Hide resolved
...i-textanalytics/src/test/java/com/azure/ai/textanalytics/TextAnalyticsClientBuilderTest.java
Outdated
Show resolved
Hide resolved
.../src/main/java/com/azure/ai/textanalytics/models/TextAnalyticsSubscriptionKeyCredential.java
Outdated
Show resolved
Hide resolved
|
Looking at the
Looking at the authentication model for text analytics, a subscription key is passed via header and that's it (it acts as the access token). Currently, in Azure Identity there is no support to rotate any of the credentials it supports. The credential needs to be restarted. |
This was the main point of my request - I do not want this API to be evolving separately than azure-identity intends to evolve, and would therefore like consideration about whether there is any reconciliation that needs to go on here. |
...re-ai-textanalytics/src/main/java/com/azure/ai/textanalytics/TextAnalyticsClientBuilder.java
Outdated
Show resolved
Hide resolved
...re-ai-textanalytics/src/main/java/com/azure/ai/textanalytics/TextAnalyticsClientBuilder.java
Outdated
Show resolved
Hide resolved
| * @return the {@link TextAnalyticsSubscriptionKeyCredential} itself | ||
| */ | ||
| public TextAnalyticsSubscriptionKeyCredential updateCredential(String subscriptionKey) { | ||
| this.subscriptionKey = subscriptionKey; |
There was a problem hiding this comment.
In the pipeline policy, it is fetched, so it's possible that the policy picks up a different value than the one that is set. This is not thread safe.
I think it would be better to have a rotating credential (either manual or on some cadence, etc.) of sorts in azure-identity. We want to support rotating credentials in Event Hubs, too. |
Some of the other cognitive services support getting a bearer token from an STS in addition to passing the subscription key. TextAnalytics doesn't currently support this, which is part of why we're scoping this type to TA-only. |
…into RotateSubscriptionKey
…into RotateSubscriptionKey
| .subscriptionKey("{subscription_key}") | ||
| .endpoint("https://{servicename}.cognitiveservices.azure.com/") | ||
| .subscriptionKey(new TextAnalyticsSubscriptionKeyCredential("{subscription_key}")) | ||
| .endpoint("{endpoint}") |
There was a problem hiding this comment.
Why the change to {endpoint}? It is more clear what the string should look like with the last change.
There was a problem hiding this comment.
Based on what Mariana point out here: #7596 (comment)
The subscription key could apply to both Cognitive Subscription Key or Text Analytics Subscription key.
| public void nullAADCredential() { | ||
| assertThrows(NullPointerException.class, () -> { | ||
| final TextAnalyticsClientBuilder builder = new TextAnalyticsClientBuilder(); | ||
| builder.endpoint(getEndpoint()).credential(null).buildClient(); |
There was a problem hiding this comment.
Generally, you try to limit the scope of your assertion. How do you know it threw in credential(null) and not buildclient()?
This goes for all the other tests that do the same.
// arrange
final TextAnalyticsClientBuilder builder = new TextAnalyticsClientBuilder();
// Act & Assert
assertThrows(NullPointerException.class, () -> builder.credential(null));There was a problem hiding this comment.
Make sense. I will update it.
|
|
||
| <!-- embedme ./src/samples/java/com/azure/ai/textanalytics/ReadmeSamples.java#L174-L180 --> | ||
| ```java | ||
| TextAnalyticsSubscriptionKeyCredential credential = new TextAnalyticsSubscriptionKeyCredential("{expired_subscription_key}"); |
There was a problem hiding this comment.
I wouldn't call it expired_subscription_key as it might give the wrong message to people when creating the client.
it could be just subscription_key, and leave new_subscription_key
|
@JonathanGiles Sorry. No for your question. I will follow up with vinay and scott for further improvement and open a new PR if needed. |
Add the ability to rotate the subscription key.
In addition, increase test coverage to TextAnalyticsClientBuilder.
Fixes: #7390