Azure Data Lake Store uses Azure Active Directory for authentication. Before authoring an application that works with Azure Data Lake Store or Azure Data Lake Analytics, you must first decide how you would like to authenticate your application with Azure Active Directory (Azure AD). The two main options available are:
- End-user authentication
- Service-to-service authentication (this article)
Both these options result in your application being provided with an OAuth 2.0 token, which gets attached to each request made to Azure Data Lake Store or Azure Data Lake Analytics.
This article talks about how create an Azure AD web application for service-to-service authentication. For instructions on Azure AD application configuration for end-user authentication see End-user authentication with Data Lake Store using Azure Active Directory.
- An Azure subscription. See Get Azure free trial.
Step 1: Create an Active Directory web application
Create and configure an Azure AD web application for service-to-service authentication with Azure Data Lake Store using Azure Active Directory. For instructions, see Create an Azure AD application.
While following the instructions at the above link, make sure you select Web App / API for application type, as shown in the screenshot below.
Step 2: Get application id, authentication key, and tenant id
When programmatically logging in, you need the id for your application. If the application runs under its own credentials, you will also need an authentication key.
For instructions on how to retrieve the application ID and authentication key (also called the client secret) for your application, see Get application ID and authentication key.
For instructions on how to retrieve the tenant ID, see Get tenant ID.
Step 3: Assign the Azure AD application to the Azure Data Lake Store account file or folder (only for service-to-service authentication)
- Sign on to the new Azure portal and open the Azure Data Lake Store account that you want to associate with the Azure Active Directory application you created earlier.
In your Data Lake Store account blade, click Data Explorer.
In the Data Explorer blade, click the file or folder for which you want to provide access to the Azure AD application, and then click Access. To configure access to a file, you must click Access from the File Preview blade.
The Access blade lists the standard access and custom access already assigned to the root. Click the Add icon to add custom-level ACLs.
Click the Add icon to open the Add Custom Access blade. In this blade, click Select User or Group, and then in Select User or Group blade, look for the Azure Active Directory application you created earlier. If you have a lot of groups to search from, use the text box at the top to filter on the group name. Click the group you want to add and then click Select.
Click Select Permissions, select the permissions and whether you want to assign the permissions as a default ACL, access ACL, or both. Click OK.
For more information about permissions in Data Lake Store, and Default/Access ACLs, see Access Control in Data Lake Store.
In the Add Custom Access blade, click OK. The newly added group, with the associated permissions, will now be listed in the Access blade.
Step 4: Get the OAuth 2.0 token endpoint (only for Java-based applications)
Sign on to the new Azure portal and click Active Directory from the left pane.
From the left pane, click App registrations.
From the top of the App registrations blade, click Endpoints.
From the list of endpoints, copy the OAuth 2.0 token endpoint.
In this article you created an Azure AD web application and gathered the information you need in your client applications that you author using .NET SDK, Java SDK, etc. You can now proceed to the following articles that talk about how to use the Azure AD web application to first authenticate with Data Lake Store and then perform other operations on the store.
- Get started with Azure Data Lake Store using .NET SDK
- Get started with Azure Data Lake Store using Java SDK
This article walked you through the basic steps needed to get a user principal up and running for your application. You can look at the following articles to get further information: