HPCC-36059 Enable copy using Azure API

[jackdelv]

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

[github-actions]

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-36059

Jirabot Action Result:
Workflow Transition To: Merge Pending
Updated PR

[Copilot]

Pull request overview

Enables copying files using the Azure Storage API with Azure Managed Identity support, improving compatibility for remote-storage scenarios and reducing IMDS throttling.

Changes:

• Add a managed-identity flag to IStorageApiInfo and implement it for storage plane config.
• Update Azure API copy to support managed identity (token intent, credential caching, delegation SAS for blob sources) and handle non-distributed source descriptors.
• Add developer documentation for configuring remote storage planes for Azure API copy.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
system/jlib/jplane.cpp	Implements useManagedIdentity() from environment.xml storage config.
system/jlib/jfile.hpp	Extends IStorageApiInfo with managed-identity flag.
devdoc/RemoteStorageUsingAzureAPI.md	Adds setup/configuration guide for Azure API copy with managed identity.
dali/ft/filecopy.ipp	Stores a source IFileDescriptor for non-distributed source handling.
dali/ft/filecopy.cpp	Uses saved descriptor to resolve source plane/path/stripe when IDistributedFile is absent.
common/remote/hooks/azure/azurefile.cpp	Sets ShareTokenIntent when using token auth for Azure Files clients.
common/remote/hooks/azure/azureapiutils.cpp	Caches managed identity credential to avoid repeated IMDS token requests.
common/remote/hooks/azure/azureapi.cpp	Adds managed-identity aware clients, directory creation for Azure Files, delegation SAS generation, and path normalization.

[Copilot]

BlobServiceClient::GetUserDelegationKey is typically the 2-parameter overload (start + expiry). Calling it with only expiresOn is likely to fail to compile (or use an unintended overload if the SDK differs). Use the overload that supplies both startsOn and expiresOn (and consider a small clock-skew buffer for startsOn) to ensure the delegation SAS generation works reliably.

Suggested change

	// Request a delegation key valid for 1 hour
	auto expiresOn = Azure::DateTime(std::chrono::system_clock::now() + std::chrono::hours(1));
	auto userDelegationKey = serviceClient.GetUserDelegationKey(expiresOn).Value;
	// Request a delegation key valid for 1 hour, with a small clock-skew buffer on the start time
	auto now = std::chrono::system_clock::now();
	auto startsOn = Azure::DateTime(now - std::chrono::minutes(5));
	auto expiresOn = Azure::DateTime(now + std::chrono::hours(1));
	auto userDelegationKey = serviceClient.GetUserDelegationKey(startsOn, expiresOn).Value;

[jackdelv]

It uses this overload

/**
     * @brief Retrieves a key that can be used to delegate Active Directory authorization to
     * shared access signatures.
     *
     * @param expiresOn Expiration of the key's validity. The time should be specified in UTC, and
     * will be truncated to second.
     * @param options Optional parameters to execute this function.
     * @param context Context for cancelling long running operations.
     * @return A deserialized UserDelegationKey instance.
     */
    Azure::Response<Models::UserDelegationKey> GetUserDelegationKey(
        const Azure::DateTime& expiresOn,
        const GetUserDelegationKeyOptions& options = GetUserDelegationKeyOptions(),
        const Azure::Core::Context& context = Azure::Core::Context()) const;

[ghalliday]

Thoughts on the clock skew? The idea is that if clocks are out of sync the token will still work as long as they are not too far out of sync,

[jackdelv]

I don't think clock skew would be an issue unless it could be skewed by more than an hour, right?

[ghalliday]

What it is trying to solve is if the time on local computer is slightly ahead of the resource you are requesting:

You request a key which can be used from 15:00:00 to 16:00:00. It is immediately sent to a resource where the time is a second out - 14:59:59. Because the time doesn't fit into the range that is requested it would be refused.

[Copilot]

In the non-distributed source branch, stripe selection depends on @lfnHash. If @lfnHash is not present in the descriptor properties (defaulting to 0), stripe calculation will deterministically pick the wrong device for most files, causing source lookups/copies to fail or read the wrong blob. Consider requiring @lfnHash to be present (throw if missing) or deriving the hash from a reliable identifier available in the descriptor (e.g., logical name) to keep stripe mapping correct.

Suggested change

	unsigned lfnHash = savedSource->queryProperties().getPropInt("@lfnHash");
	unsigned numDevices = storagePlane->numDevices();
	sourceStripeNum = calcStripeNumber(srcPart->queryPartIndex(), lfnHash, numDevices);
	int lfnHash = savedSource->queryProperties().getPropInt("@lfnHash", -1);
	if (lfnHash < 0)
	{
	const char *logicalName = savedSource->queryLogicalName();
	if (isEmptyString(logicalName))
	throw makeStringException(DFSERR_StripeSelectionFailed, "Missing @lfnHash and logical name when determining source stripe");
	lfnHash = (int)hashc((const unsigned char *)logicalName, 0, strlen(logicalName));
	}
	unsigned numDevices = storagePlane->numDevices();
	sourceStripeNum = calcStripeNumber(srcPart->queryPartIndex(), (unsigned)lfnHash, numDevices);

[jackdelv]

Will add fallback to build hash if missing from properties.

[Copilot]

The document uses mixed forms for the striped attribute (striped="true" in the XML example vs striped=1 in the bullet), which could confuse readers copying configuration. Pick one form and keep it consistent with the expected environment.xml schema/examples used elsewhere in the repo.

[jackdelv]

Will change to 1 to be consistent

[github-actions]

🔄 Upmerge Test Results

Status: ✅ All branches merged successfully
PR: #21136 - HPCC-36059 Enable copy using Azure API
Base Branch: candidate-10.0.x
Test Time: 2026-03-24 16:21:44 UTC

✅ Successful Branches (2)

• candidate-10.2.x
• master
  This comment was automatically generated by the upmerge test workflow.

[github-actions]

🔄 Upmerge Test Results

Status: ✅ All branches merged successfully
PR: #21136 - HPCC-36059 Enable copy using Azure API
Base Branch: candidate-10.0.x
Test Time: 2026-03-24 19:19:27 UTC

✅ Successful Branches (2)

• candidate-10.2.x
• master
  This comment was automatically generated by the upmerge test workflow.

[ghalliday]

Comments from a separate copilot review:

1. Critical Bug: Dropped SAS Token in ensureParentDirectories()
   When useManagedIdentity is false, Azure authentication relies on a Shared Access Signature (SAS) token embedded in the URL as a query string.
   In ensureParentDirectories(), dirUrl is built exclusively using the scheme, host, and path components:

This inadvertently drops the query string (parsed.GetQuery()) containing the SAS token from the URL. Consequently, Shares::ShareDirectoryClient(dirUrl, clientOptions) is created without credentials and without a SAS token, causing CreateIfNotExists() to always fail with a 403 Authorization error for non-managed identity flows.

Fix: Extract the query string from the parsed URL and re-append it when instantiating ShareDirectoryClient:

2. Inefficiency: Re-fetching the User Delegation Key
   While the TokenCredential is properly cached to prevent token endpoint rate limiting, generateUserDelegationSas() introduces a new rate-limit risk:

GetUserDelegationKey causes a synchronous blocking network request to the Azure Storage REST API. Because this is called from getCopyClient for every file part, spraying a file with 400 parts will result in 400 redundant, serial HTTP network requests. This will significantly slow down the start of the copy and risk hitting Azure Blob Storage rate limitations.

Fix: A UserDelegationKey is inherently designed to create multiple SAS tokens (valid for up to an hour). It should be cached to reuse across all parts, at minimum scoped to the CAzureApiCopyClient lifetime, or globally cached based on the accountName.

Please review the comments.

[ghalliday]

I wonder if this should be common to jlib. I have a related idea to only try and create the parent directory if a call to create fails. 90% of the time it will already exist.

[jackdelv]

I think only creating parent if create fails would be a good idea.

[ghalliday]

@jakesmith thoughts?
This could probably be a global variable within this module if the associated entries timed out. Something to revisit.

[ghalliday]

Thoughts on the clock skew? The idea is that if clocks are out of sync the token will still work as long as they are not too far out of sync,

[github-actions]

🔄 Upmerge Test Results

Status: ✅ All branches merged successfully
PR: #21136 - HPCC-36059 Enable copy using Azure API
Base Branch: candidate-10.0.x
Test Time: 2026-03-25 20:55:29 UTC

✅ Successful Branches (2)

• candidate-10.2.x
• master
  This comment was automatically generated by the upmerge test workflow.

[ghalliday]

code structure: Whenever you have code which references the same object multiple times it is worth wondering if it should be converted into a method of the object. In this case:

class CreatedDirsCache
{
    bool contains(const char * path) const
    {
        CriticalBlock block(lock);
        return dirs.count(path) != 0;
   }

It is better encapsulated, and allows for cleaner reuse. Same goes for insert logic.

[jackdelv]

Added contains and insert methods

[ghalliday]

How big is a Blobs::Models::UserDelegationKey? As it stands this will clone the object each time it is returned. Should this use a shared pointer?

Do you need to return a pair, or can you use the SignedExpiresOn member of the delegation key?

[jackdelv]

It's not large (5 std::strings and 2 DateTime objects), but could use a shared pointer to avoid copying every time. Also, it doesn't need to return a pair as it can use the SignedExpiresOn member. Will add shared_ptr and remove std::pair.

[ghalliday]

You could use

if (!startsWith(sourcePath, planePrefix))

[jackdelv]

Changed

[ghalliday]

This should really be a member function IFileDescriptor::getFilenameHash(). Possibly better in a separate PR though to avoid holding this up.

[jackdelv]

I agree and could use same logic if lfnHash is missing from properties and build it from the trace name.

[github-actions]

🔄 Upmerge Test Results

Status: ✅ All branches merged successfully
PR: #21136 - HPCC-36059 Enable copy using Azure API
Base Branch: candidate-10.0.x
Test Time: 2026-03-31 19:17:35 UTC

✅ Successful Branches (2)

• candidate-10.2.x
• master
  This comment was automatically generated by the upmerge test workflow.

[ghalliday]

@jackdelv looks very close.
One comment about a thrown exception.
The other question is what did you think about copilot's comment on clock jitter. I think its comment was based on the idea that the clocks could be out of sync, so if it was requested from a node that had a clock that was ahead, and it was then used somewhere where it was behind it could be tagged as invalid.
I don't know if that is an issue or not.

[ghalliday]

Should this throw makeStringExceptionV() instead - so that other items will catch it cleanly?

[github-actions]

🔄 Upmerge Test Results

Status: ✅ All branches merged successfully
PR: #21136 - HPCC-36059 Enable copy using Azure API
Base Branch: candidate-10.0.x
Test Time: 2026-04-13 09:38:07 UTC

✅ Successful Branches (2)

• candidate-10.2.x
• master
  This comment was automatically generated by the upmerge test workflow.

[jackdelv]

@ghalliday I do think the clocks being slightly out of sync could cause issues. I added the StartOn option to back date the key that is created by 5 mins. Also, I added a throw makeStringExceptionV and left the IERRLOG. Was that what you meant?