Skip to content

Feature/storage/bifrost create session#48940

Draft
browndav-msft wants to merge 79 commits intoAzure:feature/storage/bifrostfrom
browndav-msft:feature/storage/bifrost-createSession
Draft

Feature/storage/bifrost create session#48940
browndav-msft wants to merge 79 commits intoAzure:feature/storage/bifrostfrom
browndav-msft:feature/storage/bifrost-createSession

Conversation

@browndav-msft
Copy link
Copy Markdown
Member

@browndav-msft browndav-msft commented Apr 26, 2026

move all commits from bifrost-base/createSession

@browndav-msft
generate base files based on swagger docs
a8e418c
@browndav-msft
create live tests for createSession
92ea65a 
- downgrade blobserviceversion to 2026_04_06
- change AZURE_LIVE_TEST_SERVICE_VERSION to V2026_04_06 in ci.system.properties in azure-storage-common
- create both sync and async
@browndav-msft
add recordings
d90ea8e
@browndav-msft
create new files based on swagger update
5c81715
@browndav-msft
add two params to BlobContainerClient#createSessionWithResponse
dab6ac3
@browndav-msft
add sanitizers for SessionToken and SessionKey to BlobTestBase
06bbceb
@browndav-msft
add recording for createSessionReturnsTokenAndKey
dd12bfd
@browndav-msft
create StorageSessionCredential with isExpired
a201609
@browndav-msft
create BlobSessionClient so that BlobSessionProvider takes it as a de…
ed36a92 
…p instead of ContainersImpl
@browndav-msft
create BlobSEssionClient with tests
183216a
@browndav-msft
add recorings for BlobSessionClient
14d51e5
@browndav-msft
fix BlobContainerAsyncClient to match new swagger, add new recording
cee223e
@browndav-msft
add SessionProvider and SessionProviderTest
53edfce
@browndav-msft
add accountName to BlobSessionClient
ba27517
@browndav-msft
add accountName to StorageSessionCredential and SesionTestHelper
7b1e62f
@browndav-msft
wip
a5033bd
@browndav-msft
change sessionprovider to SEssionTokenCredentialPolicy
651fc0f
@browndav-msft
wip
5173527
@browndav-msft
move session tests from containerapi to blobsessionclienttests
2ae4c4d
@browndav-msft
fix blobsessiontests and add place holder for end-to-end tests in con…
dc0609e 
…tainerapitests
@browndav-msft
add recordings for blobsessionclient
d2f1e0d
@browndav-msft
linting
70b0552
@browndav-msft
refactor cache into separate class so it follows BearerTokenAuthentic…
cf7f3d3 
…ationPolicy + AccessTokenCache pattern
@browndav-msft
add 503 fallback
7954161
@browndav-msft
add tests for udsas, but disabled for now
5427d79
@browndav-msft
refactor createContext to use hardcoded endpoint
cce1e4e
@browndav-msft
add SessionMode and tests for SessionMode
ce166ec
@browndav-msft
add sessionOptions to buildPipeline, add null to builders not using s…
7a5ee36 
…essions
@browndav-msft
move SessionTokenCredentialPolicy ahead of StorageBearerTokenChalleng…
a4c9e43 
…eAuthorizationPolicy
@browndav-msft
fix linting issues
96e2dd7
@browndav-msft
add overloaded oauth in blobtestbase to be able to add sessionoptions
0ef51e6
@browndav-msft
add overloaded getOAuthServiceAsyncClient to be able to pass session …
b7e8243 
…options
@browndav-msft
add custom buildStringToSign to remove 0 from get requests
e54db67
@browndav-msft
readd versions
e7b935c
@browndav-msft
readd ci.system.properties
9d599d7
@browndav-msft
change session options check for null in BuilderHelper which affected…
2cd768c 
… other tests
@browndav-msft
add recordings for create sessions, change time to testResource time
7754d50
@browndav-msft
add requestInspectionPolicy and overloaded getoauth client in base test
d01f8f0
@browndav-msft
fix null sessionsoptions issue
26965a5
@browndav-msft
add fix in storagesessioncredntial for query params
9c5018f
@browndav-msft
add SessionTokenCredPolicy to checks for anonymousAccess
4e90c72
@browndav-msft
remove constructor for BlobSessionClients that uses parse url
c819991
@browndav-msft
linting issues, remove SessionOptions from service methods
a988e5b
@browndav-msft
add comments to policyrefreshNearExpiry test
84061e8
@browndav-msft
fix linting issues
edc4ebe
@browndav-msft
add check for container name
a66b67f
@github-actions github-actions Bot added the Storage Storage Service (Queues, Blobs, Files) label Apr 26, 2026
ibrandes
ibrandes reviewed Apr 26, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ibrandes ibrandes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall, this looks really good! i left a couple comments about future refactoring before its beta release that can be addressed later on down the line. i'd also like to do a deeper dive into some of the caching and credential logic before beta release, but right now, i think it's in a good state for the private drop.

Comment thread ...storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BlobSessionClient.java Outdated
Comment thread sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/models/SessionMode.java
Comment thread ...ain/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicy.java
Comment thread ...b/src/main/java/com/azure/storage/blob/implementation/util/SessionTokenCredentialPolicy.java
Comment thread sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/BlobClientBuilder.java Outdated
: BuilderHelper.buildPipeline(storageSharedKeyCredential, tokenCredential, azureSasCredential, sasToken,
endpoint, retryOptions, coreRetryOptions, logOptions, clientOptions, httpClient, perCallPolicies,
perRetryPolicies, configuration, audience, LOGGER);
perRetryPolicies, configuration, audience, LOGGER, null, null);
Copy link
Copy Markdown
Member

@ibrandes ibrandes Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also for my own knowledge - why don't we pass in sessionOptions here?

Copy link
Copy Markdown
Member Author

@browndav-msft browndav-msft Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sessions are supposed to be container scoped. If we passed sessionOptions to a blob, we wouldn't have any way to set it, so I think we'd have to expose a setter for sessionOptions. But creating a session for a single blob would just be overhead, I think. Unless I'm thinking about this all wrong.

Copy link
Copy Markdown
Member

@gapra-msft gapra-msft Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its a valid scenario to create a session for a single blob. What if you are doing a very large blob download with many buffered download calls?

Copy link
Copy Markdown
Member Author

@browndav-msft browndav-msft Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. I'll read through this and make the change.

Comment thread sdk/storage/azure-storage-blob/src/main/java/com/azure/storage/blob/BlobContainerClient.java
Comment thread ...ure-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BuilderHelper.java Outdated
Comment thread ...ure-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BuilderHelper.java Outdated
Comment thread ...storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BlobSessionClient.java
Comment on lines +40 to +56
Mono<StorageSessionCredential> createSessionAsync() {
CreateSessionConfiguration config
= new CreateSessionConfiguration().setAuthenticationType(AuthenticationType.HMAC);

return azureBlobStorage.getContainers()
.createSessionWithResponseAsync(containerName, config, null, null)
.map(this::toCredential);
}

StorageSessionCredential createSessionSync() {
CreateSessionConfiguration config
= new CreateSessionConfiguration().setAuthenticationType(AuthenticationType.HMAC);

Response<CreateSessionResponse> response = azureBlobStorage.getContainers()
.createSessionWithResponse(containerName, config, null, null, Context.NONE);
return toCredential(response);
}
Copy link
Copy Markdown
Member

@ibrandes ibrandes Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

across this whole feature, there are 3 separate API calls. i think it would be worth it to create a small internal sync and async helper somewhere builds the config and maps the response that is shared by BlobSessionClient and container clients. by doing this, we can potentially avoid diverging code paths by having everything in the same place.

Copy link
Copy Markdown
Member Author

@browndav-msft browndav-msft Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ibrandes should I refactor this now or for the beta?

Comment thread ...b/src/main/java/com/azure/storage/blob/implementation/util/SessionTokenCredentialPolicy.java
* parameter, while in {@link SessionMode#SINGLE_SPECIFIED_CONTAINER} mode);
* {@link AuthStrategy#USE_BEARER_TOKEN} otherwise.
*/
AuthStrategy analyzeRequest(HttpPipelineCallContext context) {
Copy link
Copy Markdown
Member

@ibrandes ibrandes Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also out of scope for this PR, but a refactoring change we should consider before the beta release:

this method was kind of hard to follow, it would be good to extract request eligibility logic from it. the current logic is deterministic and stateless (mode, method, URL shape, comp, container match), so it can live in a small pure utility (e.g., SessionEligibility)

by doing this, it should be easier to do isolated unit testing on it, and if AUTO behavior ever evolves, it will be easier to update.

Copy link
Copy Markdown
Member Author

@browndav-msft browndav-msft Apr 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool. I'll do this for the beta

@ibrandes
Copy link
Copy Markdown
Member

ibrandes commented Apr 27, 2026

/azp run java - storage - ci

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines Bot commented Apr 27, 2026

No pipelines are associated with this pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gapra-msft gapra-msft gapra-msft left review comments

@ibrandes ibrandes ibrandes left review comments

@alzimmermsft alzimmermsft Awaiting requested review from alzimmermsft alzimmermsft will be requested when the pull request is marked ready for review alzimmermsft is a code owner

@gunjansingh-msft gunjansingh-msft Awaiting requested review from gunjansingh-msft gunjansingh-msft will be requested when the pull request is marked ready for review gunjansingh-msft is a code owner

@kyleknap kyleknap Awaiting requested review from kyleknap kyleknap will be requested when the pull request is marked ready for review kyleknap is a code owner

@seanmcc-msft seanmcc-msft Awaiting requested review from seanmcc-msft seanmcc-msft will be requested when the pull request is marked ready for review seanmcc-msft is a code owner

Assignees

No one assigned

Labels

Storage Storage Service (Queues, Blobs, Files)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@browndav-msft @ibrandes @gapra-msft