工作区身份验证:多个令牌与条件匹配
Posted
技术标签:
【中文标题】工作区身份验证:多个令牌与条件匹配【英文标题】:Workspace Authentication: More than one token matches the criteria 【发布时间】:2020-09-27 08:50:40 【问题描述】:在使用 Azure 计算实例并尝试从 Jupyter 实验室连接到工作区时,我经常遇到问题。
使用 InteractiveLoginAuthentication 我收到以下消息:
AuthenticationException: AuthenticationException:
Message: Could not retrieve user token. Please run 'az login'
InnerException More than one token matches the criteria. The result is ambiguous.
ErrorResponse
"error":
"code": "UserError",
"inner_error":
"code": "Authentication"
,
"message": "Could not retrieve user token. Please run 'az login'"
使用服务主体(SP 是 ML 工作区中的所有者):
WorkspaceException: WorkspaceException:
Message: No workspaces found with name=xxx in all the subscriptions that you have access to.
InnerException None
ErrorResponse
"error":
"message": "No workspaces found with name=xxx in all the subscriptions that you have access to."
我在不同的订阅中有另一个工作区,我可以通过将租户作为 InteractiveLoginAuthentication 的额外输入来解决它。这一次,没有机会了。
不过,有趣的是,我可以在本地计算机上通过 InteractiveLoginAuthentication 登录到工作区。
我怀疑某些旧令牌缓存在某处,因此我尝试使用浏览器的“私人浏览”功能。此外,我删除了/home/azureuser/.azure/accessTokens.json,但没有效果。
也许你们中的一些人以前遇到过这个问题并且有一个想法?
作为参考,我检查了一些网站:
https://docs.microsoft.com/en-us/azure/machine-learning/how-to-setup-authentication https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/manage-azureml-service/authentication-in-azureml/authentication-in-azureml.ipynb https://github.com/Azure/azure-cli/issues/4618 https://github.com/Azure/azure-cli/issues/6147更新
当我运行这段代码时:
from azureml.core.authentication import InteractiveLoginAuthentication
interactive_auth = InteractiveLoginAuthentication(tenant_id='xxx')
ws = Workspace.get(name='xxx',
subscription_id='xxx',
resource_group='xxx',
auth=interactive_auth)
我得到以下跟踪:
---------------------------------------------------------------------------
AdalError Traceback (most recent call last)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
1820 auth, _, _ = profile_object.get_login_credentials(resource)
-> 1821 access_token = auth._token_retriever()[1]
1822 if (_get_exp_time(access_token) - time.time()) < _TOKEN_REFRESH_THRESHOLD_SEC:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in _retrieve_token()
525 return self._creds_cache.retrieve_token_for_user(username_or_sp_id,
--> 526 account[_TENANT_ID], resource)
527 use_cert_sn_issuer = account[_USER_ENTITY].get(_SERVICE_PRINCIPAL_CERT_SN_ISSUER_AUTH)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in retrieve_token_for_user(self, username, tenant, resource)
889 context = self._auth_ctx_factory(self._cloud_type, tenant, cache=self.adal_token_cache)
--> 890 token_entry = context.acquire_token(resource, username, _CLIENT_ID)
891 if not token_entry:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in acquire_token(self, resource, user_id, client_id)
144
--> 145 return self._acquire_token(token_func)
146
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in _acquire_token(self, token_func, correlation_id)
127 self.authority.validate(self._call_context)
--> 128 return token_func(self)
129
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in token_func(self)
142 token_request = TokenRequest(self._call_context, self, client_id, resource)
--> 143 return token_request.get_token_from_cache_with_refresh(user_id)
144
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in get_token_from_cache_with_refresh(self, user_id)
346 self._user_id = user_id
--> 347 return self._find_token_from_cache()
348
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in _find_token_from_cache(self)
126 cache_query = self._create_cache_query()
--> 127 return self._cache_driver.find(cache_query)
128
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in find(self, query)
195 "query": log.scrub_pii(query))
--> 196 entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
197 if entry:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in _load_single_entry_from_cache(self, query)
123 else:
--> 124 raise AdalError('More than one token matches the criteria. The result is ambiguous.')
125
AdalError: More than one token matches the criteria. The result is ambiguous.
During handling of the above exception, another exception occurred:
AuthenticationException Traceback (most recent call last)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in wrapper(self, *args, **kwargs)
288 module_logger.debug(" acquired lock in s.".format(type(self).__name__, duration))
--> 289 return test_function(self, *args, **kwargs)
290 except Exception as e:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token(self)
474 else:
--> 475 return self._get_arm_token_using_interactive_auth()
476
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_using_interactive_auth(self, force_reload, resource)
589 arm_token = _get_arm_token_with_refresh(profile_object, cloud_type, ACCOUNT, CONFIG, SESSION,
--> 590 get_config_dir(), force_reload=force_reload, resource=resource)
591 # If a user has specified a tenant id then we need to check if this token is for that tenant.
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in connection_aborted_wrapper(*args, **kwargs)
325 try:
--> 326 return function(*args, **kwargs)
327 except AuthenticationException as e:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
1829 raise AuthenticationException("Could not retrieve user token. Please run 'az login'",
-> 1830 inner_exception=e)
1831
AuthenticationException: AuthenticationException:
Message: Could not retrieve user token. Please run 'az login'
InnerException More than one token matches the criteria. The result is ambiguous.
ErrorResponse
"error":
"code": "UserError",
"inner_error":
"code": "Authentication"
,
"message": "Could not retrieve user token. Please run 'az login'"
During handling of the above exception, another exception occurred:
AdalError Traceback (most recent call last)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
1820 auth, _, _ = profile_object.get_login_credentials(resource)
-> 1821 access_token = auth._token_retriever()[1]
1822 if (_get_exp_time(access_token) - time.time()) < _TOKEN_REFRESH_THRESHOLD_SEC:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in _retrieve_token()
525 return self._creds_cache.retrieve_token_for_user(username_or_sp_id,
--> 526 account[_TENANT_ID], resource)
527 use_cert_sn_issuer = account[_USER_ENTITY].get(_SERVICE_PRINCIPAL_CERT_SN_ISSUER_AUTH)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in retrieve_token_for_user(self, username, tenant, resource)
889 context = self._auth_ctx_factory(self._cloud_type, tenant, cache=self.adal_token_cache)
--> 890 token_entry = context.acquire_token(resource, username, _CLIENT_ID)
891 if not token_entry:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in acquire_token(self, resource, user_id, client_id)
144
--> 145 return self._acquire_token(token_func)
146
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in _acquire_token(self, token_func, correlation_id)
127 self.authority.validate(self._call_context)
--> 128 return token_func(self)
129
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in token_func(self)
142 token_request = TokenRequest(self._call_context, self, client_id, resource)
--> 143 return token_request.get_token_from_cache_with_refresh(user_id)
144
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in get_token_from_cache_with_refresh(self, user_id)
346 self._user_id = user_id
--> 347 return self._find_token_from_cache()
348
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in _find_token_from_cache(self)
126 cache_query = self._create_cache_query()
--> 127 return self._cache_driver.find(cache_query)
128
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in find(self, query)
195 "query": log.scrub_pii(query))
--> 196 entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
197 if entry:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in _load_single_entry_from_cache(self, query)
123 else:
--> 124 raise AdalError('More than one token matches the criteria. The result is ambiguous.')
125
AdalError: More than one token matches the criteria. The result is ambiguous.
During handling of the above exception, another exception occurred:
AuthenticationException Traceback (most recent call last)
<ipython-input-2-fd1276999d15> in <module>
5 subscription_id='00c983e5-d766-480b-be75-abf95d1a46c3',
6 resource_group='BusinessIntelligence',
----> 7 auth=interactive_auth)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in get(name, auth, subscription_id, resource_group)
547
548 result_dict = Workspace.list(
--> 549 subscription_id, auth=auth, resource_group=resource_group)
550 result_dict = k.lower(): v for k, v in result_dict.items()
551 name = name.lower()
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in list(subscription_id, auth, resource_group)
637 elif subscription_id and resource_group:
638 workspaces_list = Workspace._list_legacy(
--> 639 auth, subscription_id=subscription_id, resource_group_name=resource_group)
640
641 Workspace._process_autorest_workspace_list(
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in _list_legacy(auth, subscription_id, resource_group_name, ignore_error)
1373 return None
1374 else:
-> 1375 raise e
1376
1377 @staticmethod
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in _list_legacy(auth, subscription_id, resource_group_name, ignore_error)
1367 # azureml._base_sdk_common.workspace.models.workspace.Workspace
1368 workspace_autorest_list = _commands.list_workspace(
-> 1369 auth, subscription_id=subscription_id, resource_group_name=resource_group_name)
1370 return workspace_autorest_list
1371 except Exception as e:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_project/_commands.py in list_workspace(auth, subscription_id, resource_group_name)
386 if resource_group_name:
387 list_object = WorkspacesOperations.list_by_resource_group(
--> 388 auth._get_service_client(AzureMachineLearningWorkspaces, subscription_id).workspaces,
389 resource_group_name)
390 workspace_list = list_object.value
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_service_client(self, client_class, subscription_id, subscription_bound, base_url)
155 # in the multi-tenant case, which causes confusion.
156 if subscription_id:
--> 157 all_subscription_list, tenant_id = self._get_all_subscription_ids()
158 self._check_if_subscription_exists(subscription_id, all_subscription_list, tenant_id)
159
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_all_subscription_ids(self)
497 :rtype: list, str
498 """
--> 499 arm_token = self._get_arm_token()
500 return self._get_all_subscription_ids_internal(arm_token)
501
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in wrapper(self, *args, **kwargs)
293 InteractiveLoginAuthentication(force=True, tenant_id=self._tenant_id)
294 # Try one more time
--> 295 return test_function(self, *args, **kwargs)
296 else:
297 raise e
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token(self)
473 return self._ambient_auth._get_arm_token()
474 else:
--> 475 return self._get_arm_token_using_interactive_auth()
476
477 @_login_on_failure_decorator(_interactive_auth_lock)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_using_interactive_auth(self, force_reload, resource)
588 profile_object = Profile(async_persist=False, cloud_type=cloud_type)
589 arm_token = _get_arm_token_with_refresh(profile_object, cloud_type, ACCOUNT, CONFIG, SESSION,
--> 590 get_config_dir(), force_reload=force_reload, resource=resource)
591 # If a user has specified a tenant id then we need to check if this token is for that tenant.
592 if self._tenant_id and fetch_tenantid_from_aad_token(arm_token) != self._tenant_id:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in connection_aborted_wrapper(*args, **kwargs)
324 while True:
325 try:
--> 326 return function(*args, **kwargs)
327 except AuthenticationException as e:
328 if "Connection aborted." in str(e) and attempt <= retries:
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
1828 if not token_about_to_expire:
1829 raise AuthenticationException("Could not retrieve user token. Please run 'az login'",
-> 1830 inner_exception=e)
1831
1832 try:
AuthenticationException: AuthenticationException:
Message: Could not retrieve user token. Please run 'az login'
InnerException More than one token matches the criteria. The result is ambiguous.
ErrorResponse
"error":
"code": "UserError",
"inner_error":
"code": "Authentication"
,
"message": "Could not retrieve user token. Please run 'az login'"
azureml-sdk 在版本 1.9.0
我可以从本地计算机连接身份验证。仅当我想处理计算实例时才会出现问题。
【问题讨论】:
【参考方案1】:好的,答案如下:
您在 Azure 上的 A 公司工作。 您可以访问公司 B 的订阅。 问题是:您在 ML-Studio 中与 A 的 AAD 相关联。 您需要在InteractiveLoginAuthentication 中指定租户ID,如下所示:
interactive_auth = InteractiveLoginAuthentication(tenant_id=tenant_id)
workspace = Workspace.get(name=workspace_name,
subscription_id=subscription_id,
resource_group=resource_group,
auth=interactive_auth)
tenant_id(我一直使用 A 公司的,因为我认为那是我的身份验证点)
当然,这在您阅读时是显而易见的……就像现在对我一样 :)
希望这对您有所帮助。花了我一些时间,但学到了很多;)
【讨论】:
请问如何获取tenant_id?这是否涉及天蓝色广告?我在浏览器中创建了一个工作区,但有类似的问题(虽然我使用 R)。谢谢。【参考方案2】:我遇到了同样的问题,下面的代码采用租户 ID 并使用 AZURE ML SDK 的交互式身份验证工作正常。
import os
import azureml
from azureml.core import Workspace
from azureml.core.authentication import InteractiveLoginAuthentication
interactive_auth = InteractiveLoginAuthentication(tenant_id=" ")
ws = Workspace(subscription_id="",
resource_group="",
workspace_name="",
auth=interactive_auth)
print("Found workspace at location ".format(ws.name, ws.location))
以下是我建议您尝试的另外两种方法:
从 Azure shell 设置租户 ID 并跳过“auth”参数到 Workspace(...)
az 帐号设置 -s **********
az account set -s ********** 和 python SDK 代码将是
从 azureml.core.authentication 导入 AzureCliAuthentication
cli_auth = AzureCliAuthentication()
将 cli_auth 传递给 auth 参数而不是交互式登录对象
【讨论】:
感谢您的回答。除了az account set -s ********** 之外,尝试了所有组合到一个 ServicePrincipal,将尝试。【参考方案3】:
这通常有两个原因:
您的令牌不适用于正确的租户。在这种情况下,您需要传递包含您的工作区的订阅的tenantId。 ServicePrincipalAuthentication 类将 tenanatId 作为参数。确保传递正确的值。
该订阅中的工作区的名称带有大写字母。这是大约三个月前修复的 SDK 端错误。确保您使用的是最新的 SDK。
你能分享你正在使用的 SDK 版本吗?此外,以下错误是否仅发生在计算实例中,或者即使您从不同的机器上运行 SDK 也会发生?
工作区异常:工作区异常: 消息:在您有权访问的所有订阅中找不到名称=xxx 的工作区。 内部异常无 错误响应 “错误”: "message": "在您有权访问的所有订阅中没有找到 name=xxx 的工作区。"
示例代码 sn-p 以及完整的堆栈跟踪可能有助于我们更好地调查此问题。
【讨论】:
嘿,抱歉耽搁了。它只发生在计算实例中。当我在本地机器上执行此操作时,我可以完美地连接和验证。 用更多细节和完整跟踪更新了我的问题。 是的,工作区名称有几个大写字母。以上是关于工作区身份验证:多个令牌与条件匹配的主要内容,如果未能解决你的问题,请参考以下文章
身份验证控制器中的 Laravel 5.2 Web 中间件导致 csrf 令牌不匹配
Spring Boot with Spring Boot:将基本身份验证与JWT令牌身份验证相结合[复制]
如何使 Django REST JWT 身份验证与多个 Web 服务器一起扩展?