Fabric Entra Id Auth Integration (#45890)

* fix flaky test with endLSN

* fix flaky test with endLSN

* account data resolver fabric

* move account data resolver to other project

* revert unrelated changes

* Changed pom file to work for spark 3.4 or 3.5, updated readme, removed logging for empty response

* update changelog

* update README.md

* fix tests

* fix analyze

* fix analyze

* fix analyze

* fix analyze

* fix analyze

* react to comments

* react to comments

* fix analyze

* removed old line from README

* react to comments

* fix bug where sometimes config key is lowercased

* changes after testing

* revert cosmos pom

* revert cosmos pom

* update dependencies

* update useragent tests

* react to comments

* revert extra line and comma

* react to comments

* fix tests

* Update Readme and react to comments

* fix tests

* depend on current version

* react to comments

* fix tests

* fix tests

* name change

* remove changelog from unrelated runtimes

* revert unnecessary comma

* fix build issue

* fix build issue

* fix build issue

Author: tvaron3

.vscode/cspell.json

@@ -104,6 +104,7 @@
     "sdk/cosmos/azure-cosmos-spark_3-4_2-12/**",
     "sdk/cosmos/azure-cosmos-spark_3-5_2-12/**",
     "sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/**",
+    "sdk/cosmos/fabric-cosmos-spark-auth_3/**",
     "sdk/cosmos/azure-cosmos-encryption/**",
     "sdk/cosmos/azure-cosmos-spark_3_2-12/**",
     "sdk/spring/azure-spring-data-cosmos/**",

eng/.docsettings.yml

@@ -81,6 +81,7 @@ known_content_issues:
   - ['sdk/cosmos/azure-cosmos-spark_3-4_2-12/README.md', '#3113']
   - ['sdk/cosmos/azure-cosmos-spark_3-5_2-12/README.md', '#3113']
   - ['sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/README.md', '#3113']
+  - ['sdk/cosmos/fabric-cosmos-spark-auth_3/README.md', '#3113']
   - ['sdk/cosmos/azure-cosmos-spark_3_2-12/dev/README.md', '#3113']
   - ['sdk/cosmos/azure-cosmos-spark_3_2-12/docs/catalog-api.md', '#3113']
   - ['sdk/cosmos/azure-cosmos-spark_3_2-12/docs/configuration-reference.md', '#3113']

eng/versioning/external_dependencies.txt

@@ -252,6 +252,7 @@ cosmos_org.mpierce.metrics.reservoir:hdrhistogram-metrics-reservoir;1.1.0
 cosmos_org.hdrhistogram:HdrHistogram;2.1.12
 cosmos_com.fasterxml.jackson.core:jackson-databind;2.15.2
 cosmos_com.fasterxml.jackson.module:jackson-module-scala_2.12;2.15.2
+cosmos_com.microsoft.azure.synapse:synapseutils_2.12;1.5.4
 
 ## Cosmos Spark connector under sdk\cosmos\azure-cosmos-spark_3-<version>_2-12\pom.xml
 # Cosmos Spark connector runtime dependencies - provided by Spark runtime/host

eng/versioning/version_client.txt

@@ -110,6 +110,7 @@ com.azure.cosmos.spark:azure-cosmos-spark_3-3_2-12;4.37.2;4.38.0-beta.1
 com.azure.cosmos.spark:azure-cosmos-spark_3-4_2-12;4.37.2;4.38.0-beta.1
 com.azure.cosmos.spark:azure-cosmos-spark_3-5_2-12;4.37.2;4.38.0-beta.1
 com.azure.cosmos.spark:azure-cosmos-spark-account-data-resolver-sample;1.0.0-beta.1;1.0.0-beta.1
+com.azure.cosmos.spark:fabric-cosmos-spark-auth_3;1.0.0-beta.1;1.0.0-beta.1
 com.azure:azure-cosmos-test;1.0.0-beta.13;1.0.0-beta.14
 com.azure:azure-cosmos-tests;1.0.0-beta.1;1.0.0-beta.1
 com.azure.cosmos.kafka:azure-cosmos-kafka-connect;2.4.0;2.5.0-beta.1

sdk/cosmos/azure-cosmos-encryption/README.md

@@ -43,10 +43,10 @@ A few important properties are defined at the level of the container, among them
 
 ## Examples
 The following section provides several code snippets covering some of the most common Cosmos Encryption API tasks, including:
-* [Create Cosmos Encryption Client](#create-cosmos-encryption-client "Create Cosmos Encryption Client")
-* [Create Cosmos Encryption Database](#create-cosmos-encryption-database "Create Encryption Database")
-* [Create Encryption Container](#create-cosmos-encryption-container "Create Encryption Container")
-* [CRUD operation on Items](#crud-operation-on-items "CRUD operation on Items")
+* [Create Cosmos Encryption Client](#create-cosmos-encryption-client)
+* [Create Cosmos Encryption Database](#create-cosmos-encryption-database)
+* [Create Encryption Container](#create-cosmos-encryption-container)
+* [CRUD operation on Items](#crud-operation-on-items)
 
 ### Create Cosmos Encryption Client
 
@@ -225,6 +225,3 @@ or contact [[email protected]][coc_contact] with any additional questions o
 [sql_api_query]: https://learn.microsoft.com/azure/cosmos-db/sql-api-sql-query
 [getting_started_encryption]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-cosmos-encryption/src/samples/java/com/azure/cosmos/encryption/
 [quickstart]: https://learn.microsoft.com/azure/cosmos-db/create-sql-api-java?tabs=sync
-
-
-

sdk/cosmos/azure-cosmos-spark_3-5_2-12/CHANGELOG.md

@@ -9,6 +9,7 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Added compatibility with CosmosDB Fabric Native Accounts using the `FabricAccountDataResolver` for authentication. - See [PR 45890](https://github.com/Azure/azure-sdk-for-java/pull/45890)
 
 ### 4.37.2 (2025-05-14)
 

sdk/cosmos/azure-cosmos-spark_3_2-12/docs/AAD-Auth.md

@@ -88,7 +88,7 @@ Due to the fact that support for system managed identities and token/secret APIs
 | `spark.cosmos.account.subscriptionId`         | None        | The `SubscriptionId` of the Azure Cosmos DB account resource specified under `spark.cosmos.accountEndpoint`. This parameter is required for all management operations when using AAD / Microsoft Entra ID authentication.                                          |
 | `spark.cosmos.account.tenantId`               | None        | The `AAD TenantId` of the Azure Cosmos DB account resource specified under `spark.cosmos.accountEndpoint`. This parameter is required for all management operations when using AAD / Microsoft Entra ID authentication.                                            |
 | `spark.cosmos.account.resourceGroupName`      | None        | The  simple resource group name (not the full qualified one) of the Azure Cosmos DB account resource specified under `spark.cosmos.accountEndpoint`. This parameter is required for all management operations when using AAD / Microsoft Entra ID  authentication. |
-| `your.own.custom.property`                    |             | You can add add an duse custom properties for the configuration of your custom `AccountDataResolver` implementation.                                                                                                                                               |
+| `your.own.custom.property`                    |             | You can add and use custom properties for the configuration of your custom `AccountDataResolver` implementation.                                                                                                                                                   |
 
 ### Implementation of a custom `AccountDataResolver`
 

sdk/cosmos/azure-cosmos-spark_3_2-12/src/main/scala/com/azure/cosmos/spark/CosmosClientCache.scala

@@ -157,6 +157,20 @@ private[spark] object CosmosClientCache extends BasicLoggingTrait {
     }
   }
 
+  private def validateAadConfigs(cosmosClientConfiguration: CosmosClientConfiguration): Boolean = {
+    val shouldLog = !(cosmosClientConfiguration.resourceGroupName.isDefined &&
+      cosmosClientConfiguration.subscriptionId.isDefined &&
+      cosmosClientConfiguration.tenantId.isDefined)
+    if (shouldLog) {
+      logWarning(
+        "To create Databases, Containers and other resources in Cosmos DB using Microsoft Entra ID, " +
+          "you need to provide resourceGroupName, subscriptionId and tenantId in the configuration. " +
+          "Otherwise, the Cosmos Catalog will not be able to create resources."
+      )
+    }
+    shouldLog
+  }
+
   private[this] def syncCreate(cosmosClientConfiguration: CosmosClientConfiguration,
                                cosmosClientStateHandle: Option[CosmosClientMetadataCachesSnapshot],
                                ownerInfo: OwnerInfo)
@@ -170,17 +184,20 @@ private[spark] object CosmosClientCache extends BasicLoggingTrait {
         var sparkCatalogClient: CosmosCatalogClient = CosmosCatalogCosmosSDKClient(cosmosAsyncClient)
         // When using AAD auth, cosmos catalog will change to use management sdk instead of cosmos sdk
         cosmosClientConfiguration.authConfig match {
-            case aadAuthConfig: CosmosServicePrincipalAuthConfig =>
-                sparkCatalogClient =
-                    CosmosCatalogManagementSDKClient(
-                        cosmosClientConfiguration.resourceGroupName.get,
-                        cosmosClientConfiguration.databaseAccountName,
-                        createCosmosManagementClient(
-                            cosmosClientConfiguration.subscriptionId.get,
-                            new AzureEnvironment(cosmosClientConfiguration.azureEnvironmentEndpoints),
-                            aadAuthConfig),
-                        cosmosAsyncClient)
-            case managedIdentityAuth: CosmosManagedIdentityAuthConfig =>
+          case aadAuthConfig: CosmosServicePrincipalAuthConfig =>
+            if (!validateAadConfigs(cosmosClientConfiguration)) {
+              sparkCatalogClient =
+                CosmosCatalogManagementSDKClient(
+                  cosmosClientConfiguration.resourceGroupName.get,
+                  cosmosClientConfiguration.databaseAccountName,
+                  createCosmosManagementClient(
+                    cosmosClientConfiguration.subscriptionId.get,
+                    new AzureEnvironment(cosmosClientConfiguration.azureEnvironmentEndpoints),
+                    aadAuthConfig),
+                  cosmosAsyncClient)
+            }
+          case managedIdentityAuth: CosmosManagedIdentityAuthConfig =>
+            if (!validateAadConfigs(cosmosClientConfiguration)) {
               sparkCatalogClient =
                 CosmosCatalogManagementSDKClient(
                   cosmosClientConfiguration.resourceGroupName.get,
@@ -190,7 +207,9 @@ private[spark] object CosmosClientCache extends BasicLoggingTrait {
                     new AzureEnvironment(cosmosClientConfiguration.azureEnvironmentEndpoints),
                     managedIdentityAuth),
                   cosmosAsyncClient)
-            case accessTokenProviderAuth: CosmosAccessTokenAuthConfig =>
+            }
+          case accessTokenProviderAuth: CosmosAccessTokenAuthConfig =>
+            if (!validateAadConfigs(cosmosClientConfiguration)) {
               sparkCatalogClient =
                 CosmosCatalogManagementSDKClient(
                   cosmosClientConfiguration.resourceGroupName.get,
@@ -200,7 +219,8 @@ private[spark] object CosmosClientCache extends BasicLoggingTrait {
                     new AzureEnvironment(cosmosClientConfiguration.azureEnvironmentEndpoints),
                     accessTokenProviderAuth),
                   cosmosAsyncClient)
-            case _ =>
+            }
+          case _ =>
         }
 
         val epochNowInMs = Instant.now.toEpochMilli
@@ -822,7 +842,10 @@ private[spark] object CosmosClientCache extends BasicLoggingTrait {
   private[this] def createCosmosManagementClient(subscriptionId: String,
                                                  azureEnvironment: AzureEnvironment,
                                                  authConfig: CosmosAccessTokenAuthConfig): CosmosManager = {
-    val azureProfile = new AzureProfile(authConfig.tenantId, subscriptionId, azureEnvironment)
+    val tenantId = authConfig.tenantId.getOrElse(
+      throw new IllegalArgumentException("Tenant ID must be provided for CosmosAccessTokenAuthConfig")
+    )
+    val azureProfile = new AzureProfile(tenantId, subscriptionId, azureEnvironment)
 
     CosmosManager.authenticate(createTokenCredential(authConfig), azureProfile)
   }

sdk/cosmos/azure-cosmos-spark_3_2-12/src/main/scala/com/azure/cosmos/spark/CosmosClientConfiguration.scala

@@ -65,6 +65,7 @@ private[spark] object CosmosClientConfiguration {
     if (runtimeInfo.isDefined) {
       applicationName = s"$applicationName|${runtimeInfo.get}"
     }
+    applicationName = applicationName.replace("@", " ")
 
     val customApplicationNameSuffix = cosmosAccountConfig.applicationName
     if (customApplicationNameSuffix.isDefined){

sdk/cosmos/azure-cosmos-spark_3_2-12/src/main/scala/com/azure/cosmos/spark/CosmosConfig.scala

@@ -767,16 +767,6 @@ private object CosmosAccountConfig extends BasicLoggingTrait {
     assert(accountName.isDefined, s"Parameter '${CosmosConfigNames.AccountEndpoint}' is missing.")
     assert(azureEnvironmentOpt.isDefined, s"Parameter '${CosmosConfigNames.AzureEnvironment}' is missing.")
 
-    authConfig match {
-        case _: CosmosServicePrincipalAuthConfig =>
-        case _: CosmosManagedIdentityAuthConfig =>
-        case _: CosmosAccessTokenAuthConfig =>
-            assert(subscriptionIdOpt.isDefined, s"Parameter '${CosmosConfigNames.SubscriptionId}' is missing.")
-            assert(resourceGroupNameOpt.isDefined, s"Parameter '${CosmosConfigNames.ResourceGroupName}' is missing.")
-            assert(tenantIdOpt.isDefined, s"Parameter '${CosmosConfigNames.TenantId}' is missing.")
-        case  _ =>
-    }
-
     if (preferredRegionsListOpt.isDefined) {
       // scalastyle:off null
       var uri : URI = null
@@ -872,7 +862,7 @@ private case class CosmosManagedIdentityAuthConfig( tenantId: String,
                                                      clientId: Option[String],
                                                      resourceId: Option[String]) extends CosmosAuthConfig
 
-private case class CosmosAccessTokenAuthConfig(tenantId: String, tokenProvider: List[String] => CosmosAccessToken)
+private case class CosmosAccessTokenAuthConfig(tenantId: Option[String], tokenProvider: List[String] => CosmosAccessToken)
   extends CosmosAuthConfig
 
 private object CosmosAuthConfig {
@@ -970,7 +960,6 @@ private object CosmosAuthConfig {
                 clientSecret,
                 clientCert)
         } else if (authType.get == CosmosAuthType.AccessToken) {
-          assert(tenantId.isDefined, s"Parameter '${CosmosConfigNames.TenantId}' is missing.")
           val accountDataResolverServiceName : Option[String] = CaseInsensitiveMap(cfg).get(CosmosConfigNames.AccountDataResolverServiceName)
           val accountDataResolver = CosmosConfig.getAccountDataResolver(accountDataResolverServiceName)
           if (accountDataResolver.isEmpty) {
@@ -987,7 +976,7 @@ private object CosmosAuthConfig {
                 "returns an access token provider in the 'getAccessTokenProvider' method.")
           }
 
-          CosmosAccessTokenAuthConfig(tenantId.get, accessTokenProvider.get)
+          CosmosAccessTokenAuthConfig(tenantId, accessTokenProvider.get)
         } else {
           throw new IllegalArgumentException(s"Unknown auth type '${authType.get}'.")
         }