feat: Add support for Azure Blob Storage and ADLS Gen2 in Hive connector

[mehradpk]

Description

Introduce support for Azure storage backends including Azure Blob Storage (using the wasb:// scheme) and Azure Data Lake Storage Gen2 (using the abfs:// scheme) in the Hive connector.

Key changes:

• Added HiveAzureConfigurationInitializer to inject relevant Azure configurations into Hadoop Configuration

• Introduced HiveAzureConfig to allow catalog-level configuration of Azure properties

• Updated HdfsConfigurationInitializer and HiveConnectorFactory to delegate Azure-specific config setup

• Registered configuration initializer in Hive module

Supports shared key and OAuth2-based authentication.

##Motivation and Context
Several enterprise data lake workloads are hosted on Azure storage platforms. This change allows Presto to directly query data from Azure Blob Storage and ADLS Gen2, bringing Azure compatibility in line with other cloud storage systems like Amazon S3 and Google Cloud Storage.

Impact

• Adds support for Azure cloud storage within the Hive connector

• Introduces new configuration properties under HiveAzureConfig

No breaking changes to existing Hive catalogs or connectors

Test Plan

Test done via Hive Connector.

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

== RELEASE NOTES ==

Hive Connector Changes
* Add support for Azure Blob Storage and Azure Data Lake Storage Gen2 in the Hive connector
* Add support for wasb[s]:// and abfs[s]:// URI schemes
* Add support for shared key and OAuth2 authentication for Azure storage

[prestodb-ci]

@imjalpreet imported this issue as lakehouse/presto #25107

[imjalpreet]

@mehradpk Thank you for the PR, I have taken an initial pass on the PR.

Have you carried out some actual tests with Azure?

[imjalpreet]

nit: this is unused

[mehradpk]

Thank you for reviewing the PR. I have carried out real test with Azure storage account.

The method proxyForHost was unused, so I’ve removed it. It likely came in earlier as part of the ADLS Gen1 support, which has since been removed in this implementation.

[imjalpreet]

As we have already created HiveAzureModule, please re-use that. You can bind it in DeltaConnectorFactory

[mehradpk]

Thanks for the suggestion. I’ve now removed the separate binding and reused the existing HiveAzureModule by binding it in DeltaConnectorFactory as recommended.

[imjalpreet]

Do we allow the same catalog to have both WASB and ABFS configs? Is it supported?

[mehradpk]

Currently, the implementation accepts both WASB and ABFS configs if all their required fields are present. However, there's no specific logic that handles what happens if both are configured — it depends on the Hadoop file system behavior. If we want to restrict using both in a single catalog, I can add a validation check to ensure only one type is configured.

[imjalpreet]

Would you be able to validate what happens if we configure both of them simultaneously? Based on that, we can decide whether or not to restrict this behavior.

[imjalpreet]

Please add a UT for this class

[imjalpreet]

Same here, as we have already created HiveAzureModule, please re-use that. You can bind it in HudiConnectorFactory

[mehradpk]

Updated.

[imjalpreet]

As we have already created HiveAzureModule, please re-use that. You can bind it in InternalIcebergConnectorFactory

[mehradpk]

Code updated.

[imjalpreet]

@mehradpk, can you please help rebase this PR on master? Hadoop Upgrade is merged to master, so we can mark this PR as ready for review. Thanks!

[sourcery-ai]

Reviewer's Guide

Adds Azure Blob Storage (wasb://) and ADLS Gen2 (abfs://) support to the Hive connector by introducing new Azure-specific configuration classes and modules, and integrating them into existing HDFS configuration initializers, connector factories, and tests.

Class diagram for updated HdfsConfigurationInitializer and connector factories

classDiagram
    class HdfsConfigurationInitializer {
        -AzureConfigurationInitializer azureConfigurationInitialize
        +HdfsConfigurationInitializer(..., AzureConfigurationInitializer)
        +updateConfiguration(Configuration)
    }
    HdfsConfigurationInitializer o-- AzureConfigurationInitializer

    class HiveConnectorFactory {
        +create(...)
    }
    HiveConnectorFactory --> HiveAzureModule

    class HiveAzureModule {
        +setup(Binder)
    }
    HiveAzureModule --> HiveAzureConfig
    HiveAzureModule --> HiveAzureConfigurationInitializer

    class IcebergNativeCatalogFactory {
        -AzureConfigurationInitializer azureConfigurationInitialize
        +IcebergNativeCatalogFactory(..., AzureConfigurationInitializer)
        +getHadoopConfiguration()
    }
    IcebergNativeCatalogFactory o-- AzureConfigurationInitializer

    class IcebergNessieCatalogFactory {
        +IcebergNessieCatalogFactory(..., AzureConfigurationInitializer)
    }
    IcebergNessieCatalogFactory o-- AzureConfigurationInitializer

    class IcebergRestCatalogFactory {
        +IcebergRestCatalogFactory(..., AzureConfigurationInitializer)
    }
    IcebergRestCatalogFactory o-- AzureConfigurationInitializer

Loading

File-Level Changes

Change	Details	Files
Introduce Azure configuration and initialization classes	Define HiveAzureConfig for wasb and abfs account, key, and OAuth2 properties Create AzureConfigurationInitializer interface Implement HiveAzureConfigurationInitializer to apply Azure settings to Hadoop Configuration Add HiveAzureModule for Guice binding of Azure config and initializer	HiveAzureConfig.java AzureConfigurationInitializer.java HiveAzureConfigurationInitializer.java HiveAzureModule.java
Extend HDFS and Iceberg initializers to include Azure setup	Add azureConfigurationInitialize parameter to HdfsConfigurationInitializer and Iceberg configuration constructors Invoke azureConfigurationInitialize.updateConfiguration in updateConfiguration methods Propagate Azure initializer through IcebergNativeCatalogFactory, IcebergNessieCatalogFactory, IcebergRestCatalogFactory	HdfsConfigurationInitializer.java IcebergNativeCatalogFactory.java IcebergNessieCatalogFactory.java IcebergRestCatalogFactory.java
Register Azure module in connector factories	Include HiveAzureModule in DeltaConnectorFactory, HiveConnectorFactory, HudiConnectorFactory, and InternalIcebergConnectorFactory chains Bind AzureConfigurationInitializer through HiveConnectorFactory setup	DeltaConnectorFactory.java HiveConnectorFactory.java HudiConnectorFactory.java InternalIcebergConnectorFactory.java
Update tests to inject Azure initializer	Modify HiveTestUtils to instantiate HiveAzureConfigurationInitializer Update Iceberg and Hive file system tests to pass azure initializer where HdfsConfigurationInitializer is constructed	HiveTestUtils.java TestIcebergSmokeHadoop.java TestIcebergSmokeOnS3Hadoop.java TestIcebergSmokeNessie.java TestIcebergSmokeRest.java TestIcebergSmokeRestNestedNamespace.java AbstractTestHiveFileSystemS3.java S3SelectTestHelper.java IcebergDistributedTestBase.java

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `presto-hive/src/main/java/com/facebook/presto/hive/azure/HiveAzureConfigurationInitializer.java:72-77` </location>
<code_context>
+            config.set("fs.abfs.impl", AzureBlobFileSystem.class.getName());
+        }
+
+        if (abfsOAuthClientEndpoint.isPresent() && abfsOAuthClientId.isPresent() && abfsOAuthClientSecret.isPresent()) {
+            config.set(format("fs.azure.account.auth.type.%s.dfs.core.windows.net", abfsStorageAccount.get()), "OAuth");
+            config.set("fs.azure.account.oauth.provider.type", "org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider");
+            config.set(format("fs.azure.account.oauth2.client.endpoint.%s.dfs.core.windows.net", abfsStorageAccount.get()), abfsOAuthClientEndpoint.get());
+            config.set(format("fs.azure.account.oauth2.client.id.%s.dfs.core.windows.net", abfsStorageAccount.get()), abfsOAuthClientId.get());
+            config.set(format("fs.azure.account.oauth2.client.secret.%s.dfs.core.windows.net", abfsStorageAccount.get()), abfsOAuthClientSecret.get());
+        }
+
</code_context>

<issue_to_address>
**issue (bug_risk):** Potential NPE if abfsStorageAccount is not present when setting OAuth config.

Please add an explicit check to ensure abfsStorageAccount is present before calling get(), or include it in the earlier checkArgument for OAuth parameters to prevent a NullPointerException.
</issue_to_address>

### Comment 2
<location> `presto-hive/src/main/java/com/facebook/presto/hive/azure/HiveAzureConfigurationInitializer.java:67-70` </location>
<code_context>
+
+        if (abfsAccessKey.isPresent() && abfsStorageAccount.isPresent()) {
+            config.set(format("fs.azure.account.key.%s.dfs.core.windows.net", abfsStorageAccount.get()), abfsAccessKey.get());
+            config.set("fs.abfs.impl", AzureBlobFileSystem.class.getName());
+        }
+
</code_context>

<issue_to_address>
**suggestion:** Setting 'fs.abfs.impl' may override user configuration.

Check if 'fs.abfs.impl' is already set in the configuration before assigning it, or clearly document that this will override any existing value.

```suggestion
        if (abfsAccessKey.isPresent() && abfsStorageAccount.isPresent()) {
            config.set(format("fs.azure.account.key.%s.dfs.core.windows.net", abfsStorageAccount.get()), abfsAccessKey.get());
            if (config.get("fs.abfs.impl") == null) {
                config.set("fs.abfs.impl", AzureBlobFileSystem.class.getName());
            }
        }
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[steveburnett]

Should any documentation be added? Perhaps some examples? https://github.com/prestodb/presto/blob/master/presto-docs/src/main/sphinx/connector/hive.rst

[mehradpk]

Should any documentation be added? Perhaps some examples? https://github.com/prestodb/presto/blob/master/presto-docs/src/main/sphinx/connector/hive.rst

Yes, documentation should be updated. Since ADLS support is being added, we should document the required configuration properties (e.g., fs.azure.account.key, fs.azure.account.auth.type, etc.), how users can enable it, and any limitations.

I can add a new subsection under the Hive connector.

[sourcery-ai]

New security issues found

[mehradpk]

@imjalpreet All changes addressed. Re-requested review but it may not have triggered properly - could you please review the changes?

@steveburnett Documentation has been added, Could you please review?

[steveburnett]

Thanks for the doc! The content looks good, but there are several formatting errors.

You might find https://github.com/prestodb/presto/tree/master/presto-docs#building-the-documentation and https://github.com/prestodb/presto/tree/master/presto-docs#viewing-the-documentation helpful to run local doc builds and test your documentation format locally.

[steveburnett]

Suggested change

	Configure Azure storage access in your catalog properties file (e.g., ``etc/catalog/hive.properties``).
	Configure Azure storage access in your catalog properties file, such as in ``etc/catalog/hive.properties``.

Avoid Latin abbreviations. See the GitLab documentation style guide recommended word list entry for e.g. for alternatives. I've suggested one alternative here, please revise it if a different alternative fits better.

[mehradpk]

fixed

[steveburnett]

The table in lines 737-757 isn't displaying in the local doc build. See screenshot.

[steveburnett]

suffix should not be within the formatting ticks

[steveburnett]

suffix should not be within the formatting ticks

[steveburnett]

line 765 should be part of the list item above it. See screenshot for how it currently displays in a local doc build.

[steveburnett]

Suggested change

	^^^^^^^^^^
	^^^^^^^^^^^^^^

[steveburnett]

The unordered lists in Authentication Errors, Connection Errors, and Path Errors have formatting errors.

[mehradpk]

fixed all doc related issues.

[imjalpreet]

Thank you, @mehradpk. I finished another round of review. It mostly looks good now, with some minor suggestions.

[imjalpreet]

nit: unrelated, please revert

[mehradpk]

done

[imjalpreet]

Suggested change

	if (wasbAccessKey.isPresent() || wasbStorageAccount.isPresent()) {
	checkArgument(
	wasbAccessKey.isPresent() && wasbStorageAccount.isPresent(),
	"If WASB storage account or access key is set, both must be set");
	}
	checkArgument(
	wasbAccessKey.isPresent() == wasbStorageAccount.isPresent(),
	"If WASB storage account or access key is set, both must be set");

[mehradpk]

updated

[imjalpreet]

abfsStorageAccount.isPresent() is missing in the if condition

[mehradpk]

Refactored this piece of code to handle all scenarios. Previously, including abfsStorageAccount in the OAuth check can result in error if a user intended to use only the access key. Now the code separately validates - access key and OAuth.

[imjalpreet]

Would you be able to validate what happens if we configure both of them simultaneously? Based on that, we can decide whether or not to restrict this behavior.

[imjalpreet]

abfsStorageAccount.isPresent() check is missing here as well

[mehradpk]

added.

[imjalpreet]

We don't need to use AbstractConfigurationAwareModule here, as we are not binding based on the value of any configuration.

You can implement com.google.inject.Module

[mehradpk]

updated

[imjalpreet]

nit: remove commented code

[imjalpreet]

nit: remove commented code

[imjalpreet]

nit: remove commented code

[imjalpreet]

nit: remove commented code

[mehradpk]

@imjalpreet #25107 (comment) --> Yes.

After testing the behavior of the HiveAzureConfigurationInitializer with different configurations:

• ABFS + WASB together: This works perfectly fine. The two are independent, as their configuration properties and endpoints are separate, so having both configured does not cause any issues.

• ABFS - OAuth + AccessKey together: If both are configured, OAuth takes precedence over AccessKey at runtime. But, there’s no fallback to AccessKey if OAuth authentication credentials are not valid, the operation will fail.

[steveburnett]

LGTM! (docs)

Pull updated branch, new local doc build. Looks good, thanks!