3

在使用 Azure 计算实例并尝试从 Jupyter 实验室连接到工作区时,我经常遇到问题。

使用 InteractiveLoginAuthentication 我收到以下消息:

AuthenticationException: AuthenticationException:
    Message: Could not retrieve user token. Please run 'az login'
    InnerException More than one token matches the criteria. The result is ambiguous.
    ErrorResponse 
{
    "error": {
        "code": "UserError",
        "inner_error": {
            "code": "Authentication"
        },
        "message": "Could not retrieve user token. Please run 'az login'"
    }
}

使用服务主体(SP 是 ML 工作区中的所有者):

WorkspaceException: WorkspaceException:
    Message: No workspaces found with name=xxx in all the subscriptions that you have access to.
    InnerException None
    ErrorResponse 
{
    "error": {
        "message": "No workspaces found with name=xxx in all the subscriptions that you have access to."
    }
}

我在不同的订阅中有另一个工作区,我可以通过将租户作为 InteractiveLoginAuthentication 的额外输入来解决它。这一次,没有机会了。

不过,有趣的是,当我从本地计算机上登录时,我可以通过 InteractiveLoginAuthentication 登录到工作区。

我怀疑某些旧令牌缓存在某处,因此我尝试使用浏览器的“私人浏览”功能。此外,我删除/home/azureuser/.azure/accessTokens.json但没有效果。

也许你们中的一些人以前遇到过这个问题并且有一个想法?

作为参考,我检查了一些网站:

更新

当我运行此代码时:

from azureml.core.authentication import InteractiveLoginAuthentication
interactive_auth = InteractiveLoginAuthentication(tenant_id='xxx')

ws = Workspace.get(name='xxx',
                   subscription_id='xxx',
                   resource_group='xxx',
                   auth=interactive_auth)

我得到以下跟踪:

---------------------------------------------------------------------------
AdalError                                 Traceback (most recent call last)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
   1820         auth, _, _ = profile_object.get_login_credentials(resource)
-> 1821         access_token = auth._token_retriever()[1]
   1822         if (_get_exp_time(access_token) - time.time()) < _TOKEN_REFRESH_THRESHOLD_SEC:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in _retrieve_token()
    525                     return self._creds_cache.retrieve_token_for_user(username_or_sp_id,
--> 526                                                                      account[_TENANT_ID], resource)
    527                 use_cert_sn_issuer = account[_USER_ENTITY].get(_SERVICE_PRINCIPAL_CERT_SN_ISSUER_AUTH)

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in retrieve_token_for_user(self, username, tenant, resource)
    889         context = self._auth_ctx_factory(self._cloud_type, tenant, cache=self.adal_token_cache)
--> 890         token_entry = context.acquire_token(resource, username, _CLIENT_ID)
    891         if not token_entry:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in acquire_token(self, resource, user_id, client_id)
    144 
--> 145         return self._acquire_token(token_func)
    146 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in _acquire_token(self, token_func, correlation_id)
    127         self.authority.validate(self._call_context)
--> 128         return token_func(self)
    129 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in token_func(self)
    142             token_request = TokenRequest(self._call_context, self, client_id, resource)
--> 143             return token_request.get_token_from_cache_with_refresh(user_id)
    144 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in get_token_from_cache_with_refresh(self, user_id)
    346         self._user_id = user_id
--> 347         return self._find_token_from_cache()
    348 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in _find_token_from_cache(self)
    126         cache_query = self._create_cache_query()
--> 127         return self._cache_driver.find(cache_query)
    128 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in find(self, query)
    195                         {"query": log.scrub_pii(query)})
--> 196         entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
    197         if entry:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in _load_single_entry_from_cache(self, query)
    123             else:
--> 124                 raise AdalError('More than one token matches the criteria. The result is ambiguous.')
    125 

AdalError: More than one token matches the criteria. The result is ambiguous.

During handling of the above exception, another exception occurred:

AuthenticationException                   Traceback (most recent call last)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in wrapper(self, *args, **kwargs)
    288                     module_logger.debug("{} acquired lock in {} s.".format(type(self).__name__, duration))
--> 289                 return test_function(self, *args, **kwargs)
    290             except Exception as e:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token(self)
    474         else:
--> 475             return self._get_arm_token_using_interactive_auth()
    476 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_using_interactive_auth(self, force_reload, resource)
    589         arm_token = _get_arm_token_with_refresh(profile_object, cloud_type, ACCOUNT, CONFIG, SESSION,
--> 590                                                 get_config_dir(), force_reload=force_reload, resource=resource)
    591         # If a user has specified a tenant id then we need to check if this token is for that tenant.

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in connection_aborted_wrapper(*args, **kwargs)
    325                 try:
--> 326                     return function(*args, **kwargs)
    327                 except AuthenticationException as e:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
   1829             raise AuthenticationException("Could not retrieve user token. Please run 'az login'",
-> 1830                                           inner_exception=e)
   1831 

AuthenticationException: AuthenticationException:
    Message: Could not retrieve user token. Please run 'az login'
    InnerException More than one token matches the criteria. The result is ambiguous.
    ErrorResponse 
{
    "error": {
        "code": "UserError",
        "inner_error": {
            "code": "Authentication"
        },
        "message": "Could not retrieve user token. Please run 'az login'"
    }
}

During handling of the above exception, another exception occurred:

AdalError                                 Traceback (most recent call last)
/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
   1820         auth, _, _ = profile_object.get_login_credentials(resource)
-> 1821         access_token = auth._token_retriever()[1]
   1822         if (_get_exp_time(access_token) - time.time()) < _TOKEN_REFRESH_THRESHOLD_SEC:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in _retrieve_token()
    525                     return self._creds_cache.retrieve_token_for_user(username_or_sp_id,
--> 526                                                                      account[_TENANT_ID], resource)
    527                 use_cert_sn_issuer = account[_USER_ENTITY].get(_SERVICE_PRINCIPAL_CERT_SN_ISSUER_AUTH)

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_vendor/azure_cli_core/_profile.py in retrieve_token_for_user(self, username, tenant, resource)
    889         context = self._auth_ctx_factory(self._cloud_type, tenant, cache=self.adal_token_cache)
--> 890         token_entry = context.acquire_token(resource, username, _CLIENT_ID)
    891         if not token_entry:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in acquire_token(self, resource, user_id, client_id)
    144 
--> 145         return self._acquire_token(token_func)
    146 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in _acquire_token(self, token_func, correlation_id)
    127         self.authority.validate(self._call_context)
--> 128         return token_func(self)
    129 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/authentication_context.py in token_func(self)
    142             token_request = TokenRequest(self._call_context, self, client_id, resource)
--> 143             return token_request.get_token_from_cache_with_refresh(user_id)
    144 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in get_token_from_cache_with_refresh(self, user_id)
    346         self._user_id = user_id
--> 347         return self._find_token_from_cache()
    348 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/token_request.py in _find_token_from_cache(self)
    126         cache_query = self._create_cache_query()
--> 127         return self._cache_driver.find(cache_query)
    128 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in find(self, query)
    195                         {"query": log.scrub_pii(query)})
--> 196         entry, is_resource_tenant_specific = self._load_single_entry_from_cache(query)
    197         if entry:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/adal/cache_driver.py in _load_single_entry_from_cache(self, query)
    123             else:
--> 124                 raise AdalError('More than one token matches the criteria. The result is ambiguous.')
    125 

AdalError: More than one token matches the criteria. The result is ambiguous.

During handling of the above exception, another exception occurred:

AuthenticationException                   Traceback (most recent call last)
<ipython-input-2-fd1276999d15> in <module>
      5                    subscription_id='00c983e5-d766-480b-be75-abf95d1a46c3',
      6                    resource_group='BusinessIntelligence',
----> 7                    auth=interactive_auth)

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in get(name, auth, subscription_id, resource_group)
    547 
    548         result_dict = Workspace.list(
--> 549             subscription_id, auth=auth, resource_group=resource_group)
    550         result_dict = {k.lower(): v for k, v in result_dict.items()}
    551         name = name.lower()

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in list(subscription_id, auth, resource_group)
    637         elif subscription_id and resource_group:
    638             workspaces_list = Workspace._list_legacy(
--> 639                 auth, subscription_id=subscription_id, resource_group_name=resource_group)
    640 
    641             Workspace._process_autorest_workspace_list(

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in _list_legacy(auth, subscription_id, resource_group_name, ignore_error)
   1373                 return None
   1374             else:
-> 1375                 raise e
   1376 
   1377     @staticmethod

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/workspace.py in _list_legacy(auth, subscription_id, resource_group_name, ignore_error)
   1367             # azureml._base_sdk_common.workspace.models.workspace.Workspace
   1368             workspace_autorest_list = _commands.list_workspace(
-> 1369                 auth, subscription_id=subscription_id, resource_group_name=resource_group_name)
   1370             return workspace_autorest_list
   1371         except Exception as e:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/_project/_commands.py in list_workspace(auth, subscription_id, resource_group_name)
    386         if resource_group_name:
    387             list_object = WorkspacesOperations.list_by_resource_group(
--> 388                 auth._get_service_client(AzureMachineLearningWorkspaces, subscription_id).workspaces,
    389                 resource_group_name)
    390             workspace_list = list_object.value

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_service_client(self, client_class, subscription_id, subscription_bound, base_url)
    155         # in the multi-tenant case, which causes confusion.
    156         if subscription_id:
--> 157             all_subscription_list, tenant_id = self._get_all_subscription_ids()
    158             self._check_if_subscription_exists(subscription_id, all_subscription_list, tenant_id)
    159 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_all_subscription_ids(self)
    497         :rtype: list, str
    498         """
--> 499         arm_token = self._get_arm_token()
    500         return self._get_all_subscription_ids_internal(arm_token)
    501 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in wrapper(self, *args, **kwargs)
    293                     InteractiveLoginAuthentication(force=True, tenant_id=self._tenant_id)
    294                     # Try one more time
--> 295                     return test_function(self, *args, **kwargs)
    296                 else:
    297                     raise e

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token(self)
    473             return self._ambient_auth._get_arm_token()
    474         else:
--> 475             return self._get_arm_token_using_interactive_auth()
    476 
    477     @_login_on_failure_decorator(_interactive_auth_lock)

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_using_interactive_auth(self, force_reload, resource)
    588         profile_object = Profile(async_persist=False, cloud_type=cloud_type)
    589         arm_token = _get_arm_token_with_refresh(profile_object, cloud_type, ACCOUNT, CONFIG, SESSION,
--> 590                                                 get_config_dir(), force_reload=force_reload, resource=resource)
    591         # If a user has specified a tenant id then we need to check if this token is for that tenant.
    592         if self._tenant_id and fetch_tenantid_from_aad_token(arm_token) != self._tenant_id:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in connection_aborted_wrapper(*args, **kwargs)
    324             while True:
    325                 try:
--> 326                     return function(*args, **kwargs)
    327                 except AuthenticationException as e:
    328                     if "Connection aborted." in str(e) and attempt <= retries:

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azureml/core/authentication.py in _get_arm_token_with_refresh(profile_object, cloud_type, account_object, config_object, session_object, config_directory, force_reload, resource)
   1828         if not token_about_to_expire:
   1829             raise AuthenticationException("Could not retrieve user token. Please run 'az login'",
-> 1830                                           inner_exception=e)
   1831 
   1832     try:

AuthenticationException: AuthenticationException:
    Message: Could not retrieve user token. Please run 'az login'
    InnerException More than one token matches the criteria. The result is ambiguous.
    ErrorResponse 
{
    "error": {
        "code": "UserError",
        "inner_error": {
            "code": "Authentication"
        },
        "message": "Could not retrieve user token. Please run 'az login'"
    }
}
  • azureml-sdk在版本 1.9.0
  • 我可以从本地计算机连接身份验证。只有当我想在计算实例上工作时才会出现问题。
4

3 回答 3

2

好的,下面是答案:

  • 您在 Azure 上的 A 公司工作。
  • 您可以访问公司 B 的订阅。
  • 问题是:您在 ML-Studio 中与 A 的 AAD 相关联。
  • 您需要指定租户 ID,InteractiveLoginAuthentication如下所示:
interactive_auth = InteractiveLoginAuthentication(tenant_id=tenant_id)

workspace = Workspace.get(name=workspace_name,
                          subscription_id=subscription_id,
                          resource_group=resource_group,
                          auth=interactive_auth)
  • 现在重要的部分:您需要使用 B 公司tenant_id(我一直使用 A 公司,因为我认为那是我的身份验证点)
  • 当然,当您阅读它时,这是显而易见的……就像现在对我一样:)

希望这对您有所帮助。花了我一些时间,但学到了很多;)

于 2020-07-29T14:52:50.720 回答
1

我遇到了同样的问题,下面的代码采用租户 ID 并使用 AZURE ML SDK 使用交互式身份验证工作正常。

import os

import azureml

from azureml.core import Workspace

from azureml.core.authentication import InteractiveLoginAuthentication

interactive_auth = InteractiveLoginAuthentication(tenant_id=" ")

ws = Workspace(subscription_id="",

               resource_group="",

               workspace_name="",

               auth=interactive_auth)

print("Found workspace {} at location {}".format(ws.name, ws.location))

以下是我建议您尝试的另外两种方法:

  1. 从 Azure shell 设置租户 ID 并跳过“auth”参数到 Workspace(...)

    az 帐户集 -s **********

  2. az account set -s ********** 和 python SDK 代码将是

    从 azureml.core.authentication 导入 AzureCliAuthentication

    cli_auth = AzureCliAuthentication()

    将 cli_auth 传递给 auth 参数而不是交互式登录对象

于 2020-06-08T19:07:09.620 回答
0

这通常可能由于两个原因而发生:

  1. 您的令牌不适用于正确的租户。在这种情况下,您需要传递tenantId包含您的工作空间的订阅。该类作为参数ServicePrincipalAuthenticationtenanatId确保传递正确的值。

  2. 该订阅中的工作区的名称带有大写字母。这是大约三个月前修复的 SDK 端错误。确保您使用的是最新的 SDK。

你能分享你正在使用的SDK版本吗?此外,以下错误是否仅发生在计算实例中,或者即使您从不同的机器上运行 SDK 也会发生?

WorkspaceException:WorkspaceException:消息:在您有权访问的所有订阅中找不到名称 = xxx 的工作区。InnerException None ErrorResponse { "error": { "message": "在您有权访问的所有订阅中未找到 name=xxx 的工作区。" } }

带有完整堆栈跟踪的示例代码片段可以帮助我们更好地调查此问题。

于 2020-06-09T16:39:03.797 回答