Description
ABFS supports OAuth and Shared Key but currently lacks support for [Shared Access Signatures (SAS)|https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview]. SAS is a great way to constrain access to a low-privilege ABFS client. The ABFS client does not need to possess persistent credentials for accessing storage but instead can request temporary, constrained access tokens from a trusted endpoint. This endpoint can authenticate the caller, make an authorization decision and return a constrained SAS token. The token may have an expiration, it may be scoped to a specific file or directory, and it may grant an action or set of actions such as read, write, list, or delete.
Azure Storage also has a new identity-based SAS scheme in preview named Delegation SAS. Delegation SAS have these advantages over Service SAS:
1) Delegation SAS provide authentication as well as authorization. The user identity associated with each request will appear in the logs when logging is enabled for the account.
2) Instead of using storage account keys to sign tokens, Delegation SAS relies on keys assigned to each user. These keys are called user delegation keys. If a storage account key is leaked, an attacker would have full access to the storage account. If a user delegation key is leaked, an attacker would only have access to resources that user has access to within the Blob service; for example, the user might only have read access to a specific container.
This feature will add support for the ABFS driver to authenticate against a trusted endpoint. The endpoint will return a SAS which the ABFS driver will use to access Azure storage. The SAS may be a container or directory SAS to be used for all subsequent operations, and thus cached for the lifetime of the filesystem. Alternatively, it may be a SAS to be used only for the current filesystem operation; in this case, the ABFS driver will request a SAS for each operation.
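The client-side checks implied by the description, as an added example that is not ABFS driver code: before reusing a cached SAS, confirm it is signed, unexpired, and grants the requested action, and keep the signature out of logs. The sample token, the `fetch` callable standing in for the trusted endpoint, and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample token: every value is made up, the signature is a dummy.
SAMPLE = ("sv=2019-12-12&sr=c&sp=rl&se=2020-03-01T12%3A00%3A00Z"
          "&skoid=00000000-0000-0000-0000-000000000001"
          "&sktid=00000000-0000-0000-0000-000000000002"
          "&sig=CONSTRUCTED%2BSIGNATURE%3D")
# SAS permission letter (sp field) needed for each action the text names.
REQUIRED = {"read": "r", "write": "w", "list": "l", "delete": "d"}

def parse_sas(token):
    """Split a SAS query string into a dict of its fields."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}

def is_delegation_sas(fields):
    """Delegation SAS name the key owner (skoid) and tenant (sktid)."""
    return "skoid" in fields and "sktid" in fields

def usable_for(token, action, now, skew=timedelta(minutes=5)):
    """Return (ok, reason): may this SAS serve `action` at time `now`?"""
    f = parse_sas(token)
    if "sig" not in f or "se" not in f:
        return False, "missing signature or expiry"
    # Assumption: expiry uses the full UTC form YYYY-MM-DDThh:mm:ssZ.
    expiry = datetime.strptime(f["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now + skew >= expiry:
        return False, "expired or about to expire"
    if REQUIRED[action] not in f.get("sp", ""):
        return False, "permission not granted"
    return True, "ok"

def redact(token):
    """Log-safe copy: the signature is the secret part of a SAS."""
    return "&".join("sig=REDACTED" if p.startswith("sig=") else p
                    for p in token.lstrip("?").split("&"))

class SasCache:
    """Reuse one SAS until it no longer covers the requested action."""
    def __init__(self, fetch):
        self.fetch, self.token = fetch, None  # fetch: hypothetical endpoint call

    def get(self, action, now):
        if self.token is None or not usable_for(self.token, action, now)[0]:
            fresh = self.fetch(action)
            ok, reason = usable_for(fresh, action, now)
            if not ok:  # reject a token the endpoint under-scoped or pre-expired
                raise PermissionError(f"{reason}: {redact(fresh)}")
            self.token = fresh
        return self.token
```

The five-minute `skew` margin is a choice made for this example so that a token does not expire mid-request; tune it to the operation lengths you expect.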
Issue Links
- Dependency: HADOOP-16916 ABFS: Delegation SAS generator for integration with Ranger (Resolved)
- is duplicated by: HADOOP-16864 ABFS: Test code with Delegation SAS generation logic (Resolved)