This is an automated email from the ASF dual-hosted git repository.
mthomsen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new ee91341 NIFI-7497 Adding support for AWS Credentials Assume Role to
be able to set the STS Endpoint NIFI-7497 Updating property description per
comment
ee91341 is described below
commit ee91341ec3ce6009b6632d624defe00bd9b082ea
Author: neptunesalt <[email protected]>
AuthorDate: Sat May 30 17:12:23 2020 -0400
NIFI-7497 Adding support for setting the STS Endpoint when using AWS Credentials
Assume Role
NIFI-7497 Updating property description per comment
This closes #4309
Signed-off-by: Mike Thomsen <[email protected]>
---
.../provider/factory/CredentialPropertyDescriptors.java | 12 +++++++++++-
.../strategies/AssumeRoleCredentialsStrategy.java | 16 +++++++++++++++-
.../service/AWSCredentialsProviderControllerService.java | 2 ++
.../credentials/provider/factory/MockAWSProcessor.java | 4 +++-
.../provider/factory/TestCredentialsProviderFactory.java | 8 ++++++++
5 files changed, 39 insertions(+), 3 deletions(-)
diff --git
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/CredentialPropertyDescriptors.java
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/CredentialPropertyDescriptors.java
index 00f4e62..fa4c1df 100644
---
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/CredentialPropertyDescriptors.java
+++
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/CredentialPropertyDescriptors.java
@@ -177,6 +177,16 @@ public class CredentialPropertyDescriptors {
.required(false)
.addValidator(StandardValidators.POSITIVE_INTEGER_VALIDATOR)
.sensitive(false)
- .description("Proxy pot for cross-account access, if needed within
your environment. This will configure a proxy to request for temporary access
keys into another AWS account")
+ .description("Proxy port for cross-account access, if needed
within your environment. This will configure a proxy to request for temporary
access keys into another AWS account")
+ .build();
+
+ public static final PropertyDescriptor ASSUME_ROLE_STS_ENDPOINT = new
PropertyDescriptor.Builder()
+ .name("assume-role-sts-endpoint")
+ .displayName("Assume Role STS Endpoint")
+ .expressionLanguageSupported(ExpressionLanguageScope.NONE)
+ .required(false)
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .sensitive(false)
+ .description("The default AWS Security Token Service (STS)
endpoint (\"sts.amazonaws.com\") works for all accounts that are not for China
(Beijing) region or GovCloud. You only need to set this property to
\"sts.cn-north-1.amazonaws.com.cn\" when you are requesting session credentials
for services in China(Beijing) region or to \"sts.us-gov-west-1.amazonaws.com\"
for GovCloud.")
.build();
}
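Review bot: The new `ASSUME_ROLE_STS_ENDPOINT` descriptor at L44–L58 carries only `StandardValidators.NON_EMPTY_VALIDATOR`, so a whitespace-only or mistyped value is accepted at configuration time and surfaces only when the STS client is used (the AssumeRoleCredentialsStrategy hunk hands the string straight to `setEndpoint`); `StandardValidators.NON_BLANK_VALIDATOR` would at least reject the whitespace case. Because this value decides where the AssumeRole request signed with the primary credentials is sent and where session credentials come back from, the description should say what form it takes, e.g. append `Accepts a hostname or a full URL; when no scheme is given the SDK client's default protocol (HTTPS) is used.` The description also states that the default endpoint is sufficient for every account outside China and GovCloud; regional STS endpoints exist for other regions as well, so "only need to set" reads stronger than intended and could be softened to "for example".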
diff --git
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java
index 2a52dc9..adbfda9 100644
---
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java
+++
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java
@@ -29,6 +29,7 @@ import static
org.apache.nifi.processors.aws.credentials.provider.factory.Creden
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_NAME;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST;
+import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT;
import
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy;
import com.amazonaws.ClientConfiguration;
@@ -51,7 +52,7 @@ public class AssumeRoleCredentialsStrategy extends
AbstractCredentialsStrategy {
super("Assume Role", new PropertyDescriptor[] {
ASSUME_ROLE_ARN,
ASSUME_ROLE_NAME,
- MAX_SESSION_TIME,
+ MAX_SESSION_TIME
});
}
@@ -90,6 +91,7 @@ public class AssumeRoleCredentialsStrategy extends
AbstractCredentialsStrategy {
final boolean assumeRoleExternalIdIsSet =
validationContext.getProperty(ASSUME_ROLE_EXTERNAL_ID).isSet();
final boolean assumeRoleProxyHostIsSet =
validationContext.getProperty(ASSUME_ROLE_PROXY_HOST).isSet();
final boolean assumeRoleProxyPortIsSet =
validationContext.getProperty(ASSUME_ROLE_PROXY_PORT).isSet();
+ final boolean assumeRoleSTSEndpointIsSet =
validationContext.getProperty(ASSUME_ROLE_STS_ENDPOINT).isSet();
final Collection<ValidationResult> validationFailureResults = new
ArrayList<ValidationResult>();
@@ -112,6 +114,14 @@ public class AssumeRoleCredentialsStrategy extends
AbstractCredentialsStrategy {
.explanation("Assume role requires both arn and name to be
set with External ID")
.build());
}
+
+ // STS Endpoint should only be provided with viable Assume Role ARN
and Name
+ if (assumeRoleSTSEndpointIsSet && (!assumeRoleArnIsSet ||
!assumeRoleNameIsSet)) {
+ validationFailureResults.add(new
ValidationResult.Builder().input("Assume Role STS Endpoint")
+ .valid(false)
+ .explanation("Assume role requires both arn and name to be
set with STS Endpoint")
+ .build());
+ }
// Both proxy host and proxy port are required if present
if (assumeRoleProxyHostIsSet ^ assumeRoleProxyPortIsSet){
@@ -138,6 +148,7 @@ public class AssumeRoleCredentialsStrategy extends
AbstractCredentialsStrategy {
rawMaxSessionTime = (rawMaxSessionTime != null) ? rawMaxSessionTime :
MAX_SESSION_TIME.getDefaultValue();
final Integer maxSessionTime =
Integer.parseInt(rawMaxSessionTime.trim());
final String assumeRoleExternalId =
properties.get(ASSUME_ROLE_EXTERNAL_ID);
+ final String assumeRoleSTSEndpoint =
properties.get(ASSUME_ROLE_STS_ENDPOINT);
STSAssumeRoleSessionCredentialsProvider.Builder builder;
ClientConfiguration config = new ClientConfiguration();
@@ -150,6 +161,9 @@ public class AssumeRoleCredentialsStrategy extends
AbstractCredentialsStrategy {
}
AWSSecurityTokenService securityTokenService = new
AWSSecurityTokenServiceClient(primaryCredentialsProvider, config);
+ if (assumeRoleSTSEndpoint != null && !assumeRoleSTSEndpoint.isEmpty())
{
+ securityTokenService.setEndpoint(assumeRoleSTSEndpoint);
+ }
builder = new STSAssumeRoleSessionCredentialsProvider
.Builder(assumeRoleArn, assumeRoleName)
.withStsClient(securityTokenService)
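Review bot: The guard at L139 tests `isEmpty()` but never trims, whereas `rawMaxSessionTime` a few lines earlier (L127) is trimmed before use; with only a non-empty validator on the property, a value with surrounding whitespace reaches `setEndpoint` unchanged. Either trim at the declaration in the previous hunk or change the guard here to `if (assumeRoleSTSEndpoint != null && !assumeRoleSTSEndpoint.trim().isEmpty()) { securityTokenService.setEndpoint(assumeRoleSTSEndpoint.trim()); }`. Note also that `setEndpoint(String)` on its own leaves the SDK to derive the signing region from the hostname; for an endpoint it cannot map to a region, signing may presumably pick the wrong region, so a companion signing-region setting may be needed — worth confirming against the SDK version in use. The enclosing method starts and ends outside this hunk.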
diff --git
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
index a5f4e04..fcb9dc7 100644
---
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
+++
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
@@ -41,6 +41,7 @@ import static
org.apache.nifi.processors.aws.credentials.provider.factory.Creden
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST;
+import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.CREDENTIALS_FILE;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.PROFILE_NAME;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.SECRET_KEY;
@@ -79,6 +80,7 @@ public class AWSCredentialsProviderControllerService extends
AbstractControllerS
props.add(ASSUME_ROLE_EXTERNAL_ID);
props.add(ASSUME_ROLE_PROXY_HOST);
props.add(ASSUME_ROLE_PROXY_PORT);
+ props.add(ASSUME_ROLE_STS_ENDPOINT);
properties = Collections.unmodifiableList(props);
}
diff --git
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/MockAWSProcessor.java
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/MockAWSProcessor.java
index 5c7d57b..81ccb92 100644
---
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/MockAWSProcessor.java
+++
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/MockAWSProcessor.java
@@ -39,6 +39,7 @@ import static
org.apache.nifi.processors.aws.credentials.provider.factory.Creden
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_NAME;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.MAX_SESSION_TIME;
import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID;
+import static
org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT;
import com.amazonaws.auth.AWSCredentialsProvider;
import org.apache.nifi.processors.aws.AbstractAWSCredentialsProviderProcessor;
@@ -61,7 +62,8 @@ public class MockAWSProcessor extends
AbstractAWSCredentialsProviderProcessor<Am
MAX_SESSION_TIME,
ASSUME_ROLE_EXTERNAL_ID,
ASSUME_ROLE_PROXY_HOST,
- ASSUME_ROLE_PROXY_PORT
+ ASSUME_ROLE_PROXY_PORT,
+ ASSUME_ROLE_STS_ENDPOINT
);
@Override
diff --git
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/TestCredentialsProviderFactory.java
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/TestCredentialsProviderFactory.java
index f26ce81..3e48e6b 100644
---
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/TestCredentialsProviderFactory.java
+++
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/test/java/org/apache/nifi/processors/aws/credentials/provider/factory/TestCredentialsProviderFactory.java
@@ -161,6 +161,14 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID,
"BogusExternalId");
runner.assertNotValid();
}
+
+ @Test
+ public void testAssumeRoleSTSEndpointMissingArnAndName() throws Throwable {
+ final TestRunner runner =
TestRunners.newTestRunner(MockAWSProcessor.class);
+ runner.setProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE,
"src/test/resources/mock-aws-credentials.properties");
+
runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT,
"BogusSTSEndpoint");
+ runner.assertNotValid();
+ }
@Test
public void testAnonymousCredentials() throws Throwable {
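Review bot: The new test at L222–L232 covers only the rejection path (endpoint set, ARN and name absent); nothing asserts that a configuration with ARN, name and STS endpoint all set is accepted, so a regression that makes the new validation branch in AssumeRoleCredentialsStrategy always fail would pass this suite. A companion test with the same runner setup and constructed sample values for ARN and name would close that gap, assuming the strategy does not validate the ARN format; whether a matching positive test already exists elsewhere in the class is not visible in this hunk. The enclosing class continues outside the hunk.

```java
    @Test
    public void testAssumeRoleSTSEndpointWithArnAndName() throws Throwable {
        final TestRunner runner = TestRunners.newTestRunner(MockAWSProcessor.class);
        runner.setProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE, "src/test/resources/mock-aws-credentials.properties");
        runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_ARN, "BogusArn");       // constructed sample value
        runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_NAME, "BogusSession");  // constructed sample value
        runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT, "sts.us-gov-west-1.amazonaws.com");
        runner.assertValid();
    }
```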