This is an automated email from the ASF dual-hosted git repository.
jgresock pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new fee7c16 NIFI-9679 Added access-environment-credentials permission
fee7c16 is described below
commit fee7c16732983d1b7f185e23e63105d250bb87ae
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Feb 24 10:08:21 2022 -0500
NIFI-9679 Added access-environment-credentials permission
- Applied new permission restrictions to
AWSCredentialsProviderControllerService and GCPCredentialsControllerService
Signed-off-by: Joe Gresock <[email protected]>
This closes #5796.
---
.../java/org/apache/nifi/components/RequiredPermission.java | 1 +
.../service/AWSCredentialsProviderControllerService.java | 11 +++++++++++
.../credentials/service/GCPCredentialsControllerService.java | 11 +++++++++++
3 files changed, 23 insertions(+)
diff --git
a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
index a7cdec8..d931b13 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
@@ -29,6 +29,7 @@ public enum RequiredPermission {
EXECUTE_CODE("execute-code", "execute code"),
ACCESS_KEYTAB("access-keytab", "access keytab"),
ACCESS_TICKET_CACHE("access-ticket-cache", "access ticket cache"),
+ ACCESS_ENVIRONMENT_CREDENTIALS("access-environment-credentials", "access
environment credentials"),
EXPORT_NIFI_DETAILS("export-nifi-details", "export nifi details");
private String permissionIdentifier;
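Review bot: The new `ACCESS_ENVIRONMENT_CREDENTIALS` constant has no comment saying what it gates, and the diffstat lists only three Java files, so no administrator-facing documentation arrives with it. A short Javadoc on the constant would help, for example `/** Required for components whose default configuration resolves credentials from the environment of the NiFi process. */`. Because the two controller services become restricted in this commit, users who could configure them before will presumably need the new policy after upgrading, which deserves a line in the upgrade notes. The enum body continues outside the hunk.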
diff --git
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
index 1323f9c..476a41c 100644
---
a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
+++
b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
@@ -23,10 +23,13 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.controller.AbstractControllerService;
@@ -58,6 +61,14 @@ import static
org.apache.nifi.processors.aws.credentials.provider.factory.Creden
"Default credentials support EC2 instance profile/role, default user
profile, environment variables, etc. " +
"Additional options include access key / secret key pairs, credentials
file, named profile, and assume role credentials.")
@Tags({ "aws", "credentials","provider" })
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission =
RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS,
+ explanation = "The default configuration can read
environment variables and system properties for credentials"
+ )
+ }
+)
public class AWSCredentialsProviderControllerService extends
AbstractControllerService implements AWSCredentialsProviderService {
public static final PropertyDescriptor ASSUME_ROLE_ARN =
CredentialPropertyDescriptors.ASSUME_ROLE_ARN;
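Review bot: The `explanation` in the added `@Restricted` annotation names only environment variables and system properties, while the `@CapabilityDescription` text directly above it also lists EC2 instance profile/role and the default user profile as sources of default credentials. An administrator deciding who receives the policy reads this string, so it should cover every ambient source, e.g. `explanation = "The default configuration can read credentials from environment variables, system properties, the default user profile and the EC2 instance profile"`. The same wording is repeated on GCPCredentialsControllerService in the last hunk, where the description mentions the gcloud application-default config and AppEngine/Compute Engine service accounts. Whether the credentials file option, which reads a path on the NiFi host, needs a separate restriction cannot be judged from these hunks; both class bodies continue outside them.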
diff --git
a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
index b161e61..fe32d64 100644
---
a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
+++
b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
@@ -18,12 +18,15 @@ package org.apache.nifi.processors.gcp.credentials.service;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.GoogleCredentials;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.ConfigVerificationResult.Outcome;
import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.controller.AbstractControllerService;
@@ -60,6 +63,14 @@ import static
org.apache.nifi.processors.gcp.credentials.factory.CredentialPrope
"a credential file, the config generated by `gcloud auth
application-default login`, AppEngine/Compute Engine" +
" service accounts, etc.")
@Tags({ "gcp", "credentials","provider" })
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission =
RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS,
+ explanation = "The default configuration can read
environment variables and system properties for credentials"
+ )
+ }
+)
public class GCPCredentialsControllerService extends AbstractControllerService
implements GCPCredentialsService, VerifiableControllerService {
private static final List<PropertyDescriptor> properties;