Bob Paulin created NIFI-14163:
---------------------------------

             Summary: Enhance GCPCredentialsControllerService to support domain-wide delegation
                 Key: NIFI-14163
                 URL: https://issues.apache.org/jira/browse/NIFI-14163
             Project: Apache NiFi
          Issue Type: Task
          Components: Extensions
            Reporter: Bob Paulin


Google Service Accounts can be configured to support Domain-wide Delegation by 
a Service Account.  When this is configured in the Google Admin Console (see 
https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority), 
a service account may impersonate a specific user account (the delegate).

For example, assume you are using an existing Apache NiFi processor such as 
ListGoogleDrive.  When using a service account, the service account email must be 
added to the drive for that drive to be visible to the processor.  If 
Domain-wide delegation is configured and an existing user that already has access 
to the drive is specified as the delegate, then the processor will list all 
drives available to that user using the service account credential as if the 
call were made directly from the delegated user account.

 

This task is to enhance the existing GCPCredentialsControllerService to allow a 
flow designer to select a Delegation Strategy of Delegated Account, which would 
then require the user to add an account to impersonate.  The Controller service 
will continue to default to the current behavior, which is to use the Service 
Account's identity.



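Added example, not part of the original issue and not NiFi code: in Google's service-account OAuth 2.0 flow, the only difference between the default identity and a delegated one is a `sub` claim in the signed JWT assertion, which this sketch builds for both strategies. The strategy constants, function names and e-mail addresses are hypothetical, and the RS256 signing step is left out.

```python
import base64
import json

TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # assertions may be valid for at most one hour
# Hypothetical strategy names modelled on the wording of the ticket.
SERVICE_ACCOUNT = "Service Account"
DELEGATED_ACCOUNT = "Delegated Account"


def build_claim_set(sa_email, scopes, now, strategy=SERVICE_ACCOUNT, delegate=None):
    """Return the JWT claim set for the service-account token request."""
    if strategy not in (SERVICE_ACCOUNT, DELEGATED_ACCOUNT):
        raise ValueError(f"unknown delegation strategy: {strategy!r}")
    claims = {
        "iss": sa_email,
        "scope": " ".join(scopes),  # space-delimited list of requested scopes
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + MAX_LIFETIME,
    }
    if strategy == DELEGATED_ACCOUNT:
        # Delegation requires an explicit account to impersonate.
        if not delegate or "@" not in delegate:
            raise ValueError("Delegated Account strategy requires a user email")
        claims["sub"] = delegate
    elif delegate:
        # Fail closed: a stray delegate must not be silently dropped or applied.
        raise ValueError("delegate set but strategy is Service Account")
    return claims


def b64url(data):
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signing_input(claims):
    """Return header.payload, the bytes the service account key signs (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def effective_identity(claims):
    """Account the resulting access token acts as."""
    return claims.get("sub", claims["iss"])
```

Because `effective_identity` changes from the service account to any user named in `sub`, the scopes authorized for the client in the Admin Console bound what a leaked key can reach.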