[ https://issues.apache.org/jira/browse/NIFI-14163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913720#comment-17913720 ]

ASF subversion and git services commented on NIFI-14163:
--------------------------------------------------------

Commit 2a30b01b6799b39b7de18e6fd5868a5061a0de03 in nifi's branch 
refs/heads/main from Bob Paulin
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=2a30b01b67 ]

NIFI-14163: Enhance GCP Credential to use delegate user

Signed-off-by: Pierre Villard <[email protected]>

This closes #9635.


> Enhance GCPCredentialsControllerService to support domain-wide delegation
> -------------------------------------------------------------------------
>
>                 Key: NIFI-14163
>                 URL: https://issues.apache.org/jira/browse/NIFI-14163
>             Project: Apache NiFi
>          Issue Type: Task
>          Components: Extensions
>            Reporter: Bob Paulin
>            Priority: Major
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Google Service Accounts can be configured to support Domain-wide Delegation 
> by a Service Account.  When this is configured in the Google Admin Console 
> (see 
> https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)
>  a service account may impersonate a specific user account (the delegate).  
> For example, assume you are using an existing Apache NiFi processor such as 
> ListGoogleDrive.  Using a service account the service account email must be 
> added to the drive for that drive to be visible to the processor.  If 
> Domain-wide delegation is configured and an existing user that already has 
> access to the drive is specified as the delegate, then the processor will 
> list all drives available to that user using the service account credential 
> as if the call were made directly from the delegated user account.
>  
> This task is to enhance the existing GCPCredentialsControllerService to allow 
> a flow designer to select a Delegation Strategy of Delegated Account which 
> would then require the user to add an account to impersonate.  The Controller 
> service will continue to default to the current behavior which is to use the 
> Service Account's identity.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
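
What the delegate changes on the wire, as an added example that is not NiFi's code and not part of the original issue: in Google's service-account OAuth 2.0 flow (the document linked above), delegation adds a `sub` claim naming the impersonated user to the JWT that the service account signs. The function names, account addresses and scope are constructed for illustration, and the RS256 signature step is left out because it needs the service account's private key.

```python
import base64
import json

TOKEN_URI = "https://oauth2.googleapis.com/token"
DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(service_account, scopes, now, delegate=None, lifetime=3600):
    """Claim set for the service-account JWT grant (hypothetical helper).

    Without `delegate` the token acts as the service account itself.
    With `delegate` the `sub` claim asks Google for a token that acts
    as that user, which only succeeds if domain-wide delegation has
    been authorized for these scopes in the Admin Console.
    """
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime is capped at one hour")
    claims = {
        "iss": service_account,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    if delegate is not None:
        if delegate.count("@") != 1:  # example sanity check only
            raise ValueError("delegate must be a user account address")
        claims["sub"] = delegate
    return claims


def signing_input(claims):
    """header.claims segments; the RS256 signature would be appended."""
    parts = ({"alg": "RS256", "typ": "JWT"}, claims)
    return ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts
    )


def effective_identity(assertion):
    """Audit helper: which principal will calls made with this token run as?"""
    segment = assertion.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return claims.get("sub", claims["iss"])
```

Because the same key can name any user in `sub` that the Admin Console authorization covers, the scopes granted there bound what a leaked service-account key can reach.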