exceptionfactory commented on code in PR #10278:
URL: https://github.com/apache/nifi/pull/10278#discussion_r2330888690
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/component/KafkaClientComponent.java:
##########
@@ -107,19 +108,56 @@ public interface KafkaClientComponent {
)
.build();
+ PropertyDescriptor AWS_ROLE_SOURCE = new PropertyDescriptor.Builder()
+ .name("AWS Role Source")
+ .description("Select how AWS credentials are sourced for AWS MSK
IAM: Default Profile searches standard locations," +
+ " Specified Profile selects a named profile, or Specified
Role configures a Role ARN and Session Name.")
+ .required(true)
+ .allowableValues(AwsRoleSource.class)
+ .defaultValue(AwsRoleSource.DEFAULT_PROFILE.getValue())
+ .dependsOn(
+ SASL_MECHANISM,
+ SaslMechanism.AWS_MSK_IAM
+ )
+ .build();
+
PropertyDescriptor AWS_PROFILE_NAME = new PropertyDescriptor.Builder()
.name("aws.profile.name")
.displayName("AWS Profile Name")
.description("The Amazon Web Services Profile to select when
multiple profiles are available.")
.dependsOn(
- SASL_MECHANISM,
- SaslMechanism.AWS_MSK_IAM
+ KafkaClientComponent.AWS_ROLE_SOURCE,
+ AwsRoleSource.SPECIFIED_PROFILE
)
.required(false)
.addValidator(StandardValidators.NON_BLANK_VALIDATOR)
.expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
.build();
+ PropertyDescriptor AWS_ASSUME_ROLE_ARN = new PropertyDescriptor.Builder()
+ .name("Assume Role ARN")
+ .description("The AWS Role ARN for cross-account access when using
AWS MSK IAM. Used with Assume Role Session Name.")
+ .required(false)
+ .dependsOn(
+ KafkaClientComponent.AWS_ROLE_SOURCE,
+ AwsRoleSource.SPECIFIED_ROLE
+ )
+ .addValidator(StandardValidators.NON_BLANK_VALIDATOR)
+ .expressionLanguageSupported(ExpressionLanguageScope.NONE)
+ .build();
+
+ PropertyDescriptor AWS_ASSUME_ROLE_SESSION_NAME = new
PropertyDescriptor.Builder()
+ .name("Assume Role Session Name")
Review Comment:
```suggestion
.name("AWS Assume Role Session Name")
```
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/property/AwsRoleSource.java:
##########
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kafka.shared.property;
+
+import org.apache.nifi.components.DescribedValue;
+
+/**
+ * AWS Role Source strategy for AWS MSK IAM credentials selection
+ */
+public enum AwsRoleSource implements DescribedValue {
+ DEFAULT_PROFILE("DEFAULT_PROFILE", "Default Profile", "Use the default AWS
credentials provider chain to locate credentials."),
Review Comment:
The `value` property is not needed, and `getValue()` can just return
`name()` of the enum.
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/property/AwsRoleSource.java:
##########
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.kafka.shared.property;
+
+import org.apache.nifi.components.DescribedValue;
+
+/**
+ * AWS Role Source strategy for AWS MSK IAM credentials selection
+ */
+public enum AwsRoleSource implements DescribedValue {
+ DEFAULT_PROFILE("DEFAULT_PROFILE", "Default Profile", "Use the default AWS
credentials provider chain to locate credentials."),
+ SPECIFIED_PROFILE("SPECIFIED_PROFILE", "Specified Profile", "Use the
configured AWS Profile Name from the default credentials file."),
+ SPECIFIED_ROLE("SPECIFIED_ROLE", "Specified Role", "Assume a specific AWS
Role using the configured Role ARN and Session Name.");
+
+ private final String value;
+ private final String displayName;
+ private final String description;
+
+ AwsRoleSource(final String value, final String displayName, final String
description) {
+ this.value = value;
+ this.displayName = displayName;
+ this.description = description;
+ }
+
+ @Override
+ public String getValue() {
+ return value;
Review Comment:
```suggestion
return name();
```
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/component/KafkaClientComponent.java:
##########
@@ -107,19 +108,56 @@ public interface KafkaClientComponent {
)
.build();
+ PropertyDescriptor AWS_ROLE_SOURCE = new PropertyDescriptor.Builder()
+ .name("AWS Role Source")
+ .description("Select how AWS credentials are sourced for AWS MSK
IAM: Default Profile searches standard locations," +
+ " Specified Profile selects a named profile, or Specified
Role configures a Role ARN and Session Name.")
+ .required(true)
+ .allowableValues(AwsRoleSource.class)
+ .defaultValue(AwsRoleSource.DEFAULT_PROFILE.getValue())
Review Comment:
```suggestion
.defaultValue(AwsRoleSource.DEFAULT_PROFILE)
```
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/component/KafkaClientComponent.java:
##########
@@ -107,19 +108,56 @@ public interface KafkaClientComponent {
)
.build();
+ PropertyDescriptor AWS_ROLE_SOURCE = new PropertyDescriptor.Builder()
+ .name("AWS Role Source")
+ .description("Select how AWS credentials are sourced for AWS MSK
IAM: Default Profile searches standard locations," +
+ " Specified Profile selects a named profile, or Specified
Role configures a Role ARN and Session Name.")
+ .required(true)
+ .allowableValues(AwsRoleSource.class)
+ .defaultValue(AwsRoleSource.DEFAULT_PROFILE.getValue())
+ .dependsOn(
+ SASL_MECHANISM,
+ SaslMechanism.AWS_MSK_IAM
+ )
+ .build();
+
PropertyDescriptor AWS_PROFILE_NAME = new PropertyDescriptor.Builder()
.name("aws.profile.name")
.displayName("AWS Profile Name")
.description("The Amazon Web Services Profile to select when
multiple profiles are available.")
.dependsOn(
- SASL_MECHANISM,
- SaslMechanism.AWS_MSK_IAM
+ KafkaClientComponent.AWS_ROLE_SOURCE,
+ AwsRoleSource.SPECIFIED_PROFILE
)
.required(false)
.addValidator(StandardValidators.NON_BLANK_VALIDATOR)
.expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
.build();
+ PropertyDescriptor AWS_ASSUME_ROLE_ARN = new PropertyDescriptor.Builder()
+ .name("Assume Role ARN")
+ .description("The AWS Role ARN for cross-account access when using
AWS MSK IAM. Used with Assume Role Session Name.")
+ .required(false)
Review Comment:
This can be set to `true` since it depends on the Specified Role option.
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/component/KafkaClientComponent.java:
##########
@@ -107,19 +108,56 @@ public interface KafkaClientComponent {
)
.build();
+ PropertyDescriptor AWS_ROLE_SOURCE = new PropertyDescriptor.Builder()
+ .name("AWS Role Source")
+ .description("Select how AWS credentials are sourced for AWS MSK
IAM: Default Profile searches standard locations," +
+ " Specified Profile selects a named profile, or Specified
Role configures a Role ARN and Session Name.")
+ .required(true)
+ .allowableValues(AwsRoleSource.class)
+ .defaultValue(AwsRoleSource.DEFAULT_PROFILE.getValue())
+ .dependsOn(
+ SASL_MECHANISM,
+ SaslMechanism.AWS_MSK_IAM
+ )
+ .build();
+
PropertyDescriptor AWS_PROFILE_NAME = new PropertyDescriptor.Builder()
.name("aws.profile.name")
.displayName("AWS Profile Name")
.description("The Amazon Web Services Profile to select when
multiple profiles are available.")
.dependsOn(
- SASL_MECHANISM,
- SaslMechanism.AWS_MSK_IAM
+ KafkaClientComponent.AWS_ROLE_SOURCE,
+ AwsRoleSource.SPECIFIED_PROFILE
)
.required(false)
.addValidator(StandardValidators.NON_BLANK_VALIDATOR)
.expressionLanguageSupported(ExpressionLanguageScope.FLOWFILE_ATTRIBUTES)
.build();
+ PropertyDescriptor AWS_ASSUME_ROLE_ARN = new PropertyDescriptor.Builder()
+ .name("Assume Role ARN")
Review Comment:
Recommend adding `AWS` for clarity:
```suggestion
.name("AWS Assume Role ARN")
```
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/login/AwsMskIamLoginConfigProvider.java:
##########
@@ -30,17 +31,31 @@ public class AwsMskIamLoginConfigProvider implements
LoginConfigProvider {
private static final String MODULE_CLASS =
"software.amazon.msk.auth.iam.IAMLoginModule";
private static final String AWS_PROFILE_NAME_KEY = "awsProfileName";
+ private static final String ROLE_ARN_KEY = "awsRoleArn";
+ private static final String ROLE_SESSION_NAME_KEY = "awsRoleSessionName";
@Override
public String getConfiguration(PropertyContext context) {
+ final AwsRoleSource roleSource =
context.getProperty(KafkaClientComponent.AWS_ROLE_SOURCE).asAllowableValue(AwsRoleSource.class);
final String awsProfileName =
context.getProperty(KafkaClientComponent.AWS_PROFILE_NAME).evaluateAttributeExpressions().getValue();
+ final String assumeRoleArn =
context.getProperty(KafkaClientComponent.AWS_ASSUME_ROLE_ARN).getValue();
+ final String assumeRoleSessionName =
context.getProperty(KafkaClientComponent.AWS_ASSUME_ROLE_SESSION_NAME).getValue();
Review Comment:
Since these are dependent values, they should be retrieved inside of the
conditional check for Specified Role.
##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-shared/src/main/java/org/apache/nifi/kafka/shared/login/AwsMskIamLoginConfigProvider.java:
##########
@@ -30,17 +31,31 @@ public class AwsMskIamLoginConfigProvider implements
LoginConfigProvider {
private static final String MODULE_CLASS =
"software.amazon.msk.auth.iam.IAMLoginModule";
private static final String AWS_PROFILE_NAME_KEY = "awsProfileName";
+ private static final String ROLE_ARN_KEY = "awsRoleArn";
+ private static final String ROLE_SESSION_NAME_KEY = "awsRoleSessionName";
@Override
public String getConfiguration(PropertyContext context) {
+ final AwsRoleSource roleSource =
context.getProperty(KafkaClientComponent.AWS_ROLE_SOURCE).asAllowableValue(AwsRoleSource.class);
final String awsProfileName =
context.getProperty(KafkaClientComponent.AWS_PROFILE_NAME).evaluateAttributeExpressions().getValue();
+ final String assumeRoleArn =
context.getProperty(KafkaClientComponent.AWS_ASSUME_ROLE_ARN).getValue();
+ final String assumeRoleSessionName =
context.getProperty(KafkaClientComponent.AWS_ASSUME_ROLE_SESSION_NAME).getValue();
final LoginConfigBuilder builder = new
LoginConfigBuilder(MODULE_CLASS, REQUIRED);
- if (StringUtils.isNotBlank(awsProfileName)) {
+ if (roleSource == AwsRoleSource.SPECIFIED_PROFILE &&
StringUtils.isNotBlank(awsProfileName)) {
builder.append(AWS_PROFILE_NAME_KEY, awsProfileName);
}
+ if (roleSource == AwsRoleSource.SPECIFIED_ROLE) {
+ if (StringUtils.isNotBlank(assumeRoleArn)) {
+ builder.append(ROLE_ARN_KEY, assumeRoleArn);
+ }
+ if (StringUtils.isNotBlank(assumeRoleSessionName)) {
+ builder.append(ROLE_SESSION_NAME_KEY, assumeRoleSessionName);
+ }
Review Comment:
The `isNotBlank()` checks look like they can be removed by requiring the
properties.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
