[ https://issues.apache.org/jira/browse/NIFI-15205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18037896#comment-18037896 ]
ASF subversion and git services commented on NIFI-15205:
--------------------------------------------------------
Commit d41f22491bdcab92201f82110d43feac8a90cb10 in nifi's branch
refs/heads/main from Pierre Villard
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=d41f22491b ]
NIFI-15205 Fixed migration logic for new Authentication Strategy properties in
EventHub components (#10514)
Signed-off-by: David Handermann <[email protected]>
> Fix migration logic for new Authentication Strategy properties in EventHub
> components
> -------------------------------------------------------------------------------------
>
> Key: NIFI-15205
> URL: https://issues.apache.org/jira/browse/NIFI-15205
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 2.7.0
> Reporter: Pierre Villard
> Assignee: Pierre Villard
> Priority: Major
> Fix For: 2.7.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In NIFI-15178, we introduced new properties to define the authentication
> strategy when using the EventHub components. This should effectively be a
> no-op from a user perspective as we handle the migration logic to set the
> proper value of these new properties based on existing configuration.
> However, while reviewing the work done in NIFI-15200, it appears that the
> implemented logic was not enough.
> In the original Event Hub refactor (NIFI-15178), we added the new
> Authentication Strategy/Blob Storage Authentication Strategy descriptors but
> migrated legacy configs only when those descriptors were absent. NiFi’s
> migration framework calls migrateProperties() twice: the second run provides
> the union of old + new descriptors, pre-populated with default values.
> Because we keyed off “descriptor missing” rather than “descriptor still
> default even though legacy settings exist,” the second execution skipped our
> mapping logic and overwrote any decisions from the first execution. The net
> effect for real deployments is that processors configured with Managed
> Identity or SAS credentials reverted to whatever default the new descriptor
> declared (Managed Identity for Event Hubs auth, Storage Account Key for blob
> checkpoints), silently breaking existing flows after upgrade.
> The logic needs to be improved with:
> * Rename and isolate the legacy flag -
> AzureEventHubUtils.LEGACY_USE_MANAGED_IDENTITY_PROPERTY_NAME replaces the old
> descriptor so it’s clear this value is only for migration; it’s removed at
> the end of migrateProperties().
> * Recompute only when appropriate – Each processor now reads the raw value
> of Authentication Strategy (and for Consume, also Blob Storage Authentication
> Strategy). We recompute when the value is missing or still equal to the
> default while legacy properties (the boolean flag or SAS inputs) are present.
> When we derive a SAS-based strategy, we only do so if we actually detect
> shared access credentials; otherwise we retain Managed Identity. This mirrors
> the GCPCredentials fix: legacy data wins over a defaulted descriptor.
> * Add regression coverage – The processor tests now include explicit
> migration scenarios ensuring (a) SAS credentials override a defaulted Managed
> Identity strategy and (b) a legacy SAS token causes the blob strategy to flip
> to SHARED_ACCESS_SIGNATURE. These tests would have failed with the previous
> logic, so they guard against regression.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
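
The two-pass behaviour described in the issue, as an added example: a simplified Python model, not code from NiFi or from the commit. The property keys for the legacy flag and SAS inputs, the MANAGED_IDENTITY value label and the run_two_passes() helper are assumptions made for illustration; the second pass is modelled exactly as the description states it (old + new descriptors, defaults filled in).

```python
# Simplified model of the two-pass migration described in the issue; not NiFi code.
AUTH = "Authentication Strategy"              # new descriptor named in the issue
LEGACY_FLAG = "legacy-use-managed-identity"   # hypothetical key for the legacy boolean
SAS_NAME = "sas-policy-name"                  # hypothetical keys for legacy SAS inputs
SAS_KEY = "sas-policy-key"
MANAGED_IDENTITY = "MANAGED_IDENTITY"         # constructed label; the default per the issue
SAS = "SHARED_ACCESS_SIGNATURE"


def has_sas(cfg):
    return bool(cfg.get(SAS_NAME) and cfg.get(SAS_KEY))


def derive(cfg):
    """Map legacy settings to a strategy; SAS only when credentials are really there."""
    if cfg.get(LEGACY_FLAG) != "true" and has_sas(cfg):
        return SAS
    return MANAGED_IDENTITY


def migrate_old(cfg):
    # Flawed: keyed off "descriptor missing", so a defaulted value is never revisited.
    if AUTH not in cfg:
        cfg[AUTH] = derive(cfg)


def migrate_fixed(cfg):
    # Recompute when the raw value is missing, or still the default while legacy data exists.
    current = cfg.get(AUTH)
    legacy_present = LEGACY_FLAG in cfg or has_sas(cfg)
    if current is None or (current == MANAGED_IDENTITY and legacy_present):
        cfg[AUTH] = derive(cfg)
    cfg.pop(LEGACY_FLAG, None)  # the flag exists only for migration


def run_two_passes(migrate, stored):
    """Pass 1 sees the stored config; pass 2 sees old + new descriptors with defaults."""
    first = dict(stored)
    migrate(first)
    second = {AUTH: MANAGED_IDENTITY, **stored}
    migrate(second)
    return second


# Constructed legacy flow: SAS credentials, no Authentication Strategy set yet.
legacy_sas = {LEGACY_FLAG: "false", SAS_NAME: "policy", SAS_KEY: "constructed-key"}
print(run_two_passes(migrate_old, legacy_sas)[AUTH])
print(run_two_passes(migrate_fixed, legacy_sas)[AUTH])
```

With the old check the SAS-configured flow ends up on the defaulted strategy after the second pass; the fixed check keeps the strategy derived from the legacy credentials and leaves an explicitly chosen non-default value alone.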