turcsanyip commented on code in PR #10482:
URL: https://github.com/apache/nifi/pull/10482#discussion_r2814172422
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-services-api/src/main/java/org/apache/nifi/services/azure/storage/AzureStorageCredentialsDetails_v12.java:
##########
@@ -169,14 +181,32 @@ public static AzureStorageCredentialsDetails_v12
createWithServicePrincipal(
String servicePrincipalClientId,
String servicePrincipalClientSecret,
ProxyOptions proxyOptions) {
- return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.SERVICE_PRINCIPAL, null, null, null,
- servicePrincipalTenantId, servicePrincipalClientId,
servicePrincipalClientSecret, null, proxyOptions);
+ return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.SERVICE_PRINCIPAL,
+ null, null, null, servicePrincipalTenantId,
servicePrincipalClientId, servicePrincipalClientSecret, null, null,
proxyOptions);
}
public static AzureStorageCredentialsDetails_v12 createWithAccessToken(
String accountName,
String endpointSuffix,
AccessToken accessToken) {
- return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.ACCESS_TOKEN, null, null, null,
null, null, null, accessToken, null);
+ return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.IDENTITY_FEDERATION,
+ null, null, null, null, null, null, accessToken, null, null);
+ }
+
+ public static AzureStorageCredentialsDetails_v12 createWithAccessToken(
+ String accountName,
+ String endpointSuffix,
+ AccessToken accessToken,
+ AzureIdentityFederationTokenProvider identityTokenProvider) {
+ return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.IDENTITY_FEDERATION, null, null,
null,
+ null, null, null, accessToken, identityTokenProvider, null);
+ }
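Review bot: the three-argument createWithAccessToken(accountName, endpointSuffix, accessToken) now labels the details as AzureStorageCredentialsType.IDENTITY_FEDERATION while passing null for the identity token provider, so an existing caller that supplies only an AccessToken gets a details object whose type claims federation but whose provider is null; keep AzureStorageCredentialsType.ACCESS_TOKEN in that factory. The constructor call has also grown to twelve positional arguments, most of them null, which makes it easy to swap accessToken and identityTokenProvider; per-type private constructors or a builder would make these factories safer to maintain.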
Review Comment:
This method is not needed and can be deleted. Either token provider or
access token is used.
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-processors/src/main/java/org/apache/nifi/processors/azure/storage/queue/AbstractAzureQueueStorage_v12.java:
##########
@@ -176,9 +175,9 @@ private void processCredentials(final QueueClientBuilder
clientBuilder, final Az
.clientSecret(storageCredentialsDetails.getServicePrincipalClientSecret())
.build());
break;
- case ACCESS_TOKEN:
- TokenCredential credential = tokenRequestContext ->
Mono.just(storageCredentialsDetails.getAccessToken());
- clientBuilder.credential(credential);
+ case IDENTITY_FEDERATION:
+ final AzureIdentityFederationTokenProvider
identityTokenProvider = storageCredentialsDetails.getIdentityTokenProvider();
+
clientBuilder.credential(identityTokenProvider.getCredentials());
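Review bot: identityTokenProvider is dereferenced at identityTokenProvider.getCredentials() with no null check; with the ACCESS_TOKEN case deleted, a details object created through the existing three-argument createWithAccessToken factory (which supplies no provider) reaches this branch and fails with an uninformative NullPointerException. Keep a separate ACCESS_TOKEN case that wraps getAccessToken() in a TokenCredential as before, and in the IDENTITY_FEDERATION case fail fast with a descriptive exception when getIdentityTokenProvider() returns null.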
Review Comment:
Please keep the original ACCESS_TOKEN case as well.
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-services-api/src/main/java/org/apache/nifi/services/azure/storage/AzureStorageCredentialsDetails_v12.java:
##########
@@ -169,14 +181,32 @@ public static AzureStorageCredentialsDetails_v12
createWithServicePrincipal(
String servicePrincipalClientId,
String servicePrincipalClientSecret,
ProxyOptions proxyOptions) {
- return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.SERVICE_PRINCIPAL, null, null, null,
- servicePrincipalTenantId, servicePrincipalClientId,
servicePrincipalClientSecret, null, proxyOptions);
+ return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.SERVICE_PRINCIPAL,
+ null, null, null, servicePrincipalTenantId,
servicePrincipalClientId, servicePrincipalClientSecret, null, null,
proxyOptions);
}
public static AzureStorageCredentialsDetails_v12 createWithAccessToken(
String accountName,
String endpointSuffix,
AccessToken accessToken) {
- return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.ACCESS_TOKEN, null, null, null,
null, null, null, accessToken, null);
+ return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.IDENTITY_FEDERATION,
Review Comment:
```suggestion
return new AzureStorageCredentialsDetails_v12(accountName,
endpointSuffix, AzureStorageCredentialsType.ACCESS_TOKEN,
```
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-processors/src/main/resources/docs/org.apache.nifi.services.azure.StandardAzureIdentityFederationTokenProvider/additionalDetails.md:
##########
@@ -0,0 +1,55 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+# StandardAzureIdentityFederationTokenProvider
+
+The *StandardAzureIdentityFederationTokenProvider* provides Azure
`TokenCredential` for workload identity federation. It exchanges tokens from
external identity providers for Azure AD credentials using Azure Identity SDK's
`ClientAssertionCredential`. This approach provides built-in token caching,
automatic refresh, and robust error handling.
+
+Components such as the ADLS and Azure Storage credentials controller services
reference this provider when the **Credentials Type** is set to **Access
Token**.
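Review bot: the second paragraph ties this provider to the Credentials Type value "Access Token", which does not match the IDENTITY_FEDERATION option introduced elsewhere in this PR; the page should name the option the user actually selects. The first paragraph also promises "built-in token caching, automatic refresh, and robust error handling" without saying what an operator will observe when the external identity token is missing, expired or rejected by Microsoft Entra ID; one sentence on the failure behaviour (what is logged and whether the controller service becomes invalid) would make the documentation actionable.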
Review Comment:
```suggestion
Components such as the ADLS and Azure Storage credentials controller
services reference this provider when the **Credentials Type** is set to
**Identity Federation**.
```
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-services-api/src/main/java/org/apache/nifi/services/azure/storage/AzureStorageCredentialsType.java:
##########
@@ -24,7 +24,7 @@ public enum AzureStorageCredentialsType implements
DescribedValue {
SAS_TOKEN("SAS Token", "SAS (Shared Access Signature) Token generated for
accessing resources in the storage account"),
MANAGED_IDENTITY("Managed Identity", "Azure Virtual Machine Managed
Identity (it can only be used when NiFi is running on Azure)"),
SERVICE_PRINCIPAL("Service Principal", "Azure Active Directory Service
Principal with Client Id / Client Secret of a registered application"),
- ACCESS_TOKEN("Access Token", "Access Token provided by custom controller
service implementations");
+ IDENTITY_FEDERATION("Identity Federation", "Azure credential obtained via
workload identity federation using an external identity token");
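Review bot: replacing ACCESS_TOKEN with IDENTITY_FEDERATION is a breaking change for existing flows: the enum is a DescribedValue, so the stored property value "Access Token" in current configurations would no longer map to any constant after an upgrade. Add IDENTITY_FEDERATION as an additional constant and leave ACCESS_TOKEN in place with its original description.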
Review Comment:
Please keep the original bare ACCESS_TOKEN option as well. In my earlier
comment I mentioned _"Separating the Identity Federation and the Access Token
options"_ but I meant to keep ACCESS_TOKEN as-is and add Identity Federation as
a new option.
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-processors/src/main/java/org/apache/nifi/processors/azure/storage/utils/BlobServiceClientFactory.java:
##########
@@ -73,12 +72,12 @@ private void configureCredential(final
BlobServiceClientBuilder clientBuilder, f
.clientSecret(credentialsDetails.getServicePrincipalClientSecret())
.httpClient(new NettyAsyncHttpClientBuilder()
.proxy(credentialsDetails.getProxyOptions())
- .build())
+ .build())
.build());
break;
- case ACCESS_TOKEN:
- TokenCredential credential = tokenRequestContext ->
Mono.just(credentialsDetails.getAccessToken());
- clientBuilder.credential(credential);
+ case IDENTITY_FEDERATION:
+ final AzureIdentityFederationTokenProvider
identityTokenProvider = credentialsDetails.getIdentityTokenProvider();
+
clientBuilder.credential(identityTokenProvider.getCredentials());
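Review bot: the change at `.build())` is whitespace-only and adds noise to the diff; revert it unless it corrects a real indentation error. The IDENTITY_FEDERATION branch has the same gap as in the queue processor: identityTokenProvider.getCredentials() is invoked without checking that getIdentityTokenProvider() returned a provider, and the ACCESS_TOKEN path that wrapped getAccessToken() in a TokenCredential has been removed rather than kept alongside the new case.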
Review Comment:
Please keep the original ACCESS_TOKEN case as well.
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-processors/src/main/resources/docs/org.apache.nifi.services.azure.storage.ADLSCredentialsControllerService/additionalDetails.md:
##########
@@ -15,6 +15,12 @@
# ADLSCredentialsControllerService
+### Azure Identity Federation Token Provider
+
+When the **Credentials Type** property is set to `Access Token`, configure the
**Azure Identity Federation Token Provider** with a controller service capable
of exchanging workload identity tokens for Azure AD access tokens. The provider
must return an `access_token` issued by Microsoft Entra ID (for example using
the `StandardAzureIdentityFederationTokenProvider`). The access token is
converted to the Azure SDK representation and cached in memory until it expires.
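Review bot: the new section is an h3 (###) placed directly under the h1 page title, skipping the h2 level; use ## so the heading hierarchy stays consistent. The text also still says Credentials Type `Access Token` while the property it describes is the identity federation provider, and it would help operators to state whether the Azure Identity Federation Token Provider property is required only for that credentials type.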
Review Comment:
```suggestion
When the **Credentials Type** property is set to `Identity Federation`,
configure the **Azure Identity Federation Token Provider** with a controller
service capable of exchanging workload identity tokens for Azure AD access
tokens. The provider must return an `access_token` issued by Microsoft Entra ID
(for example using the `StandardAzureIdentityFederationTokenProvider`). The
access token is converted to the Azure SDK representation and cached in memory
until it expires.
```
##########
nifi-extension-bundles/nifi-azure-bundle/nifi-azure-processors/src/main/java/org/apache/nifi/processors/azure/storage/CopyAzureBlobStorage_v12.java:
##########
@@ -364,9 +364,9 @@ private static AzureStorageCredentialsService_v12
getCopyFromCredentialsService(
private static HttpAuthorization getHttpAuthorization(final
AzureStorageCredentialsDetails_v12 credentialsDetails) {
switch (credentialsDetails.getCredentialsType()) {
- case ACCESS_TOKEN -> {
- TokenCredential credential = tokenRequestContext ->
Mono.just(credentialsDetails.getAccessToken());
- return getHttpAuthorizationFromTokenCredential(credential);
+ case IDENTITY_FEDERATION -> {
+ final AzureIdentityFederationTokenProvider
identityTokenProvider = credentialsDetails.getIdentityTokenProvider();
+ return
getHttpAuthorizationFromTokenCredential(identityTokenProvider.getCredentials());
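Review bot: the IDENTITY_FEDERATION arrow case calls identityTokenProvider.getCredentials() on the value of getIdentityTokenProvider() without a null check, and the ACCESS_TOKEN case that built a TokenCredential from getAccessToken() is removed instead of retained. With both credentials types supported this switch needs both cases, and the federation case should throw a descriptive exception when no provider is configured rather than surfacing a NullPointerException from the copy-source authorization path.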
Review Comment:
Please keep the original ACCESS_TOKEN case as well.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]