-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🚨 Add SSL documentation and check logic for S3 Destination 🚨 #17340
Conversation
NOTE
|
/test connector=connectors/s3-destination
Build FailedTest summary info:
|
* @param endpoint URL string representing an accessible S3 bucket | ||
*/ | ||
public static void testCustomEndpointSecured(final String endpoint) { | ||
if (!endpoint.contains("s3-accesspoint")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this might be overzealous and also not catch all problematic endpoints? It's possible to self-host an S3-compatible API, which is mostly what this config is used for. And that's considered secure, assuming the connection uses HTTPS. E.g. I might have https://mystorage.edgao.example.com
.
But I could also (hypothetically) host my API at http://s3-accesspoint.edgao.example.com
- which passes this check, but is not secured.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also, I think we should only be enforcing this check in cloud. I.e. OSS users might want to use unsecured connections intentionally, and we should allow that to happen. (maybe they're hosting airbyte and S3 within their own network, and are OK with having unsecured traffic within their network)
also also, where is this method actually invoked? I'm guessing you have a local unpushed commit or something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the check to validate if https://
is contained in the endpoint. Currently looking into using AdaptiveDestinationRunner
on how to get this feature only within cloud and not within OSS users
Also added the method invocation within BaseS3Destination
since it accidentally got cleared due to the overhaul of S3 heirarchy 🤦♂️
airbyte-integrations/connectors/destination-s3/src/main/resources/spec.json
Outdated
Show resolved
Hide resolved
NOTE
|
0c171e6
to
450b054
Compare
NOTE
|
/test connector=connectors/destination-s3
Build FailedTest summary info:
|
@@ -47,6 +47,7 @@ public AirbyteConnectionStatus check(JsonNode config) { | |||
S3BaseChecks.attemptS3WriteAndDelete(storageOperations, destinationConfig, destinationConfig.getBucketName()); | |||
S3BaseChecks.testSingleUpload(s3Client, destinationConfig.getBucketName(), destinationConfig.getBucketPath()); | |||
S3BaseChecks.testMultipartUpload(s3Client, destinationConfig.getBucketName(), destinationConfig.getBucketPath()); | |||
S3BaseChecks.testCustomEndpointSecured(destinationConfig.getEndpoint()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from what I understand, this will force all uses of S3 connector to use HTTPS even outside of Airbyte Cloud, which is not the intention of the issue. The intention is to force this only in Airbyte Cloud.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I haven't pushed up the code that uses the AdaptiveDestinationRunner
which will only set the check with custom endpoint for Cloud. I'm currently in the process of getting a local version of MinIO S3 running to test the custom endpoint doesn't fail for OSS users
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see you pushed the changes that use AdaptiveDestinationRunner, but this part is still here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh good catch, I'll update this
…mentation for insecure settings
…on of secured endpoint
56fc138
to
7386e91
Compare
NOTE
|
/test connector=connectors/destination-s3
Build PassedTest summary info:
|
NOTE
|
Doc looks good to me! Will let technical reviewers approve the PR :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
couple tiny nitpicks but otherwise
(perfect timing @Amruta-Ranade 😂 )
if (endpoint == null || endpoint.length() == 0) { | ||
return true; | ||
} else { | ||
return endpoint.contains("https://"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nitpick:
return endpoint.contains("https://"); | |
return endpoint.startsWith("https://"); |
maybe we should be using a proper url parser, but that feels kind of overkill here
final S3DestinationConfig destinationConfig = this.configFactory.getS3DestinationConfig(config, super.storageProvider()); | ||
|
||
if (!S3BaseChecks.testCustomEndpointSecured(destinationConfig.getEndpoint())) { | ||
return new AirbyteConnectionStatus() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nitpick: add a comment explaining why we do an early return instead of returning the list of this status + super.check(config)
import org.junit.jupiter.api.BeforeEach; | ||
import org.junit.jupiter.api.Test; | ||
|
||
public class S3DestinationStrictEncryptTest { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice, solid test cases :)
/publish connector=connectors/destination-s3 run-tests=false
if you have connectors that successfully published but failed definition generation, follow step 4 here |
NOTE
|
…hq#17340) * Adds logic to fail upon non-deterministic custom S3 endpoint and documentation for insecure settings * Reused config factory settings to a single static variable * Updated error message and example in the spec.json to match expectation of secured endpoint * Added validation check within the base s3 * Integrated AdaptiveDestinationRunner with S3Destination * Reduced visibility for testing and fixed AdaptiveDestinationRunner issue * Adds speicifc secure protocol with S3 and empty endpoint check * Bumps docker version and adds comments and clearer string methods * auto-bump connector version [ci skip] Co-authored-by: Octavia Squidington III <octavia-squidington-iii@users.noreply.github.com>
What
Closes #16301
Adds documentation for customers to secure their S3 destination connection. This follows after concerns brought up in this slack thread which also references how other companies emphasis the need for customers to enforce only encrypted traffic for their S3 buckets/clusters
There is also a new "check" assertion that requires users to use "HTTPS only" custom endpoints as referred to by the original spec.json and here
How
Documentation for users to follow the shared responsibility model that AWS employs for securing a S3 destination endpoint and removes the ability for users to use a custom endpoint that is not always HTTPS only
Removal of the line within
constants.ts
will revert the hiding of the destination connector within the UI. S3 destination still exists, only that it was previously hidden within the UI and so users could not update their connections if desiredRecommended reading order
S3BaseChecks.java
S3DestinationTest.java
s3.md
constants.ts
spec.json
🚨 User Impact 🚨
Are there any breaking changes? What is the end result perceived by the user? If yes, please merge this PR with the 🚨🚨 emoji so changelog authors can further highlight this if needed.
This can potentially break users if they were using a custom endpoint that was not always HTTPS only
Pre-merge Checklist
Expand the relevant checklist and delete the others.
New Connector
Community member or Airbyter
airbyte_secret
./gradlew :airbyte-integrations:connectors:<name>:integrationTest
.README.md
bootstrap.md
. See description and examplesdocs/integrations/<source or destination>/<name>.md
including changelog. See changelog exampledocs/integrations/README.md
airbyte-integrations/builds.md
Airbyter
If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.
/test connector=connectors/<name>
command is passing/publish
command described hereUpdating a connector
Community member or Airbyter
airbyte_secret
./gradlew :airbyte-integrations:connectors:<name>:integrationTest
.README.md
bootstrap.md
. See description and examplesdocs/integrations/<source or destination>/<name>.md
including changelog. See changelog exampleAirbyter
If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.
/test connector=connectors/<name>
command is passing/publish
command described hereConnector Generator
-scaffold
in their name) have been updated with the latest scaffold by running./gradlew :airbyte-integrations:connector-templates:generator:testScaffoldTemplates
then checking in your changesTests
Unit
Put your unit tests output here.
Integration
Put your integration tests output here.
Acceptance
Put your acceptance tests output here.