🚨 Add SSL documentation and check logic for S3 Destination 🚨 #17340
Conversation
github-actions
bot
added
area/connectors
|
NOTE
|
|
/test connector=connectors/s3-destination
Build FailedTest summary info: |
| * @param endpoint URL string representing an accessible S3 bucket | ||
| */ | ||
| public static void testCustomEndpointSecured(final String endpoint) { | ||
| if (!endpoint.contains("s3-accesspoint")) { |
There was a problem hiding this comment.
I think this might be overzealous and also not catch all problematic endpoints? It's possible to self-host an S3-compatible API, which is mostly what this config is used for. And that's considered secure, assuming the connection uses HTTPS. E.g. I might have https://mystorage.edgao.example.com.
But I could also (hypothetically) host my API at http://s3-accesspoint.edgao.example.com - which passes this check, but is not secured.
There was a problem hiding this comment.
also, I think we should only be enforcing this check in cloud. I.e. OSS users might want to use unsecured connections intentionally, and we should allow that to happen. (maybe they're hosting airbyte and S3 within their own network, and are OK with having unsecured traffic within their network)
also also, where is this method actually invoked? I'm guessing you have a local unpushed commit or something?
There was a problem hiding this comment.
Updated the check to validate if https:// is contained in the endpoint. Currently looking into using AdaptiveDestinationRunner on how to get this feature only within cloud and not within OSS users
Also added the method invocation within BaseS3Destination since it accidentally got cleared due to the overhaul of S3 heirarchy 🤦♂️
airbyte-integrations/connectors/destination-s3/src/main/resources/spec.json
Outdated
Show resolved
Hide resolved
|
NOTE
|
ryankfu
force-pushed
the
ryan/add-ssl-s3-destination
branch
from
0c171e6
to
450b054
Compare
|
NOTE
|
|
/test connector=connectors/destination-s3
Build FailedTest summary info: |
| @@ -47,6 +47,7 @@ public AirbyteConnectionStatus check(JsonNode config) { | |||
| S3BaseChecks.attemptS3WriteAndDelete(storageOperations, destinationConfig, destinationConfig.getBucketName()); | |||
| S3BaseChecks.testSingleUpload(s3Client, destinationConfig.getBucketName(), destinationConfig.getBucketPath()); | |||
| S3BaseChecks.testMultipartUpload(s3Client, destinationConfig.getBucketName(), destinationConfig.getBucketPath()); | |||
| S3BaseChecks.testCustomEndpointSecured(destinationConfig.getEndpoint()); | |||
There was a problem hiding this comment.
from what I understand, this will force all uses of S3 connector to use HTTPS even outside of Airbyte Cloud, which is not the intention of the issue. The intention is to force this only in Airbyte Cloud.
There was a problem hiding this comment.
Yes, I haven't pushed up the code that uses the AdaptiveDestinationRunner which will only set the check with custom endpoint for Cloud. I'm currently in the process of getting a local version of MinIO S3 running to test the custom endpoint doesn't fail for OSS users
There was a problem hiding this comment.
I see you pushed the changes that use AdaptiveDestinationRunner, but this part is still here
There was a problem hiding this comment.
Oh good catch, I'll update this
…mentation for insecure settings
…on of secured endpoint
ryankfu
force-pushed
the
ryan/add-ssl-s3-destination
branch
from
56fc138
to
7386e91
Compare
|
NOTE
|
|
/test connector=connectors/destination-s3
Build PassedTest summary info: |
|
NOTE
|
|
Doc looks good to me! Will let technical reviewers approve the PR :) |
There was a problem hiding this comment.
couple tiny nitpicks but otherwise 
(perfect timing @Amruta-Ranade 😂 )
| if (endpoint == null || endpoint.length() == 0) { | ||
| return true; | ||
| } else { | ||
| return endpoint.contains("https://"); |
There was a problem hiding this comment.
nitpick:
| return endpoint.contains("https://"); | |
| return endpoint.startsWith("https://"); |
maybe we should be using a proper url parser, but that feels kind of overkill here
| final S3DestinationConfig destinationConfig = this.configFactory.getS3DestinationConfig(config, super.storageProvider()); | ||
|
|
||
| if (!S3BaseChecks.testCustomEndpointSecured(destinationConfig.getEndpoint())) { | ||
| return new AirbyteConnectionStatus() |
There was a problem hiding this comment.
nitpick: add a comment explaining why we do an early return instead of returning the list of this status + super.check(config)
| import org.junit.jupiter.api.BeforeEach; | ||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| public class S3DestinationStrictEncryptTest { |
|
/publish connector=connectors/destination-s3 run-tests=false
if you have connectors that successfully published but failed definition generation, follow step 4 here |
|
NOTE
|
…hq#17340) * Adds logic to fail upon non-deterministic custom S3 endpoint and documentation for insecure settings * Reused config factory settings to a single static variable * Updated error message and example in the spec.json to match expectation of secured endpoint * Added validation check within the base s3 * Integrated AdaptiveDestinationRunner with S3Destination * Reduced visibility for testing and fixed AdaptiveDestinationRunner issue * Adds speicifc secure protocol with S3 and empty endpoint check * Bumps docker version and adds comments and clearer string methods * auto-bump connector version [ci skip] Co-authored-by: Octavia Squidington III <octavia-squidington-iii@users.noreply.github.com>
What
Closes #16301
Adds documentation for customers to secure their S3 destination connection. This follows after concerns brought up in this slack thread which also references how other companies emphasis the need for customers to enforce only encrypted traffic for their S3 buckets/clusters
There is also a new "check" assertion that requires users to use "HTTPS only" custom endpoints as referred to by the original spec.json and here
How
Documentation for users to follow the shared responsibility model that AWS employs for securing a S3 destination endpoint and removes the ability for users to use a custom endpoint that is not always HTTPS only
Removal of the line within
constants.tswill revert the hiding of the destination connector within the UI. S3 destination still exists, only that it was previously hidden within the UI and so users could not update their connections if desiredRecommended reading order
S3BaseChecks.javaS3DestinationTest.javas3.mdconstants.tsspec.json🚨 User Impact 🚨
Are there any breaking changes? What is the end result perceived by the user? If yes, please merge this PR with the 🚨🚨 emoji so changelog authors can further highlight this if needed.
This can potentially break users if they were using a custom endpoint that was not always HTTPS only
Pre-merge Checklist
Expand the relevant checklist and delete the others.
New Connector
Community member or Airbyter
airbyte_secret./gradlew :airbyte-integrations:connectors:<name>:integrationTest.README.mdbootstrap.md. See description and examplesdocs/integrations/<source or destination>/<name>.mdincluding changelog. See changelog exampledocs/integrations/README.mdairbyte-integrations/builds.mdAirbyter
If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.
/test connector=connectors/<name>command is passing/publishcommand described hereUpdating a connector
Community member or Airbyter
airbyte_secret./gradlew :airbyte-integrations:connectors:<name>:integrationTest.README.mdbootstrap.md. See description and examplesdocs/integrations/<source or destination>/<name>.mdincluding changelog. See changelog exampleAirbyter
If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.
/test connector=connectors/<name>command is passing/publishcommand described hereConnector Generator
-scaffoldin their name) have been updated with the latest scaffold by running./gradlew :airbyte-integrations:connector-templates:generator:testScaffoldTemplatesthen checking in your changesTests
Unit
Put your unit tests output here.
Integration
Put your integration tests output here.
Acceptance
Put your acceptance tests output here.