New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NIFI-10760 Add Api key authentication option to ElasticSearchClientServiceImpl #6619
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the improvement @nandorsoma!
The general approach with new properties looks good, I noted several recommendations regarding naming and allowable values.
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java
Outdated
Show resolved
Hide resolved
...ient-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java
Outdated
Show resolved
Hide resolved
|
||
public enum AuthorizationScheme { | ||
BASIC("Basic"), | ||
API_KEY("API key"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should there be an entry for connections using 2-way TLS (pki
Realm in Elasticsearch)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And a NONE
option for unsecured Elasticsearch instances (not that we'd encourage that, but imagine there are plenty of people doing that, particularly in development environments)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would make sense, but we can't add it because we need to provide backward compatibility. What would be the default value in that case? I guess NONE
should be. It would cause confusion if someone upgrades to a newer version and Basic Authentication
is set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd probably stick with BASIC
being the default as that would mean Username
/Password
remain available by default when adding the Processor to the canvas, which matches the current behaviour and therefore is backwards compatible.
If the user selects NONE
then I guess we'd be hiding the existing Username/Password and new API Key
property inputs (via dependsOn
).
If the user selected PKI
then it would be great if the SSLContext Controller
become mandatory, but I don't think that's currently possible, so in effect this would have the same effect as NONE
on the available processor properties (we don't want to hide SSL Context
if something other than PKI
is selected here, as https
/TLS
might very well still be needed even if it's not used for Auth in Elasticsearch).
One option might be to use some customerValidation
for this though - if the user has selected PKI
, they must also specify an SSL Context
in their processor configuration. Similarly, if NONE
is selected, then we could validate that none of the Username/Password/API Key fields are provided?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the introduction of the new enum, supporting TLS as an Authorization Scheme sounds like something that could be handled in a subsequent issue.
...arch-client-service-api/src/main/java/org/apache/nifi/elasticsearch/AuthorizationScheme.java
Outdated
Show resolved
Hide resolved
public enum AuthorizationScheme { | ||
BASIC("Basic"), | ||
API_KEY("API key"); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should jwt
and kerberos
Elasticsearch realms also be supported?
Happy for this to be raised as new follow-on jira ticket(s) for the future if too much to add now - might need some further consideration as these connection types would likely need to use regularly changing tokens rather than more static credentials set on the controller, so wee might need a way of getting that from the Processor or some other sort of token provider controller if/when they exist in future
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would make sense, but as you noted probably in a separate pr.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you happy to raise a new Jira ticket for those once this approach has been approved, as the new ticket could point to how this has been implemented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that a separate issue sounds good, as it would provide more opportunity to outline the implementation approach.
need to force push because of the conflict |
9b691dd
to
32bd6f7
Compare
Thank you for the reviews @exceptionfactory and @ChrisSamo632! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for making the adjustments @nandorsoma, the current version looks good!
Do you have any additional feedback @ChrisSamo632? It sounds like there are some possibilities for follow-on improvements, but the current version looks ready.
If the remaining suggestions are captured as follow-on tickets (so we don't forget them), I've no objection to these change being Approved & merged |
Hey @exceptionfactory, @ChrisSamo632! Follow up Jiras (I didn't add NONE as a separate one, but mentioned it in the PKI one): |
Thanks for the confirmation @ChrisSamo632! Thanks for the work on this @nandorsoma, and for writing up the follow-on issues! +1 merging |
This closes apache#6619 Signed-off-by: David Handermann <exceptionfactory@apache.org>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nandorsoma could you take a look at my comment and help us?
final String apiKeyCredentials = String.format("%s:%s", apiKeyId, apiKey); | ||
final String apiKeyAuth = Base64.getEncoder().encodeToString((apiKeyCredentials).getBytes(StandardCharsets.UTF_8)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @nandorsoma , I ran into issues with Elastic Search API auth. Standard HTTP client works well for me, but it did not work with this client implementation. I looked into the code then found some questionable lines. What is API key id doing here? It is a required field, but should it be part of the token? And why does it encode the string once more as we already pass in base64 token string. Could you elaborate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The id
and key
would be the values returned by Elasticsearch when you create an api key - NiFi requires both of these to construct the Authorization
(ApiKey) header
From your description, it sounds like you are applying the encoded
field from the Elasticsearch response (which is the Base64 encoded id
& key
) - NiFi doesn't currently use that in its approach - if you require that, you could raise a Jira to request it be added (submit a PR of your able) to make that an alternative to providing these existing fields
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, Chris. Feeling enlightened.
Summary
NIFI-10760
Tracking
Please complete the following tracking steps prior to pull request creation.
Issue Tracking
Pull Request Tracking
NIFI-00000
NIFI-00000
Pull Request Formatting
main
branchVerification
Please indicate the verification steps performed prior to pull request creation.
Build
mvn clean install -P contrib-check
Licensing
LICENSE
andNOTICE
filesDocumentation