NIFI-10760 Add Api key authentication option to ElasticSearchClientServiceImpl #6619
Conversation
There was a problem hiding this comment.
Thanks for the improvement @nandorsoma!
The general approach with new properties looks good, I noted several recommendations regarding naming and allowable values.
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service-api/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientService.java
Outdated
Show resolved
Hide resolved
...ient-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java
Outdated
Show resolved
Hide resolved
...ient-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java
Outdated
Show resolved
Hide resolved
|
|
||
| public enum AuthorizationScheme { | ||
| BASIC("Basic"), | ||
| API_KEY("API key"); |
There was a problem hiding this comment.
Should there be an entry for connections using 2-way TLS (pki Realm in Elasticsearch)?
There was a problem hiding this comment.
And a NONE option for unsecured Elasticsearch instances (not that we'd encourage that, but imagine there are plenty of people doing that, particularly in development environments)
There was a problem hiding this comment.
It would make sense, but we can't add it because we need to provide backward compatibility. What would be the default value in that case? I guess NONE should be. It would cause confusion if someone upgrades to a newer version and Basic Authentication is set.
There was a problem hiding this comment.
I'd probably stick with BASIC being the default as that would mean Username/Password remain available by default when adding the Processor to the canvas, which matches the current behaviour and therefore is backwards compatible.
If the user selects NONE then I guess we'd be hiding the existing Username/Password and new API Key property inputs (via dependsOn).
If the user selected PKI then it would be great if the SSLContext Controller become mandatory, but I don't think that's currently possible, so in effect this would have the same effect as NONE on the available processor properties (we don't want to hide SSL Context if something other than PKI is selected here, as https/TLS might very well still be needed even if it's not used for Auth in Elasticsearch).
One option might be to use some customerValidation for this though - if the user has selected PKI, they must also specify an SSL Context in their processor configuration. Similarly, if NONE is selected, then we could validate that none of the Username/Password/API Key fields are provided?
There was a problem hiding this comment.
With the introduction of the new enum, supporting TLS as an Authorization Scheme sounds like something that could be handled in a subsequent issue.
...arch-client-service-api/src/main/java/org/apache/nifi/elasticsearch/AuthorizationScheme.java
Outdated
Show resolved
Hide resolved
| public enum AuthorizationScheme { | ||
| BASIC("Basic"), | ||
| API_KEY("API key"); | ||
|
|
There was a problem hiding this comment.
Should jwt and kerberos Elasticsearch realms also be supported?
Happy for this to be raised as new follow-on jira ticket(s) for the future if too much to add now - might need some further consideration as these connection types would likely need to use regularly changing tokens rather than more static credentials set on the controller, so wee might need a way of getting that from the Processor or some other sort of token provider controller if/when they exist in future
There was a problem hiding this comment.
It would make sense, but as you noted probably in a separate pr.
There was a problem hiding this comment.
Are you happy to raise a new Jira ticket for those once this approach has been approved, as the new ticket could point to how this has been implemented?
There was a problem hiding this comment.
I agree that a separate issue sounds good, as it would provide more opportunity to outline the implementation approach.
|
need to force push because of the conflict |
nandorsoma
force-pushed
the
NIFI-10760
branch
from
9b691dd
to
32bd6f7
Compare
|
Thank you for the reviews @exceptionfactory and @ChrisSamo632! |
There was a problem hiding this comment.
Thanks for making the adjustments @nandorsoma, the current version looks good!
Do you have any additional feedback @ChrisSamo632? It sounds like there are some possibilities for follow-on improvements, but the current version looks ready.
If the remaining suggestions are captured as follow-on tickets (so we don't forget them), I've no objection to these change being Approved & merged |
|
Hey @exceptionfactory, @ChrisSamo632! Follow up Jiras (I didn't add NONE as a separate one, but mentioned it in the PKI one): |
|
Thanks for the confirmation @ChrisSamo632! Thanks for the work on this @nandorsoma, and for writing up the follow-on issues! +1 merging |
This closes apache#6619 Signed-off-by: David Handermann <exceptionfactory@apache.org>
There was a problem hiding this comment.
@nandorsoma could you take a look at my comment and help us?
| final String apiKeyCredentials = String.format("%s:%s", apiKeyId, apiKey); | ||
| final String apiKeyAuth = Base64.getEncoder().encodeToString((apiKeyCredentials).getBytes(StandardCharsets.UTF_8)); |
There was a problem hiding this comment.
Hi @nandorsoma , I ran into issues with Elastic Search API auth. Standard HTTP client works well for me, but it did not work with this client implementation. I looked into the code then found some questionable lines. What is API key id doing here? It is a required field, but should it be part of the token? And why does it encode the string once more as we already pass in base64 token string. Could you elaborate?
There was a problem hiding this comment.
The id and key would be the values returned by Elasticsearch when you create an api key - NiFi requires both of these to construct the Authorization (ApiKey) header
From your description, it sounds like you are applying the encoded field from the Elasticsearch response (which is the Base64 encoded id & key) - NiFi doesn't currently use that in its approach - if you require that, you could raise a Jira to request it be added (submit a PR of your able) to make that an alternative to providing these existing fields
There was a problem hiding this comment.
Thanks, Chris. Feeling enlightened.
Summary
NIFI-10760
Tracking
Please complete the following tracking steps prior to pull request creation.
Issue Tracking
Pull Request Tracking
NIFI-00000NIFI-00000Pull Request Formatting
mainbranchVerification
Please indicate the verification steps performed prior to pull request creation.
Build
mvn clean install -P contrib-checkLicensing
LICENSEandNOTICEfilesDocumentation