NIFI-10776 add NONE and PKI AuthorizationSchemes for ElasticSearchClientService#6662
NIFI-10776 add NONE and PKI AuthorizationSchemes for ElasticSearchClientService#6662ChrisSamo632 wants to merge 2 commits intoapache:mainfrom
Conversation
exceptionfactory
left a comment
exceptionfactory
left a comment
There was a problem hiding this comment.
Thanks for the contribution @ChrisSamo632.
Reviewing the changes, are these new Authorization Schemes necessary? NONE is implied in the absence of credentials, and PKI appears to be handled already through the configuration of an SSL Context Service. It seems better to avoid introducing additional settings if they do not impact runtime behavior.
I guess the question is whether people will understand that they can select (for example) BASIC auth but then leave username & password empty in order to get NOONE. Similarly, doing the same but configuring an SSLContextService (with keystore) for PKI auth The added validation simply adds some more guidance to what's already possible, I get that, but is it obvious enough that alternatives are available if we only have a mandatory Authorisation Scheme that only allows BASIC or API_KEY? |
|
Thanks for the reply @ChrisSamo632, good points. Of course this would have been more logical if the Scheme property had been there since the beginning, but adding it later does make it a little more challenging. As it stands, the default Given the complexity of the validation code, I'm not as inclined to add it for informational purposes. Adding Taking a step back, the |
|
@exceptionfactory I see the argument either way I think there are a couple of changes/fixes here with keeping even if the approach is changed (although they could be rolled into other PRs), e.g. fixes for the integration-tests (broken by the previous addition for API_KEY) and a start of unit tests for the controller class There will possibly be other Auth Schemes to add in future, which could swing the argument - Kerberos and JWT are both supported by Elasticsearch and could be configured for use by NiFi (on my list to raise tickets for these). Do you think this changes the argument (for NONE/PKI) at all? |
|
I agree it would be helpful to move this pull request forward to get the integration test improvements. I would also note that we should avoid unit testing exact error message strings, instead it is better to assert that a message contains a particular keyword. The potential for additional schemes is a good point in favor of these additions. Can you take a look at simplifying the custom validation method? I could see the |
@exceptionfactory I've simplified the For the additional |
ChrisSamo632
force-pushed
the
NIFI-10776
branch
from
1b32e1b to
56f1dfd
Compare
exceptionfactory
left a comment
exceptionfactory
left a comment
There was a problem hiding this comment.
Thanks for making the adjustments @ChrisSamo632, the latest version looks good. +1 merging
…lientService This closes apache#6662 Signed-off-by: David Handermann <exceptionfactory@apache.org>
2 participants
Summary
NIFI-10776 add NONE and PKI AuthorizationSchemes for ElasticSearchClientService
Fix the ElasticSearchClientService integration-tests for Elasticsearch 6.x/7.x
Tracking
Please complete the following tracking steps prior to pull request creation.
Issue Tracking
Pull Request Tracking
NIFI-00000NIFI-00000Pull Request Formatting
mainbranchVerification
Please indicate the verification steps performed prior to pull request creation.
Build
mvn clean install -P contrib-checkLicensing
[ ] New dependencies are compatible with the Apache License 2.0 according to the License Policy[ ] New dependencies are documented in applicableLICENSEandNOTICEfilesDocumentation
[ ] Documentation formatting appears as expected in rendered files