Posted to commits@nifi.apache.org by jg...@apache.org on 2022/03/02 17:31:18 UTC

[nifi] branch main updated: NIFI-9679 Added access-environment-credentials permission

This is an automated email from the ASF dual-hosted git repository.

jgresock pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new fee7c16  NIFI-9679 Added access-environment-credentials permission
fee7c16 is described below

commit fee7c16732983d1b7f185e23e63105d250bb87ae
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Thu Feb 24 10:08:21 2022 -0500

    NIFI-9679 Added access-environment-credentials permission
    
    - Applied new permission restrictions to AWSCredentialsProviderControllerService and GCPCredentialsControllerService
    
    Signed-off-by: Joe Gresock <jg...@gmail.com>
    
    This closes #5796.
---
 .../java/org/apache/nifi/components/RequiredPermission.java   |  1 +
 .../service/AWSCredentialsProviderControllerService.java      | 11 +++++++++++
 .../credentials/service/GCPCredentialsControllerService.java  | 11 +++++++++++
 3 files changed, 23 insertions(+)

diff --git a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
index a7cdec8..d931b13 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
@@ -29,6 +29,7 @@ public enum RequiredPermission {
     EXECUTE_CODE("execute-code", "execute code"),
     ACCESS_KEYTAB("access-keytab", "access keytab"),
     ACCESS_TICKET_CACHE("access-ticket-cache", "access ticket cache"),
+    ACCESS_ENVIRONMENT_CREDENTIALS("access-environment-credentials", "access environment credentials"),
     EXPORT_NIFI_DETAILS("export-nifi-details", "export nifi details");
 
     private String permissionIdentifier;
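Review bot: The new constant carries no comment saying what "environment credentials" covers, and unlike its neighbours the name alone does not settle whether it means only process environment variables or also system properties and instance/service-account credentials, which is how the two controller services in this commit use it. A one-line comment would fix that for the next component author, e.g. `// credentials obtained implicitly from the host: environment variables, system properties, instance profile or service-account metadata`. The enum's remaining members and fields are outside the hunk.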
diff --git a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
index 1323f9c..476a41c 100644
--- a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
+++ b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
@@ -23,10 +23,13 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.controller.AbstractControllerService;
@@ -58,6 +61,14 @@ import static org.apache.nifi.processors.aws.credentials.provider.factory.Creden
         "Default credentials support EC2 instance profile/role, default user profile, environment variables, etc. " +
         "Additional options include access key / secret key pairs, credentials file, named profile, and assume role credentials.")
 @Tags({ "aws", "credentials","provider" })
+@Restricted(
+        restrictions = {
+                @Restriction(
+                        requiredPermission = RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS,
+                        explanation = "The default configuration can read environment variables and system properties for credentials"
+                )
+        }
+)
 public class AWSCredentialsProviderControllerService extends AbstractControllerService implements AWSCredentialsProviderService {
 
     public static final PropertyDescriptor ASSUME_ROLE_ARN = CredentialPropertyDescriptors.ASSUME_ROLE_ARN;
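Review bot: The restriction is declared on the class, so it appears to gate the service for every credential strategy, including the explicit access key / secret key, credentials file and named profile options the capability description lists just above the annotation, while the explanation text only speaks of the default configuration. Existing flows that never touch environment credentials would then need the new permission after upgrade, which neither the explanation nor the commit message says. Suggest making the scope explicit, e.g. `explanation = "The default credentials strategy can read environment variables, system properties and instance profile credentials; the permission is required regardless of the configured strategy"`. The same wording point applies to the GCPCredentialsControllerService hunk in this commit. The class body continues outside the hunk.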
diff --git a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
index b161e61..fe32d64 100644
--- a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
+++ b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
@@ -18,12 +18,15 @@ package org.apache.nifi.processors.gcp.credentials.service;
 
 import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.oauth2.GoogleCredentials;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
 import org.apache.nifi.components.ConfigVerificationResult;
 import org.apache.nifi.components.ConfigVerificationResult.Outcome;
 import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.controller.AbstractControllerService;
@@ -60,6 +63,14 @@ import static org.apache.nifi.processors.gcp.credentials.factory.CredentialPrope
         "a credential file, the config generated by `gcloud auth application-default login`, AppEngine/Compute Engine" +
         " service accounts, etc.")
 @Tags({ "gcp", "credentials","provider" })
+@Restricted(
+        restrictions = {
+                @Restriction(
+                        requiredPermission = RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS,
+                        explanation = "The default configuration can read environment variables and system properties for credentials"
+                )
+        }
+)
 public class GCPCredentialsControllerService extends AbstractControllerService implements GCPCredentialsService, VerifiableControllerService {
 
     private static final List<PropertyDescriptor> properties;
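Review bot: The explanation is copied verbatim from the AWS service and only mentions environment variables and system properties, but the capability description two lines above says the default credentials also come from a credential file, the config generated by `gcloud auth application-default login`, and AppEngine/Compute Engine service accounts, so the text understates what the default strategy reads from the host. Suggest tailoring it to this service, e.g. `explanation = "The default configuration can read environment variables, the gcloud application-default configuration, and AppEngine/Compute Engine service account credentials"`. The class body continues outside the hunk.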