Posted to commits@nifi.apache.org by jg...@apache.org on 2022/03/02 17:31:18 UTC
[nifi] branch main updated: NIFI-9679 Added access-environment-credentials permission
This is an automated email from the ASF dual-hosted git repository.
jgresock pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new fee7c16 NIFI-9679 Added access-environment-credentials permission
fee7c16 is described below
commit fee7c16732983d1b7f185e23e63105d250bb87ae
Author: exceptionfactory <ex...@apache.org>
AuthorDate: Thu Feb 24 10:08:21 2022 -0500
NIFI-9679 Added access-environment-credentials permission
- Applied new permission restrictions to AWSCredentialsProviderControllerService and GCPCredentialsControllerService
Signed-off-by: Joe Gresock <jg...@gmail.com>
This closes #5796.
---
.../java/org/apache/nifi/components/RequiredPermission.java | 1 +
.../service/AWSCredentialsProviderControllerService.java | 11 +++++++++++
.../credentials/service/GCPCredentialsControllerService.java | 11 +++++++++++
3 files changed, 23 insertions(+)
diff --git a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
index a7cdec8..d931b13 100644
--- a/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
+++ b/nifi-api/src/main/java/org/apache/nifi/components/RequiredPermission.java
@@ -29,6 +29,7 @@ public enum RequiredPermission {
EXECUTE_CODE("execute-code", "execute code"),
ACCESS_KEYTAB("access-keytab", "access keytab"),
ACCESS_TICKET_CACHE("access-ticket-cache", "access ticket cache"),
+ ACCESS_ENVIRONMENT_CREDENTIALS("access-environment-credentials", "access environment credentials"),
EXPORT_NIFI_DETAILS("export-nifi-details", "export nifi details");
private String permissionIdentifier;
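Review bot: `ACCESS_ENVIRONMENT_CREDENTIALS` is added without a comment saying what it gates, and the label "access environment credentials" gives a policy administrator little to decide on. A comment on the constant would help, for example `// Components that can resolve credentials from the NiFi host itself (environment variables, system properties) rather than from their own properties`. Restricted components are presumably only usable by users holding the matching policy, so the release or migration notes should say that existing users of the newly annotated services need this permission granted after upgrade. The enum body continues outside the hunk.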
diff --git a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
index 1323f9c..476a41c 100644
--- a/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
+++ b/nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/service/AWSCredentialsProviderControllerService.java
@@ -23,10 +23,13 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.controller.AbstractControllerService;
@@ -58,6 +61,14 @@ import static org.apache.nifi.processors.aws.credentials.provider.factory.Creden
"Default credentials support EC2 instance profile/role, default user profile, environment variables, etc. " +
"Additional options include access key / secret key pairs, credentials file, named profile, and assume role credentials.")
@Tags({ "aws", "credentials","provider" })
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS,
+ explanation = "The default configuration can read environment variables and system properties for credentials"
+ )
+ }
+)
public class AWSCredentialsProviderControllerService extends AbstractControllerService implements AWSCredentialsProviderService {
public static final PropertyDescriptor ASSUME_ROLE_ARN = CredentialPropertyDescriptors.ASSUME_ROLE_ARN;
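Review bot: The `explanation` on the new `@Restriction` names only environment variables and system properties, but the `@CapabilityDescription` directly above it also lists EC2 instance profile/role and the default user profile as default sources. Those ambient sources are the ones an administrator most needs to see when deciding who gets this permission, so the text should name them, e.g. `explanation = "The default configuration can resolve credentials from the NiFi host: environment variables, system properties, the default user profile, and the EC2 instance profile/role"`. The GCPCredentialsControllerService hunk copies the same string although its description lists a credential file, the `gcloud auth application-default login` config and AppEngine/Compute Engine service accounts. That explanation should be reworded to match, and its mention of system properties should be confirmed for GCP. The class body continues outside the hunk.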
diff --git a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
index b161e61..fe32d64 100644
--- a/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
+++ b/nifi-nar-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/main/java/org/apache/nifi/processors/gcp/credentials/service/GCPCredentialsControllerService.java
@@ -18,12 +18,15 @@ package org.apache.nifi.processors.gcp.credentials.service;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.GoogleCredentials;
+import org.apache.nifi.annotation.behavior.Restricted;
+import org.apache.nifi.annotation.behavior.Restriction;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.ConfigVerificationResult.Outcome;
import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.RequiredPermission;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.controller.AbstractControllerService;
@@ -60,6 +63,14 @@ import static org.apache.nifi.processors.gcp.credentials.factory.CredentialPrope
"a credential file, the config generated by `gcloud auth application-default login`, AppEngine/Compute Engine" +
" service accounts, etc.")
@Tags({ "gcp", "credentials","provider" })
+@Restricted(
+ restrictions = {
+ @Restriction(
+ requiredPermission = RequiredPermission.ACCESS_ENVIRONMENT_CREDENTIALS,
+ explanation = "The default configuration can read environment variables and system properties for credentials"
+ )
+ }
+)
public class GCPCredentialsControllerService extends AbstractControllerService implements GCPCredentialsService, VerifiableControllerService {
private static final List<PropertyDescriptor> properties;