You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/10/18 15:55:09 UTC
[GitHub] [nifi] exceptionfactory commented on a diff in pull request #6545: NIFI-9697: Implemented AzureKeyVaultSecretsParameterProvider and Azur…
exceptionfactory commented on code in PR #6545:
URL: https://github.com/apache/nifi/pull/6545#discussion_r998427082
##########
nifi-nar-bundles/nifi-azure-bundle/nifi-azure-parameter-providers/src/main/java/org/apache/nifi/parameter/azure/AzureKeyVaultSecretsParameterProvider.java:
##########
@@ -0,0 +1,201 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.parameter.azure;
+
+import com.azure.security.keyvault.secrets.SecretClient;
+import com.azure.security.keyvault.secrets.SecretClientBuilder;
+import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
+import com.azure.security.keyvault.secrets.models.SecretProperties;
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.ConfigVerificationResult;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.controller.ConfigurationContext;
+import org.apache.nifi.logging.ComponentLog;
+import org.apache.nifi.parameter.AbstractParameterProvider;
+import org.apache.nifi.parameter.Parameter;
+import org.apache.nifi.parameter.ParameterDescriptor;
+import org.apache.nifi.parameter.ParameterGroup;
+import org.apache.nifi.parameter.VerifiableParameterProvider;
+import org.apache.nifi.processor.util.StandardValidators;
+import org.apache.nifi.services.azure.AzureCredentialsService;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.regex.Pattern;
+
+/**
+ * Reads secrets from Azure Key Vault Secrets to provide parameter values. Secrets must be created similar to the following Azure cli command: <br/><br/>
+ * <code>az keyvault secret set --vault-name <your-unique-keyvault-name> --name <parameter-name> --value <parameter-value>
+ * --tags group-name=<group-name></code> <br/><br/>
+ * @see <a href="https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli">Azure Key Vault Secrets</a>
+ */
+@Tags({"azure", "keyvault", "key", "vault", "secrets"})
+@CapabilityDescription("Fetches parameters from Azure Key Vault Secrets. Each secret becomes a Parameter, which can map to a Parameter Context, with " +
+ "key/value pairs in the secret mapping to Parameters in the group.")
+public class AzureKeyVaultSecretsParameterProvider extends AbstractParameterProvider implements VerifiableParameterProvider {
+ public static final PropertyDescriptor AZURE_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder()
+ .name("azure-credentials-service")
+ .displayName("Azure Credentials Service")
+ .description("Controller service used to obtain Azure credentials to be used with Key Vault client")
+ .required(true)
+ .identifiesControllerService(AzureCredentialsService.class)
+ .build();
+ public static final PropertyDescriptor KEY_VAULT_URL = new PropertyDescriptor.Builder()
+ .name("key-vault-url")
+ .displayName("Key Vault URL")
+ .description("Key Vault URL to fetch secrets from")
+ .required(true)
+ .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
+ .build();
+ public static final PropertyDescriptor GROUP_NAME_PATTERN = new PropertyDescriptor.Builder()
+ .name("group-name-pattern")
+ .displayName("Group Name Pattern")
+ .description("A Regular Expression matching on the 'group-name' label value that identifies Secrets whose parameters should be fetched. " +
+ "Any secrets without a 'group-name' label value that matches this Regex will not be fetched.")
+ .addValidator(StandardValidators.REGULAR_EXPRESSION_VALIDATOR)
+ .required(true)
+ .defaultValue(".*")
+ .build();
+
+ public static final String PARAMETER_GROUP_NAME = "group-name";
+
+ private static final List<PropertyDescriptor> properties;
+
+ static {
+ final List<PropertyDescriptor> props = new ArrayList<>();
+ props.add(AZURE_CREDENTIALS_SERVICE);
+ props.add(KEY_VAULT_URL);
+ props.add(GROUP_NAME_PATTERN);
+ properties = Collections.unmodifiableList(props);
+ }
+
+ @Override
+ protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
+ return properties;
+ }
+
+ @Override
+ public List<ParameterGroup> fetchParameters(final ConfigurationContext context) throws IOException {
+ final SecretClient secretClient = configureSecretClient(context);
+ final List<KeyVaultSecret> secrets = getAllSecrets(secretClient);
+ final List<ParameterGroup> groups = getParameterGroupsFromSecrets(context, secrets);
+ return groups;
+ }
+
+ @Override
+ public List<ConfigVerificationResult> verify(final ConfigurationContext context, final ComponentLog verificationLogger) {
+ final List<ConfigVerificationResult> results = new ArrayList<>();
+
+ try {
+ final List<ParameterGroup> parameterGroups = fetchParameters(context);
+ int parameterCount = 0;
+ for (final ParameterGroup group : parameterGroups) {
+ parameterCount += group.getParameters().size();
+ }
+ results.add(new ConfigVerificationResult.Builder()
+ .outcome(ConfigVerificationResult.Outcome.SUCCESSFUL)
+ .verificationStepName("Fetch Parameters")
+ .explanation(String.format("Fetched secret keys [%d] as parameters, across groups [%d]",
+ parameterCount, parameterGroups.size()))
+ .build());
+ } catch (final Exception e) {
+ verificationLogger.error("Failed to fetch parameters", e);
+ results.add(new ConfigVerificationResult.Builder()
+ .outcome(ConfigVerificationResult.Outcome.FAILED)
+ .verificationStepName("Fetch Parameters")
+ .explanation("Failed to fetch parameters: " + e.getMessage())
+ .build());
+ }
+ return results;
+ }
+
+ private List<KeyVaultSecret> getAllSecrets(final SecretClient secretClient) {
+ final List<KeyVaultSecret> secrets = new ArrayList<>();
+
+ for (final SecretProperties secretProperties : secretClient.listPropertiesOfSecrets()) {
+ KeyVaultSecret secretWithValue = secretClient.getSecret(secretProperties.getName(), secretProperties.getVersion());
+ final String name = secretWithValue.getName();
+ final String value = secretWithValue.getValue();
+ secrets.add(secretWithValue);
+ getLogger().debug("Retrieved Secret [{}] with value [{}]", name, value);
Review Comment:
This log should be removed, Secret Values should never be logged.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org