nifi-dev mailing list archives

From Joe Gresock <jgres...@gmail.com>
Subject Re: AWS processor credentials question
Date Thu, 13 Apr 2017 16:04:16 GMT
My thought was to make the default value be set to "True" (to allow
anonymous credentials), which would make the default behavior exactly the
same as the current behavior.

We'd prefer to use the EC2 instance profile instead of having the
controller service, since it relies on a file sitting on the file system
and requires you to manage rotating the keys.  With EC2 instance profiles,
they manage the keys for you and it's theoretically more secure.



On Thu, Apr 13, 2017 at 11:41 AM, James Wing <jvwing@gmail.com> wrote:

> Joe,
>
> Does the AWSCredentialsProviderControllerService work for you?  It can
> provide default credentials.
>
> I agree with you that it would be better if individual processors used
> "Default Credentials" as their unconfigured default rather than "Anonymous
> Credentials".  The difficulty here is that changing the unconfigured
> default will theoretically change the behavior of any flow that upgrades,
> without notice.  I'm certainly skeptical about Anonymous credentials, if
> anyone uses them, and if this is an actual problem for actual users.  But
> it's a theoretical migration problem, possibly incompatible with a minor
> release.
>
> Thanks,
>
> James
>
> On Thu, Apr 13, 2017 at 6:40 AM, Joe Gresock <jgresock@gmail.com> wrote:
>
> > Ok, I submitted a PR [1] for this ticket.  The change is only additive and
> > should be non-invasive to existing processors.  If one of you could review
> > it, it might even be nice to get into the 1.2.0 build.
> >
> > [1] https://github.com/apache/nifi/pull/1671
> >
> > On Thu, Apr 13, 2017 at 10:33 AM, Joe Gresock <jgresock@gmail.com> wrote:
> >
> > > Actually it's a little more complicated than the code I suggested, since
> > > DefaultAWSCredentialsProviderChain.getInstance() is an
> > > AWSCredentialsProvider, not an AWSCredentials object.  But the idea would
> > > be similar.
> > >
> > > On Thu, Apr 13, 2017 at 10:21 AM, Joe Gresock <jgresock@gmail.com> wrote:
> > >
> > >> AWS-related devs (I'm looking at James Wing and Adam Lamar),
> > >>
> > >> I just added [1] to propose allowing AWS processors to specify whether to
> > >> use anonymous credentials or to use the default AWS client credentials
> > >> provider chain.  The driver for this is that we would like to use EC2
> > >> instance profiles with the NiFi AWS processors, but this is not currently
> > >> possible because NiFi passes in AnonymousAWSCredentials to the AWS client
> > >> constructor if no credentials are explicitly configured in the processor.
> > >> If we use the DefaultAWSCredentialsProviderChain.getInstance(), I think
> > >> it would find our EC2 instance profile.
> > >>
> > >> My question to you is how you'd like to see this implemented.  Shall we
> > >> add a property to AbstractAWSProcessor called "Allow Anonymous
> > >> Credentials"?  Then in
> > >> AbstractAWSProcessor.getCredentials(ProcessContext context), the return
> > >> statement could be:
> > >>
> > >> return allowAnonymousCredentials
> > >>      ? new AnonymousAWSCredentials()
> > >>      : DefaultAWSCredentialsProviderChain.getInstance();
> > >>
> > >> I thought I'd ask here first, because I see many of the AWS methods
> > >> marked Deprecated, and I didn't want to start adding code if it was going
> > >> to go away soon.
> > >>
> > >> [1] https://issues.apache.org/jira/browse/NIFI-3703
> > >>
> > >> Thanks,
> > >> Joe
> > >>
> > >
> >
>



-- 
I know what it is to be in need, and I know what it is to have plenty.  I
have learned the secret of being content in any and every situation,
whether well fed or hungry, whether living in plenty or in want.  I can do
all this through him who gives me strength.    *-Philippians 4:12-13*
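
The selection logic discussed in this thread, as an added Java example against the AWS SDK for Java v1; it is not code from the pull request or from NiFi. The class name CredentialSelection, the select method and the allowAnonymous parameter are hypothetical. Every branch returns an AWSCredentialsProvider, which resolves the provider-versus-credentials mismatch noted in the 10:33 AM message, and passing true for allowAnonymous reproduces the existing unconfigured behaviour.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

// Hypothetical helper, not NiFi code: picks a credentials provider along the
// lines proposed in the thread, returning a provider in every branch.
public final class CredentialSelection {

    static AWSCredentialsProvider select(String accessKey, String secretKey,
                                         boolean allowAnonymous) {
        // Explicitly configured keys always take precedence.
        if (accessKey != null && secretKey != null) {
            return new AWSStaticCredentialsProvider(
                    new BasicAWSCredentials(accessKey, secretKey));
        }
        // allowAnonymous == true keeps the existing behaviour: unsigned requests.
        // AnonymousAWSCredentials is a credentials object, so it is wrapped in a
        // static provider to match the return type.
        if (allowAnonymous) {
            return new AWSStaticCredentialsProvider(new AnonymousAWSCredentials());
        }
        // Otherwise defer to the SDK's default chain, which includes the EC2
        // instance profile, so no key file has to be stored or rotated by hand.
        return DefaultAWSCredentialsProviderChain.getInstance();
    }

    public static void main(String[] args) {
        // Constructed inputs. Only the selected provider type is printed;
        // getCredentials() is never called, so no request leaves the host.
        System.out.println(select(null, null, true).getClass().getSimpleName());
        System.out.println(select(null, null, false).getClass().getSimpleName());
        System.out.println(select("AKIAEXAMPLE", "constructed-secret", false)
                .getClass().getSimpleName());
    }
}
```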
