[ https://issues.apache.org/jira/browse/NIFI-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15073186#comment-15073186 ]
Mans Singh commented on NIFI-1325:
----------------------------------
@tkurc - I am looking at the AWS credentials api and it looks like there is an
interface - AWSCredentialsProvider which has various types of credential
providers -
(http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/AWSCredentialsProvider.html).
The interface has a refresh method.
Currently, the NiFi AbstractAWSProcessor has a method

    protected abstract ClientType createClient(final ProcessContext context,
            final AWSCredentials credentials, final ClientConfiguration config);

If we can change it to

    protected abstract ClientType createClient(final ProcessContext context,
            final AWSCredentialsProvider credentialsProvider, final ClientConfiguration config);

Then we change the createClient method in AbstractS3Processor to return
AmazonS3Client with the creds provider rather than with the creds
(http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Client.html).
Internally, when created with creds the AmazonS3Client creates a static
credentials provider but it can also be instantiated with creds provider (in
our case, like
http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/STSAssumeRoleSessionCredentialsProvider.html).
There are two other processors, AbstractSNSProcessor and AbstractSQSProcessor,
in the NiFi AWS components, and they can also be refactored to use the creds
provider
(http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/sns/AmazonSNSClient.html,
and
http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/sqs/AmazonSQSClient.html).
There is only one issue - the AbstractAWSProcessor.getCredentials method (which
will change to getCredentialsProvider) returns AnonymousAWSCredentials for
which I could not find a credentials provider, but we can always add one if
required.
This looks like a much more flexible and extensible solution even for other AWS
components.
Please let me know your thoughts/recommendations.
> Enhance AWS S3 fetch to access bucket across accounts
> -----------------------------------------------------
>
> Key: NIFI-1325
> URL: https://issues.apache.org/jira/browse/NIFI-1325
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 0.4.1
> Environment: All
> Reporter: Mans Singh
> Assignee: Tony Kurc
> Priority: Minor
> Labels: easyfix
> Fix For: 0.4.1
>
> Attachments: nifi-1325.patch.zip
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> The AWS S3 Fetch Object component does not allow access to bucket across
> accounts. AWS S3 Fetch Object can be enhanced to provide this
> functionality by using assume role session/credentials.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
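
An added example, not code from NiFi or from the comment above, sketching the proposed provider-based createClient against the AWS SDK for Java 1.x. The class names CrossAccountS3ClientSketch, AnonymousCredentialsProvider and FixedCredentialsProvider and the method chooseProvider are hypothetical, and the NiFi ProcessContext parameter is left out so the sketch needs only the SDK on the classpath.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3Client;

public class CrossAccountS3ClientSketch {

    /** Hypothetical provider for the anonymous case the comment mentions. */
    static final class AnonymousCredentialsProvider implements AWSCredentialsProvider {
        @Override public AWSCredentials getCredentials() { return new AnonymousAWSCredentials(); }
        @Override public void refresh() { /* nothing to renew */ }
    }

    /** Hypothetical provider wrapping fixed credentials (for example an access key pair). */
    static final class FixedCredentialsProvider implements AWSCredentialsProvider {
        private final AWSCredentials credentials;
        FixedCredentialsProvider(AWSCredentials credentials) { this.credentials = credentials; }
        @Override public AWSCredentials getCredentials() { return credentials; }
        @Override public void refresh() { /* fixed credentials never change */ }
    }

    /** Picks the provider: anonymous, fixed, or assume-role layered on the fixed ones. */
    static AWSCredentialsProvider chooseProvider(AWSCredentials base, String roleArn,
                                                 String sessionName) {
        if (base == null) {
            return new AnonymousCredentialsProvider();
        }
        AWSCredentialsProvider fixed = new FixedCredentialsProvider(base);
        if (roleArn == null || roleArn.isEmpty()) {
            return fixed;
        }
        // Cross-account case: the long-lived credentials are used only to call STS;
        // S3 requests are signed with the temporary session credentials it returns.
        return new STSAssumeRoleSessionCredentialsProvider(fixed, roleArn, sessionName);
    }

    /** Provider-based counterpart of createClient for the S3 processor. */
    static AmazonS3Client createClient(AWSCredentialsProvider provider,
                                       ClientConfiguration config) {
        return new AmazonS3Client(provider, config);
    }

    public static void main(String[] args) {
        // Anonymous path only, so the sketch runs without real keys or network access.
        AWSCredentialsProvider provider = chooseProvider(null, null, null);
        AmazonS3Client client = createClient(provider, new ClientConfiguration());
        System.out.println(provider.getCredentials() instanceof AnonymousAWSCredentials);
    }
}
```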