nicusX commented on code in PR #1: URL: https://github.com/apache/flink-connector-prometheus/pull/1#discussion_r1489791182
########## amp-request-signer/src/main/java/org/apache/flink/connector/prometheus/sink/aws/AmazonManagedPrometheusWriteRequestSigner.java: ########## @@ -0,0 +1,98 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.flink.connector.prometheus.sink.aws; + +import org.apache.flink.connector.prometheus.sink.PrometheusRequestSigner; +import org.apache.flink.util.Preconditions; + +import com.amazonaws.auth.AWSCredentials; +import com.amazonaws.auth.AWSSessionCredentials; +import com.amazonaws.auth.DefaultAWSCredentialsProviderChain; +import com.amazonaws.util.BinaryUtils; +import org.apache.commons.lang3.StringUtils; + +import java.net.MalformedURLException; +import java.net.URL; +import java.util.Map; + +/** Sign a Remote-Write request to Amazon Managed Service for Prometheus (AMP). */ +public class AmazonManagedPrometheusWriteRequestSigner implements PrometheusRequestSigner { + + private final URL remoteWriteUrl; + private final String awsRegion; + + /** + * Constructor. + * + * @param remoteWriteUrl URL of the remote-write endpoint + * @param awsRegion Region of the AMP workspace + */ + public AmazonManagedPrometheusWriteRequestSigner(String remoteWriteUrl, String awsRegion) { + Preconditions.checkArgument( + StringUtils.isNotBlank(awsRegion), "Missing or blank AMP workspace region"); + Preconditions.checkNotNull( + StringUtils.isNotBlank(remoteWriteUrl), + "Missing or blank AMP workspace remote-write URL"); + this.awsRegion = awsRegion; + try { + this.remoteWriteUrl = new URL(remoteWriteUrl); + } catch (MalformedURLException e) { + throw new IllegalArgumentException( + "Invalid AMP remote-write URL: " + remoteWriteUrl, e); + } + } + + /** + * Add the additional Http request headers required by Amazon Managed Prometheus: + * 'x-amz-content-sha256', 'Host', 'X-Amz-Date', 'x-amz-security-token' and 'Authorization`. + * + * @param requestHeaders original Http request headers. It must be mutable. For efficiency, any + * new header is added to the map, instead of making a copy. + * @param requestBody request body, already compressed + */ + @Override + public void addSignatureHeaders(Map<String, String> requestHeaders, byte[] requestBody) { + byte[] contentHash = AWS4SignerBase.hash(requestBody); + String contentHashString = BinaryUtils.toHex(contentHash); + requestHeaders.put( + "x-amz-content-sha256", + contentHashString); // this header must be included before generating the + // Authorization header + + DefaultAWSCredentialsProviderChain credsChain = new DefaultAWSCredentialsProviderChain(); Review Comment: Actually, I reverted the change. Just passing a credentials provider instance obviously doesn't work, not being serializable. Making the credentials provider customisable would mean either: 1. Copying the implementation of `org.apache.flink.connector.aws.util.AWSGeneralUtil` from `flink-connector-aws-base` and using it to create the credential provider at runtime, based on configuration, or 2. Including `flink-connector-aws-base` as a dependency. But this would bring in a number of transitive dependencies that are not used. The only AWS SDK dependencies in this connector are in this signer, and only to get the credentials. Also, `flink-connector-aws-base` uses sdk2, while this signer uses sdk1. We discussed with @hlteoh37 that porting to sdk2 is nice to have but not a priority for the first release. Considering `DefaultAWSCredentialsProviderChain` will already cover almost every possible authentication scenario when a Flink application will be writing to AMP, I would not consider configurable credentials provider a priority for the first release, and wait if any actual user will need it. Happy to discuss. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@flink.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
