NIFI-12061: add SECRET_NAME parameter to avoid listing all secrets

[grishick]

Summary

NIFI-12061
Add Secret Name parameter to AwsSecretsManagerParameterProvider to allow the provider to work without ListSecrets permission. Original behavior where the provider lists all secrets and matches them to Secret Name Pattern is preserved by leaving Secret Name parameter undefined. The new behavior will skip listing secrets and ignore Secret Name Pattern only if Secret Name is provided. I made this change in Anetac's Nifi fork months ago and we are using it in production.

Related PR to main branch: #9483

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

• Apache NiFi Jira issue created

Pull Request Tracking

• Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-12061
• Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-12061

Pull Request Formatting

• Pull Request based on current revision of the support/nifi-1.x branch
• Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

• Build completed using mvn clean install -P contrib-check
  • JDK 1.8
  • JDK 11
  • JDK 17

Licensing

• New dependencies are compatible with the Apache License 2.0 according to the License Policy
• New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

• Documentation formatting appears as expected in rendered files

[EndzeitBegins]

Thanks for your contribution @grishick.

Instead of one property overruling the other and SECRET_NAME_PATTERN remaining required even though it may not have any effect, what are your thoughts on introducing a "fetch mode" (or whatever name you see fit)?
With the current rather implicit approach, users might provide a SECRET_NAME_PATTERN of e.g. FOO_* and a SECRET_NAME of BAR simultaneously.
On first look it might not be obvious what the behaviour is; which property overrules which or are the results from both combined?

I'm not familiar with this component, but to me it reads like introducing a different "mode" of fetching secrets.
Personally, I'd think first having to select a "fetch mode" with allowed values "Secret by Name" and "All Secrets by Pattern" (or something along those lines) and only then have the corresponding properties available would be more intuitive.
Additionally, this keeps the door open for other "modes" in the future.

What are your thoughts on this?

Does it make sense to extend the existing documentation of SECRET_NAME_PATTERN to clarify that it's use required the permission to list secrets?

[exceptionfactory]

Thanks for the contribution @grishick, and thanks for the thoughtful feedback @EndzeitBegins.

I concur with the recommendation from @EndzeitBegins. Having an alternative retrieval strategy that avoids having to list all secret names seems useful, but it is important to make the configuration understandable.

With that in mind, a new property named something like Secret Listing Strategy with values of Pattern and Enumerated would be a good way forward. The default value would be Pattern, and the Secret Name Pattern property would depend on having set that strategy.

For the new property, listing only one Secret Name is rather limiting, so instead Secret Names, supporting one or more comma-separated values could be dependent on the Enumerated strategy.

[grishick]

Thanks for the contribution @grishick, and thanks for the thoughtful feedback @EndzeitBegins.

I concur with the recommendation from @EndzeitBegins. Having an alternative retrieval strategy that avoids having to list all secret names seems useful, but it is important to make the configuration understandable.

With that in mind, a new property named something like Secret Listing Strategy with values of Pattern and Enumerated would be a good way forward. The default value would be Pattern, and the Secret Name Pattern property would depend on having set that strategy.

For the new property, listing only one Secret Name is rather limiting, so instead Secret Names, supporting one or more comma-separated values could be dependent on the Enumerated strategy.

I got to agree, this is a better design. Will try to find time to rewrite it.

[grishick]

Thanks for the contribution @grishick, and thanks for the thoughtful feedback @EndzeitBegins.
I concur with the recommendation from @EndzeitBegins. Having an alternative retrieval strategy that avoids having to list all secret names seems useful, but it is important to make the configuration understandable.
With that in mind, a new property named something like Secret Listing Strategy with values of Pattern and Enumerated would be a good way forward. The default value would be Pattern, and the Secret Name Pattern property would depend on having set that strategy.
For the new property, listing only one Secret Name is rather limiting, so instead Secret Names, supporting one or more comma-separated values could be dependent on the Enumerated strategy.

I got to agree, this is a better design. Will try to find time to rewrite it.

I think with the addition of Secret Listing Strategy there is no need for additional Secret Names parameter. Instead, the original Secret Name Patter parameter will be used either as a coma separated list or as a regular expression depending on the listing strategy.

[exceptionfactory]

Thanks for the contribution @grishick, and thanks for the thoughtful feedback @EndzeitBegins.
I concur with the recommendation from @EndzeitBegins. Having an alternative retrieval strategy that avoids having to list all secret names seems useful, but it is important to make the configuration understandable.
With that in mind, a new property named something like Secret Listing Strategy with values of Pattern and Enumerated would be a good way forward. The default value would be Pattern, and the Secret Name Pattern property would depend on having set that strategy.
For the new property, listing only one Secret Name is rather limiting, so instead Secret Names, supporting one or more comma-separated values could be dependent on the Enumerated strategy.

I got to agree, this is a better design. Will try to find time to rewrite it.

I think with the addition of Secret Listing Strategy there is no need for additional Secret Names parameter. Instead, the original Secret Name Patter parameter will be used either as a coma separated list or as a regular expression depending on the listing strategy.

That could probably work, although it may involve changing the name and description of the property. With the dependsOn() builder method, the properties are shown or hidden based on the selected value, so in this case, it may be cleaner to have different properties to avoid any confusion.

[grishick]

Thanks for the contribution @grishick, and thanks for the thoughtful feedback @EndzeitBegins.
I concur with the recommendation from @EndzeitBegins. Having an alternative retrieval strategy that avoids having to list all secret names seems useful, but it is important to make the configuration understandable.
With that in mind, a new property named something like Secret Listing Strategy with values of Pattern and Enumerated would be a good way forward. The default value would be Pattern, and the Secret Name Pattern property would depend on having set that strategy.
For the new property, listing only one Secret Name is rather limiting, so instead Secret Names, supporting one or more comma-separated values could be dependent on the Enumerated strategy.

I got to agree, this is a better design. Will try to find time to rewrite it.

I think with the addition of Secret Listing Strategy there is no need for additional Secret Names parameter. Instead, the original Secret Name Patter parameter will be used either as a coma separated list or as a regular expression depending on the listing strategy.

That could probably work, although it may involve changing the name and description of the property. With the dependsOn() builder method, the properties are shown or hidden based on the selected value, so in this case, it may be cleaner to have different properties to avoid any confusion.

If I add Secret Names in addition to Secret Listing Strategy - would Secret Names and Secret Pattern have required set to true or to false?

[exceptionfactory]

If I add Secret Names in addition to Secret Listing Strategy - would Secret Names and Secret Pattern have required set to true or to false?

They can both be set to required(true), but the framework ensures that only the one associated with the related strategy value will be shown and required.

[exceptionfactory]

Thanks for the initial updates @grishick. Based on the new strategy property, adding a new Secret Names property looks like it would be cleaner and easier to understand than overloading the existing Secret Name Pattern property.

As with other pull requests, please also submit the pull request to the main branch first, and then it can be considered for backporting in a follow-on PR.

[exceptionfactory]

Instead of describing the option in the property description, each value should be an instance of AllowableValue and include a description property.

[EndzeitBegins]

I agree with David to move the description of the options to each option itself respectively.

An alternative approach to using AllowableValue is the declaration of an enum that implements the DescribedValue interface. An example can be found here.
Due to improved type safety at the use site, this approach allows for exhaustive switch expressions, as can be seen here and here for example.

The advantage I see in this approach is that the compiler enforces to handle all options on all use sites, especially as new options are added.

Regardless of the approach you take, moving the descriptions to the options is sensible.

[exceptionfactory]

To avoid confusion, I think it is clearer to keep this property description unchanged, and add a new property with the a corresponding description.

[grishick]

I added dependsOn to SECRET_NAME_PATTERN and added a new property called SECRET_NAMES also with dependsOn option. The new property SECRET_NAMES is expected to be a coma-separated list of AWS secret names. I've also added testFetchTwoSecrets unit test to verify the behavior when SECRET_NAMES is a list.

[grishick]

OK. I'll try to make the changes asap. It's a small change, but integrating it back to Anetac's fork is the tricky part.

[EndzeitBegins]

Thank you for your continued work on this @grishick.

There may have been a mistake due to the force-push, but some of the previous review feedback hasn't been addressed in the latest code version.
I've added some remarks and suggestions.

Additionally, as NiFi 2.0 is almost there, pull-requests should be addressing the main branch first before back porting changes to the support/nifi-1.x branch.

[EndzeitBegins]

You could untangle determining the set of secrets to fetch from the actual fetching in here, turning one intertwined action into two separate steps.

That is,

1. collecting a Set<String> of secretNames (based on either the provided enumeration or by fetching all available secret names and then filtering for those matching the regex), and then
2. using that set to fetch the corresponding secrets.

[grishick]

Good point. Done.

[greg-anetac]

Thank you for your continued work on this @grishick.

There may have been a mistake due to the force-push, but some of the previous review feedback hasn't been addressed in the latest code version. I've added some remarks and suggestions.

Additionally, as NiFi 2.0 is almost there, pull-requests should be addressing the main branch first before back porting changes to the support/nifi-1.x branch.

Roger that. I'll fix the merge. I was waiting to create a PR for main until discussions on this PR settle on implementation approach.

[grishick]

Thank you for your continued work on this @grishick.
There may have been a mistake due to the force-push, but some of the previous review feedback hasn't been addressed in the latest code version. I've added some remarks and suggestions.
Additionally, as NiFi 2.0 is almost there, pull-requests should be addressing the main branch first before back porting changes to the support/nifi-1.x branch.

Roger that. I'll fix the merge. I was waiting to create a PR for main until discussions on this PR settle on implementation approach.

done

[grishick]

Here is a PR for main branch with the same change: #9483

[EndzeitBegins]

Most of David's review comments on #9483 apply here too.

The only things that isn't available for 1.x that comes to my mind is asAllowableValue().
List.of isn't available for Java 8, so the PROPERTIES declaration can stay as is.