AWS RDS token based password provider#9518
Update: This patch has been successfully running on few Druid clusters using AWS Aurora RDS DB clusters and accessing same without password but using ephemeral AWS IAM tokens.
@himanshug thanks for the update. I removed the

removing I actually thought of putting the new Anyways, it is totally possible to put

Thanks, I will review soon.
| <parent> | ||
| <groupId>org.apache.druid</groupId> | ||
| <artifactId>druid</artifactId> | ||
| <version>0.18.0-SNAPSHOT</version> |
Would you mind updating the version to 0.19.0-SNAPSHOT?
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@druid.apache.org list. Thank you for your contributions.

un-stale!
jihoonson left a comment
@himanshug thank you for your patience. I finally reviewed. The PR LGTM overall, but I have left some comments about documentation. I'm also wondering if we can easily add some integration tests which might not be running on Travis, but can be run manually.
| import java.util.List; | ||
| public class AWSModule implements DruidModule |
| * This class exists so that PasswordProvider is asked for password every time a brand new connection is established | ||
| * with DB. PasswordProvider impls such as based on AWS tokens refresh the underlying token periodically since | ||
| * each token is valid for a certain period of time only. | ||
| * So, This class overrides[ummm copies] the methods from base class in order to keep track of connection properties |
Haha, would you fix ummm copies?
not sure if there is anything to fix as of now, BasicDataSource isn't open enough for extension to let us dynamically get password from config every time a new connection is set up.
Oh, I just assumed that you wanted to add a link instead of ummm copies. It would be enough to just remove it if there is nothing to fix.
I see :), updated the comment to hopefully remove the link confusion
| This module provides AWS RDS token [password provider](../../operations/password-provider.md) provides temp token for accessing AWS RDS DB cluster. | ||
| ```json | ||
| { "type": "awsrdstoken", "user": "USER", "host": "HOST", "port": PORT, "region": "AWS_REGION" } |
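Review bot: the JSON sample in this hunk is not valid JSON as written, because the `"port": PORT` placeholder is unquoted while `USER`, `HOST` and `AWS_REGION` are quoted; anyone who pastes it into a config gets a parse error. Suggest a concrete numeric value such as `"port": 5432` (or `3306` for MySQL) and a note that `user`, `host`, `port` and `region` are the values the temporary token is signed for, so a mismatch with the real RDS endpoint makes the token unusable.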
@jihoonson thanks, I will merge it with master and get the build to pass so as to make it merge-able. The easiest way to manually test this is to deploy a coordinator node on an EC2 instance; if the coordinator starts successfully then it is good. A manual integration test should also be possible, but the steps to run such an integration would still be to deploy some code inside an EC2 instance which can exercise the code here. An integration test would be a nice addition though, as a future PR, especially as and when this extension gets wider adoption.

@jihoonson I think it is ready now.
jihoonson left a comment
LGTM. Thanks @himanshug!
clintropolis left a comment
overall lgtm, sorry this one slipped through the cracks for so long
| } | ||
| if (driverToUse == null) { | ||
| throw new RE("WTH! Couln't find a Driver"); |
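Review bot: the exception message has a typo ("Couln't") and, tone aside, gives the operator nothing to act on when the driver lookup fails. Suggest something like `throw new RE("Couldn't find a JDBC Driver for the configured connect URI");` so that a misconfigured connect URI or a missing driver jar can be diagnosed from the log line alone.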
nit: I think we've been trying to tone it down and be professional and shit 😛, related #10270
changed, I thought "WTF" to "WTH" transition was that :)
| ~ under the License. | ||
| --> | ||
| This module provides AWS RDS token [password provider](../../operations/password-provider.md) provides temp token for accessing AWS RDS DB cluster. |
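Review bot: the sentence in this hunk repeats "provides" ("provides AWS RDS token password provider provides temp token") and so never says what the module actually is. Suggest: "This module provides an AWS RDS token [password provider](../../operations/password-provider.md) that generates a temporary IAM token for accessing an AWS RDS DB cluster. It is not a metadata storage connector itself; use it together with the metadata storage extension that matches the RDS engine."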
to prevent confusion, should we more explicitly call out that this is not a metadata connector itself and just provides auth to be used by the extension that is appropriate for the RDS instance type?
reworded to hopefully remove the confusion
| To use this extension, make sure you [include](../../development/extensions.md#loading-extensions) it in your config file: | ||
| ``` | ||
| druid.extensions.loadList=["druid-aws-rds-extensions"] |
likewise I guess it is unrealistic that you would have a load list with only this extension, maybe it should include mysql or postgres here, though maybe this doesn't need to be spelled out and is ok as it is...
…Ext.java Co-authored-by: Clint Wylie <cjwylie@gmail.com>
thanks @clintropolis
* refresh db pwd
* aws iam token password provider
* fix analyze-dependencies build
* fix doc build
* add ut for BasicDataSourceExt
* more doc updates
* more doc update
* moving aws token password provider to new extension
* remove duplicate changes
* make all config inline
* extension docs
* refresh db password in SQL Firehose code path as well
* add ut
* fix build
* add new extension to distribution
* rds lib is not provided
* fix license build
* add version to license
* change parent version to 0.19.0-snapshot
* address review comments
* fix core/ code coverage
* Update server/src/main/java/org/apache/druid/metadata/BasicDataSourceExt.java Co-authored-by: Clint Wylie <cjwylie@gmail.com>
* address review comments
* fix spellchecker
* remove inadvertent website file change

Co-authored-by: Clint Wylie <cjwylie@gmail.com>
| libraries: | ||
| - com.amazonaws: aws-java-sdk-rds |
Hi @himanshug, did you adopt source code from the AWS SDK? If so, source_paths field should be added. Otherwise, license_category should be binary.
source code is not copied here, I guess this should be "binary", yes... will update.
| } | ||
| @Override | ||
| protected ConnectionFactory createConnectionFactory() throws SQLException |
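Review bot: this override is the point where the password must be obtained from the PasswordProvider for every new physical connection, and its body is copied from org.apache.commons.dbcp2.BasicDataSource rather than inherited; suggest a comment on the method naming the dbcp2 version it was copied from, otherwise a later dbcp2 upgrade will silently diverge from the copied createConnectionFactory without anything flagging it, and the copied code needs its attribution in licenses.yaml.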
@himanshug Did you adopt this source code from org.apache.commons.dbcp2.BasicDataSource? If so, it should be added in the licenses.yaml file.
yeah, most code in this file is copied from org.apache.commons.dbcp2.BasicDataSource, will send a PR shortly.
… password provider in PR apache#9518
Description

Adds a new `PasswordProvider` impl to access AWS RDS DB instances using temporary AWS tokens. Since these tokens expire periodically, additional changes are made to ask `PasswordProvider` for the password every time a new DB connection is established.

This PR has:

Key changed/added classes in this PR

* `AWSRDSTokenPasswordProvider`
* `BasicDataSourceExt`
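The description explains why the data source had to change along with the password provider: a pool that reads the password once at construction keeps presenting a token that has since expired. The following added example models that failure mode in Python; it is not Druid's code (which is Java) and does not call AWS. `TokenIssuer`, `FakeDb`, `CachedPasswordDataSource`, `PerConnectionDataSource` and the token string format are constructed stand-ins: the issuer plays the role of the signer that boto3's `rds.generate_db_auth_token` would provide, and the 900-second lifetime is chosen to match the 15-minute validity of RDS IAM auth tokens.

```python
"""Why an RDS IAM token password provider must be consulted on every new
connection: a pool that captures the password once keeps using an expired
token. Added example with constructed stand-ins; not Druid or AWS code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Protocol


class AuthError(Exception):
    """Raised by the fake database when a token is unknown or expired."""


@dataclass
class TokenIssuer:
    """Constructed stand-in for the token signer: issues tokens with a
    fixed lifetime (seconds) and can later check whether one is still valid."""
    ttl: int
    _issued: Dict[str, int] = field(default_factory=dict)  # token -> expiry
    _counter: int = 0

    def issue(self, user: str, host: str, now: int) -> str:
        self._counter += 1
        token = f"{host}/{user}/tok{self._counter}"  # constructed format
        self._issued[token] = now + self.ttl
        return token

    def is_valid(self, token: str, now: int) -> bool:
        expiry = self._issued.get(token)
        return expiry is not None and now < expiry


class PasswordProvider(Protocol):
    """Same shape as Druid's PasswordProvider: one method returning a string."""
    def get_password(self) -> str: ...


@dataclass
class RdsTokenPasswordProvider:
    """Caches the current token and re-issues it shortly before expiry,
    so callers that ask on every connection always get a live token."""
    issuer: TokenIssuer
    user: str
    host: str
    clock: Callable[[], int]
    refresh_margin: int = 60
    _token: str = ""
    _expires_at: int = -1

    def get_password(self) -> str:
        now = self.clock()
        if not self._token or now >= self._expires_at - self.refresh_margin:
            self._token = self.issuer.issue(self.user, self.host, now)
            self._expires_at = now + self.issuer.ttl
        return self._token


@dataclass
class FakeDb:
    """Constructed stand-in for the RDS endpoint: rejects expired tokens."""
    issuer: TokenIssuer
    clock: Callable[[], int]

    def connect(self, user: str, password: str) -> str:
        if not self.issuer.is_valid(password, self.clock()):
            raise AuthError(f"access denied for {user}: token invalid or expired")
        return f"conn({user})"


class CachedPasswordDataSource:
    """BasicDataSource-style pool: the password string is read once when the
    pool is built and reused for every later physical connection."""
    def __init__(self, db: FakeDb, user: str, provider: PasswordProvider):
        self.db, self.user = db, user
        self.password = provider.get_password()  # captured exactly once

    def new_connection(self) -> str:
        return self.db.connect(self.user, self.password)


class PerConnectionDataSource:
    """BasicDataSourceExt-style pool: asks the provider each time a physical
    connection is created, so a refreshed token is always presented."""
    def __init__(self, db: FakeDb, user: str, provider: PasswordProvider):
        self.db, self.user, self.provider = db, user, provider

    def new_connection(self) -> str:
        return self.db.connect(self.user, self.provider.get_password())


def try_connect(ds) -> bool:
    try:
        ds.new_connection()
        return True
    except AuthError:
        return False


def simulate(ttl: int = 900) -> Dict[str, bool]:
    """Open a connection at t=0 and again after the token lifetime has passed,
    for both pool styles; returns which attempts were accepted by the DB."""
    state = {"now": 0}

    def clock() -> int:
        return state["now"]

    issuer = TokenIssuer(ttl=ttl)
    db = FakeDb(issuer, clock)
    provider = RdsTokenPasswordProvider(issuer, "druid", "db.example.internal", clock)
    cached = CachedPasswordDataSource(db, "druid", provider)
    per_conn = PerConnectionDataSource(db, "druid", provider)

    results = {"cached_t0": try_connect(cached), "per_conn_t0": try_connect(per_conn)}
    state["now"] = ttl + 1  # the token issued at t=0 has now expired
    results["cached_later"] = try_connect(cached)
    results["per_conn_later"] = try_connect(per_conn)
    return results


if __name__ == "__main__":
    print(simulate())
```

Both pools work at t=0 because they hold the same fresh token; once the lifetime has elapsed only the pool that re-asks the provider still connects, which is exactly the behaviour `BasicDataSourceExt` adds for the real pool. The refresh margin in the provider is what keeps a token obtained just before expiry from being rejected mid-handshake.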