AWS Kinesis Enhancements #279
Conversation
I am planning to integrate the backend changes into this PR too. I'll start work on that tomorrow or Wednesday.
@kyleknighted I have begun working on the backend for this. Sorry for the delay!
@kyleknighted I noticed this error in the browser when running this branch:

@kyleknighted I have begun working on the backend for this again. I'll keep you updated on my progress.
The initial policy needs to be fully resolved before attempting to assume a role. This is because the initial role must have the sts:AssumeRole permission to assume a role. This also allows any authentication scenario to support assuming a role. This matches the auth logic previously supported in the original AWS plugin.
Allow nullable assume role ARN as it will not always be specified.
@kyleknighted Initial testing looks good so far. Noticed one possible issue: Looks like the Assume Role ARN is not being passed in the Streams request (specified in input field, but is not included in the post request JSON payload):
@danotorrey @kyleknighted @ceruleancee Great work! If you need any help with any specific task, please keep me posted. I had a chance to look at creating the Kinesis input with Claudia's help and we are able to see the log messages. Also, we weren't sure how to test the VPC endpoints (DynamoDB API Endpoint override). Is there Swagger documentation for these endpoints that we can access? Thanks.
@lingpri @ceruleancee I investigated and found that there are valid use cases to allow an override endpoint for the IamClient AWS API URL. I feel that we should provide endpoint overrides for all AWS SDK services that we communicate with (just as the PR is currently coded to do).
Please also note that for the security concern of allowing IAM overrides, we are also adding URL whitelist capability, which allows the user to control which URLs are allowed to be used within Graylog. I will add support for this in a later PR.
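The two mechanisms discussed in this thread, resolving the initial credentials before any STS assume-role call and validating (eventually allowlisting) endpoint overrides before a client is built, can be shown together in one Java snippet against the AWS SDK for Java v2. This is an added example written for this page, not code from this PR or from graylog-plugin-integrations; the class name, the allowlist hosts and the session-name format are assumptions.

```java
import java.net.URI;
import java.util.Set;

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kinesis.KinesisClient;
import software.amazon.awssdk.services.kinesis.KinesisClientBuilder;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

/**
 * Hypothetical helper (not the plugin's own AWSAuthProvider): resolve the initial
 * credentials first, then optionally assume a role through STS, and validate any
 * endpoint override before a service client is constructed.
 */
public final class AwsClientFactoryExample {

    // Constructed allowlist of hosts an override endpoint may point to (assumption;
    // the thread describes the URL whitelist as work for a later PR).
    private static final Set<String> ALLOWED_ENDPOINT_HOSTS = Set.of(
            "vpce-0123456789abcdef0-example.kinesis.us-east-1.vpce.amazonaws.com",
            "localhost");

    private AwsClientFactoryExample() {}

    /** Step 1: the initial identity. Key/secret when supplied, otherwise the SDK's default chain. */
    static AwsCredentialsProvider initialCredentials(String accessKey, String secretKey) {
        boolean hasKeyPair = accessKey != null && !accessKey.isBlank()
                && secretKey != null && !secretKey.isBlank();
        if (hasKeyPair) {
            return StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
        }
        // "Automatic" auth: environment, profile, container or instance role.
        return DefaultCredentialsProvider.create();
    }

    /**
     * Step 2: only after the initial identity is resolved, wrap it in an STS assume-role
     * provider when an ARN is present. That initial identity must itself hold
     * sts:AssumeRole on the target role. A null or blank ARN means "do not assume".
     */
    static AwsCredentialsProvider resolveCredentials(Region region, String accessKey, String secretKey,
                                                     String assumeRoleArn, URI stsEndpointOverride) {
        AwsCredentialsProvider initial = initialCredentials(accessKey, secretKey);
        if (assumeRoleArn == null || assumeRoleArn.isBlank()) {
            return initial;
        }
        StsClientBuilder sts = StsClient.builder().region(region).credentialsProvider(initial);
        if (stsEndpointOverride != null) {
            sts.endpointOverride(validatedEndpoint(stsEndpointOverride));
        }
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(assumeRoleArn)
                .roleSessionName(sessionName(accessKey)) // recorded in CloudTrail for the assumed session
                .build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts.build())
                .refreshRequest(request)
                .build();
    }

    /** Session name format is an assumption; it omits the key id entirely when none was given. */
    static String sessionName(String accessKey) {
        return (accessKey == null || accessKey.isBlank()) ? "graylog-example" : "graylog-example-" + accessKey;
    }

    /** Fail loudly at configuration time rather than letting the SDK fail later on a bad URL. */
    static URI validatedEndpoint(URI endpoint) {
        String scheme = endpoint.getScheme();
        String host = endpoint.getHost();
        if (scheme == null || host == null) {
            throw new IllegalArgumentException("Endpoint override must be an absolute URL with a host: " + endpoint);
        }
        boolean plainHttpOk = "http".equals(scheme) && "localhost".equals(host);
        if (!"https".equals(scheme) && !plainHttpOk) {
            throw new IllegalArgumentException("Endpoint override must use https: " + endpoint);
        }
        if (!ALLOWED_ENDPOINT_HOSTS.contains(host)) {
            throw new IllegalArgumentException("Endpoint host is not on the allowlist: " + host);
        }
        return endpoint;
    }

    /** Step 3: every service client gets the same region, resolved credentials and optional override. */
    static KinesisClient kinesisClient(Region region, AwsCredentialsProvider credentials, URI endpointOverride) {
        KinesisClientBuilder builder = KinesisClient.builder().region(region).credentialsProvider(credentials);
        if (endpointOverride != null) {
            builder.endpointOverride(validatedEndpoint(endpointOverride));
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed inputs: a placeholder role ARN and a VPC endpoint from the allowlist above.
        URI override = URI.create("https://vpce-0123456789abcdef0-example.kinesis.us-east-1.vpce.amazonaws.com");
        AwsCredentialsProvider creds = resolveCredentials(Region.US_EAST_1, null, null,
                "arn:aws:iam::123456789012:role/ExampleRole", null);
        try (KinesisClient kinesis = kinesisClient(Region.US_EAST_1, creds, override)) {
            System.out.println("Kinesis client built against " + override);
        }
        try {
            validatedEndpoint(URI.create("http://attacker.example.net"));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Building the clients makes no network call; the STS request is only issued the first time credentials are resolved, so the ordering guarantee is enforced purely by construction: the STS client is itself configured with the initial provider, and the role is never touched when the ARN is null.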
@ceruleancee @lingpri This PR is ready to be merged unless you have any other concerns.
lingpri left a comment:
Great work. Thank you very much for your patience. I enjoyed reviewing the PR.
import com.google.auto.value.AutoValue;
import org.graylog.autovalue.WithBeanGetter;

import javax.annotation.Nullable;
delete unneeded imports:
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonProperty;
import javax.annotation.Nullable;
* Moving CloudWatch and StepAuthorize
* Removing unnecessary AuthProvider
* cleaner dir paths
* cleanup
* Render different auth options
* ARN field
* Swapping fields
* Adding Automatic content
* cleanup
* Remember auth type
* Add auth provider using latest SDK version
* Add cross account role tester
* Resolve the initial policy before attempting to assume a role
  The initial policy needs to be fully resolved before attempting to assume a role. This is because the initial role must have the sts:AssumeRole permission to assume a role. This also allows any authentication scenario to support assuming a role. This matches the auth logic previously supported in the original AWS plugin.
* Use AWSAuthProvider with assume role support for all AWS requests
* Flip incorrect logic for when credentials and auto auth are used
* Fix failing unit tests
  Allow nullable assume role ARN as it will not always be specified.
* Updating Auth experience
* validation and review:
* Passing arn with initial streams request
* Fix invalid role name
* Every auth has arn
* update note
* Fix incorrect role ARN
* Updating button implementation
* Review value of undefined
* Cleanup auth provider formatting
* Remove cross account role test
* More auth provider formatting adjustments
* Add request support for AWS SDK client endpoint overrides
* Specify endpoints at runtime
* Add endpoint config fields
* Migrate to centralized AWS client initializer
  Centralized initializer appropriately specifies general properties such as region, auth provider, and override endpoint (if specified).
* Migrate to centralized AWS client initializer (part 2)
  Centralized initializer appropriately specifies general properties such as region, auth provider, and override endpoint (if specified).
* Specify SDK override endpoint for each Graylog AWS API endpoint
* Consolidate passed AWSRequest arguments
  Passing individual arguments is verbose and can lead to transposition errors.
* Centralize logic for initializing and building AWS SDK clients
* Cleanup
* Undo unintended Palo Alto formatting changes
* Undo unintended Palo Alto formatting changes
* Key and secret are not required
* Validate override endpoint URIs to avoid silent failure
* Update to latest AWS SDK and Kinesis client
* Adding VPC Endpoint UI
* remove icon size sm
* fixed review value of undefined
* Validate endpoint URLs
* Shared section title styles
* Formatting cleanup
* Rework API value classes to inherit common properties
  This removes the many key, secret, arn, and endpoints fields from all request classes.
* Migrate the generic AWSRequestImpl to use common fields via interface
* Add back integrations.protobuf.version variable
* Improve roleSessionName logic
  Do not include "NONE" when access key is not present.
* Comment cleanup
* Add back test credentials
* Cleanup, finish implementing ignored `testCreateNewKinesisStream` test
* Fix failing test
* Add exception object to error message
* Save endpoints at end of wizard setup
* Do not save a title, which is deleted anyway when saving the input
* Update placeholder for endpoints
* Adjust text
* Adjust endpoint placeholder
* Fix failing test
* Add URL validation unit test

Overview
This PR makes the following changes for the graylog-plugin-integrations AWS Kinesis/CloudWatch input. See #264 for more info.
As part of this change, the Assume Role ARN option was also moved to the first page (previously it was tucked away on a subsequent page, which was too late, since many AWS SDK calls are initiated starting from the first page):
Lots of code was changed to implement these, because many API calls support this functionality, and almost all of them had to be updated :)
Closes #264, #271