Enable HTTP Sink with aws sigv4 auth mode only#6747
Conversation
Signed-off-by: Kondaka <krishkdk@amazon.com>
kkondaka
requested review from
KarstenSchnitter,
dinujoh,
dlvenable,
engechas,
graytaylor0,
oeyh,
san81,
sb2k16 and
srikanthjg
as code owners
✅ License Header Check PassedAll newly added files have proper license headers. Great work! 🎉 |
dlvenable
left a comment
dlvenable
left a comment
There was a problem hiding this comment.
Nice improvement @kkondaka . It will be good to get this sink ready to use! I have a number of suggestions. Overall we should be sure this is a generic sink and not so tightly coupled with AWS/SigV4.
One alternative is to create an aws_http sink. But I think some code clean up will make that unnecessary.
| private PluginModel codec; | ||
|
|
||
| @JsonProperty("http_method") | ||
| private HTTPMethodOptions httpMethod = HTTPMethodOptions.POST; |
There was a problem hiding this comment.
I thought about it but since we are not using now, decided to keep it out. We can always add things that are needed back when they are needed.
| } | ||
|
|
||
| public HttpEndPointResponse send(final byte[] payload) { | ||
| HttpEndPointResponse response = null; |
There was a problem hiding this comment.
Let's also rename this class to HttpEndpointResponse since this is a single word - "endpoint."
|
|
||
| import com.fasterxml.jackson.annotation.JsonProperty; | ||
|
|
||
| public class BasicAuthCredentials { |
There was a problem hiding this comment.
I think removing a lot of the authentication options is good. But we should at least support basic auth. Otherwise nobody can use this other than with AWS. If we start here, we can look for community contributions for expanded support.
There was a problem hiding this comment.
We should also support unauthenticated requests.
There was a problem hiding this comment.
Requests are unauthenticated when "aws:" is not used. There is already integration tests that shows that path works.
|
|
||
| SdkHttpFullRequest signRequest(final SdkHttpFullRequest unsignedRequest) { | ||
| if (credentialsProvider == null || credentialsProvider.resolveCredentials() == null) { | ||
| return null; |
There was a problem hiding this comment.
If we fail to load credentials this will give an NPE, right? We should have a better way to fail.
|
|
||
| private SdkHttpFullRequest createSdkHttpRequest(final String url, @Nonnull final byte[] payload) { | ||
| final SdkHttpFullRequest.Builder builder = SdkHttpFullRequest.builder() | ||
| .method(SdkHttpMethod.POST) |
There was a problem hiding this comment.
This should be configurable. It is an easy config to offer.
Also, this and the URI should be provided by the HttpSinkSender and then used by the suggested decorator. That is, don't mix the concerns of determining the method/URI with the concern of signing.
There was a problem hiding this comment.
Agreed. But do not need it initially. I will do it in a follow-up PR
There was a problem hiding this comment.
I think we can add additional configurations later. But we shouldn't leave the code in a state where two things that don't need to be connected are. Specifically having the AWS SDK code in HttpSinkSender. Let's just decouple that and we should be good to go.
|
|
||
| public class HttpSinkSender { | ||
| private static final Logger LOG = LoggerFactory.getLogger(HttpSinkSender.class); | ||
| private static final String HTTP_METHOD = "post"; |
| } | ||
|
|
||
|
|
||
| if (config.getCustomHeaderOptions() != null) { |
There was a problem hiding this comment.
I think the Codecs should ideally offer a MIME type interface.
Optional<String> getMimeType();
Then the codec can provide a default MIME type to use in the Content-Type header.
This would work well for the json codec.
However it might not work for all. I think ND-JSON doesn't have a MIME type. Maybe application/jsonl or application/x-ndjson. We should still override it with custom headers.
There was a problem hiding this comment.
Let's look at this in a follow-up PR
| this.estimatedSize = calculateSize(event, codec, codecContext); | ||
| } | ||
|
|
||
| private long calculateSize(final Event event, final OutputCodec codec, final OutputCodecContext codecContext) throws IOException { |
There was a problem hiding this comment.
The event is serialized once in calculateSize() for size estimation, then again in flush() for actual sending. Consider caching the serialized bytes from the size calculation and reusing them during flush, or using a cheaper estimation like event.toJsonString().length()
There was a problem hiding this comment.
Yes, this is a known issue. We cannot use event.toJsonString().length() because the codec is not always json.
There was a problem hiding this comment.
One way to improve this is to store the OutputStream from calculateSize() and reuse it in flush(), not sure if that would work. But something to look into in future.
Signed-off-by: Kondaka <krishkdk@amazon.com>
dlvenable
left a comment
dlvenable
left a comment
There was a problem hiding this comment.
Two things before merging:
- Let's require the
service_namebecause this is a generichttpsink that should be able to send to any AWS SigV4 service. It isn't just for API Gateway. - Let's remove the AWS code from
HttpSinkSender. This way if the community wants to extend the authentication options there is no need to extract this AWS code which isn't tested in an integration environment. This will give more confidence.
Signed-off-by: Kondaka <krishkdk@amazon.com>
| @JsonProperty("connection_timeout") | ||
| private Duration connectionTimeout = DEFAULT_CONNECTION_TIMEOUT; | ||
|
|
||
| @JsonProperty("aws_sigv4_service_name") |
There was a problem hiding this comment.
Do we have an aws: block? If so, I think we can just make this service_name under that block. We can follow on with this change or discuss further before the PR.
There was a problem hiding this comment.
There is an aws block. Would be better to move this under that
| } | ||
|
|
||
| @Override | ||
| public boolean isReady() { |
There was a problem hiding this comment.
Doesn't have to be in this PR but would be good to consider implementing graceful shutdown where we flush everything in the sink before exiting.
4 participants
Description
Enable HTTP Sink with aws sigv4 auth mode only.
Modified HTTP sink code to use only aws auth mode only.
Removed other auth options
Issues Resolved
Resolves #[Issue number to be closed when this PR is merged]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.