Add Confluence Data Center support with allow_local_address and beare…#6769
…r token auth Make address validation configurable via allow_local_address (default false) so Confluence Data Center on internal networks is supported. Add bearer token authentication for Personal Access Tokens used by Data Center deployments. Resolves opensearch-project#6496 Signed-off-by: Srikanth Padakanti <srikanth_padakanti@apple.com>
99de791 to f257f0f
Hi @dlvenable @kkondaka Please review this. Thanks.
dlvenable
left a comment
Thanks @srikanthpadakanti for the contribution! I have a few comments and questions.
|
|
||
| @AssertTrue(message = "Authentication config should have either basic or oauth2") | ||
| @JsonProperty("bearer_token") | ||
| private String bearerToken; |
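Review bot: The @AssertTrue message on the first line of this hunk still reads "Authentication config should have either basic or oauth2", while the lines below it introduce bearer_token as another auth option, so a user who trips the check gets an error that omits one of the valid choices; update the message to name bearer_token as well. As rendered, the annotation also sits directly above the bearerToken field declaration, so confirm it is still attached to the validation method it is meant to guard.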
For OAuth2, we use PluginConfigVariable. This allows us to refresh the credentials from the Jira/Confluence source plugins themselves. Do you think this is relevant for bearer tokens?
Either way, this can support reading from secrets managers.
Agreed on PluginConfigVariable. Will address in a follow-up since PATs don't need refresh, but secrets manager reads are valuable. Keeping scope tight for this PR.
Otherwise, if you want me to implement it now, I can change String bearerToken to PluginConfigVariable bearerToken and update all usages. What do you prefer?
We support two forms of refresh:
1. Somebody outside of Data Prepper updates the secret in something like AWS Secrets Manager
2. Data Prepper refreshes the secret and updates the secret in AWS Secrets Manager
For OAuth2, we support number 2.
For RDS, OpenSearch, etc. we only support 1. I think we want to support 1 here as well.
I think we can do this in a follow on as well.
Agreed. Will implement PluginConfigVariable for bearer token in a follow-up PR to support secrets manager reads (form 1). Keeping this PR scoped to the Data Center connectivity feature.
Here's the follow up issue #6844 to track
…t values, wire JiraRestClient Signed-off-by: Srikanth Padakanti <srikanth_padakanti@apple.com>
Description
Two changes to support Confluence Data Center deployments:
1. Configurable address validation (allow_local_address)
The existing AddressValidation.validateInetAddress() rejects all local/private IPs, which blocks Confluence Data Center running on internal networks. Added a boolean config allow_local_address (defaults to false) that skips site-local, loopback, and link-local checks when enabled. Multicast and any-local addresses are still rejected regardless.
Confluence Data Center uses Personal Access Tokens (PAT) for authentication. Added bearer_token as a third auth option alongside basic and oauth2.
Only one auth method can be configured at a time.
Changes are in atlassian-commons so Jira Data Center also benefits from the same allow_local_address and bearer token support.
Issues Resolved
Resolves #6496
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
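The address rule from item 1 of the description, as an added example in Java (not code from this PR or from Data Prepper). The validate method is a hypothetical stand-in that assumes each address class named in the description maps to the matching java.net.InetAddress predicate, and the sample addresses are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.LinkedHashMap;
import java.util.Map;

public class AllowLocalAddressExample {

    /** Hypothetical stand-in for the validation described above; not the project's method. */
    static void validate(final InetAddress address, final boolean allowLocalAddress) {
        // Rejected regardless of the flag.
        if (address.isMulticastAddress() || address.isAnyLocalAddress()) {
            throw new IllegalArgumentException("address not allowed: " + address.getHostAddress());
        }
        // Rejected only while allow_local_address is false (the default).
        if (!allowLocalAddress && (address.isSiteLocalAddress()
                || address.isLoopbackAddress()
                || address.isLinkLocalAddress())) {
            throw new IllegalArgumentException("local address not allowed: " + address.getHostAddress());
        }
    }

    static boolean accepted(final InetAddress address, final boolean allowLocalAddress) {
        try {
            validate(address, allowLocalAddress);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(final String[] args) throws UnknownHostException {
        // Constructed samples; getByAddress builds them from raw bytes, so no DNS lookup happens.
        final Map<String, byte[]> samples = new LinkedHashMap<>();
        samples.put("public", new byte[] {(byte) 203, 0, 113, 10});
        samples.put("site-local", new byte[] {10, 1, 2, 3});
        samples.put("loopback", new byte[] {127, 0, 0, 1});
        samples.put("link-local", new byte[] {(byte) 169, (byte) 254, 10, 20});
        samples.put("multicast", new byte[] {(byte) 224, 0, 0, 1});
        samples.put("any-local", new byte[] {0, 0, 0, 0});

        System.out.printf("%-11s %-16s %-8s %s%n", "kind", "address", "default", "allow_local_address=true");
        for (final Map.Entry<String, byte[]> sample : samples.entrySet()) {
            final InetAddress address = InetAddress.getByAddress(sample.getValue());
            System.out.printf("%-11s %-16s %-8s %s%n", sample.getKey(), address.getHostAddress(),
                    accepted(address, false) ? "accept" : "reject",
                    accepted(address, true) ? "accept" : "reject");
        }
    }
}
```

Enabling the flag accepts loopback and link-local destinations as well as site-local ones, so it is broader than a "private networks only" switch.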