自定义身份验证提供程序

Overview

您可以通过实施 com.mongodb.kafka.connect.util.custom.credentials.CustomCredentialProvider接口来添加自定义身份验证提供者。您必须将自定义类 JAR文件放入Kafka Connect部署中的lib文件夹中。

设置以下身份验证属性以配置身份验证提供者：

mongo.custom.auth.mechanism.enable：设立为 true
mongo.custom.auth.mechanism.providerClass：设立为实施类的限定类名
（可选） mongodbaws.auth.mechanism.roleArn：设立为Amazon资源名称 (ARN)

Amazon Web Services IAM 身份验证示例

此示例提供了一个支持Amazon Web Services IAM 的自定义身份验证提供者。以下代码显示了自定义身份验证提供者JAR文件：

package com.mongodb;
import java.util.Map;
import java.util.function.Supplier;
import com.mongodb.kafka.connect.util.custom.credentials.CustomCredentialProvider;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceAsyncClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.util.StringUtils;
public class SampleAssumeRoleCredential implements CustomCredentialProvider {
  public SampleAssumeRoleCredential() {}
  @Override
  public MongoCredential getCustomCredential(Map<?, ?> map) {
    AWSCredentialsProvider provider = new DefaultAWSCredentialsProviderChain();
    Supplier<AwsCredential> awsFreshCredentialSupplier = () -> {
      AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
          .withCredentials(provider)
          .withRegion("us-east-1")
          .build();
      AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withDurationSeconds(3600)
          .withRoleArn((String)map.get("mongodbaws.auth.mechanism.roleArn"))
          .withRoleSessionName("Test_Session");
      AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
      Credentials creds = assumeRoleResult.getCredentials();
      // Add your code to fetch new credentials
      return new AwsCredential(creds.getAccessKeyId(), creds.getSecretAccessKey(), creds.getSessionToken());
    };
    return MongoCredential.createAwsCredential(null, null)
        .withMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY, awsFreshCredentialSupplier);
  }
  
  // Validates presence of an ARN
  @Override
  public void validate(Map<?, ?> map) {
    String roleArn = (String) map.get("mongodbaws.auth.mechanism.roleArn");
    if (StringUtils.isNullOrEmpty(roleArn)) {
      throw new RuntimeException("Invalid value set for customProperty");
    }
  }
  // Initializes the custom provider
  @Override
  public void init(Map<?, ?> map) {
  }
}

编译 JAR文件并将其放入部署的lib文件夹中。

注意

要查看可构建包含实施类的完整 JAR 的 pom.xml文件示例，请参阅 Kafka Connector Github存储库自述文件。

接下来，配置源连接器或接收器Connector以包含自定义身份验证方法。以下配置属性定义一个接收器Connector，该连接器使用Kafka Connector MongoDB AtlasAmazon Web ServicesIAM身份验证将到：

{
   "name": "mongo-tutorial-sink",
   "config": {
     "connector.class": "com.mongodb.kafka.connect.MongoSinkConnector",
     "topics": "<topic>",
     "connection.uri": "<connection string>?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority",
     "key.converter": "org.apache.kafka.connect.storage.StringConverter",
     "value.converter": "org.apache.kafka.connect.json.JsonConverter",
     "value.converter.schemas.enable": false,
     "database": "<db>",
     "collection": "<collection>",
     "mongo.custom.auth.mechanism.enable": "true",
     "mongo.custom.auth.mechanism.providerClass": "com.mongodb.SampleAssumeRoleCredential",
     "mongodbaws.auth.mechanism.roleArn": "<AWS IAM ARN>"
   }
}

在此示例中， roleArn值是有权访问权限MongoDB Atlas的用户群组的 IAM 角色。在Amazon Web Services IAM 控制台中，运行Kafka Connect 的 IAM 帐户对Atlas user组具有 AssumeRole 权限。

后退

MongoDB 基于 AWS 的身份验证

来年

监控