updates

mongodb · Jun 13, 2024 · 3aaeb6d · 3aaeb6d
1 parent 6822c37
commit 3aaeb6d
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 91 deletions.
diff --git a/source/includes/security/AwsAssumeRoleCredentialProvider.java b/source/includes/security/AwsAssumeRoleCredentialProvider.java
@@ -0,0 +1,38 @@
+public class AwsAssumeRoleCredentialProvider implements CustomCredentialProvider {
+
+  public AwsAssumeRoleCredentialProvider() {}
+  @Override
+  public MongoCredential getCustomCredential(Map<?, ?> map) {
+    AWSCredentialsProvider provider = new DefaultAWSCredentialsProviderChain();
+    Supplier<AwsCredential> awsFreshCredentialSupplier = () -> {
+      AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
+          .withCredentials(provider)
+          .withRegion("us-east-1")
+          .build();
+      AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withDurationSeconds(3600)
+          .withRoleArn((String)map.get("mongodbaws.auth.mechanism.roleArn"))
+          .withRoleSessionName("Test_Session");
+      AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
+      Credentials creds = assumeRoleResult.getCredentials();
+      // Add your code to fetch new credentials
+      return new AwsCredential(creds.getAccessKeyId(), creds.getSecretAccessKey(), creds.getSessionToken());
+    };
+    return MongoCredential.createAwsCredential(null, null)
+        .withMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY, awsFreshCredentialSupplier);
+  }
+
+  // Validates presence of an ARN
+  @Override
+  public void validate(Map<?, ?> map) {
+    String roleArn = (String) map.get("mongodbaws.auth.mechanism.roleArn");
+    if (StringUtils.isNullOrEmpty(roleArn)) {
+      throw new RuntimeException("Invalid value set for customProperty");
+    }
+  }
+
+  // Initializes the custom provider
+  @Override
+  public void init(Map<?, ?> map) {
+
+  }
+}
diff --git a/source/security-and-authentication.txt b/source/security-and-authentication.txt
@@ -10,10 +10,11 @@ Security and Authentication
 
    SSL/TLS and X.509 Certificates </security-and-authentication/tls-and-x509>
    MongoDB AWS-based Authentication </security-and-authentication/mongodb-aws-auth>
+   Custom Authentication Provider </security-and-authentication/custom-auth>
 
 Read the following sections to learn how to secure communications between MongoDB 
 and the {+connector+}:
 
-- :doc:`Encrypt the Messages Your Connector Sends with SSL/TLS </security-and-authentication/tls-and-x509>`
-- :doc:`Authenticate Your Connector with MongoDB using Amazon Web Services </security-and-authentication/mongodb-aws-auth>`
-
+- :ref:`Encrypt the Messages Your Connector Sends with SSL/TLS <kafka-configure-ssl>`
+- :ref:`Authenticate Your Connector with MongoDB using Amazon Web Services <kafka-mongodb-aws>`
+- :ref:`Implement a Custom Authentication Provider <kafka-custom-auth>`
diff --git a/source/security-and-authentication/custom-auth.txt b/source/security-and-authentication/custom-auth.txt
@@ -0,0 +1,72 @@
+.. _kafka-custom-auth:
+
+==============================
+Custom Authentication Provider
+==============================
+
+.. facet::
+   :name: genre
+   :values: reference
+
+.. meta::
+   :keywords: credentials, implementation class, custom class
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+Overview
+--------
+
+You can add a custom authentication provider by implementing the
+``com.mongodb.kafka.connect.util.custom.credentials.CustomCredentialProvider``
+interface. You can use a custom authentication provider with any of the
+supported authentication mechanisms.
+
+To enable this feature, set the following authentication
+properties:
+
+- ``mongo.custom.auth.mechanism.enable``: set to ``true``
+- ``mongo.custom.auth.mechanism.providerClass``: set to the qualified
+  class name of the implementation class
+- *(Optional)* ``mongodbaws.auth.mechanism.roleArn``: set to an Amazon Resource Name (ARN)
+
+Example
+-------
+
+This section provides a sample authentication provider implementation
+class and the corresponding configuration properties and values to
+implement the provider.
+
+The following sample configuration file specifies the
+``MONGODB-AWS`` authentication method, adds a custom authentication
+provider, and provides an ARN:
+
+.. code-block:: ini
+
+   connection.uri=<connection string>/?authMechanism=MONGODB-AWS
+   mongo.custom.auth.mechanism.enable=true
+   mongo.custom.auth.mechanism.providerClass=sample.AwsAssumeRoleCredentialProvider
+   mongodbaws.auth.mechanism.roleArn=arn:aws:iam::<account ID>:role/<role name>
+
+The ``AwsAssumeRoleCredentialProvider`` class defines ``init()`` and
+``validate()`` methods that are called when the connector initializes.
+The ``getCustomCredential()`` method returns an object of type
+``com.mongodb.MongoCredential`` that is used by the ``MongoClient``
+constructed for the connector. The following code defines the custom
+authentication provider:
+
+.. literalinclude:: /includes/security/AwsAssumeRoleCredentialProvider.java
+   :language: java
+
+In this example, the ``sample.AwsAssumeRoleCredentialProvider``
+implementation class must be available on the classpath. The
+authentication provider class reads the ARN you specify in the
+``roleArn`` property.
+
+To view an example of a ``pom.xml`` file that can build the complete JAR containing
+the implementation class, see the `Kafka Connector GitHub repository
+README file
+<https://github.com/mongodb/mongo-kafka/blob/master/README.md#pom-file-to-build-the-sample-customroleprovider-into-a-jar>`__.
diff --git a/source/security-and-authentication/mongodb-aws-auth.txt b/source/security-and-authentication/mongodb-aws-auth.txt
@@ -79,92 +79,8 @@ replace:
          and placeholder value.
        | *Optional*
 
-Custom Authentication Provider
-------------------------------
+.. tip:: Custom Authentication Provider
 
-You can add a custom authentication provider by implementing the
-``com.mongodb.kafka.connect.util.custom.credentials.CustomCredentialProvider``
-interface. To enable this feature, set the following authentication
-properties:
-
-- ``mongo.custom.auth.mechanism.enable``: set to ``true``
-- ``mongo.custom.auth.mechanism.providerClass``: set to the qualified
-  class name of the implementation class
-
-Depending on the design of your implementation class, you might also
-set the ``mongodbaws.auth.mechanism.roleArn`` property, which
-provides the Amazon Resource Name (ARN).
-
-Example
-~~~~~~~
-
-This section provides a sample authentication provider implementation
-class and the corresponding configuration properties and values to
-implement the provider.
-
-The following code specifies the configuration properties to use the
-``MONGODB-AWS`` authentication method and add a custom authentication
-provider:
-
-.. code-block:: ini
-
-   connection.uri=<connection string>/?authMechanism=MONGODB-AWS
-   mongo.custom.auth.mechanism.enable=true
-   mongo.custom.auth.mechanism.providerClass=sample.AwsAssumeRoleCredentialProvider
-   mongodbaws.auth.mechanism.roleArn=arn:aws:iam::<account ID>:role/<role name>
-
-The ``AwsAssumeRoleCredentialProvider`` class defines ``init()`` and
-``validate()`` methods that are called when the connector initializes.
-The ``getCustomCredential()`` method returns an object of type
-``com.mongodb.MongoCredential`` that is used by the ``MongoClient``
-constructed for the connector. The following code defines the custom
-authentication provider:
-
-.. code-block:: java
-
-   public class AwsAssumeRoleCredentialProvider implements CustomCredentialProvider {
-
-     public AwsAssumeRoleCredentialProvider() {}
-     @Override
-     public MongoCredential getCustomCredential(Map<?, ?> map) {
-       AWSCredentialsProvider provider = new DefaultAWSCredentialsProviderChain();
-       Supplier<AwsCredential> awsFreshCredentialSupplier = () -> {
-         AWSSecurityTokenService stsClient = AWSSecurityTokenServiceAsyncClientBuilder.standard()
-             .withCredentials(provider)
-             .withRegion("us-east-1")
-             .build();
-         AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withDurationSeconds(3600)
-             .withRoleArn((String)map.get("mongodbaws.auth.mechanism.roleArn"))
-             .withRoleSessionName("Test_Session");
-         AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
-         Credentials creds = assumeRoleResult.getCredentials();
-         // Add your code to fetch new credentials
-         return new AwsCredential(creds.getAccessKeyId(), creds.getSecretAccessKey(), creds.getSessionToken());
-       };
-       return MongoCredential.createAwsCredential(null, null)
-           .withMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY, awsFreshCredentialSupplier);
-     }
-
-     @Override
-     public void validate(Map<?, ?> map) {
-       String roleArn = (String) map.get("mongodbaws.auth.mechanism.roleArn");
-       if (StringUtils.isNullOrEmpty(roleArn)) {
-         throw new RuntimeException("Invalid value set for customProperty");
-       }
-     }
-
-     @Override
-     public void init(Map<?, ?> map) {
-
-     }
-   }
-
-In this example, the ``sample.AwsAssumeRoleCredentialProvider``
-implementation class must be available on the classpath. The
-authentication provider class reads the ARN you specify in the
-``roleArn`` property.
-
-To view an example of a ``pom.xml`` file that can build the complete JAR containing
-the implementation class, see the `Kafka Connector GitHub repository
-README file
-<https://github.com/mongodb/mongo-kafka/blob/master/README.md#pom-file-to-build-the-sample-customroleprovider-into-a-jar>`__.
+   You can create and use a custom authentication provider to support
+   AWS IAM authentication. To learn more, see the
+   :ref:`kafka-custom-auth` guide.