diff --git a/source/includes/security/AwsAssumeRoleCredentialProvider.java b/source/includes/security/AwsAssumeRoleCredentialProvider.java index 19243f57..f72ae758 100644 --- a/source/includes/security/AwsAssumeRoleCredentialProvider.java +++ b/source/includes/security/AwsAssumeRoleCredentialProvider.java @@ -1,6 +1,22 @@ -public class AwsAssumeRoleCredentialProvider implements CustomCredentialProvider { +package com.mongodb; - public AwsAssumeRoleCredentialProvider() {} +import java.util.Map; +import java.util.function.Supplier; + +import com.mongodb.kafka.connect.util.custom.credentials.CustomCredentialProvider; + +import com.amazonaws.auth.AWSCredentialsProvider; +import com.amazonaws.auth.DefaultAWSCredentialsProviderChain; +import com.amazonaws.services.securitytoken.AWSSecurityTokenService; +import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceAsyncClientBuilder; +import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; +import com.amazonaws.services.securitytoken.model.AssumeRoleResult; +import com.amazonaws.services.securitytoken.model.Credentials; +import com.amazonaws.util.StringUtils; + +public class SampleAssumeRoleCredential implements CustomCredentialProvider { + + public SampleAssumeRoleCredential() {} @Override public MongoCredential getCustomCredential(Map map) { AWSCredentialsProvider provider = new DefaultAWSCredentialsProviderChain(); @@ -20,7 +36,7 @@ public MongoCredential getCustomCredential(Map map) { return MongoCredential.createAwsCredential(null, null) .withMechanismProperty(MongoCredential.AWS_CREDENTIAL_PROVIDER_KEY, awsFreshCredentialSupplier); } - + // Validates presence of an ARN @Override public void validate(Map map) { diff --git a/source/security-and-authentication/custom-auth.txt b/source/security-and-authentication/custom-auth.txt index 18f23ea6..966c5bf1 100644 --- a/source/security-and-authentication/custom-auth.txt +++ b/source/security-and-authentication/custom-auth.txt 
@@ -22,51 +22,63 @@ Overview You can add a custom authentication provider by implementing the ``com.mongodb.kafka.connect.util.custom.credentials.CustomCredentialProvider`` -interface. You can use this feature to write an authentication provider -in Java to use in your connector configuration. +interface. You must place your custom class JAR file in the ``lib`` folder +in your {+kafka-connect+} deployment. -To enable this feature, set the following authentication -properties: +Set following authentication properties to configure the authentication +provider: - ``mongo.custom.auth.mechanism.enable``: set to ``true`` - ``mongo.custom.auth.mechanism.providerClass``: set to the qualified class name of the implementation class - *(Optional)* ``mongodbaws.auth.mechanism.roleArn``: set to an Amazon Resource Name (ARN) -Example -------- +AWS IAM Authentication Example +------------------------------ -This section provides a sample authentication provider implementation -class and the corresponding configuration properties and values to -implement the provider. - -The following sample configuration file specifies the -``MONGODB-AWS`` authentication method, adds a custom authentication -provider, and provides an ARN: - -.. code-block:: ini - - connection.uri=/?authMechanism=MONGODB-AWS - mongo.custom.auth.mechanism.enable=true - mongo.custom.auth.mechanism.providerClass=sample.AwsAssumeRoleCredentialProvider - mongodbaws.auth.mechanism.roleArn=arn:aws:iam:::role/ - -The ``AwsAssumeRoleCredentialProvider`` class defines ``init()`` and -``validate()`` methods that are called when the connector initializes. -The ``getCustomCredential()`` method returns an object of type -``com.mongodb.MongoCredential`` that is used by the ``MongoClient`` -constructed for the connector. The following code defines the custom -authentication provider: +This example provides a custom authentication provider that supports AWS +IAM. 
The following code shows the custom authentication +provider JAR file: .. literalinclude:: /includes/security/AwsAssumeRoleCredentialProvider.java :language: java -In this example, the ``sample.AwsAssumeRoleCredentialProvider`` -implementation class must be available on the classpath. The -authentication provider class reads the ARN you specify in the -``roleArn`` property. +Compile the JAR file and place it in the ``lib`` folder in your +deployment. + +.. note:: + + To view an example of a ``pom.xml`` file that can build the complete JAR containing + the implementation class, see the `Kafka Connector GitHub repository + README file + `__. -To view an example of a ``pom.xml`` file that can build the complete JAR containing -the implementation class, see the `Kafka Connector GitHub repository -README file -`__. +Next, configure your source or sink connector to include the custom +authentication method. The following configuration properties define a +sink connector that connects the {+connector-short+} to MongoDB Atlas +by using AWS IAM authentication: + +.. code-block:: ini + :emphasize-lines: 13-15 + + { + "name": "mongo-tutorial-sink", + "config": { + "connector.class": "com.mongodb.kafka.connect.MongoSinkConnector", + "topics": "", + "connection.uri": "?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority", + "key.converter": "org.apache.kafka.connect.storage.StringConverter", + "value.converter": "org.apache.kafka.connect.json.JsonConverter", + "value.converter.schemas.enable": false, + "database": "", + "collection": "", + "mongo.custom.auth.mechanism.enable":"true", + "mongo.custom.auth.mechanism.providerClass":"com.mongodb.SampleAssumeRoleCredential", + "mongodbaws.auth.mechanism.roleArn":"arn:aws:iam::99999999:role/KafkaAtlasRole" + } + } + +In this example, the ``roleArn`` value is the IAM Role of the user group that has +access to MongoDB Atlas. 
In the AWS IAM console, we gave ``AssumeRole`` +permissions on the IAM account that is running {+kafka-connect+} to this +Atlas Group IAM Role.
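Review bot: In the first hunk of ``AwsAssumeRoleCredentialProvider.java`` the public class is renamed to ``SampleAssumeRoleCredential`` while the file keeps its old name; Java requires a public class to live in a file of the same name, so a reader who copies the literalinclude verbatim gets a compile error. Either rename the file to ``SampleAssumeRoleCredential.java`` (and update the ``literalinclude`` path in ``custom-auth.txt``) or keep the ``AwsAssumeRoleCredentialProvider`` class name. Declaring the sample inside ``package com.mongodb;`` is also worth reconsidering: it puts user code in the driver's own namespace, and a sample package such as ``sample`` or ``com.example`` avoids clashes with driver classes. Finally, the hunk adds imports for ``Supplier``, ``StringUtils`` and ``AWSSecurityTokenServiceAsyncClientBuilder`` whose use is outside the shown context; please confirm none of them is unused so the sample compiles without warnings.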
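Review bot: The comment ``// Validates presence of an ARN`` added in the second hunk contradicts the documentation, which still lists ``mongodbaws.auth.mechanism.roleArn`` as *(Optional)*; if ``validate()`` rejects a configuration without an ARN, drop the "Optional" label in ``custom-auth.txt``, and if the ARN really is optional, reword the comment to say what happens when it is absent. As a style point, the comment replaces the blank line that separated the two methods; keep the blank line and attach the description to the method as a Javadoc block (``/** Validates ... */``) above ``@Override``.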
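Review bot: In the ``custom-auth.txt`` hunk the highlighted range is off by one: the three custom-auth keys ``mongo.custom.auth.mechanism.enable``, ``mongo.custom.auth.mechanism.providerClass`` and ``mongodbaws.auth.mechanism.roleArn`` are lines 12-14 of the block, so ``:emphasize-lines: 13-15`` highlights the closing brace instead of the ``enable`` property. The block is also declared ``.. code-block:: ini`` but its content is JSON (a Connect REST payload), so use ``json`` for correct highlighting. A few wording issues in the added text: "Set following authentication properties" should read "Set the following authentication properties"; "The following code shows the custom authentication provider JAR file" describes Java source, not a JAR, so say "source code" (the JAR is what the reader builds from it); and "the IAM Role of the user group" plus the first-person "we gave ``AssumeRole`` permissions" would read better as a direct instruction ("In the AWS IAM console, grant the IAM principal that runs {+kafka-connect+} permission to assume this role"). The sample ARN ``arn:aws:iam::99999999:role/KafkaAtlasRole`` uses an 8-digit account ID, whereas AWS account IDs are 12 digits; a placeholder such as ``123456789012`` avoids copy-paste confusion. Lastly, the removed paragraph explaining that ``init()`` and ``validate()`` run at connector initialization and that ``getCustomCredential()`` returns the ``com.mongodb.MongoCredential`` used by the connector's ``MongoClient`` is the only place the interface contract was described; consider keeping it, since the sample alone does not tell implementers when each method is called.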