Quarkus: Data source custom credentials provider - java

How can I create a custom data source credentials provider that for example reads the credentials from a file on the disk? I need a way to set the credentials from code. I guess that's the way to go in Quarkus.
quarkus.datasource.username=I want to set this in the code
quarkus.datasource.password=I want to set this in the code
I only see a HashiCorp Vault integration. I need a way to do this in a custom credentials provider. I can see that there is a way to set the class that represents your provider, but what interface should that class implement?
From the docs:
quarkus.datasource.credentials-provider=?
quarkus.datasource.credentials-provider-type=?
The credentials provider type. It is the @Named value of the credentials provider bean. It is used to discriminate if multiple CredentialsProvider beans are available. For Vault it is: vault-credentials-provider. Not necessary if there is only one credentials provider available.
Can somebody please help with this?

This pattern is now officially supported in https://github.com/quarkusio/quarkus/pull/9032 and documented in https://github.com/quarkusio/quarkus/pull/9552

Interesting. We have designed that contract with only Vault in mind so the interface is called io.quarkus.vault.CredentialsProvider and is in the quarkus-vault-spi module.
That being said, I think you could just add that module to your project (it doesn't have any Vault dependency). Then you could just implement that interface and things should be OK.
Your CredentialsProvider needs to be a CDI bean so you should make it either @Singleton or @ApplicationScoped.
Then you would just need to define a value for quarkus.datasource.credentials-provider=<value here>. The name is passed to the credentials provider and is used in the case of Vault.
In your case, it just needs to be defined.
If it works for you, could you open an issue in our tracker? I think we should make that interface part of the datasource extension and not Vault specific.
UPDATE: I created an example project here: https://github.com/gsmet/quarkus-credentials-provider . Just run mvn clean install (you need Docker) and you'll see your CredentialsProvider being called.

Yes, io.quarkus.vault.CredentialsProvider is meant to be HashiCorp Vault neutral.
Please see this issue for some guidance: https://github.com/quarkusio/quarkus/issues/6896#issuecomment-581014674
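
A file-backed provider along the lines the answers above describe, as an added example that is not part of the original thread or of the Quarkus project's code. It assumes io.quarkus.vault.CredentialsProvider exposes getCredentials(String) returning Properties keyed by USER_PROPERTY_NAME and PASSWORD_PROPERTY_NAME; the file path, the bean name and the file's username/password keys are hypothetical, and the permission check assumes a POSIX file system.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Properties;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Named;

import io.quarkus.vault.CredentialsProvider; // interface named in the answer; signature assumed

@ApplicationScoped
@Named("file-credentials-provider") // hypothetical bean name
public class FileCredentialsProvider implements CredentialsProvider {
    // Hypothetical path; the file holds "username=..." and "password=..." lines.
    private static final Path FILE = Paths.get("/run/secrets/db.properties");

    @Override
    public Properties getCredentials(String credentialsProviderName) {
        Properties file = new Properties();
        try {
            // Refuse a secrets file that group or other users can access, e.g. "rw-r--r--".
            String perms = PosixFilePermissions.toString(Files.getPosixFilePermissions(FILE));
            if (!perms.endsWith("------")) {
                throw new IllegalStateException(FILE + " must be accessible by its owner only");
            }
            try (Reader in = Files.newBufferedReader(FILE)) {
                file.load(in);
            }
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read credentials file " + FILE, e);
        }
        Properties credentials = new Properties();
        credentials.setProperty(USER_PROPERTY_NAME, required(file, "username"));
        credentials.setProperty(PASSWORD_PROPERTY_NAME, required(file, "password"));
        return credentials;
    }

    private static String required(Properties p, String key) {
        String value = p.getProperty(key);
        if (value == null || value.isEmpty()) {
            // Report only the missing key name, never a secret value.
            throw new IllegalStateException("Missing '" + key + "' in " + FILE);
        }
        return value;
    }
}
```

With this bean on the classpath, quarkus.datasource.credentials-provider still has to be set to some value, and quarkus.datasource.credentials-provider-type to the @Named value if more than one provider bean exists.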

Related

How to Configure using STSAssumeRoleSessionCredentialsProvider in spring-cloud-stream-binder-kinesis

I am using spring-cloud-stream-binder-kinesis, version: 2.0.2.RELEASE.
I was able to successfully use binder and access it locally using the default ContextCredentialsAutoConfiguration mentioned in the KinesisBinderConfiguration.
Now I know this set-up won't work for me because,
The Kinesis data stream is in AWS account 1
The Service is running in AWS account 2
(I have already done the setup of assumed Role so that Account 2 can access streams in account 1 using the assumed role)
However I am not sure how can I override the credentials in binder to use STSAssumeRoleSessionCredentialsProvider
Can someone help please?
The KinesisBinderConfiguration is fully based on the auto-configuration from the Spring Cloud AWS, which provides for us a ContextCredentialsAutoConfiguration and expose an AWSCredentialsProvider bean under the credentialsProvider name if not present yet.
So, probably you just need to have your STSAssumeRoleSessionCredentialsProvider as a bean in your configuration class and give it that credentialsProvider bean name.

Using Xero's Java SDK to support authentication of multiple private apps?

I am using Xero's Java SDK to build my application. My application is now facing a requirement of having to work with several Xero private apps, therefore I need to manage and perform authentication (OAuth) via the key certificate file and appropriate consumer key and secret.
I was thinking to very simply store these details in a database table and retrieve them appropriately more or less as in the following:
// create a Xero config instance
Config config = JsonConfig.getInstance();
// build config file - details will be obtained from database
config.setConsumerKey("key");
config.setConsumerSecret("secret");
// this line will have me authenticate with the Xero service using the config file built
XeroClient client = new XeroClient(config);
The problem with this approach is that I am not pointing at the public_privatekey.pfx key file which is another essential element required to authenticate.
The reason why I am not doing so is that the SDK does not seem to support this using the Config instance as shown above - there is no option for me to select the appropriate public_private.pfx file (and neither an option for me to just load the contents of the file). It doesn't make sense to me that an SDK would be missing a feature, therefore questioning my approach; have I overlooked a detail or am I approaching the problem incorrectly?
Take a look at the read me under the heading Customize Request Signing
https://github.com/XeroAPI/Xero-Java/blob/master/README.md
You can provide your own signing mechanism by using the public XeroClient(Config config, SignerFactory signerFactory) constructor. Simply implement the SignerFactory interface with your implementation.
You can also provide a RsaSignerFactory using the public RsaSignerFactory(InputStream privateKeyInputStream, String privateKeyPassword) constructor to fetch keys from any InputStream.

What is the right approach for extending Spring Cloud Config Client?

I want to replace Basic Authentication for Spring Cloud Config Server with an OAuth implementation. Let's leave Config Server alone for now and focus on changes for Config Client. Obviously I don't want to write my own implementation for the whole thing, but instead execute my own logic and fall back on the standard Config Client. Also I have to pack my changes into a library since I will use it in multiple micro-services.
Long story short I want to achieve following:
1a. Create custom Starter which will contain Spring Cloud Config Client as dependency. Is it even doable or necessary?
or
1b. Create custom Starter with only my custom logic which will be executed before Spring Cloud Config Client. In this case each micro-service will have Spring Cloud Config Client and custom Starter as dependencies. How can I manage execution order and inject custom logic results into Config Client?
2. Introduce new bootstrap settings. e.g. spring.cloud.config.custom.username and spring.cloud.config.custom.password (Optional).
3. Introduce custom annotation for custom Starter. e.g. @enableCustomConfigClient (Optional).
I started with building custom Starter with following code in /resources/META-INF/spring.factories:
# Bootstrap components
org.springframework.cloud.bootstrap.BootstrapConfiguration=\
com.example.greeter.config.ConfigClientBootstrapConfiguration
But this code is invoked after the profile is set, not as the first thing like Config Client does.
Any suggestions and especially code samples are appreciated. Thanks!
Posting approach I chose for future reference.
Create new package which will be executed on top of / before Spring Cloud Config Client. Two main features here:
Create file src/main/resources/META-INF/spring.factories with org.springframework.cloud.bootstrap.BootstrapConfiguration={YOUR_CLASS}
In {YOUR_CLASS} apply custom logic. Don't forget to use @org.springframework.core.annotation.Order({YOUR_PRECEDENCE}) and the fact that Ordered.LOWEST_PRECEDENCE will be executed first
Build jar from previous step and include it into your project (as local file or via artifactory)
Add Custom logic to Spring Cloud Config Server so it can use JWT.
Working example is here: https://github.com/ka4ok85/spring-cloud-config-client-jwt

Can I use Spring Security annotations in ZKGrails composers?

Can I use Spring Security annotations in my ZKGrails composers to secure the ajax-callbacks, or can/do I have to inject springSecurityService (and check the principal's authorities, in every method manually)?
Update: According to http://felipecypriano.com/2009/10/26/tweak-zk-to-make-event-processing-call-groovys-invokemethod/ , the annotations should work, and I found the modification mentioned in this post in the current ZKGrails plugin version (1.0.4). Still, when I try to secure methods in my composer, they remain fully accessible.
Because the "@Secured" annotation is not supported by the Spring Security plug-in. I think you should implement your own method interceptor according to http://felipecypriano.com/2009/10/19/enable-secured-annotation-with-grails-spring-security-plugin/ to enable it.

Datasource creation failed using PCF User Provided Service

I have a SpringBoot application and am deploying it in PCF, where the app is trying to connect to an Oracle 12c Database using PCF User Provided Services, but it is failing with this error: Failed to determine a suitable driver class
build.gradle code:
and here are the configuration that I used in CUP service:
Service binding is happening properly. I can see the same details under VCAP_SERVICES in Environment Variables.
Error:
Short Answer: I think you want the uri to be oracle://... Strip off the jdbc: part. The Spring Autoreconfiguration code that gets injected by the Java buildpack will look at the prefix on the URI, so it needs oracle:// to know it's an Oracle link.
Long Answer: You probably don't want to depend on the injected Spring Autoreconfiguration. When it just works, it's great, but it can be difficult to understand what it's doing when it doesn't work.
It is better to use Spring Cloud Connector or even better, as all signs point to this replacing Spring Cloud Connector, use java-cfenv. For details on java-cfenv, see this blog post.
Spring Cloud Connector has the same issue I mentioned above as the Spring Autoreconfiguration, except that it will pretty clearly tell you when it doesn't recognize a bound service. Anyway, if you decide to use SCC, make sure you prefix the URI with oracle://.
If you use java-cfenv, it's more flexible so it's really up to you what properties and values you inject through the service.
Hope that helps!
