Class FileDataSourceConfiguration
java.lang.Object
org.elasticsearch.xpack.esql.datasources.spi.DataSourceConfiguration
org.elasticsearch.xpack.esql.datasources.spi.FileDataSourceConfiguration
Base configuration for file-based external sources (S3, GCS, Azure). Handles the
auth
mode and the cross-field rules that bind it to the credential fields.
auth is an explicit mode switch with these canonical values:
auto(the default whenauthis omitted) — resolve the mode from the fields present: federated authentication settings →federated_identity, a stored secret →static_credentials(theauthvalue itself staysautoand is not rewritten). A credential-lessautoconfig is unresolvable and is rejected at create time byvalidate(org.elasticsearch.common.ValidationException)— not deferred to the storage provider. Never resolves toanonymousormanaged_identity— those are opt-in only.anonymous— public / unauthenticated access (no credentials).static_credentials— a stored long-lived secret.federated_identity— issuer-minted OIDC federation (federated settings such as a role ARN + audience).managed_identity— the node's ambient cloud identity (instance profile / IMDS / metadata server); gated by a cluster setting.
Backwards compatibility: the former value names none and workload_identity
are still accepted, canonicalized to anonymous and managed_identity on parse (so a
stored configuration and every later read hold the canonical value), and each use emits a
deprecation warning. See normalize(Map) and DEPRECATED_AUTH_ALIASES.
Credential-conflict detection is automatic — any field marked
secret or
federated auth that has a value set is treated as
an authentication setting, and the two kinds cannot be combined.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic enumThe resolved credential-selection mode a provider builds a mechanism for. -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected static final DataSourceConfigDefinitionstatic final StringError shown whenauth=managed_identityis requested while the cluster setting is disabled.Fields inherited from class org.elasticsearch.xpack.esql.datasources.spi.DataSourceConfiguration
DEPRECATED_AUTH_LOG_KEY_PREFIX, DEPRECATED_AUTH_MESSAGE -
Constructor Summary
ConstructorsModifierConstructorDescriptionprotectedFileDataSourceConfiguration(Map<String, Object> raw, Map<String, DataSourceConfigDefinition> fieldDefs) protectedFileDataSourceConfiguration(Map<String, Object> raw, Map<String, DataSourceConfigDefinition> fieldDefs, Set<String> preexistingSecretKeys) LikeFileDataSourceConfiguration(Map, Map), but for a PUT-as-update; seeDataSourceConfiguration(Map, Map, Set). -
Method Summary
Modifier and TypeMethodDescriptionauth()abstract booleanReturns true when the configuration carries a complete static credential.booleanbooleanReturns true whenauth=federated_identityis explicitly set.booleanReturns true whenauth=managed_identityis set, directing the provider to use the node's ambient credentials.static booleanisManagedIdentityAuth(Object authValue) Returns true when the rawauthvalue selects managed-identity.booleanReturns true whenauth=static_credentialsis explicitly set.protected voidSubclass hook to canonicalize parsed values before they are frozen — e.g.The resolved mode, for providers to switch on.Resolves the credential-selection mode.abstract StringPer-CSP message naming the credential fields that would make anautoconfig resolvable.protected final voidvalidate(ValidationException errors) Cross-field validation.protected voidSubclass hook for datasource-specific credential validation.Methods inherited from class org.elasticsearch.xpack.esql.datasources.spi.DataSourceConfiguration
buildRawMap, equals, filterAndConstruct, filterKnown, get, hasAnyExplicitSecretValue, hasAnySecretValue, hasFederatedAuth, hashCode, hasStoredSecret, toMap, toStoredSettings
-
Field Details
-
AUTH
-
MANAGED_IDENTITY_DISABLED_MESSAGE
Error shown whenauth=managed_identityis requested while the cluster setting is disabled. Shared between the CRUD validator (FileDataSourceValidator.validateDatasource(java.util.Map<java.lang.String, java.lang.Object>)) and the inline-WITH gate inStorageProviderRegistryso both paths report the same message.- See Also:
-
-
Constructor Details
-
FileDataSourceConfiguration
-
FileDataSourceConfiguration
protected FileDataSourceConfiguration(Map<String, Object> raw, Map<String, DataSourceConfigDefinition> fieldDefs, Set<String> preexistingSecretKeys) LikeFileDataSourceConfiguration(Map, Map), but for a PUT-as-update; seeDataSourceConfiguration(Map, Map, Set).
-
-
Method Details
-
normalize
Description copied from class:DataSourceConfigurationSubclass hook to canonicalize parsed values before they are frozen — e.g. mapping a deprecated enum alias to its current value so the stored configuration (and every later read) holds the canonical form. Runs after unknown-field rejection and case-insensitive lowering, beforeDataSourceConfiguration.validate(org.elasticsearch.common.ValidationException). The default is a no-op. LikeDataSourceConfiguration.validate(org.elasticsearch.common.ValidationException), this is a virtual call during construction, so overrides must touch only the supplied map and static data, never instance fields.- Overrides:
normalizein classDataSourceConfiguration
-
validate
Description copied from class:DataSourceConfigurationCross-field validation. Accumulate errors into the provided exception.- Specified by:
validatein classDataSourceConfiguration
-
validateCredentials
Subclass hook for datasource-specific credential validation. -
hasCredentials
public abstract boolean hasCredentials()Returns true when the configuration carries a complete static credential. The exact required field combination is CSP-specific (e.g. S3 access_key+secret_key; Azure connection_string or account+key/sas_token). Used byvalidate(org.elasticsearch.common.ValidationException)to enforceauth=static_credentialscompleteness and by the providers to select the static-credential path. -
auth
-
isAnonymous
public boolean isAnonymous() -
isStaticCredentials
public boolean isStaticCredentials()Returns true whenauth=static_credentialsis explicitly set. -
isFederatedIdentity
public boolean isFederatedIdentity()Returns true whenauth=federated_identityis explicitly set. -
isManagedIdentity
public boolean isManagedIdentity()Returns true whenauth=managed_identityis set, directing the provider to use the node's ambient credentials. -
resolveAuthModeOrNull
Resolves the credential-selection mode. An explicitauthvalue maps straight to its mode — no field inference. Onlyauto/omitted infers the mode from the fields present, which is the single inference site in the datasource stack. Returnsnullonly for an unresolvableautoconfig (no complete credential and no federated settings);validate(org.elasticsearch.common.ValidationException)rejects that at create time, so any validated config always resolves to a non-null mode. -
resolveAuthMode
The resolved mode, for providers to switch on. Throws for the unresolvable-autocase, which is unreachable for a config that passedvalidate(org.elasticsearch.common.ValidationException)(defense-in-depth). -
unresolvedAuthMessage
Per-CSP message naming the credential fields that would make anautoconfig resolvable. Used byvalidate(org.elasticsearch.common.ValidationException)for the create-time rejection and byresolveAuthMode()'s defensive throw. -
isManagedIdentityAuth
Returns true when the rawauthvalue selects managed-identity. Shared so the inline-WITH gate inStorageProviderRegistry(which inspects an unparsed config map) andisManagedIdentity()agree on what counts asauth=managed_identityinstead of each re-implementing the comparison. Accepts the deprecatedworkload_identityalias too, because the inline-WITH gate sees the raw value before it has been canonicalized.
-