Package org.projectnessie.client

Class NessieConfigConstants

java.lang.Object
org.projectnessie.client.NessieConfigConstants
public final class NessieConfigConstants extends Object
Configuration constants for Nessie clients.

  • Field Details

    • CONF_NESSIE_URI

      public static final String CONF_NESSIE_URI
      Config property name ("nessie.uri") for the Nessie service URL.
      See Also:

    • CONF_NESSIE_USERNAME

      @Deprecated public static final String CONF_NESSIE_USERNAME
      Deprecated.
      "basic" HTTP authentication is not considered secure. Use CONF_NESSIE_AUTH_TOKEN instead.
      Username used for the insecure BASIC authentication.
      See Also:

    • CONF_NESSIE_PASSWORD

      @Deprecated public static final String CONF_NESSIE_PASSWORD
      Deprecated.
      "basic" HTTP authentication is not considered secure. Use CONF_NESSIE_AUTH_TOKEN instead.
      Password used for the insecure BASIC authentication.
      See Also:

    • CONF_NESSIE_AUTH_TOKEN

      public static final String CONF_NESSIE_AUTH_TOKEN
      Token used for BEARER authentication.
      See Also:

    • CONF_NESSIE_OAUTH2_ISSUER_URL

      public static final String CONF_NESSIE_OAUTH2_ISSUER_URL
      OAuth2 issuer URL.

      The root URL of the OpenID Connect identity issuer provider, which will be used for discovering supported endpoints and their locations. For Keycloak, this is typically the realm URL: https://<keycloak-server>/realms/<realm-name>.

      Endpoint discovery is performed using the OpenID Connect Discovery metadata published by the issuer. See OpenID Connect Discovery 1.0 for more information.

      Either this property or CONF_NESSIE_OAUTH2_TOKEN_ENDPOINT must be set.

      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_ENDPOINT

      public static final String CONF_NESSIE_OAUTH2_TOKEN_ENDPOINT
      URL of the OAuth2 token endpoint. For Keycloak, this is typically https://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/token.

      Either this property or CONF_NESSIE_OAUTH2_ISSUER_URL must be set. In case it is not set, the token endpoint will be discovered from the issuer URL, using the OpenID Connect Discovery metadata published by the issuer.

      See Also:

    • CONF_NESSIE_OAUTH2_AUTH_ENDPOINT

      public static final String CONF_NESSIE_OAUTH2_AUTH_ENDPOINT
      URL of the OAuth2 authorization endpoint. For Keycloak, this is typically https://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/auth.

      If using the "authorization_code" grant type, either this property or CONF_NESSIE_OAUTH2_ISSUER_URL must be set. In case it is not set, the authorization endpoint will be discovered from the issuer URL, using the OpenID Connect Discovery metadata published by the issuer.

      See Also:

    • CONF_NESSIE_OAUTH2_DEVICE_AUTH_ENDPOINT

      public static final String CONF_NESSIE_OAUTH2_DEVICE_AUTH_ENDPOINT
      URL of the OAuth2 device authorization endpoint. For Keycloak, this is typically http://<keycloak-server>/realms/<realm-name>/protocol/openid-connect/auth/device.

      If using the "Device Code" grant type, either this property or CONF_NESSIE_OAUTH2_ISSUER_URL must be set.

      See Also:

    • CONF_NESSIE_OAUTH2_GRANT_TYPE_CLIENT_CREDENTIALS

      public static final String CONF_NESSIE_OAUTH2_GRANT_TYPE_CLIENT_CREDENTIALS
      See Also:

    • CONF_NESSIE_OAUTH2_GRANT_TYPE_PASSWORD

      public static final String CONF_NESSIE_OAUTH2_GRANT_TYPE_PASSWORD
      See Also:

    • CONF_NESSIE_OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE

      public static final String CONF_NESSIE_OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE
      See Also:

    • CONF_NESSIE_OAUTH2_GRANT_TYPE_DEVICE_CODE

      public static final String CONF_NESSIE_OAUTH2_GRANT_TYPE_DEVICE_CODE
      See Also:

    • CONF_NESSIE_OAUTH2_GRANT_TYPE

      public static final String CONF_NESSIE_OAUTH2_GRANT_TYPE
      The grant type to use when authenticating against the OAuth2 server. Valid values are: Optional, defaults to "client_credentials".

      Depending on the grant type, different properties must be provided.

      For the "client_credentials" grant type, the following properties must be provided:

      For the "password" grant type, the following properties must be provided:

      For the "authorization_code" grant type, the following properties must be provided:

      For the "device_code" grant type, the following properties must be provided:

      Both client and user must be properly configured with appropriate permissions in the OAuth2 server for the authentication to succeed.

      See Also:

    • CONF_NESSIE_OAUTH2_CLIENT_ID

      public static final String CONF_NESSIE_OAUTH2_CLIENT_ID
      Client ID to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication, ignored otherwise.
      See Also:

    • CONF_NESSIE_OAUTH2_CLIENT_SECRET

      public static final String CONF_NESSIE_OAUTH2_CLIENT_SECRET
      Client secret to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication, ignored otherwise.
      See Also:

    • CONF_NESSIE_OAUTH2_USERNAME

      public static final String CONF_NESSIE_OAUTH2_USERNAME
      Username to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication and "password" grant type, ignored otherwise.
      See Also:

    • CONF_NESSIE_OAUTH2_PASSWORD

      public static final String CONF_NESSIE_OAUTH2_PASSWORD
      Password to use when authenticating against the OAuth2 server. Required if using OAuth2 authentication and the "password" grant type, ignored otherwise.
      See Also:

    • DEFAULT_DEFAULT_ACCESS_TOKEN_LIFESPAN

      public static final String DEFAULT_DEFAULT_ACCESS_TOKEN_LIFESPAN
      See Also:

    • CONF_NESSIE_OAUTH2_DEFAULT_ACCESS_TOKEN_LIFESPAN

      public static final String CONF_NESSIE_OAUTH2_DEFAULT_ACCESS_TOKEN_LIFESPAN
      Default access token lifespan; if the OAuth2 server returns an access token without specifying its expiration time, this value will be used.

      Optional, defaults to "PT1M". Must be a valid ISO-8601 duration.

      See Also:

    • DEFAULT_DEFAULT_REFRESH_TOKEN_LIFESPAN

      public static final String DEFAULT_DEFAULT_REFRESH_TOKEN_LIFESPAN
      See Also:

    • CONF_NESSIE_OAUTH2_DEFAULT_REFRESH_TOKEN_LIFESPAN

      public static final String CONF_NESSIE_OAUTH2_DEFAULT_REFRESH_TOKEN_LIFESPAN
      Default refresh token lifespan. If the OAuth2 server returns a refresh token without specifying its expiration time, this value will be used.

      Optional, defaults to "PT30M". Must be a valid ISO-8601 duration.

      See Also:

    • DEFAULT_REFRESH_SAFETY_WINDOW

      public static final String DEFAULT_REFRESH_SAFETY_WINDOW
      See Also:

    • CONF_NESSIE_OAUTH2_REFRESH_SAFETY_WINDOW

      public static final String CONF_NESSIE_OAUTH2_REFRESH_SAFETY_WINDOW
      Refresh safety window to use; a new token will be fetched when the current token's remaining lifespan is less than this value. Optional, defaults to "PT10S". Must be a valid ISO-8601 duration.
      See Also:

    • DEFAULT_PREEMPTIVE_TOKEN_REFRESH_IDLE_TIMEOUT

      public static final String DEFAULT_PREEMPTIVE_TOKEN_REFRESH_IDLE_TIMEOUT
      See Also:

    • CONF_NESSIE_OAUTH2_PREEMPTIVE_TOKEN_REFRESH_IDLE_TIMEOUT

      public static final String CONF_NESSIE_OAUTH2_PREEMPTIVE_TOKEN_REFRESH_IDLE_TIMEOUT
      Defines for how long the OAuth2 provider should keep the tokens fresh, if the client is not being actively used. Setting this value too high may cause an excessive usage of network I/O and thread resources; conversely, when setting it too low, if the client is used again, the calling thread may block if the tokens are expired and need to be renewed synchronously. Optional, defaults to "PT30S". Must be a valid ISO-8601 duration.
      See Also:

    • DEFAULT_BACKGROUND_THREAD_IDLE_TIMEOUT

      public static final String DEFAULT_BACKGROUND_THREAD_IDLE_TIMEOUT
      See Also:

    • CONF_NESSIE_OAUTH2_BACKGROUND_THREAD_IDLE_TIMEOUT

      public static final String CONF_NESSIE_OAUTH2_BACKGROUND_THREAD_IDLE_TIMEOUT
      Defines how long the background thread should be kept running if the client is not being actively used, or no token refreshes are being executed. Optional, defaults to "PT30S". Setting this value too high will cause the background thread to keep running even if the client is not used anymore, potentially leaking thread and memory resources; conversely, setting it too low could cause the background thread to be restarted too often. Must be a valid ISO-8601 duration.
      See Also:

    • CONF_NESSIE_OAUTH2_CLIENT_SCOPES

      public static final String CONF_NESSIE_OAUTH2_CLIENT_SCOPES
      Space-separated list of scopes to include in each request to the OAuth2 server. Optional, defaults to empty (no scopes).

      The scope names will not be validated by the Nessie client; make sure they are valid according to RFC 6749 Section 3.3.

      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ENABLED

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ENABLED
      Enable OAuth2 token exchange. If enabled, each access token obtained from the OAuth2 server will be exchanged for a new token, using the token endpoint and the token exchange grant type, as defined in RFC 8693.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ISSUER_URL

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ISSUER_URL
      For token exchanges only. The root URL of an alternate OpenID Connect identity issuer provider, to use when exchanging tokens only.

      If neither this property nor "nessie.authentication.oauth2.token-exchange.token-endpoint" are defined, the global token endpoint will be used. This means that the same authorization server will be used for both the initial token request and the token exchange.

      Endpoint discovery is performed using the OpenID Connect Discovery metadata published by the issuer. See OpenID Connect Discovery 1.0 for more information.

      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_TOKEN_ENDPOINT

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_TOKEN_ENDPOINT
      For token exchanges only. The URL of an alternate OAuth2 token endpoint to use when exchanging tokens only.

      If neither this property nor "nessie.authentication.oauth2.token-exchange.issuer-url" are defined, the global token endpoint will be used. This means that the same authorization server will be used for both the initial token request and the token exchange.

      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_CLIENT_ID

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_CLIENT_ID
      For token exchanges only. An alternate client ID to use. If not provided, the global client ID will be used. If provided, and if the client is confidential, then its secret must be provided as well with "nessie.authentication.oauth2.token-exchange.client-secret" – the global client secret will NOT be used.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_CLIENT_SECRET

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_CLIENT_SECRET
      For token exchanges only. The client secret to use, if "nessie.authentication.oauth2.token-exchange.client-id" is defined and the token exchange client is confidential.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_RESOURCE

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_RESOURCE
      For token exchanges only. A URI that indicates the target service or resource where the client intends to use the requested security token. Optional.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_AUDIENCE

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_AUDIENCE
      For token exchanges only. The logical name of the target service where the client intends to use the requested security token. This serves a purpose similar to the resource parameter but with the client providing a logical name for the target service.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SCOPES

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SCOPES
      For token exchanges only. Space-separated list of scopes to include in each token exchange request to the OAuth2 server. Optional. If undefined, the global scopes configured through "nessie.authentication.oauth2.client-scopes" will be used. If defined and null or empty, no scopes will be used.

      The scope names will not be validated by the Nessie client; make sure they are valid according to RFC 6749 Section 3.3.

      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SUBJECT_TOKEN

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SUBJECT_TOKEN
      For token exchanges only. The subject token to exchange. This can take 3 kinds of values:
      • The value "current_access_token", if the client should use its current access token;
      • The value "current_refresh_token", if the client should use its current refresh token (if available);
      • An arbitrary token: in this case, the client will always use the static token provided here.
      The default is to use the current access token.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE
      For token exchanges only. The type of the subject token. Must be a valid URN. The default is either urn:ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token-type:refresh_token, depending on the value of "nessie.authentication.oauth2.token-exchange.subject-token".

      If the client is configured to use its access or refresh token as the subject token, please note that if an incorrect token type is provided here, the token exchange could fail.

      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ACTOR_TOKEN

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ACTOR_TOKEN
      For token exchanges only. The actor token to exchange. This can take 4 kinds of values:
      • The value "no_token", if the client should not include any actor token in the exchange request;
      • The value "current_access_token", if the client should use its current access token;
      • The value "current_refresh_token", if the client should use its current refresh token (if available);
      • An arbitrary token: in this case, the client will always use the static token provided here.
      The default is to not include any actor token.
      See Also:

    • CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ACTOR_TOKEN_TYPE

      public static final String CONF_NESSIE_OAUTH2_TOKEN_EXCHANGE_ACTOR_TOKEN_TYPE
      For token exchanges only. The type of the actor token. Must be a valid URN. The default is either urn:ietf:params:oauth:token-type:access_token or urn:ietf:params:oauth:token-type:refresh_token, depending on the value of "nessie.authentication.oauth2.token-exchange.actor-token".

      If the client is configured to use its access or refresh token as the actor token, please note that if an incorrect token type is provided here, the token exchange could fail.

      See Also:

    • CONF_NESSIE_OAUTH2_AUTHORIZATION_CODE_FLOW_WEB_PORT

      public static final String CONF_NESSIE_OAUTH2_AUTHORIZATION_CODE_FLOW_WEB_PORT
      Port of the OAuth2 authorization code flow web server.

      When running a client inside a container make sure to specify a port and forward the port to the container host.

      The port used for the internal web server that listens for the authorization code callback. This is only used if the grant type to use is "authorization_code".

      Optional; if not present, a random port will be used.

      See Also:

    • CONF_NESSIE_OAUTH2_AUTHORIZATION_CODE_FLOW_TIMEOUT

      public static final String CONF_NESSIE_OAUTH2_AUTHORIZATION_CODE_FLOW_TIMEOUT
      Defines how long the client should wait for the authorization code flow to complete. This is only used if the grant type to use is "authorization_code". Optional, defaults to "PT5M".
      See Also:

    • DEFAULT_AUTHORIZATION_CODE_FLOW_TIMEOUT

      public static final String DEFAULT_AUTHORIZATION_CODE_FLOW_TIMEOUT
      See Also:

    • CONF_NESSIE_OAUTH2_DEVICE_CODE_FLOW_TIMEOUT

      public static final String CONF_NESSIE_OAUTH2_DEVICE_CODE_FLOW_TIMEOUT
      Defines how long the client should wait for the device code flow to complete. This is only used if the grant type to use is "device_code". Optional, defaults to "PT5M".
      See Also:

    • DEFAULT_DEVICE_CODE_FLOW_TIMEOUT

      public static final String DEFAULT_DEVICE_CODE_FLOW_TIMEOUT
      See Also:

    • CONF_NESSIE_OAUTH2_DEVICE_CODE_FLOW_POLL_INTERVAL

      public static final String CONF_NESSIE_OAUTH2_DEVICE_CODE_FLOW_POLL_INTERVAL
      Defines how often the client should poll the OAuth2 server for the device code flow to complete. This is only used if the grant type to use is "device_code". Optional, defaults to "PT5S".
      See Also:

    • DEFAULT_DEVICE_CODE_FLOW_POLL_INTERVAL

      public static final String DEFAULT_DEVICE_CODE_FLOW_POLL_INTERVAL
      See Also:

    • CONF_NESSIE_AWS_REGION

      public static final String CONF_NESSIE_AWS_REGION
      AWS region used for AWS authentication, must be configured to the same region as the Nessie setver.
      See Also:

    • CONF_NESSIE_AWS_PROFILE

      public static final String CONF_NESSIE_AWS_PROFILE
      AWS profile name used for AWS authentication (optional).
      See Also:

    • CONF_NESSIE_AUTH_TYPE

      public static final String CONF_NESSIE_AUTH_TYPE
      ID of the authentication provider to use, default is no authentication.

      Valid values are BASIC, BEARER, OAUTH2 and AWS.

      The value is matched against the values returned as the supported auth-type by implementations of NessieAuthenticationProvider across all available authentication providers.

      Note that "basic" HTTP authentication is not considered secure, use BEARER instead.

      See Also:

    • CONF_NESSIE_REF

      public static final String CONF_NESSIE_REF
      Name of the initial Nessie reference, usually main.
      See Also:

    • CONF_NESSIE_REF_HASH

      public static final String CONF_NESSIE_REF_HASH
      Commit ID (hash) on "nessie.ref", usually not specified.
      See Also:

    • CONF_NESSIE_TRACING

      public static final String CONF_NESSIE_TRACING
      Enable adding the HTTP headers of an active OpenTracing span to all Nessie requests. Disabled by default.
      See Also:

    • CONF_READ_TIMEOUT

      public static final String CONF_READ_TIMEOUT
      Network level read timeout in milliseconds. When running with Java 11, this becomes a request timeout. Default is 25000 ms.
      See Also:

    • CONF_CONNECT_TIMEOUT

      public static final String CONF_CONNECT_TIMEOUT
      Network level connect timeout in milliseconds, default is 5000.
      See Also:

    • CONF_NESSIE_DISABLE_COMPRESSION

      public static final String CONF_NESSIE_DISABLE_COMPRESSION
      Config property name ("nessie.transport.disable-compression") to disable compression on the network layer, if set to true.
      See Also:

    • CONF_NESSIE_CLIENT_NAME

      public static final String CONF_NESSIE_CLIENT_NAME
      Name of the Nessie client to use. If not specified, the implementation prefers the new Java HTTP client (JavaHttp), if running on Java 11 or newer, or the Java URLConnection client. The Apache HTTP client (ApacheHttp) can be used, if it has been made available on the classpath.
      See Also:

    • CONF_NESSIE_CLIENT_BUILDER_IMPL

      @Deprecated public static final String CONF_NESSIE_CLIENT_BUILDER_IMPL
      Deprecated.
      Prefer using Nessie client implementation names, configured via "nessie.client-builder-name".
      Similar to "nessie.client-builder-name", but uses a class name.
      See Also:

    • CONF_NESSIE_SSL_NO_CERTIFICATE_VERIFICATION

      public static final String CONF_NESSIE_SSL_NO_CERTIFICATE_VERIFICATION
      Optional, disables certificate verifications, if set to true. Can be useful for testing purposes, not recommended for production systems.
      See Also:

    • CONF_NESSIE_SSL_CIPHER_SUITES

      public static final String CONF_NESSIE_SSL_CIPHER_SUITES
      Optional, list of comma-separated cipher suites for SSL connections.

      This parameter only works on Java 11 and newer with the Java HTTP client.

      See Also:

    • CONF_NESSIE_SSL_PROTOCOLS

      public static final String CONF_NESSIE_SSL_PROTOCOLS
      Optional, list of comma-separated protocols for SSL connections.

      This parameter only works on Java 11 and newer with the Java HTTP client.

      See Also:

    • CONF_NESSIE_SNI_HOSTS

      public static final String CONF_NESSIE_SNI_HOSTS
      Optional, comma-separated list of SNI host names for SSL connections.

      This parameter only works on Java 11 and newer with the Java HTTP client.

      See Also:

    • CONF_NESSIE_SNI_MATCHER

      public static final String CONF_NESSIE_SNI_MATCHER
      Optional, a single SNI matcher for SSL connections.

      Takes a single SNI hostname matcher, a regular expression representing the SNI hostnames to match.

      This parameter only works on Java 11 and newer with the Java HTTP client.

      See Also:

    • CONF_NESSIE_HTTP_2

      public static final String CONF_NESSIE_HTTP_2
      Optional, allow HTTP/2 upgrade, if set to true.

      This parameter only works on Java 11 and newer with the Java HTTP client.

      See Also:

    • CONF_NESSIE_HTTP_REDIRECT

      public static final String CONF_NESSIE_HTTP_REDIRECT
      Optional, specify how redirects are handled.
      • NEVER: Never redirect.
      • ALWAYS: Always redirect.
      • NORMAL: Always redirect, except from HTTPS URLs to HTTP URLs.

      This parameter only works on Java 11 and newer with the Java HTTP client.

      See Also:

    • CONF_FORCE_URL_CONNECTION_CLIENT

      @Deprecated public static final String CONF_FORCE_URL_CONNECTION_CLIENT
      Deprecated.
      Use CONF_NESSIE_CLIENT_NAME with the value URLConnection.
      Optional, when running on Java 11 force the use of the old URLConnection based client for HTTP, if set to true.
      See Also:

    • CONF_ENABLE_API_COMPATIBILITY_CHECK

      public static final String CONF_ENABLE_API_COMPATIBILITY_CHECK
      Enables API compatibility check when creating the Nessie client. The default is true.

      You can also control this setting by setting the system property nessie.client.enable-api-compatibility-check to true or false.

      See Also:

    • CONF_NESSIE_CLIENT_API_VERSION

      public static final String CONF_NESSIE_CLIENT_API_VERSION
      Explicitly specify the Nessie API version number to use. The default for this setting depends on the client being used.
      See Also:

    • DEFAULT_READ_TIMEOUT_MILLIS

      public static final int DEFAULT_READ_TIMEOUT_MILLIS
      See Also:

    • DEFAULT_CONNECT_TIMEOUT_MILLIS

      public static final int DEFAULT_CONNECT_TIMEOUT_MILLIS
      See Also: