NIFI-15998 Add DatabasePasswordProvider support to CaptureChangeMySQL

[yagipy]

Summary

NIFI-15998

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

• Apache NiFi Jira issue created

Pull Request Tracking

• Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
• Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000
• Pull request contains commits signed with a registered key indicating Verified status

Pull Request Formatting

• Pull Request based on current revision of the main branch
• Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

• Build completed using ./mvnw clean install -P contrib-check
  • JDK 21
  • JDK 25

Licensing

• New dependencies are compatible with the Apache License 2.0 according to the License Policy
• New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

• Documentation formatting appears as expected in rendered files

[yagipy]

Rebased.

[yagipy]

Fixed CI.

[pvillard31]

The binlog client password is resolved only once at setup, while the JDBC connection re-fetches it on each connection. For a provider that returns short lived tokens (like RDS IAM), should the binlog connection also refresh the password when it reconnects?

[pvillard31]

This request context jdbcUrl is built from the raw MySQL Nodes value, so with multiple hosts it becomes jdbc:mysql://h1:3306,h2:3306. Should we pass the actual connected host so providers that sign per host (RDS IAM) work without needing the optional endpoint override?

[pvillard31]

Could the empty token and null token tests be merged into one parameterized test, since they assert the same branch and the same message?