airflow-dev mailing list archives

From Pras Srinivasan <pras.sriniva...@glassdoor.com>
Subject User delegation does not work on current GoogleCloudBaseHook
Date Fri, 01 Sep 2017 01:03:34 GMT
I'm upgrading from airflow 1.7 to 1.8.2rc4. I noticed that the user
delegation feature does not work for service accounts when inheriting from
GoogleCloudBaseHook anymore.

Older versions of this hook used to support delegation when
SignedJwtAssertionCredentials was being used. Actually, the current code in
master still has some code left over from when
SignedJwtAssertionCredentials was being used. Specifically these lines
(#68-#70) in gcp_api_base_hook.py:

        kwargs = {}
        if self.delegate_to:
            kwargs['sub'] = self.delegate_to

However, this information is not used anywhere and the _authorize method
simply returns an HTTP object without allowing for delegation.

I think the changes that need to be made are:
1) Remove lines 68-70
2) Add a couple of lines after line #83 that enable returning a delegated
credential object:
        if self.delegate_to:
            credentials = credentials.create_delegated(self.delegate_to)

Can another dev please review/confirm that my understanding is correct? I'm
happy to open a JIRA on Apache, as well as submit the fix.

Thanks much!
Pras
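
An added example, not part of the original message or of Airflow's code: a stand-in model of a service-account assertion, showing why a `delegate_to` that is collected but never applied leaves calls running as the service account itself. `StubServiceAccountCredentials`, `assertion_claims`, `effective_identity`, the two `authorize_*` functions, the token URL and the sample addresses are hypothetical; only `create_delegated` and the `sub` key come from the message.

```python
import time


class StubServiceAccountCredentials:
    """Hypothetical stand-in: models only the claims of the signed assertion."""

    def __init__(self, service_account_email, scopes, extra_claims=None):
        self.service_account_email = service_account_email
        self.scopes = scopes
        self.extra_claims = dict(extra_claims or {})

    def create_delegated(self, sub):
        # Returns a copy carrying 'sub'; the caller must keep the return value.
        claims = dict(self.extra_claims, sub=sub)
        return StubServiceAccountCredentials(
            self.service_account_email, self.scopes, claims)

    def assertion_claims(self, now=None):
        now = int(time.time() if now is None else now)
        claims = {
            "iss": self.service_account_email,
            "scope": " ".join(self.scopes),
            "aud": "https://token.example/token",  # constructed placeholder
            "iat": now,
            "exp": now + 3600,
        }
        claims.update(self.extra_claims)  # 'sub' lands here when delegated
        return claims


def authorize_as_reported(credentials, delegate_to):
    """Behaviour described in the message: 'sub' is collected, then dropped."""
    kwargs = {}
    if delegate_to:
        kwargs["sub"] = delegate_to  # never passed to anything
    return credentials


def authorize_as_proposed(credentials, delegate_to):
    """Change proposed in the message: apply the delegation before use."""
    if delegate_to:
        credentials = credentials.create_delegated(delegate_to)
    return credentials


def effective_identity(credentials):
    """Identity the token would act as: 'sub' if present, else the issuer."""
    claims = credentials.assertion_claims()
    return claims.get("sub", claims["iss"])
```

Comparing `effective_identity` with the requested `delegate_to` is the kind of assertion that catches a silently ignored delegation in a regression test.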
