airflow-dev mailing list archives

From Pras Srinivasan <pras.sriniva...@glassdoor.com>
Subject Re: User delegation does not work on current GoogleCloudBaseHook
Date Fri, 01 Sep 2017 15:07:33 GMT
Thank you @fenglu-g!

I agree, Google does not make it clear why they made a choice to move away
from implementing delegation while credentials are being inited in the
Python. Especially when the Java version still supports it. Though, I can
see how by making it a method, a dev can now reuse the same credentials
object to delegate between multiple users during the same session.

On Thu, Aug 31, 2017 at 11:07 PM, Feng Lu <fenglu@google.com.invalid> wrote:

> That looks right to me.
>
> Unfortunately Python client lib, unlike the Java client lib
> <https://developers.google.com/api-client-library/java/google-api-java-client/reference/1.19.1/com/google/api/client/googleapis/auth/oauth2/GoogleCredential>,
> doesn't support generating GoogleCredentials while impersonating another
> user/service account.
> Otherwise, the code can be much simplified and we only need to deal with
> GoogleCredentials.
>
> Happy to take a look at your PR too, just @fenglu-g.
>
> On Thu, Aug 31, 2017 at 6:03 PM, Pras Srinivasan <
> pras.srinivasan@glassdoor.com> wrote:
>
> > I'm upgrading from Airflow 1.7 to 1.8.2rc4. I noticed that the user
> > delegation feature does not work for service accounts when inheriting
> > from GoogleCloudBaseHook anymore.
> >
> > Older versions of this hook used to support delegation when
> > SignedJwtAssertionCredentials was being used. Actually, the current code
> > in master still has some code left over from when
> > SignedJwtAssertionCredentials was being used. Specifically these lines
> > (#68-#70) in gcp_api_base_hook.py:
> >
> >         kwargs = {}
> >         if self.delegate_to:
> >             kwargs['sub'] = self.delegate_to
> >
> > However, this information is not used anywhere and the _authorize method
> > simply returns an HTTP object without allowing for delegation.
> >
> > I think the changes that need to be made are:
> > 1) Remove lines 68-70
> > 2) Add a couple of lines after line #83 that enable returning a delegated
> > credential object:
> >         if self.delegate_to:
> >             credentials = credentials.create_delegated(self.delegate_to)
> >
> > Can another dev please review/confirm that my understanding is correct?
> > I'm happy to open a JIRA on Apache, as well as submit the fix.
> >
> > Thanks much!
> > Pras
> >
>



-- 
Pras
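
The behaviour discussed in this thread, as an added example that is not part of the original messages or of Airflow's code: the reported path collects `sub` and drops it, so calls run as the service account itself, while the proposed path applies `create_delegated`. The stub classes, the function names and the fail-closed guard are assumptions made for illustration; only `create_delegated` and the `kwargs['sub']` lines come from the thread.

```python
# Added illustration. Stub classes stand in for real credential objects so
# the example runs offline; all addresses below are constructed samples.

class StubServiceAccountCredentials:
    """Stand-in for a service-account credentials object (hypothetical)."""
    def __init__(self, account, subject=None):
        self.account = account
        self.subject = subject          # user being impersonated, if any

    def create_delegated(self, sub):
        # Returns a new object; the original stays undelegated.
        return StubServiceAccountCredentials(self.account, subject=sub)


class StubCredentialsWithoutDelegation:
    """Hypothetical credentials type that offers no create_delegated()."""
    account = "default@example.invalid"
    subject = None


def authorize_before(credentials, delegate_to=None):
    """Behaviour reported in the thread: 'sub' is collected, then dropped."""
    kwargs = {}
    if delegate_to:
        kwargs['sub'] = delegate_to     # never read again
    return credentials


def authorize_after(credentials, delegate_to=None):
    """Proposed fix, plus a fail-closed guard (the guard is an addition)."""
    if delegate_to:
        if not hasattr(credentials, 'create_delegated'):
            # Refuse to continue under a different identity than requested.
            raise ValueError("delegate_to set but credentials cannot delegate")
        credentials = credentials.create_delegated(delegate_to)
    return credentials


def effective_identity(credentials):
    """Who API calls are made as: the delegated user, else the account."""
    return credentials.subject or credentials.account
```

A regression test that compares `effective_identity` against the configured `delegate_to` catches the silent fallback to the service account's own identity.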
