beam-commits mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BEAM-1070) Service Account Based Authentication Broken
Date Fri, 02 Dec 2016 21:50:58 GMT

    [ https://issues.apache.org/jira/browse/BEAM-1070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15716627#comment-15716627 ]

ASF GitHub Bot commented on BEAM-1070:
--------------------------------------

GitHub user aaltay opened a pull request:

    https://github.com/apache/incubator-beam/pull/1491

    [BEAM-1070] Call from_p12_keyfile() with the correct arguments

    This code path is failing because a wrong list of arguments is passed.
    Fixing that uncovered that oauth2client depends on pyOpenSSL for this
    call to work. I did not add this dependency to setup.py because it does
    not install cleanly in all environments.
    
    As a workaround, users who would like to use this authentication method
    could first do a 'pip install pyOpenSSL'. I added a test that skips if
    'pyOpenSSL' is not installed.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/aaltay/incubator-beam serkey

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-beam/pull/1491.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1491
    
----
commit db9e3c7b1ec515789b9531e013669ae621646aaf
Author: Ahmet Altay <altay@google.com>
Date:   2016-12-02T21:38:31Z

    Call from_p12_keyfile() with the correct arguments.
    
    This code path is failing because a wrong list of arguments is passed.
    Fixing that uncovered that oauth2client depends on pyOpenSSL for this
    call to work. I did not add this dependency to setup.py because it does
    not install cleanly in all environments.
    
    As a workaround, users who would like to use this authentication method
    could first do a 'pip install pyOpenSSL'. I added a test that skips if
    'pyOpenSSL' is not installed.

----


> Service Account Based Authentication Broken
> -------------------------------------------
>
>                 Key: BEAM-1070
>                 URL: https://issues.apache.org/jira/browse/BEAM-1070
>             Project: Beam
>          Issue Type: Bug
>          Components: sdk-py
>         Environment: CentOS Linux release 7.1.1503 (Core) 
> Python 2.7.5
>            Reporter: Stephen Reichling
>            Assignee: Ahmet Altay
>            Priority: Critical
>
> {{sdks/python/apache_beam/internal/auth.py}} calls into the {{oauth2client.service_account.ServiceAccountCredentials.from_p12_keyfile}} method with invalid and incorrectly-ordered parameters. Compare the [function signature of ServiceAccountCredentials.from_p12_keyfile|https://github.com/google/oauth2client/blob/ae73312942d3cf0e98f097dfbb40f136c2a7c463/oauth2client/service_account.py#L300-L303] with [how it is invoked|https://github.com/apache/incubator-beam/blob/9ded359daefc6040d61a1f33c77563474fcb09b6/sdks/python/apache_beam/internal/auth.py#L150-L154]. This causes a runtime error when one attempts to use a service account to authenticate with the Google Dataflow APIs.
> The specific problems are:
>  - the {{client_scopes}} variable (a list) is passed as a positional parameter where the function signature expects the {{private_key_password}} parameter (a string).
>  - a keyed parameter, {{user_agent}}, is passed but no such parameter is defined in the function signature.
>  - no value is provided for {{private_key_password}}. All p12 key files for service accounts issued by Google Cloud have the password {{notasecret}} as documented [here|https://support.google.com/cloud/answer/6158849?hl=en#serviceaccounts], so it's currently not possible to use a Google-issued p12 key file with this implementation.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
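
The argument mismatch described in BEAM-1070, as an added example that is not part of the original message and is not code from Beam or oauth2client. The stand-in from_p12_keyfile, its parameter list, the check_call helper and all sample values are assumptions made for illustration; the check shows that signature binding rejects the unknown user_agent keyword, while the list landing in the password slot is only caught by a type check.

```python
import inspect

# Constructed stand-in with the parameter order the issue describes (assumption:
# not imported from oauth2client, and it reads no key file).
def from_p12_keyfile(service_account_email, filename,
                     private_key_password=None, scopes=''):
    return (service_account_email, filename, private_key_password, scopes)

def check_call(func, *args, **kwargs):
    """Hypothetical helper: list problems with func(*args, **kwargs) without calling it."""
    problems = []
    sig = inspect.signature(func)
    try:
        bound = sig.bind(*args, **kwargs)
    except TypeError as exc:
        problems.append('signature: %s' % exc)
        known = {k: v for k, v in kwargs.items() if k in sig.parameters}
        try:
            # Re-bind without the unknown keywords to inspect the positional slots.
            bound = sig.bind(*args, **known)
        except TypeError:
            return problems
    password = bound.arguments.get('private_key_password')
    if password is None:
        problems.append('private_key_password: not provided')
    elif not isinstance(password, (str, bytes)):
        # Binding alone accepts any object here; only a type check catches it.
        problems.append('private_key_password: expected a string, got %s'
                        % type(password).__name__)
    return problems

# Constructed sample values.
EMAIL = 'svc-account@example.invalid'
KEY_FILE = 'key.p12'
CLIENT_SCOPES = ['https://www.googleapis.com/auth/cloud-platform']

def broken_call_problems():
    # Shape of the call the issue reports: scopes list in the third positional
    # slot, plus a user_agent keyword the signature does not define.
    return check_call(from_p12_keyfile, EMAIL, KEY_FILE, CLIENT_SCOPES,
                      user_agent='constructed-agent/0.0')

def fixed_call_problems():
    # Keyword arguments make the password and scopes slots explicit.
    return check_call(from_p12_keyfile, EMAIL, KEY_FILE,
                      private_key_password='notasecret', scopes=CLIENT_SCOPES)

if __name__ == '__main__':
    print(broken_call_problems(), fixed_call_problems())
```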
