You are viewing a plain text version of this content. The canonical link for it is here.
Posted to github@arrow.apache.org by GitBox <gi...@apache.org> on 2021/12/14 12:50:03 UTC
[GitHub] [arrow] pitrou commented on a change in pull request #11945: ARROW-15085: [C++] support credential types in GcsFileSystem
pitrou commented on a change in pull request #11945:
URL: https://github.com/apache/arrow/pull/11945#discussion_r768629719
##########
File path: cpp/src/arrow/filesystem/gcsfs.h
##########
@@ -27,17 +27,74 @@ namespace arrow {
namespace fs {
class GcsFileSystem;
struct GcsOptions;
+class GcsCredentialsProvider;
namespace internal {
// TODO(ARROW-1231) - remove, and provide a public API (static GcsFileSystem::Make()).
std::shared_ptr<GcsFileSystem> MakeGcsFileSystemForTest(const GcsOptions& options);
} // namespace internal
/// Options for the GcsFileSystem implementation.
struct ARROW_EXPORT GcsOptions {
+ std::shared_ptr<GcsCredentialsProvider> credentials;
+
std::string endpoint_override;
std::string scheme;
bool Equals(const GcsOptions& other) const;
+
+ /// \brief Initialize with Google Default Credentials
+ ///
+ /// Create options configured to use [Application Default Credentials][aip/4110]. The
+ /// details of this mechanism are too involved to describe here, but suffice is to say
+ /// that applications can override any defaults using an environment variable
+ /// (`GOOGLE_APPLICATION_CREDENTIALS`), and that the defaults work with most Google
+ /// Cloud Platform deployment environments (GCE, GKE, Cloud Run, etc.), and that have
+ /// the same behavior as the `gcloud` CLI tool on your workstation.
+ ///
+ /// \see https://cloud.google.com/docs/authentication
+ ///
+ /// [aip/4110]: https://google.aip.dev/auth/4110
+ static GcsOptions Defaults();
+
+ /// \brief Initialize with anonymous credentials
+ static GcsOptions Anonymous();
+
+ /// \brief Initialize with access token
+ ///
+ /// These credentials are useful when using an out-of-band mechanism to fetch access
+ /// tokens. Note that access tokens are time limited, you will need to manually refresh
+ /// the tokens created by the out-of-band mechanism.
+ static GcsOptions AccessToken(const std::string& access_token,
+ std::chrono::system_clock::time_point expiration);
+
+ /// \brief Initialize with service account impersonation
+ ///
+ /// Service account impersonation allows one principal (a user or service account) to
+ /// impersonate a service account. It requires that the calling principal has the
+ /// necessary permissions *on* the service account.
+ static GcsOptions ImpersonateServiceAccount(
+ const GcsCredentialsProvider& base_credentials,
+ const std::string& target_service_account);
+
+ /// Creates service account credentials from a JSON object in string form.
+ ///
+ /// The @p json_object is expected to be in the format described by [aip/4112]. Such an
+ /// object contains the identity of a service account, as well as a private key that can
+ /// be used to sign tokens, showing the caller was holding the private key.
+ ///
+ /// In GCP one can create several "keys" for each service account, and these keys are
+ /// downloaded as a JSON "key file". The contents of such a file are in the format
+ /// required by this function. Remember that key files and their contents should be
+ /// treated as any other secret with security implications, think of them as passwords
+ /// (because they are!), don't store them or output them where unauthorized persons may
+ /// read them.
+ ///
+ /// Most applications should probably use default credentials, maybe pointing them to a
+ /// file with these contents. Using this function may be useful when the json object is
+ /// obtained from a Cloud Secret Manager or a similar service.
+ ///
+ /// [aip/4112]: https://google.aip.dev/auth/4112
+ static GcsOptions ServiceAccountCredentials(const std::string& json_object);
Review comment:
`FromServiceAccountCredentials`?
##########
File path: cpp/src/arrow/filesystem/gcsfs.h
##########
@@ -27,17 +27,74 @@ namespace arrow {
namespace fs {
class GcsFileSystem;
struct GcsOptions;
+class GcsCredentialsProvider;
namespace internal {
// TODO(ARROW-1231) - remove, and provide a public API (static GcsFileSystem::Make()).
std::shared_ptr<GcsFileSystem> MakeGcsFileSystemForTest(const GcsOptions& options);
} // namespace internal
/// Options for the GcsFileSystem implementation.
struct ARROW_EXPORT GcsOptions {
+ std::shared_ptr<GcsCredentialsProvider> credentials;
+
std::string endpoint_override;
std::string scheme;
bool Equals(const GcsOptions& other) const;
+
+ /// \brief Initialize with Google Default Credentials
+ ///
+ /// Create options configured to use [Application Default Credentials][aip/4110]. The
+ /// details of this mechanism are too involved to describe here, but suffice is to say
+ /// that applications can override any defaults using an environment variable
+ /// (`GOOGLE_APPLICATION_CREDENTIALS`), and that the defaults work with most Google
+ /// Cloud Platform deployment environments (GCE, GKE, Cloud Run, etc.), and that have
+ /// the same behavior as the `gcloud` CLI tool on your workstation.
+ ///
+ /// \see https://cloud.google.com/docs/authentication
+ ///
+ /// [aip/4110]: https://google.aip.dev/auth/4110
+ static GcsOptions Defaults();
+
+ /// \brief Initialize with anonymous credentials
+ static GcsOptions Anonymous();
+
+ /// \brief Initialize with access token
+ ///
+ /// These credentials are useful when using an out-of-band mechanism to fetch access
+ /// tokens. Note that access tokens are time limited, you will need to manually refresh
+ /// the tokens created by the out-of-band mechanism.
+ static GcsOptions AccessToken(const std::string& access_token,
+ std::chrono::system_clock::time_point expiration);
+
+ /// \brief Initialize with service account impersonation
+ ///
+ /// Service account impersonation allows one principal (a user or service account) to
+ /// impersonate a service account. It requires that the calling principal has the
+ /// necessary permissions *on* the service account.
+ static GcsOptions ImpersonateServiceAccount(
Review comment:
Perhaps `FromServiceAccount` or `FromImpersonatedServiceAccount`?
##########
File path: cpp/src/arrow/filesystem/gcsfs.cc
##########
@@ -267,6 +267,18 @@ google::cloud::Options AsGoogleCloudOptions(const GcsOptions& o) {
return options;
}
+class GcsCredentialsProvider {
Review comment:
Nit, but it would probably be enough to make this a simple `struct` with a public member. The attribute wrapping doesn't seem very useful here.
##########
File path: cpp/src/arrow/filesystem/gcsfs.h
##########
@@ -27,17 +27,74 @@ namespace arrow {
namespace fs {
class GcsFileSystem;
struct GcsOptions;
+class GcsCredentialsProvider;
namespace internal {
// TODO(ARROW-1231) - remove, and provide a public API (static GcsFileSystem::Make()).
std::shared_ptr<GcsFileSystem> MakeGcsFileSystemForTest(const GcsOptions& options);
} // namespace internal
/// Options for the GcsFileSystem implementation.
struct ARROW_EXPORT GcsOptions {
+ std::shared_ptr<GcsCredentialsProvider> credentials;
+
std::string endpoint_override;
std::string scheme;
bool Equals(const GcsOptions& other) const;
+
+ /// \brief Initialize with Google Default Credentials
+ ///
+ /// Create options configured to use [Application Default Credentials][aip/4110]. The
+ /// details of this mechanism are too involved to describe here, but suffice is to say
+ /// that applications can override any defaults using an environment variable
+ /// (`GOOGLE_APPLICATION_CREDENTIALS`), and that the defaults work with most Google
+ /// Cloud Platform deployment environments (GCE, GKE, Cloud Run, etc.), and that have
+ /// the same behavior as the `gcloud` CLI tool on your workstation.
+ ///
+ /// \see https://cloud.google.com/docs/authentication
+ ///
+ /// [aip/4110]: https://google.aip.dev/auth/4110
+ static GcsOptions Defaults();
+
+ /// \brief Initialize with anonymous credentials
+ static GcsOptions Anonymous();
+
+ /// \brief Initialize with access token
+ ///
+ /// These credentials are useful when using an out-of-band mechanism to fetch access
+ /// tokens. Note that access tokens are time limited, you will need to manually refresh
+ /// the tokens created by the out-of-band mechanism.
+ static GcsOptions AccessToken(const std::string& access_token,
Review comment:
Perhaps `FromAccessToken`?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org