You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/08/06 20:58:47 UTC

[GitHub] [airflow] jaketf commented on issue #9461: Unclear documentation for the delegate_to parameter

jaketf commented on issue #9461:
URL: https://github.com/apache/airflow/issues/9461#issuecomment-670188547


   Taking a look at the code now it seems we have this common [GoogleBaseHook](https://github.com/apache/airflow/blob/d79e7221de76f01b5cd36c15224b59e8bb451c90/airflow/providers/google/common/hooks/base_google.py#L125) used by hooks for gsuite and cloud. This `delegate_to` seems not really not useful for cloud, and I don't think the scenario 2 of delegating to a human user to impersonate a service account is an advisable pattern / one worth supporting in airflow core. I think `delegate_to` should be removed / deprecated from the Google Cloud Hooks / Operators to avoid confusion.
   
   To play devil's advocate: There may be use cases where users expect `delegate_to` to attribute API calls (e.g. a BQ Query) to the delegated human user. Again, I don't think I'd recommend this as an auditing posture as anyone could throw jake@foo.com into the `delegate_to` and bootstrap my IAM permissions. IMO This seems like something we shouldn't support.  


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org