Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/06/11 17:20:40 UTC

[GitHub] [airflow] dgorelik opened a new issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

dgorelik opened a new issue #9236:
URL: https://github.com/apache/airflow/issues/9236


   **Description**
   
   Allow a Google API credentials object to be provided for GoogleBaseHook. I think this would be as simple as updating the initializer to set `self._cached_credentials` to a passed-in arg here:
   https://github.com/apache/airflow/blob/daed75260903119f8f5dc8ee493778c50b1a6a8f/airflow/providers/google/common/hooks/base_google.py#L156
   
   **Use case / motivation**
   
   This should allow a service account running Airflow to [impersonate another service account](https://google-auth.readthedocs.io/en/latest/reference/google.auth.impersonated_credentials.html), without needing to deal with exported service account keys as the connection ID paradigm seems to require.
   
   Does this change make sense given the Airflow architecture?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [airflow] mik-laj commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-644339410


   @dgorelik Is it related? https://github.com/apache/airflow/issues/8803
   
   @jaketf What do you think about it? Will it be useful to your users?





[GitHub] [airflow] dgorelik commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
dgorelik commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-642844288


   > I wonder why we can't improve the current implementation of impersonated service? For now, you can impersonate another account using the delegate_to parameter. This parameter is available in hook and operators, so its use is very easy.
   
   When used with the Google Auth library, `delegate_to` is used for "Domain-wide delegation allows a service account to access user data on behalf of any user in a Google Apps domain without consent from the user." (https://google-auth.readthedocs.io/en/latest/reference/google.oauth2.service_account.html#domain-wide-delegation)
   That is, it's not for delegating on behalf of a GCP service account.
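
The two token flows contrasted in this comment, as an added example (not part of the thread, and not Airflow or google-auth code): domain-wide delegation puts a domain user in the `sub` claim of a JWT that must be signed with the service account's exported key, while service account impersonation is an IAM Credentials API call authorised by the caller's own access token. All e-mail addresses, key ids and tokens are constructed sample values, and the function names are hypothetical.

```python
import base64
import json

TOKEN_URI = "https://oauth2.googleapis.com/token"
IAM_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
           "serviceAccounts/{}:generateAccessToken")


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment back into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def dwd_signing_input(sa_email, key_id, user_email, scopes, now):
    """Domain-wide delegation: the JWT 'header.claims' the service account must
    sign (RS256) with its exported private key. 'sub' names a domain *user*."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id}
    claims = {"iss": sa_email, "sub": user_email, "scope": " ".join(scopes),
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}
    return _b64url(header) + "." + _b64url(claims)


def impersonation_request(source_token, target_sa, scopes, lifetime_s=3600):
    """Service account impersonation: an IAM Credentials API call authorised by
    the caller's own access token. No key file is involved; the caller needs
    roles/iam.serviceAccountTokenCreator on the target service account."""
    return {
        "method": "POST",
        "url": IAM_URL.format(target_sa),
        "headers": {"Authorization": "Bearer " + source_token},
        "body": {"scope": list(scopes), "lifetime": f"{lifetime_s}s"},
    }


if __name__ == "__main__":
    # All identities, key ids and tokens below are constructed sample values.
    scope = ["https://www.googleapis.com/auth/cloud-platform"]
    jwt_in = dwd_signing_input("runner@example-project.iam.gserviceaccount.com",
                               "constructed-key-id", "alice@example.com", scope, 1591896040)
    print(decode_segment(jwt_in.split(".")[1]))
    print(impersonation_request("constructed-source-token",
                                "target@example-project.iam.gserviceaccount.com", scope))
```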
   
   





[GitHub] [airflow] boring-cyborg[bot] commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-642821695


   Thanks for opening your first issue here! Be sure to follow the issue template!
   





[GitHub] [airflow] mik-laj commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-647092734


   I started an internal discussion about support for this feature. However, this is a duplicate, so I am closing this ticket.





[GitHub] [airflow] dgorelik commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
dgorelik commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-644356401


   @mik-laj I think this is actually a duplicate of https://github.com/apache/airflow/issues/8803





[GitHub] [airflow] mik-laj edited a comment on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
mik-laj edited a comment on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-642837967


   I wonder why we can't improve the current implementation of impersonated service? For now, you can impersonate another account using the delegate_to parameter. This parameter is available in hook and operators, so its use is very easy.
   
   Using complex objects in Airflow is problematic because they cannot be template fields. It is better when we use primitive objects, such as parameters.





[GitHub] [airflow] mik-laj closed issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
mik-laj closed issue #9236:
URL: https://github.com/apache/airflow/issues/9236


   





[GitHub] [airflow] mik-laj commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
mik-laj commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-642837967


   I wonder why we can't improve the current implementation of impersonated service? For now, you can impersonate another account using the delegate_to parameter. This parameter is available in hook and operators, so its use is very easy.





[GitHub] [airflow] dgorelik commented on issue #9236: Allow a Google API credentials object to be provided for GoogleBaseHook

Posted by GitBox <gi...@apache.org>.
dgorelik commented on issue #9236:
URL: https://github.com/apache/airflow/issues/9236#issuecomment-642821944


   Note: if this idea makes sense, I am happy to send a PR to implement it.

