m1racoli commented on code in PR #36341:
URL: https://github.com/apache/airflow/pull/36341#discussion_r1455033407
##########
airflow/providers/google/cloud/hooks/bigquery.py:
##########
@@ -3247,6 +3259,36 @@ def _format_schema_for_description(schema: dict) -> list:
return description
+class ImpersonationToken:
+ """Simulate the interface of gcloud.aio.auth.token.BaseToken and generate
impersonation_chain access_token."""
+
+ def __init__(self, project_id: str | None, impersonation_chain: str) ->
None:
+ self.project_id = project_id
+ self.impersonation_chain = impersonation_chain
+
+ async def get_project(self) -> str | None:
+ project = (
+ self.project_id
+ or os.environ.get("GOOGLE_CLOUD_PROJECT")
+ or os.environ.get("GCLOUD_PROJECT")
+ or os.environ.get("APPLICATION_ID")
+ )
+ return project
+
+ async def get(self) -> str | None:
+ creds, _ = google.auth.default()
+
+ target_principal, _ =
_get_target_principal_and_delegates(self.impersonation_chain)
+ impersonated_creds = impersonated_credentials.Credentials(
+ source_credentials=creds,
+ target_principal=target_principal,
+ target_scopes=["https://www.googleapis.com/auth/cloud-platform"],
+ )
+
+ impersonated_creds.refresh(google_auth_requests.Request())
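Review bot: in `get`, the delegates returned by `_get_target_principal_and_delegates(self.impersonation_chain)` are discarded (`target_principal, _ =`) and never reach `impersonated_credentials.Credentials`, so a chain with intermediate service accounts is reduced to direct impersonation of the final principal. Pass the second return value through as `delegates=`, and widen the `impersonation_chain: str` annotation in `__init__` if a sequence is meant to be accepted. Separately, the hardcoded `cloud-platform` entry in `target_scopes` is broader than a BigQuery hook needs; taking the scopes as a constructor argument would let callers request less.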
Review Comment:
This needs to be done asynchronously. Otherwise it will block the entire
triggerer process.
##########
airflow/providers/google/cloud/hooks/bigquery.py:
##########
@@ -3247,6 +3259,36 @@ def _format_schema_for_description(schema: dict) -> list:
return description
+class ImpersonationToken:
+ """Simulate the interface of gcloud.aio.auth.token.BaseToken and generate
impersonation_chain access_token."""
+
+ def __init__(self, project_id: str | None, impersonation_chain: str) ->
None:
+ self.project_id = project_id
+ self.impersonation_chain = impersonation_chain
+
+ async def get_project(self) -> str | None:
+ project = (
+ self.project_id
+ or os.environ.get("GOOGLE_CLOUD_PROJECT")
+ or os.environ.get("GCLOUD_PROJECT")
+ or os.environ.get("APPLICATION_ID")
+ )
+ return project
+
+ async def get(self) -> str | None:
+ creds, _ = google.auth.default()
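Review bot: `creds, _ = google.auth.default()` in `get` takes the source identity from Application Default Credentials, so impersonation starts from whatever account the running process has rather than from credentials the caller selected. Accept the source credentials in `__init__` alongside `project_id` and `impersonation_chain`, and state in the class docstring which identity is used when none is supplied. The call is also synchronous inside an `async def`, and `get_project` can return `None` without any signal to the caller when none of the three environment variables is set.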
Review Comment:
I would like to add that `GoogleBaseHook.get_credentials()` probably not only
respects the impersonation chain set on hook level, but also on connection level.
If we can rely on that, then we would need to cover those cases individually.