This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 7727db55b7e Mark Google Oauth2 backend as Airflow 2 only (#47622)
7727db55b7e is described below
commit 7727db55b7ef27084e8ab04d241049ff3c579d02
Author: Ash Berlin-Taylor <[email protected]>
AuthorDate: Wed Mar 12 09:36:06 2025 +0000
Mark Google Oauth2 backend as Airflow 2 only (#47622)
And remove the default config options in Airflow 3.
Just to make it not be an import error in case anyone does import it in
Airflow 3 I have adjusted the provider code to have fallbacks specified.
---
airflow/config_templates/config.yml | 18 ------------------
.../google/docs/api-auth-backend/google-openid.rst | 2 ++
.../google/common/auth_backend/google_openid.py | 11 ++++++++++-
3 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/airflow/config_templates/config.yml
b/airflow/config_templates/config.yml
index b9b717093a8..699fe1e549d 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -1391,24 +1391,6 @@ api:
example: ~
version_added: 2.0.0
default: "100"
- google_oauth2_audience:
- description: The intended audience for JWT token credentials used for
authorization.
- This value must match on the client and server sides.
- If empty, audience will not be tested.
- type: string
- version_added: 2.0.0
- example: project-id-random-value.apps.googleusercontent.com
- default: ""
- google_key_path:
- description: |
- Path to Google Cloud Service Account key file (JSON). If omitted,
authorization based on
- `the Application Default Credentials
-
<https://cloud.google.com/docs/authentication/production#finding_credentials_automatically>`__
will
- be used.
- type: string
- version_added: 2.0.0
- example: /files/service-account-json
- default: ""
access_control_allow_headers:
description: |
Used in response to a preflight request to indicate which HTTP
diff --git a/providers/google/docs/api-auth-backend/google-openid.rst
b/providers/google/docs/api-auth-backend/google-openid.rst
index 303e81869d1..03885876cbe 100644
--- a/providers/google/docs/api-auth-backend/google-openid.rst
+++ b/providers/google/docs/api-auth-backend/google-openid.rst
@@ -18,6 +18,8 @@
Google OpenID authentication
''''''''''''''''''''''''''''
+.. note:: This authentication mechanism only works for Airflow 2.x
+
You can also configure
`Google OpenID
<https://developers.google.com/identity/protocols/oauth2/openid-connect>`__
for authentication. To enable it, set the following option in the
configuration:
diff --git
a/providers/google/src/airflow/providers/google/common/auth_backend/google_openid.py
b/providers/google/src/airflow/providers/google/common/auth_backend/google_openid.py
index 4a3f45fa4a3..e18e90af6a8 100644
---
a/providers/google/src/airflow/providers/google/common/auth_backend/google_openid.py
+++
b/providers/google/src/airflow/providers/google/common/auth_backend/google_openid.py
@@ -32,12 +32,16 @@ from google.auth.transport.requests import AuthorizedSession
from google.oauth2 import service_account
from airflow.configuration import conf
+from airflow.exceptions import AirflowProviderDeprecationWarning
+from airflow.providers.google.common.deprecated import deprecated
from airflow.providers.google.common.utils.id_token_credentials import
get_default_id_token_credentials
log = logging.getLogger(__name__)
_GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com";)
-AUDIENCE = conf.get("api", "google_oauth2_audience")
+AUDIENCE = conf.get(
+ "api", "google_oauth2_audience",
fallback="project-id-random-value.apps.googleusercontent.com"
+)
def create_client_session():
@@ -52,6 +56,11 @@ def create_client_session():
return AuthorizedSession(credentials=id_token_credentials)
+@deprecated(
+ planned_removal_release="apache-airflow-providers-google==15.0.0",
+ reason="Auth backends are not supported on Airflow 3, and this entire
module will be removed",
+ category=AirflowProviderDeprecationWarning,
+)
def init_app(_):
"""Initialize authentication."""
