Programmer-RD-AI commented on code in PR #56228:
URL: https://github.com/apache/airflow/pull/56228#discussion_r2392131702
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/base_azure.py:
##########
@@ -111,22 +119,74 @@ def get_conn(self) -> Any:
self.log.info("Getting connection using a JSON config.")
return get_client_from_json_dict(client_class=self.sdk_client,
config_dict=key_json)
- credentials: ServicePrincipalCredentials |
AzureIdentityCredentialAdapter
+ credentials = self.get_credential(conn=conn)
+
+ return self.sdk_client(
+ credentials=credentials,
+ subscription_id=subscription_id,
+ )
+
+ def get_credential(self, *, conn: Connection | None = None) -> Any:
+ """
+ Get Azure credential object for the connection.
+
+ Azure Identity based credential object (``ClientSecretCredential``,
``DefaultAzureCredential``) can be used to get OAuth token using ``get_token``
method.
+ Older Credential objects (``ServicePrincipalCredentials``,
``AzureIdentityCredentialAdapter``) are supported for backward compatibility.
+
+ :return: The Azure credential object
+ """
+ if not conn:
+ conn = self.get_connection(self.conn_id)
+ tenant = conn.extra_dejson.get("tenantId")
+ credential: (
+ ServicePrincipalCredentials
+ | AzureIdentityCredentialAdapter
+ | ClientSecretCredential
+ | DefaultAzureCredential
+ )
if all([conn.login, conn.password, tenant]):
- self.log.info("Getting connection using specific credentials and
subscription_id.")
- credentials = ServicePrincipalCredentials(
- client_id=conn.login, secret=conn.password, tenant=tenant
- )
+ credential = self._get_client_secret_credential(conn)
else:
- self.log.info("Using DefaultAzureCredential as credential")
- managed_identity_client_id =
conn.extra_dejson.get("managed_identity_client_id")
- workload_identity_tenant_id =
conn.extra_dejson.get("workload_identity_tenant_id")
- credentials = AzureIdentityCredentialAdapter(
+ credential = self._get_default_azure_credential(conn)
+ return credential
+
+ def _get_client_secret_credential(self, conn: Connection):
Review Comment:
Looks like this always returns either ClientSecretCredential or
ServicePrincipalCredentials. Might be good to reflect that in the return type
annotation instead of leaving it implicit. Not critical, but would make it
clearer for readers and type checkers.
```suggestion
def _get_client_secret_credential(self, conn: Connection) ->
ClientSecretCredential | ServicePrincipalCredentials:
```
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/base_azure.py:
##########
@@ -111,22 +119,74 @@ def get_conn(self) -> Any:
self.log.info("Getting connection using a JSON config.")
return get_client_from_json_dict(client_class=self.sdk_client,
config_dict=key_json)
- credentials: ServicePrincipalCredentials |
AzureIdentityCredentialAdapter
+ credentials = self.get_credential(conn=conn)
+
+ return self.sdk_client(
+ credentials=credentials,
+ subscription_id=subscription_id,
+ )
+
+ def get_credential(self, *, conn: Connection | None = None) -> Any:
+ """
+ Get Azure credential object for the connection.
+
+ Azure Identity based credential object (``ClientSecretCredential``,
``DefaultAzureCredential``) can be used to get OAuth token using ``get_token``
method.
+ Older Credential objects (``ServicePrincipalCredentials``,
``AzureIdentityCredentialAdapter``) are supported for backward compatibility.
+
+ :return: The Azure credential object
+ """
+ if not conn:
+ conn = self.get_connection(self.conn_id)
+ tenant = conn.extra_dejson.get("tenantId")
+ credential: (
+ ServicePrincipalCredentials
+ | AzureIdentityCredentialAdapter
+ | ClientSecretCredential
+ | DefaultAzureCredential
+ )
if all([conn.login, conn.password, tenant]):
- self.log.info("Getting connection using specific credentials and
subscription_id.")
- credentials = ServicePrincipalCredentials(
- client_id=conn.login, secret=conn.password, tenant=tenant
- )
+ credential = self._get_client_secret_credential(conn)
else:
- self.log.info("Using DefaultAzureCredential as credential")
- managed_identity_client_id =
conn.extra_dejson.get("managed_identity_client_id")
- workload_identity_tenant_id =
conn.extra_dejson.get("workload_identity_tenant_id")
- credentials = AzureIdentityCredentialAdapter(
+ credential = self._get_default_azure_credential(conn)
+ return credential
+
+ def _get_client_secret_credential(self, conn: Connection):
+ self.log.info("Getting credentials using specific credentials and
subscription_id.")
+ extra_dejson = conn.extra_dejson
+ tenant = extra_dejson.get("tenantId")
+ use_azure_identity_object =
extra_dejson.get("use_azure_identity_object", False)
+ if use_azure_identity_object:
+ return ClientSecretCredential(
+ client_id=conn.login, # type: ignore[arg-type]
+ client_secret=conn.password, # type: ignore[arg-type]
+ tenant_id=tenant, # type: ignore[arg-type]
+ )
+ return ServicePrincipalCredentials(client_id=conn.login,
secret=conn.password, tenant=tenant)
+
+ def _get_default_azure_credential(self, conn: Connection):
+ self.log.info("Using DefaultAzureCredential as credential")
+ extra_dejson = conn.extra_dejson
+ managed_identity_client_id =
extra_dejson.get("managed_identity_client_id")
+ workload_identity_tenant_id =
extra_dejson.get("workload_identity_tenant_id")
+ use_azure_identity_object =
extra_dejson.get("use_azure_identity_object", False)
+ if use_azure_identity_object:
+ return get_sync_default_azure_credential(
managed_identity_client_id=managed_identity_client_id,
workload_identity_tenant_id=workload_identity_tenant_id,
)
-
- return self.sdk_client(
- credentials=credentials,
- subscription_id=subscription_id,
+ return AzureIdentityCredentialAdapter(
+ managed_identity_client_id=managed_identity_client_id,
+ workload_identity_tenant_id=workload_identity_tenant_id,
)
+
+ def get_token(self, *scopes, **kwargs) -> AccessToken:
+ """Request an access token for `scopes`."""
+ credential = self.get_credential()
+ if isinstance(credential, AzureIdentityCredentialAdapter) or
isinstance(
+ credential, AzureIdentityCredentialAdapter
+ ):
+ raise AttributeError(
+ "The azure credential does not support get_token method. "
+ "Please set `use_azure_identity_object: True` in the
connection extra field to use credential that support get_token method."
+ )
+ return credential.get_token(*scopes, **kwargs)
Review Comment:
a small warning here regarding AzureIdentityCredentialAdapter and
AzureIdentityCredentialAdapter not supporting the get token method would be
helpful
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/base_azure.py:
##########
@@ -111,22 +119,74 @@ def get_conn(self) -> Any:
self.log.info("Getting connection using a JSON config.")
return get_client_from_json_dict(client_class=self.sdk_client,
config_dict=key_json)
- credentials: ServicePrincipalCredentials |
AzureIdentityCredentialAdapter
+ credentials = self.get_credential(conn=conn)
+
+ return self.sdk_client(
+ credentials=credentials,
+ subscription_id=subscription_id,
+ )
+
+ def get_credential(self, *, conn: Connection | None = None) -> Any:
+ """
+ Get Azure credential object for the connection.
+
+ Azure Identity based credential object (``ClientSecretCredential``,
``DefaultAzureCredential``) can be used to get OAuth token using ``get_token``
method.
+ Older Credential objects (``ServicePrincipalCredentials``,
``AzureIdentityCredentialAdapter``) are supported for backward compatibility.
+
+ :return: The Azure credential object
+ """
+ if not conn:
+ conn = self.get_connection(self.conn_id)
+ tenant = conn.extra_dejson.get("tenantId")
+ credential: (
+ ServicePrincipalCredentials
+ | AzureIdentityCredentialAdapter
+ | ClientSecretCredential
+ | DefaultAzureCredential
+ )
if all([conn.login, conn.password, tenant]):
- self.log.info("Getting connection using specific credentials and
subscription_id.")
- credentials = ServicePrincipalCredentials(
- client_id=conn.login, secret=conn.password, tenant=tenant
- )
+ credential = self._get_client_secret_credential(conn)
else:
- self.log.info("Using DefaultAzureCredential as credential")
- managed_identity_client_id =
conn.extra_dejson.get("managed_identity_client_id")
- workload_identity_tenant_id =
conn.extra_dejson.get("workload_identity_tenant_id")
- credentials = AzureIdentityCredentialAdapter(
+ credential = self._get_default_azure_credential(conn)
+ return credential
+
+ def _get_client_secret_credential(self, conn: Connection):
+ self.log.info("Getting credentials using specific credentials and
subscription_id.")
+ extra_dejson = conn.extra_dejson
+ tenant = extra_dejson.get("tenantId")
+ use_azure_identity_object =
extra_dejson.get("use_azure_identity_object", False)
+ if use_azure_identity_object:
+ return ClientSecretCredential(
+ client_id=conn.login, # type: ignore[arg-type]
+ client_secret=conn.password, # type: ignore[arg-type]
+ tenant_id=tenant, # type: ignore[arg-type]
+ )
+ return ServicePrincipalCredentials(client_id=conn.login,
secret=conn.password, tenant=tenant)
+
+ def _get_default_azure_credential(self, conn: Connection):
Review Comment:
defining a return type here would be beneficial as well i think
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/base_azure.py:
##########
@@ -96,8 +103,9 @@ def get_conn(self) -> Any:
:return: the authenticated client.
"""
+ if not self.sdk_client:
+ raise ValueError("`sdk_client` must be provided to AzureBaseHook
to use `get_conn` method.")
Review Comment:
i think this check is redundant by making sdk_client we are pretty much
saying its optional right? so then we shouldn't raise a error when its None, i
think reverting this and the constructor change as it was would be better
##########
providers/microsoft/azure/src/airflow/providers/microsoft/azure/hooks/base_azure.py:
##########
@@ -111,22 +119,74 @@ def get_conn(self) -> Any:
self.log.info("Getting connection using a JSON config.")
return get_client_from_json_dict(client_class=self.sdk_client,
config_dict=key_json)
- credentials: ServicePrincipalCredentials |
AzureIdentityCredentialAdapter
+ credentials = self.get_credential(conn=conn)
+
+ return self.sdk_client(
+ credentials=credentials,
+ subscription_id=subscription_id,
+ )
+
+ def get_credential(self, *, conn: Connection | None = None) -> Any:
Review Comment:
Maybe worth tightening the return type here instead of Any, something like a
union of the credential classes (ServicePrincipalCredentials |
AzureIdentityCredentialAdapter | ClientSecretCredential |
DefaultAzureCredential). Not a blocker, but could make the typing clearer.
```suggestion
def get_credential(self, *, conn: Connection | None = None) ->
ServicePrincipalCredentials | AzureIdentityCredentialAdapter |
ClientSecretCredential | DefaultAzureCredential:
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
