Stephen Reichling created BEAM-1070:
---------------------------------------
Summary: Service Account Based Authentication Broken
Key: BEAM-1070
URL: https://issues.apache.org/jira/browse/BEAM-1070
Project: Beam
Issue Type: Bug
Components: sdk-py
Environment: CentOS Linux release 7.1.1503 (Core)
Python 2.7.5
Reporter: Stephen Reichling
Assignee: Frances Perry
Priority: Critical

{{sdks/python/apache_beam/internal/auth.py}} calls into the
{{oauth2client.service_account.ServiceAccountCredentials.from_p12_keyfile}}
method with invalid and incorrectly-ordered parameters. Compare the [function
signature of
ServiceAccountCredentials.from_p12_keyfile|https://github.com/google/oauth2client/blob/ae73312942d3cf0e98f097dfbb40f136c2a7c463/oauth2client/service_account.py#L300-L303]
with [how it is
invoked|https://github.com/apache/incubator-beam/blob/9ded359daefc6040d61a1f33c77563474fcb09b6/sdks/python/apache_beam/internal/auth.py#L150-L154].
This causes a runtime error when one attempts to use a service account to
authenticate with the Google Dataflow APIs.

The specific problems are:
- the {{client_scopes}} variable (a list) is passed as a positional parameter
where the function signature expects the {{private_key_password}} parameter (a
string).
- a keyed parameter, {{user_agent}}, is passed but no such parameter is
defined in the function signature.
- no value is provided for {{private_key_password}}. All p12 key files for
service accounts issued by Google Cloud have the password {{notasecret}} as
documented
[here|https://support.google.com/cloud/answer/6158849?hl=en#serviceaccounts],
so it's currently not possible to use a Google-issued p12 key file with this
implementation.
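The three problems listed in the report can be caught without a key file by binding a call's arguments to the target signature. This is an added example, not code from Beam or oauth2client. It is written for Python 3; the stand-in function copies only the parameter order of {{from_p12_keyfile}} (assumed from the linked signature and the description above), and the account name, file name, scope, and corrected call shape are constructed for illustration.

```python
import inspect

NOTASECRET = "notasecret"  # p12 password the report cites for Google-issued keys
SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]  # constructed sample
ACCOUNT = "sa@example.iam.gserviceaccount.com"               # constructed sample


def from_p12_keyfile(service_account_email, filename,
                     private_key_password=None, scopes="",
                     token_uri=None, revoke_uri=None):
    """Stand-in with the assumed parameter order of the classmethod (cls omitted)."""
    raise NotImplementedError("stand-in: inspected, never called")


def check_call(func, *args, **kwargs):
    """Bind the arguments to func's signature without calling it; return findings."""
    sig = inspect.signature(func)
    findings = ["unexpected keyword argument: %s" % name
                for name in sorted(set(kwargs) - set(sig.parameters))]
    known = {k: v for k, v in kwargs.items() if k in sig.parameters}
    try:
        bound = sig.bind(*args, **known)
    except TypeError as exc:  # e.g. a required positional argument is missing
        findings.append(str(exc))
        return findings
    password = bound.arguments.get("private_key_password")
    if password is None:
        findings.append("private_key_password not supplied")
    elif not isinstance(password, str):
        findings.append("private_key_password is %s, expected str"
                        % type(password).__name__)
    return findings


def broken_call_findings():
    # Call shape described in the report: scopes passed third, plus user_agent.
    return check_call(from_p12_keyfile, ACCOUNT, "key.p12", SCOPES,
                      user_agent="example-agent")


def fixed_call_findings():
    # One possible corrected shape (assumption): every optional value by keyword.
    return check_call(from_p12_keyfile, ACCOUNT, "key.p12",
                      private_key_password=NOTASECRET, scopes=SCOPES)
```

Passing the optional values by keyword keeps the call correct even if the library reorders its optional parameters again.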