That looks right to me. Unfortunately, the Python client lib, unlike the Java client lib <https://developers.google.com/api-client-library/java/google-api-java-client/reference/1.19.1/com/google/api/client/googleapis/auth/oauth2/GoogleCredential>, doesn't support generating GoogleCredentials while impersonating another user/service account. Otherwise, the code can be much simplified and we only need to deal with GoogleCredentials.
Happy to take a look at your PR too, just @fenglu-g.

On Thu, Aug 31, 2017 at 6:03 PM, Pras Srinivasan <pras.sriniva...@glassdoor.com> wrote:

> I'm upgrading from airflow 1.7 to 1.8.2rc4. I noticed that the user
> delegation feature does not work for service accounts when inheriting from
> GoogleCloudBaseHook anymore.
>
> Older versions of this hook used to support delegation when
> SignedJwtAssertionCredentials was being used. Actually, the current code in
> master still has some code left over from when
> SignedJwtAssertionCredentials was being used. Specifically these lines
> (#68-#70) in gcp_api_base_hook.py:
>
>     kwargs = {}
>     if self.delegate_to:
>         kwargs['sub'] = self.delegate_to
>
> However, this information is not used anywhere and the _authorize method
> simply returns an HTTP object without allowing for delegation.
>
> I think the changes that need to be made are:
> 1) Remove lines 68-70
> 2) Add a couple of lines after line #83 that enable returning a delegated
> credential object:
>
>     if self.delegate_to:
>         credentials = credentials.create_delegated(self.delegate_to)
>
> Can another dev please review/confirm that my understanding is correct? I'm
> happy to open a JIRA on Apache, as well as submit the fix.
>
> Thanks much!
> Pras
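
The behaviour described in the quoted message and the change it proposes, as an added example that is not part of the original thread and is not Airflow or client-library code. `StubCredentials`, `authorize_before`, `authorize_after`, `effective_identity` and the sample addresses are hypothetical stand-ins constructed here; only `create_delegated` and the `kwargs['sub']` lines come from the message.

```python
# Added illustration: stand-ins only, not Airflow or Google client-library code.
import copy


class StubCredentials:
    """Hypothetical stand-in for a service-account credentials object that
    offers create_delegated(sub), which the quoted message relies on."""

    def __init__(self, service_account_email, sub=None):
        self.service_account_email = service_account_email
        self.sub = sub  # user to act as; None means act as the service account

    def create_delegated(self, sub):
        # Return a copy bound to the delegated user; the original is untouched.
        delegated = copy.copy(self)
        delegated.sub = sub
        return delegated

    def authorize(self, http):
        # Record which identity the HTTP object will act as.
        http["acts_as"] = self.sub or self.service_account_email
        return http


def authorize_before(credentials, delegate_to=None):
    """Behaviour described in the message: 'sub' is collected but never used."""
    kwargs = {}
    if delegate_to:
        kwargs["sub"] = delegate_to  # dead code: nothing reads kwargs
    return credentials.authorize({})


def authorize_after(credentials, delegate_to=None):
    """Proposed change: swap in a delegated credential before authorizing."""
    if delegate_to:
        credentials = credentials.create_delegated(delegate_to)
    return credentials.authorize({})


def effective_identity(http):
    """Identity the authorized HTTP object would present to the API."""
    return http["acts_as"]


if __name__ == "__main__":
    creds = StubCredentials("etl@example-project.iam.gserviceaccount.com")  # constructed
    for fn in (authorize_before, authorize_after):
        print(fn.__name__, effective_identity(fn(creds, "analyst@example.com")))
```

A regression test of this shape, asserting on the effective identity rather than on the absence of an exception, is what catches a delegation setting that is accepted but silently ignored.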