Add host_key_policy option to ComputeEngineSSHHook #66746
Merged
potiuk merged 2 commits on May 13, 2026
Exposes paramiko's `MissingHostKeyPolicy` choice as a constructor argument so callers can opt into strict host-key verification on the SSH transport. The argument accepts the string aliases `"auto_add"`, `"reject"` and `"warning"` (which map to the matching `paramiko` policy classes) and also passes through any custom `paramiko.MissingHostKeyPolicy` instance — so a caller that wants to pin the remote host's key from GCE guest attributes / instance metadata can plug in a policy that loads it on the fly. The default is `"auto_add"`, preserving the historical behaviour of this hook; no migration is required for existing callers. The previous inline comment claiming the missing host-key check was unrelated to the local private key is removed — it conflated two different concerns and is replaced with a pointer to the new constructor argument. Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
shahar1 reviewed on May 12, 2026

…port @shahar1 review on PR apache#66746:
* Add :param host_key_policy: to the ComputeEngineSSHHook docstring so users see the option without reading the source.
* Fix the _resolve_host_key_policy() docstring to say ValueError (matches what is actually raised) instead of AirflowException.
* Re-raise the unknown-policy ValueError with from None so the KeyError implementation detail doesn't leak into the chained traceback.
* Move 'import paramiko' to module top in test_compute_ssh.py; the function-local imports were unnecessary now that the test class is permanent.
shahar1 approved these changes on May 13, 2026
Summary

Expose paramiko's `MissingHostKeyPolicy` choice as a constructor argument on `ComputeEngineSSHHook`, so callers can opt into strict host-key verification on the SSH transport. The hook previously hard-coded `paramiko.AutoAddPolicy`, which means callers who wanted the remote host authenticated had no way to ask for it.

The new `host_key_policy` argument accepts:
* `"auto_add"`, `"reject"` and `"warning"` — mapped to the matching `paramiko` policy classes;
* `paramiko.MissingHostKeyPolicy` instance — so a caller that wants to pin the remote host's key from GCE guest attributes / instance metadata can plug in a policy that loads it on the fly.

The default is `"auto_add"`, preserving the historical behaviour of the hook; no migration is required for existing callers.

The previous inline comment that claimed the missing host-key check was unrelated to the local private key is removed — it conflated two different concerns — and replaced with a pointer to the new constructor argument.

Files changed
* `providers/google/src/airflow/providers/google/cloud/hooks/compute_ssh.py` — new `host_key_policy` parameter, helper resolver, applied in `_connect_to_instance`. Misleading comment removed.
* `providers/google/tests/unit/google/cloud/hooks/test_compute_ssh.py` — new `TestHostKeyPolicyResolution` class (4 cases: default, string aliases, custom instance, unknown-string error).

Test plan
* `uv run --project providers/google pytest providers/google/tests/unit/google/cloud/hooks/test_compute_ssh.py` — 22 / 22 pass
* `prek run --from-ref upstream/main --stage pre-commit` — clean

Migration

None. Callers that don't pass `host_key_policy` get the same paramiko `AutoAddPolicy` behaviour as before.

Was generative AI tooling used to co-author this PR?
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions