[BEAM-12641] Use google-auth instead of oauth2client for GCP auth

[chunyang]

This change switches the GCP auth library from oauth2client to google-auth. google-auth-httplib2 library is used to provide authorized HTTP clients that work with the existing vendored libraries for BigQuery, GCS, etc.

I'm interested in this migration because of the need to use custom token URIs for issuing service account tokens--it's supported by google-auth but not oauth2client.

dev list discussion thread: https://lists.apache.org/x/thread.html/r4345315bfa80c6181138d556317a45d7692cd2b37d1d341238e5440a@%3Cdev.beam.apache.org%3E

---

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

• Choose reviewer(s) and mention them in a comment (R: @username).
• Format the pull request title like [BEAM-XXX] Fixes bug in ApproximateQuantiles, where you replace BEAM-XXX with the appropriate JIRA issue, if applicable. This will automatically link the pull request to the issue.
• Update CHANGES.md with noteworthy changes.
• If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

ValidatesRunner compliance status (on master branch)

Lang	ULR	Dataflow	Flink	Samza	Spark	Twister2
Go	---			---		---
Java
Python	---			---		---
XLang				---		---

Examples testing status on various runners

Lang	ULR	Dataflow	Flink	Samza	Spark	Twister2
Go	---	---	---	---	---	---	---
Java	---		---	---	---	---	---
Python	---	---	---	---	---	---	---
XLang	---	---	---	---	---	---	---

Post-Commit SDK/Transform Integration Tests Status (on master branch)

Go	Java	Python

Pre-Commit Tests Status (on master branch)

---	Java	Python	Go	Website	Whitespace	Typescript
Non-portable
Portable	---			---	---	---

See .test-infra/jenkins/README for trigger phrase, status and link of all Jenkins jobs.

GitHub Actions Tests Status (on master branch)

See CI.md for more information about GitHub Actions CI.

[codecov]

Codecov Report

Merging #15004 (e1eadbe) into master (eeccbb0) will increase coverage by 9.68%.
The diff coverage is 70.83%.

@@            Coverage Diff             @@
##           master   #15004      +/-   ##
==========================================
+ Coverage   73.94%   83.63%   +9.68%     
==========================================
  Files         667      453     -214     
  Lines       88071    63264   -24807     
==========================================
- Hits        65128    52912   -12216     
+ Misses      21832    10352   -11480     
+ Partials     1111        0    -1111     

Flag	Coverage Δ
go	?
python	83.63% <70.83%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
sdks/python/apache_beam/internal/gcp/auth.py	81.03% <70.83%> (-0.45%)	⬇️
...ks/python/apache_beam/runners/worker/data_plane.py	87.50% <0.00%> (-1.71%)	⬇️
...thon/apache_beam/runners/worker/sdk_worker_main.py	74.12% <0.00%> (-1.40%)	⬇️
...n/apache_beam/runners/interactive/cache_manager.py	87.58% <0.00%> (-1.01%)	⬇️
sdks/python/apache_beam/internal/metrics/metric.py	90.00% <0.00%> (-1.00%)	⬇️
sdks/python/apache_beam/coders/coder_impl.py	93.97% <0.00%> (-0.31%)	⬇️
...s/interactive/dataproc/dataproc_cluster_manager.py	88.32% <0.00%> (-0.26%)	⬇️
...eam/runners/interactive/interactive_environment.py	90.51% <0.00%> (-0.23%)	⬇️
...apache_beam/runners/dataflow/internal/apiclient.py	77.27% <0.00%> (-0.13%)	⬇️
sdks/python/apache_beam/coders/coders.py	87.98% <0.00%> (-0.12%)	⬇️
... and 225 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update eeccbb0...e1eadbe. Read the comment docs.

[aaltay]

As a reference, I was referred to: https://github.com/googleapis/google-auth-library-python-httplib2 as how some other libraries went through a similar transition.

[chunyang]

Thanks! I wasn't aware that library existed, will see if I can incorporate it.

[aaltay]

R: @tvalentyn - Could you review this? Do you see any issues with Dataflow internals related to this?

[pabloem]

What's the status of this PR? @tvalentyn @chunyang

[chunyang]

@pabloem I'm waiting for a review, I heard that this change may not be compatible with the internal repo at Google, but hope @tvalentyn can confirm/deny. On my side I need to look at the Python PreCommit failure. It seems unrelated to me at first glance.

[tvalentyn]

Thanks @chunyang for working on this and your patience with this change. Adding a dependency on google-auth-httplib2 should be possible, looking closer at the change.

[tvalentyn]

I think this path was used to authenticate requests originating from GCE VMs, and we had it so that when Beam SDK is running Dataflow workers, the requests to GCP were authenticated just because the SDK is running on GCE VM.
I wonder how this will work with the new dependency.

[chunyang]

Thanks for the review @tvalentyn. My understanding is that the google.auth.default() call in line 151 will attempt to find credentials on GCE VMs using the instance Metadata Server so we don't need a special case within the Beam code. Is this something we can check via the existing integration tests?

https://github.com/googleapis/google-auth-library-python/blob/08c987d0215c9d3e230efe5b7c13e6b8197267bc/google/auth/_default.py#L386-L389

[tvalentyn]

Run Python 3.7 PostCommit

[tvalentyn]

Yes, we should be able to check the behavior in postcommit integration tests.

[tvalentyn]

Run Python 3.7 PostCommit

[tvalentyn]

Run Python 3.7 PostCommit

[chunyang]

Oops sorry, I broke the postcommit. Fix pending in #15584

[chunyang]

Run Python 3.7 PostCommit

[tvalentyn]

That's good to know, thanks for sharing. We have a plan to complete this migration as well.

[yeandy]

Hi @chunyang, I will be doing internal verification for these changes. It seems that I don't have permission to push to your fork/branch. Please rebase or merge master. Can you give me access to this PR? In the meantime, I'll create temp PR to test internally.

[chunyang]

Hi @yeandy, I merged master and added you as a collaborator on my fork. Is that enough permissions?

[yeandy]

Thanks, that should work.

[yeandy]

I've done the internal verification, and everything seems to work fine.

Before final approval/merge, I have a few questions @tvalentyn.

• Do we want to also remove oauth2client from the four base_image_requirements.txt files under the sdks/python/container/py3* directories too?
• And do we still need oath2client in deps_urls_py.yaml?

[yeandy]

Why has this been bumped?

[chunyang]

I ran into an error running tests locally when I didn't bump the version (see commit 0bd2c24). However, I don't think Jenkins had the same problem. We can probably revert this bump to minimize the change set?

[yeandy]

Yes, I think we can revert this back.

[tvalentyn]

Yes, we should regenerate the container dependencies, can be done in separate commit/pr, or you can follow https://s.apache.org/beam-python-requirements-generate and push more commits to this branch.

we can remove the entry in deps_urls_py.yaml in the same change.

[tvalentyn]

Running s.apache.org/beam-python-requirements-generate currently requires a linux machine. some deps are not installable on macos.

[yeandy]

Thanks for the info! I'll start regenerating them.

[yeandy]

R: @tvalentyn PTAL. Regenerated requirements, removed oauth2client from dep_urls_py.yaml, and bumped distlib version back down.

[tvalentyn]

Happy to merge when tests pass, thanks all.

[yeandy]

Was just reviewing again, and not sure why, but oauth2client is still in the base_image_requirements.txt files, even though I generated them with oauth2client>=2.0.1,<5 deleted from setup.py. Maybe I did the generation incorrectly?

[tvalentyn]

is it a transitive dep of some other dep? you can install pipdeptree to check.

[yeandy]

Seems that it's a dependency of google-apitools

google-apitools==0.5.31
  - fasteners [required: >=0.14, installed: 0.16.3]
    - six [required: Any, installed: 1.16.0]
  - httplib2 [required: >=0.8, installed: 0.19.1]
    - pyparsing [required: >=2.4.2,<3, installed: 2.4.7]
  - oauth2client [required: >=1.4.12, installed: 4.1.3]
    - httplib2 [required: >=0.9.1, installed: 0.19.1]
      - pyparsing [required: >=2.4.2,<3, installed: 2.4.7]
    - pyasn1 [required: >=0.1.7, installed: 0.4.8]
    - pyasn1-modules [required: >=0.0.5, installed: 0.2.8]
      - pyasn1 [required: >=0.4.6,<0.5.0, installed: 0.4.8]
    - rsa [required: >=3.1.4, installed: 4.8]
      - pyasn1 [required: >=0.1.3, installed: 0.4.8]
    - six [required: >=1.6.1, installed: 1.16.0]
  - six [required: >=1.12.0, installed: 1.16.0]

[yeandy]

@tvalentyn If I'm understanding this correctly, this doesn't require any additional regeneration, right?

[tvalentyn]

Run Portable_Python PreCommit

[tvalentyn]

Run PythonDocker PreCommit

[tvalentyn]

Run Python PreCommit

[tvalentyn]

@tvalentyn If I'm understanding this correctly, this doesn't require any additional regeneration, right?

right

[tvalentyn]

We need to revert the change to dep_urls_py.yaml.

[tvalentyn]

retest this please

[tvalentyn]

hmm. not seeing test signals for some reason, might be a github issue

[tvalentyn]

ok, triggered now.

[aaltay]

Congratulations! And thank you both!