auth refactor #58
auth refactor #58
Conversation
|
So far, I have confirmed manually that using The attribute Note that for now, |
|
(ps: tests pass locally in direct mode, since in the common case, the connection is not affected at all by these changes) |
gcsfs/core.py
Outdated
| following order: gcloud CLI default, gcsfs cached token, google compute | ||
| metadata service, anonymous. | ||
| - ``token='gtoken'``, your default gcloud credentials will be used, which | ||
| are typically established by doing ``gcloud login`` in a terminal. |
There was a problem hiding this comment.
Is gtoken a standard term?
There was a problem hiding this comment.
No, but I wanted something different from the previously provided "cloud" term. "gcloud" might otherwise have been more reasonable.
gcsfs/core.py
Outdated
| - ``token='gtoken'``, your default gcloud credentials will be used, which | ||
| are typically established by doing ``gcloud login`` in a terminal. | ||
| - ``token=='cache'``, credentials from previoudly successful gcsfs | ||
| authentication will be used (use this after "browser" auth succeeded) |
| This may be at | ||
| ``~/.config/gcloud/application_default_credentials.json``, | ||
| `` ~/.config/gcloud/credentials``, or | ||
| ``~\AppData\Roaming\gcloud\credentials``, etc. |
There was a problem hiding this comment.
Might we also provide the token explicitly as a dictionary?
There was a problem hiding this comment.
Yes, you can provide a dictionary - it does say that, but could provide an example.
gcsfs/core.py
Outdated
| method = 'token' | ||
| if method is None: | ||
| for meth in ['gtoken', 'cache', 'cloud', 'anon']: | ||
| self.connect(method=meth) |
There was a problem hiding this comment.
Perhaps this should return success or failure? Perhaps it should raise and we should try-except around it?
There was a problem hiding this comment.
Basically, if self.token remains unset (None), auth failed for that method. I had tried return True/False, but it felt pretty ugly. The exception is 'anon', so that could instead give self.token=False or other special value.
|
cc @asford |
|
I'm trying this out locally and running into a couple of small problems:
gcsfs/tests/test_core.py::test_simple FAILED
==================================================== FAILURES =====================================================
___________________________________________________ test_simple ___________________________________________________
token_restore = None
@my_vcr.use_cassette(match=['all'])
def test_simple(token_restore):
assert not GCSFileSystem.tokens
> gcs = GCSFileSystem(TEST_PROJECT, token=GOOGLE_TOKEN)
gcsfs/tests/test_core.py:18:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
gcsfs/core.py:188: in __init__
self.connect(method=token)
gcsfs/core.py:316: in connect
self.__getattribute__('_connect_' + method)()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <gcsfs.core.GCSFileSystem object at 0x7fc407596978>
def _connect_token(self):
> if 'type' in self.token or isinstance(self.token, str):
E TypeError: argument of type 'NoneType' is not iterable
2. There are merge conflicts with the fuse branch, though I can guess at how to merge short-term |
|
I'm testing a bit now on a GCE instance I use as a dev box. On this machine I've the compute sdk installed, but I'm using the service account for credentials: In this context This currently breaks the current My recommendation, though it's a bit of a refactor, would be to store the credential object returned from |
|
I've tested again after setting the application default credentials to my user account via Given that behavior, my current recommendation would be to hold the credential object returned by the In a broader sense, I would suggest emphasizing use of the default app credentials instead of obtaining and directly caching a credential object for |
|
@martindurant How quickly are you trying to turn this around? If you can wait until tomorrow I can open a PR-onto-this-PR that implements the 'application-default' behavior I've described above. As it stands now the strategy of unpacking the credential object returned by |
|
(for context @asford I've asked @martindurant to accelerate some work here for an upcoming conference talk this coming Monday) |
|
This is fine with me. @asford might have other thoughts.
…On Thu, Jan 4, 2018 at 2:55 PM, Martin Durant ***@***.***> wrote:
@asford <https://github.com/asford> , @mrocklin
<https://github.com/mrocklin> , would it be a good idea to merge this, to
allow for the service account PR to follow and fix merge conflicts in the
fuse branch (I can handle that).
Again, vcr tests can wait, but should be re-recorded and working before
release.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#58 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AASszOyihI0vQXGkpJsow_6zcOx6D4D2ks5tHTrZgaJpZM4RTXfZ>
.
|
|
No problem with that plan on my end, we've all been there. Let's plan you merging what's needed for your talk on Monday. I can setup a follow-up PR that handles application default credentials afterward. In light of that, can we agree that the internal API implemented here may need to change to reflect the final authorization story> I think we'll be able to continue supporting all the named token modes ( @martindurant As a side note, it may be better if |
|
@asford , I specifically decided against Note as another point for follow up, |
auth refactor
Fixes #54
Fixes #56
Trying to turn this around quickly, reviews welcome. Some of the auth modes will not be testable in typical CI or locally.