blob: faefb1ac625de797dca35eedb5aef3800702d1bd [file] [log] [blame]
<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>apache_beam.internal.gcp.auth &mdash; Apache Beam documentation</title>
<link rel="stylesheet" href="../../../../_static/css/theme.css" type="text/css" />
<link rel="index" title="Index"
href="../../../../genindex.html"/>
<link rel="search" title="Search" href="../../../../search.html"/>
<link rel="top" title="Apache Beam documentation" href="../../../../index.html"/>
<link rel="up" title="Module code" href="../../../index.html"/>
<script src="../../../../_static/js/modernizr.min.js"></script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search">
<a href="../../../../index.html" class="icon icon-home"> Apache Beam
</a>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../../../../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.coders.html">apache_beam.coders package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.internal.html">apache_beam.internal package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.io.html">apache_beam.io package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.metrics.html">apache_beam.metrics package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.options.html">apache_beam.options package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.portability.html">apache_beam.portability package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.runners.html">apache_beam.runners package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.testing.html">apache_beam.testing package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.tools.html">apache_beam.tools package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.transforms.html">apache_beam.transforms package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.typehints.html">apache_beam.typehints package</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.utils.html">apache_beam.utils package</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.error.html">apache_beam.error module</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.pipeline.html">apache_beam.pipeline module</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.pvalue.html">apache_beam.pvalue module</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../../../apache_beam.version.html">apache_beam.version module</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" role="navigation" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../../../../index.html">Apache Beam</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="../../../../index.html">Docs</a> &raquo;</li>
<li><a href="../../../index.html">Module code</a> &raquo;</li>
<li>apache_beam.internal.gcp.auth</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<h1>Source code for apache_beam.internal.gcp.auth</h1><div class="highlight"><pre>
<span></span><span class="c1">#</span>
<span class="c1"># Licensed to the Apache Software Foundation (ASF) under one or more</span>
<span class="c1"># contributor license agreements. See the NOTICE file distributed with</span>
<span class="c1"># this work for additional information regarding copyright ownership.</span>
<span class="c1"># The ASF licenses this file to You under the Apache License, Version 2.0</span>
<span class="c1"># (the &quot;License&quot;); you may not use this file except in compliance with</span>
<span class="c1"># the License. You may obtain a copy of the License at</span>
<span class="c1">#</span>
<span class="c1"># http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="c1">#</span>
<span class="c1"># Unless required by applicable law or agreed to in writing, software</span>
<span class="c1"># distributed under the License is distributed on an &quot;AS IS&quot; BASIS,</span>
<span class="c1"># WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="c1"># See the License for the specific language governing permissions and</span>
<span class="c1"># limitations under the License.</span>
<span class="c1">#</span>
<span class="sd">&quot;&quot;&quot;Dataflow credentials and authentication.&quot;&quot;&quot;</span>
<span class="kn">from</span> <span class="nn">__future__</span> <span class="k">import</span> <span class="n">absolute_import</span>
<span class="kn">import</span> <span class="nn">datetime</span>
<span class="kn">import</span> <span class="nn">json</span>
<span class="kn">import</span> <span class="nn">logging</span>
<span class="kn">import</span> <span class="nn">os</span>
<span class="kn">from</span> <span class="nn">future.moves.urllib.request</span> <span class="k">import</span> <span class="n">Request</span>
<span class="kn">from</span> <span class="nn">future.moves.urllib.request</span> <span class="k">import</span> <span class="n">urlopen</span>
<span class="kn">from</span> <span class="nn">oauth2client.client</span> <span class="k">import</span> <span class="n">GoogleCredentials</span>
<span class="kn">from</span> <span class="nn">oauth2client.client</span> <span class="k">import</span> <span class="n">OAuth2Credentials</span>
<span class="kn">from</span> <span class="nn">apache_beam.utils</span> <span class="k">import</span> <span class="n">retry</span>
<span class="c1"># When we are running in GCE, we can authenticate with VM credentials.</span>
<span class="n">is_running_in_gce</span> <span class="o">=</span> <span class="kc">False</span>
<span class="c1"># When we are running in GCE, this value is set based on worker startup</span>
<span class="c1"># information.</span>
<span class="n">executing_project</span> <span class="o">=</span> <span class="kc">None</span>
<div class="viewcode-block" id="set_running_in_gce"><a class="viewcode-back" href="../../../../apache_beam.internal.gcp.auth.html#apache_beam.internal.gcp.auth.set_running_in_gce">[docs]</a><span class="k">def</span> <span class="nf">set_running_in_gce</span><span class="p">(</span><span class="n">worker_executing_project</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;For internal use only; no backwards-compatibility guarantees.</span>
<span class="sd"> Informs the authentication library that we are running in GCE.</span>
<span class="sd"> When we are running in GCE, we have the option of using the VM metadata</span>
<span class="sd"> credentials for authentication to Google services.</span>
<span class="sd"> Args:</span>
<span class="sd"> worker_executing_project: The project running the workflow. This information</span>
<span class="sd"> comes from worker startup information.</span>
<span class="sd"> &quot;&quot;&quot;</span>
<span class="k">global</span> <span class="n">is_running_in_gce</span>
<span class="k">global</span> <span class="n">executing_project</span>
<span class="n">is_running_in_gce</span> <span class="o">=</span> <span class="kc">True</span>
<span class="n">executing_project</span> <span class="o">=</span> <span class="n">worker_executing_project</span></div>
<div class="viewcode-block" id="AuthenticationException"><a class="viewcode-back" href="../../../../apache_beam.internal.gcp.auth.html#apache_beam.internal.gcp.auth.AuthenticationException">[docs]</a><span class="k">class</span> <span class="nc">AuthenticationException</span><span class="p">(</span><span class="n">retry</span><span class="o">.</span><span class="n">PermanentException</span><span class="p">):</span>
<span class="k">pass</span></div>
<span class="k">class</span> <span class="nc">_GCEMetadataCredentials</span><span class="p">(</span><span class="n">OAuth2Credentials</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;For internal use only; no backwards-compatibility guarantees.</span>
<span class="sd"> Credential object initialized using access token from GCE VM metadata.&quot;&quot;&quot;</span>
<span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">user_agent</span><span class="o">=</span><span class="kc">None</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Create an instance of GCEMetadataCredentials.</span>
<span class="sd"> These credentials are generated by contacting the metadata server on a GCE</span>
<span class="sd"> VM instance.</span>
<span class="sd"> Args:</span>
<span class="sd"> user_agent: string, The HTTP User-Agent to provide for this application.</span>
<span class="sd"> &quot;&quot;&quot;</span>
<span class="nb">super</span><span class="p">(</span><span class="n">_GCEMetadataCredentials</span><span class="p">,</span> <span class="bp">self</span><span class="p">)</span><span class="o">.</span><span class="fm">__init__</span><span class="p">(</span>
<span class="kc">None</span><span class="p">,</span> <span class="c1"># access_token</span>
<span class="kc">None</span><span class="p">,</span> <span class="c1"># client_id</span>
<span class="kc">None</span><span class="p">,</span> <span class="c1"># client_secret</span>
<span class="kc">None</span><span class="p">,</span> <span class="c1"># refresh_token</span>
<span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="p">(</span><span class="mi">2010</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="c1"># token_expiry, set to time in past.</span>
<span class="kc">None</span><span class="p">,</span> <span class="c1"># token_uri</span>
<span class="n">user_agent</span><span class="p">)</span>
<span class="nd">@retry</span><span class="o">.</span><span class="n">with_exponential_backoff</span><span class="p">(</span>
<span class="n">retry_filter</span><span class="o">=</span><span class="n">retry</span><span class="o">.</span><span class="n">retry_on_server_errors_and_timeout_filter</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">_refresh</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">http_request</span><span class="p">):</span>
<span class="n">refresh_time</span> <span class="o">=</span> <span class="n">datetime</span><span class="o">.</span><span class="n">datetime</span><span class="o">.</span><span class="n">utcnow</span><span class="p">()</span>
<span class="n">metadata_root</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="o">.</span><span class="n">get</span><span class="p">(</span>
<span class="s1">&#39;GCE_METADATA_ROOT&#39;</span><span class="p">,</span> <span class="s1">&#39;metadata.google.internal&#39;</span><span class="p">)</span>
<span class="n">token_url</span> <span class="o">=</span> <span class="p">(</span><span class="s1">&#39;http://</span><span class="si">{}</span><span class="s1">/computeMetadata/v1/instance/service-accounts/&#39;</span>
<span class="s1">&#39;default/token&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">metadata_root</span><span class="p">)</span>
<span class="n">req</span> <span class="o">=</span> <span class="n">Request</span><span class="p">(</span><span class="n">token_url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="s1">&#39;Metadata-Flavor&#39;</span><span class="p">:</span> <span class="s1">&#39;Google&#39;</span><span class="p">})</span>
<span class="n">token_data</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">loads</span><span class="p">(</span><span class="n">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">())</span>
<span class="bp">self</span><span class="o">.</span><span class="n">access_token</span> <span class="o">=</span> <span class="n">token_data</span><span class="p">[</span><span class="s1">&#39;access_token&#39;</span><span class="p">]</span>
<span class="bp">self</span><span class="o">.</span><span class="n">token_expiry</span> <span class="o">=</span> <span class="p">(</span><span class="n">refresh_time</span> <span class="o">+</span>
<span class="n">datetime</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">token_data</span><span class="p">[</span><span class="s1">&#39;expires_in&#39;</span><span class="p">]))</span>
<div class="viewcode-block" id="get_service_credentials"><a class="viewcode-back" href="../../../../apache_beam.internal.gcp.auth.html#apache_beam.internal.gcp.auth.get_service_credentials">[docs]</a><span class="k">def</span> <span class="nf">get_service_credentials</span><span class="p">():</span>
<span class="sd">&quot;&quot;&quot;For internal use only; no backwards-compatibility guarantees.</span>
<span class="sd"> Get credentials to access Google services.&quot;&quot;&quot;</span>
<span class="n">user_agent</span> <span class="o">=</span> <span class="s1">&#39;beam-python-sdk/1.0&#39;</span>
<span class="k">if</span> <span class="n">is_running_in_gce</span><span class="p">:</span>
<span class="c1"># We are currently running as a GCE taskrunner worker.</span>
<span class="c1">#</span>
<span class="c1"># TODO(ccy): It&#39;s not entirely clear if these credentials are thread-safe.</span>
<span class="c1"># If so, we can cache these credentials to save the overhead of creating</span>
<span class="c1"># them again.</span>
<span class="k">return</span> <span class="n">_GCEMetadataCredentials</span><span class="p">(</span><span class="n">user_agent</span><span class="o">=</span><span class="n">user_agent</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">client_scopes</span> <span class="o">=</span> <span class="p">[</span>
<span class="s1">&#39;https://www.googleapis.com/auth/bigquery&#39;</span><span class="p">,</span>
<span class="s1">&#39;https://www.googleapis.com/auth/cloud-platform&#39;</span><span class="p">,</span>
<span class="s1">&#39;https://www.googleapis.com/auth/devstorage.full_control&#39;</span><span class="p">,</span>
<span class="s1">&#39;https://www.googleapis.com/auth/userinfo.email&#39;</span><span class="p">,</span>
<span class="s1">&#39;https://www.googleapis.com/auth/datastore&#39;</span>
<span class="p">]</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">credentials</span> <span class="o">=</span> <span class="n">GoogleCredentials</span><span class="o">.</span><span class="n">get_application_default</span><span class="p">()</span>
<span class="n">credentials</span> <span class="o">=</span> <span class="n">credentials</span><span class="o">.</span><span class="n">create_scoped</span><span class="p">(</span><span class="n">client_scopes</span><span class="p">)</span>
<span class="n">logging</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s1">&#39;Connecting using Google Application Default &#39;</span>
<span class="s1">&#39;Credentials.&#39;</span><span class="p">)</span>
<span class="k">return</span> <span class="n">credentials</span>
<span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
<span class="n">logging</span><span class="o">.</span><span class="n">warning</span><span class="p">(</span>
<span class="s1">&#39;Unable to find default credentials to use: </span><span class="si">%s</span><span class="se">\n</span><span class="s1">&#39;</span>
<span class="s1">&#39;Connecting anonymously.&#39;</span><span class="p">,</span> <span class="n">e</span><span class="p">)</span>
<span class="k">return</span> <span class="kc">None</span></div>
</pre></div>
</div>
<div class="articleComments">
</div>
</div>
<footer>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright .
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT:'../../../../',
VERSION:'',
COLLAPSE_INDEX:false,
FILE_SUFFIX:'.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../../../_static/jquery.js"></script>
<script type="text/javascript" src="../../../../_static/underscore.js"></script>
<script type="text/javascript" src="../../../../_static/doctools.js"></script>
<script type="text/javascript" src="../../../../_static/js/theme.js"></script>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.StickyNav.enable();
});
</script>
</body>
</html>