Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ENH: Clear authentication defaults with more fine-grained control

See original GitHub issue

We have about 220 lines of code which handles authentication - do we need that? Generally the answer to “do we need something we do a lot of” is ‘Yes’, but asking regardless

My prior is that we could:

Check if creds are passed by the user
Otherwise pass nothing through to the Google libraries, and let them manage the defaults

That would reduced the code we needed to maintain and conform to standards - Google have very reasonable defaults, and we make it harder for those to flow through - e.g. PANDAS_GBQ_CREDENTIALS_FILE is non-standard, every other implementation uses GOOGLE_APPLICATION_CREDENTIALS, so users need to have an additional setting to use this library

Issue Analytics

State:
Created 6 years ago
Comments:8 (2 by maintainers)

Top GitHub Comments

1reaction

tswastcommented, Feb 27, 2018

I definitely think there is room for improvement here. My ideal flow would be:

Use credentials as explicitly passed by the user.
- Passing in the bytes of the JSON file as currently done for backwards compatibility.
- Passing in a Credentials object from google-auth.
Try to load cached user-auth credentials.
Use service account from PANDAS_GBQ_CREDENTIALS_FILE env var. (Should we keep doing this?)
Try to create default credentials using google-auth.
Do three-legged OAuth to get user credentials.

Note that google-auth default credentials does not do three-legged OAuth, so I think that’s an area where pandas-gbq will need to keep some auth code around.

Edit: Swapped items (1) and (2) so that explicitly passed credentials are always used first. Also, current behavior does default credentials before PANDAS_GBQ_CREDENTIALS_FILE. If we keep PANDAS_GBQ_CREDENTIALS_FILE around, we should prefer it to default credentials.

0reactions

tswastcommented, Apr 7, 2018

I have fleshed out a design that accounts for this feedback at #161. Closing this issue as a duplicate of that proposal.

Top Results From Across the Web

server: turn `--insecure` flag into more fine-grained controls · Issue ...

We're running Cockroach in single-tenant environments (i.e. don't care about per-user credentials etc.) over purely private networks (secure by default). In ...

Manage personal access tokens - Azure Databricks

Manage token-based authentication for Azure Databricks REST API clients. ... API 2.0 to control token usage at a more fine-grained level.

A Reference Architecture for Fine-Grained Access ... - InfoQ

A new access management architecture with a focus on a non-repudiable user identity, short-lived certificates or tokens, and a centralized fine- ...

Managing client configuration defaults - 11.2 - Documentation

On the Client Configuration Defaults tab, specify the default settings that are proprietary to PingFederate for clients created with the OAuth 2.0 Dynamic ......

Adding Windows Domain Authentication Method - Portnox

At the same time, ZTNA enables more granular and extensive network access control policies, improved scalability, and greater simplicity.