google-nomulus

mirror of https://github.com/google/nomulus.git synced 2025-05-09 16:28:21 +02:00

History

nickfelt be4c62ccf1 Make BigqueryCommand use application default creds This fixes a long-standing bug b/26016322 to move BigqueryCommand off of using a service account to access the Bigquery API. It's now using Application Default Credentials, which can be easily auto-installed on a machine by running 'gcloud auth application-default login' and clicking through the OAuth consent screen. The old method was a pain because: 1) individual users of the tool each needed to know to download and store a private key for the service account, and specify the key file via a CLI flag 2) BigQuery actions taken via the tool (e.g. load or query jobs) were listed as belonging to the service account, making them harder to find in the UI or for debugging, and difficult to audit (no idea which engineer invoked the tool) 3) within Google, this meant extra whitelisting headaches The new method also isn't perfect because Application Default Credentials obtained via gcloud are supposed to be used primarily for local testing, and don't support setting any custom scopes. However, we don't need custom scopes for this, and the smoother flow is worth it. In the longer term, once the CLI is using OAuth to talk to the app itself, we'll be able to switch to the "best practice" option of also using those credentials for talking to the BigQuery API. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=145120770	2017-01-25 12:21:07 -05:00
..
com/google/testing/builddefs	Restructure Maven dependencies in build	2017-01-09 11:59:04 -05:00
google/registry	Make BigqueryCommand use application default creds	2017-01-25 12:21:07 -05:00

nickfelt be4c62ccf1 Make BigqueryCommand use application default creds

This fixes a long-standing bug b/26016322 to move BigqueryCommand off of using a service account to access the Bigquery API.  It's now using Application Default Credentials, which can be easily auto-installed on a machine by running 'gcloud auth application-default login' and clicking through the OAuth consent screen.

The old method was a pain because:

1) individual users of the tool each needed to know to download and store a private key for the service account, and specify the key file via a CLI flag
2) BigQuery actions taken via the tool (e.g. load or query jobs) were listed as belonging to the service account, making them harder to find in the UI or for debugging, and difficult to audit (no idea which engineer invoked the tool)
3) within Google, this meant extra whitelisting headaches

The new method also isn't perfect because Application Default Credentials obtained via gcloud are supposed to be used primarily for local testing, and don't support setting any custom scopes.  However, we don't need custom scopes for this, and the smoother flow is worth it.

In the longer term, once the CLI is using OAuth to talk to the app itself, we'll be able to switch to the "best practice" option of also using those credentials for talking to the BigQuery API.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=145120770

2017-01-25 12:21:07 -05:00

com/google/testing/builddefs

Restructure Maven dependencies in build

2017-01-09 11:59:04 -05:00

google/registry

Make BigqueryCommand use application default creds

2017-01-25 12:21:07 -05:00