fix: do not use the GAE APIs on gen2+ runtimes #807
Conversation
google-cla
bot
added
the
cla: yes
zevdg
force-pushed
the
gae-gen2-apis
branch
2 times, most recently
from
d0490ce
to
f4f3f0f
Compare
|
It's worth noting that this change could be disruptive if a user migrates their app from GAE gen1 to GAE gen2 with a version of google.auth that doesn't include this change. Then, instead of the ADC changing when they upgrade runtimes as the spec dictates, their ADC would change when they upgrade this library to include this change. As such, any migration guides should encourage users to upgrade this library to the latest py2-compatible version BEFORE migrating to gen2. Conversely, if we do not make this change, then gen2 users could run into the opposite problem. Their ADC could suddenly start returning an app_engine.Credential instead of a compute_engine.Credential if they (or one of their dependencies) adds appengine-python-standard to their requirements.txt. The sooner we land this change, the less people will be affected by either of those scenarios. |
busunkim96
added
the
kokoro:run
yoshi-kokoro
removed
the
kokoro:run
busunkim96
added
the
kokoro:run
yoshi-kokoro
removed
the
kokoro:run
busunkim96
changed the title
busunkim96
added
automerge
yoshi-kokoro
removed
the
kokoro:force-run
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
|
@zevdg Kokoro build failed because coverage test failed. It seems we need some additional unit tests to cover google/auth/_default.py line 243-245 and 251-255. |
|
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot. |
gcf-merge-on-green
bot
removed
the
automerge
Currently, this library uses the App Engine API in all environments if it can be imported successfully. This assumption made sense when the API was only available on gen1, but this is no longer the case. See https://github.com/GoogleCloudPlatform/appengine-python-standard In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute engine equivalent environment" even if the GAE APIs are importable. In other words, google.auth.default() must never return an app_engine.Credental on GAE gen2+.Currently, this library uses the App Engine API in all environments if it can be imported successfully. This assumption made sense when the API was only available on gen1, but this is no longer the case. See https://github.com/GoogleCloudPlatform/appengine-python-standard In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute engine equivalent environment" even if the GAE APIs are importable. In other words, google.auth.default() should not return an app_engine.Credental on GAE gen2+.
busunkim96
added
automerge
yoshi-kokoro
removed
the
kokoro:force-run
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
busunkim96
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
gcf-merge-on-green
bot
removed
the
automerge
Currently, this library uses the App Engine credentials in all environments if
the APIs can be imported successfully. This assumption made sense when
the API was only available on gen1, but this is no longer the case.
See https://github.com/GoogleCloudPlatform/appengine-python-standard
In order to comply with AIP-4115, we must treat GAE gen2+ as a "compute
engine equivalent environment" even if the GAE APIs are importable.
In other words, google.auth.default() should not return an
app_engine.Credental on GAE gen2+.