Skip to content

Remove --impersonate_service_account whenever PipelineOptions are serialized #32031

Merged
tvalentyn merged 2 commits intoapache:masterfrom
tvalentyn:impersonation_fix
Jul 31, 2024
Merged

Remove --impersonate_service_account whenever PipelineOptions are serialized #32031
tvalentyn merged 2 commits intoapache:masterfrom
tvalentyn:impersonation_fix

Conversation

@tvalentyn
Copy link
Copy Markdown
Contributor

@tvalentyn tvalentyn commented Jul 30, 2024

fixes: #32030 - see the issue description for context.

Some IOs capture pipeline options and inadvertently pass them to Dataflow runner:

https://github.com/apache/beam/blob/release-2.56.0/sdks/python/apache_beam/io/gcp/bigquery.py#L723
https://github.com/apache/beam/blob/release-2.56.0/sdks/python/apache_beam/io/gcp/bigquery.py#L1148

Given that more IOs might do this in the future, this PR adds a custom serialization logic to filter out the impersonate_service_account option whenever we serialize pipeline options, similarly to how we filter it out whenever we convert pipeline options into a proto:

beam/sdks/python/apache_beam/runners/dataflow/internal/apiclient.py

Line 281 in e7847c9

options_dict.pop('impersonate_service_account', None)

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

  • Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
  • Update CHANGES.md with noteworthy changes.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

Build python source distribution and wheels
Python tests
Java tests
Go tests

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jul 31, 2024

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @shunping for label python.
R: @kennknowles for label website.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

@tvalentyn
Copy link
Copy Markdown
Contributor Author

tvalentyn commented Jul 31, 2024

R; @stephenmw

@stephenmw
Copy link
Copy Markdown

stephenmw commented Jul 31, 2024

LGTM

Thanks!

@tvalentyn tvalentyn merged commit 2824944 into apache:master Jul 31, 2024
reeba212 pushed a commit to reeba212/beam that referenced this pull request Dec 4, 2024
@tvalentyn @reeba212
Remove --impersonate_service_account whenever PipelineOptions are s…
e3a0108 
…erialized (apache#32031)

* Remove the impersonate_service_account pipeline option during serialization.

* Update Changes.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Next Action: Reviewers python website

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: The --impersonate_service_account pipeline option may be accidentally used at runtime in Python BigQuery IO.

2 participants

@tvalentyn @stephenmw