Enable auth via oauth2client: 3LO, Implicit from Environ, p12 and JSON service account

[silvolu]

Please leave this on hold until we move the credential dance into oauth2client and update apitools, I will update this issue tomorrow.

Things to be done (added by @dhermes):

• Use oauth2client.client.GoogleCredentials.get_application_default(). This still is "open" due to Detecting GCE sometimes takes forever. oauth2client#93
• Cover GAE service accounts (done via implicit in get_application_default)
• Cover GCE service accounts (done via implicit in get_application_default)
• Cover JSON service account credentials (done via implicit in get_application_default)
• Cover 3LO for people just getting started (Adding 3-legged auth for users getting started. #539)
• Cover p12 service account credentials (moved in 404 error on the 'pip install cloud' step of Datastore Quickstart #412 to gcloud.credentials.get_for_service_account_p12)

[silvolu]

I've been talking with @craigcitro this morning about moving parts of the credentials dance implemented in apitools into the oauth2client, I'll work on that this afternoon.

[dhermes]

w00t

I'm happy to help do this, I have done a fair amount of work in oauth2client.

[silvolu]

If you want to do it, it's all yours :)

[craigcitro]

+1, happy to accept pull requests -- as a heads-up, i'm about to do a giant merge over in oauth2client.

[dhermes]

@craigcitro

1. Can you ping this issue when the giant merge occurs?
2. I'd need a better understanding of what is happening in apitools before tackling, so as not to reinvent the wheel.
3. I am time-constrained so would need to prioritize. However in my experience auth takes a disproportionate amount of time for devs and we should work very hard to minimize it.

[silvolu]

@dhermes for 2) we can VC if you want, I'm busy now but I'll be free in the afternoon.
For 3), I'm happy to do it if you don't have time for it, just let me know!

[craigcitro]

giant merge is done, oauth2client now supports python3 at HEAD. (w00t!)

[dhermes]

@craigcitro is googleapis/google-api-python-client@0bf61f2 the relevant commit? I assume the October 15 date is because that's when you committed it locally?

[craigcitro]

nope, googleapis/oauth2client@0dacff1 -- oauth2client is in its own repo now.

[dhermes]

DERP. My bad.

[dhermes]

@silvolu just had a chat with @craigcitro and hope to tackle this soon.

Luckily most is handled by GoogleCredentials.get_application_default() but there are some rough edges to work around.

[dhermes]

I'll try to tackle 3LO with a user-flow this week.

[dhermes]

@silvolu Adding 3LO is as simple as documenting

gcloud auth login

and then telling them to call

from gcloud import credentials
creds = credentials.get_credentials()

If using just Datastore it's even more "just works":

from gcloud import datastore
datastore.set_defaults()

Where do you think this should go?

[silvolu]

In the gcloud-node docs the auth bits are in the snippets contained in the 'getting started with gcloud' section, but I think this is more relevant to using the demos we provide with gcloud-python, so it should probably go in the 'API x in 10 seconds' sections. @jgeewax ?

[jgeewax]

Would it make sense to have an "Authentication" section at the same hierarchy level as each of the services ?

If I'm a developer and I'm trying to get set up, the "... in 10 seconds" pages are great, but I might want more detail about stuff. 3LO is a "more detail" thing. "... in 10 seconds" would be how the typical person does this (and typically, I'd use a service account with 2LO).

Thoughts?

[silvolu]

"... in 10 seconds" would be how the typical person does this (and typically, I'd use a service account with 2LO).

It's currently showing how to use the demo, which is why it's where it makes sense to use 3LO (authorized with gcloud cli and reuse credentials vs create project, download key etc)

[jgeewax]

Might be worthwhile to toss in:

If I already have the Cloud SDK and the goal is "quickest way to get code actually working", then the gcloud auth login + datastore.set_defaults() is the fastest option. If they don't already have the SDK (which a lot of people don't -- nor do they want it...) then this is not the fastest way to get this moving.

Further, if we're measuring time from pip install to "running code on a server somewhere", then they'll have to use 2LO anyway, so they'll have to create a service account, pull down the key, and write code that uses that key (assuming they are not on GAE or GCE).

I'm in the group where I expect that talking to some outside service needs a "config.py" file of some sort (ie Django with settings.py) -- and I want to get that done right away. If there's magical "oh don't worry we hooked all the stuff together" then come deployment time I'm not the happiest camper because learning time is supposed to be coming to an end (maybe I'm the exception here). There's the edge case of "if I'm running in GCE", but unfortunately it is absurdly easy to screw this up (you have to click Advanced on your image at creation time and make sure that Datastore and whatever else is enabled -- otherwise you have to start over...)

Because of that, I'd want to highlight 2LO as "the way" to do this (including the "get a service account, pull down a JSON file, etc), and document 3LO as well, but not right in your face in the "... in 10 seconds" route.

Tell me if I'm totally crazy on this.