diff --git a/tensorboard/uploader/auth.py b/tensorboard/uploader/auth.py
index ffbc34039d..6f546471c0 100644
--- a/tensorboard/uploader/auth.py
+++ b/tensorboard/uploader/auth.py
@@ -46,27 +46,32 @@
 )
 
 
+# The client "secret" is public by design for installed apps. See
+# https://developers.google.com/identity/protocols/OAuth2?csw=1#installed
+OAUTH_CLIENT_CONFIG = b"""
+{
+ "installed": {
+ "client_id": "373649185512-8v619h5kft38l4456nm2dj4ubeqsrvh6.apps.googleusercontent.com",
+ "project_id": "hosted-tensorboard-prod",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://oauth2.googleapis.com/token",
+ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+ "client_secret": "pOyAuU2yq2arsM98Bw5hwYtr",
+ "redirect_uris": [
+ "urn:ietf:wg:oauth:2.0:oob",
+ "http://localhost"
+ ]
+ }
+}
+"""
+
+
 # Components of the relative path (within the user settings directory) at which
 # to store TensorBoard uploader credentials.
 TENSORBOARD_CREDENTIALS_FILEPATH_PARTS = [
 "tensorboard", "credentials", "uploader-creds.json"]
 
 
-def application_default_credentials():
- """Returns the active Application Default Credentials.
-
- Returns:
- google.auth.credentials.Credentials: the current credentials.
-
- Raises:
- google.auth.exceptions.DefaultCredentialsError:
- If no credentials were found, or if the credentials found were invalid.
- """
- credentials, project_id = google.auth.default(scopes=OPENID_CONNECT_SCOPES)
- del project_id # unused
- return credentials
-
-
 class CredentialsStore(object):
 """Private file store for a `google.oauth2.credentials.Credentials`."""
 
diff --git a/tensorboard/uploader/uploader_main.py b/tensorboard/uploader/uploader_main.py
index 9767133c92..82b86beb4d 100644
--- a/tensorboard/uploader/uploader_main.py
+++ b/tensorboard/uploader/uploader_main.py
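Review bot: In the auth.py hunk, the comment above `OAUTH_CLIENT_CONFIG` says why the secret may be committed but not what follows from that: any program can present this client id and secret, so they identify the application only nominally, and the material that needs protecting is the per-user token that `CredentialsStore` persists. I would extend the comment with something like `# Not a credential: nothing may rely on it to authenticate the uploader; the per-user tokens in CredentialsStore are the sensitive part.`, which also gives whoever triages a secret-scanner hit on this line the answer in place. Separately, the literal is `b"""` and the other file in this commit passes it to `json.loads`, which accepts bytes only from Python 3.6 on; a text literal avoids a `TypeError` if 3.5 is still supported.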
@@ -101,13 +101,6 @@ def _define_flags(parser):
 choices=('local', 'ssl', 'ssl_dev'),
 help='The type of credentials to use for the gRPC client')
 
- parser.add_argument(
- '--auth_type',
- type=str,
- default='user',
- choices=('adc', 'user', 'none'),
- help='The type of auth credentials to obtain and add to requests.')
-
 parser.add_argument(
 '--auth_force_console',
 action='store_true',
@@ -201,6 +194,15 @@ def _run(flags):
 sys.stderr.write('Logged out of uploader.\n')
 sys.stderr.flush()
 return
+ # TODO(b/141723268): maybe reconfirm Google Account prior to reuse.
+ credentials = store.read_credentials()
+ if not credentials:
+ _prompt_for_user_ack(intent)
+ client_config = json.loads(auth.OAUTH_CLIENT_CONFIG)
+ flow = auth.build_installed_app_flow(client_config)
+ credentials = flow.run(force_console=flags.auth_force_console)
+ sys.stderr.write('\n') # Extra newline after auth flow messages.
+ store.write_credentials(credentials)
 
 channel_options = None
 if flags.grpc_creds_type == 'local':
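Review bot: In the `@@ -201,6 +194,15 @@` hunk of `_run`, the consent prompt, `flow.run(...)` and `store.write_credentials(credentials)` now execute before `--grpc_creds_type` is checked; the `FlagsError` for an invalid value is raised further down, in the context at the top of the next hunk. A mistyped flag therefore costs the user a full sign-in and presumably leaves a stored token behind for a run that then aborts. Moving this block below the flag check, next to the `grpc.composite_channel_credentials(...)` call that consumes `credentials`, would keep validation ahead of any credential minting. `_run` starts and ends outside the hunk, so the lines between the two hunks are not visible here.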
@@ -214,27 +216,13 @@ def _run(flags):
 msg = 'Invalid --grpc_creds_type %s' % flags.grpc_creds_type
 raise base_plugin.FlagsError(msg)
 
- if flags.auth_type != 'none':
- if flags.auth_type == 'user':
- # TODO(b/141723268): determine if we should reconfirm the intended Google
- # Account used for uploading prior to reusing the stored credentials.
- credentials = store.read_credentials()
- if not credentials:
- _prompt_for_user_ack(intent)
- client_config = json.loads(dev_creds.DEV_OAUTH_CLIENT_CONFIG)
- flow = auth.build_installed_app_flow(client_config)
- credentials = flow.run(force_console=flags.auth_force_console)
- sys.stderr.write('\n') # Extra newline after auth flow messages.
- store.write_credentials(credentials)
- elif flags.auth_type == 'adc':
- credentials = auth.application_default_credentials()
- channel_creds = grpc.composite_channel_credentials(
- channel_creds, auth.id_token_call_credentials(credentials))
+ composite_channel_creds = grpc.composite_channel_credentials(
+ channel_creds, auth.id_token_call_credentials(credentials))
 
 # TODO(@nfelt): In the `_UploadIntent` case, consider waiting until
 # logdir exists to open channel.
 channel = grpc.secure_channel(
- flags.endpoint, channel_creds, options=channel_options)
+ flags.endpoint, composite_channel_creds, options=channel_options)
 with channel:
 intent.execute(channel)
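Review bot: With the `auth_type` branches removed, `auth.id_token_call_credentials(credentials)` is composed into the channel for every `--grpc_creds_type`, `local` included, and for whatever `--endpoint` is passed, and the old `--auth_type none` escape hatch is gone. If the call credentials carry the user's Google ID token, as the name suggests, a run against a development or mistyped endpoint now presents that token to that server. At minimum I would document this above the call, e.g. `# The user's ID token is attached for every --grpc_creds_type; only point --endpoint at servers trusted to receive it.`; checking the token's audience on the server side would be the stronger control, but nothing in this hunk shows whether that exists. `_run` begins and ends outside the hunk.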