feat(bigquery): support IAM conditions in datasets in Java client. #3602

Merged
merged 8 commits into from
Jan 2, 2025

@whuffman36 whuffman36 commented Dec 9, 2024

This PR enables the use of IAM conditions when accessing a dataset through the create, update, and get API endpoints. The following changes are necessary:

  • Add in a new Expr type in the Acl class for expressing the access conditions
  • Create a new DatasetOption field to set the access policy version
  • Set the access policy version before sending the rpc to the backend when applicable

Buganizer link: b/374156746
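
The read-modify-write flow the description above enables, as an added example that is not code from this PR or from the project: it reads a dataset with the access policy version set, appends a conditional ACL entry, and writes the list back with the same option. The four `Acl.Expr` fields match the getters visible in the review fragment below; `DatasetOption.accessPolicyVersion`, the three-argument `Acl.of` and `Acl.getCondition` are assumed names for the option and accessors the description lists, and the dataset name, group and condition values are placeholders.

```java
import com.google.cloud.bigquery.Acl;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQuery.DatasetOption;
import com.google.cloud.bigquery.BigQueryOptions;
import com.google.cloud.bigquery.Dataset;
import java.util.ArrayList;
import java.util.List;

public class ConditionalDatasetAccess {
  public static void main(String[] args) {
    String datasetName = "example_dataset"; // placeholder dataset
    BigQuery bigquery = BigQueryOptions.getDefaultInstance().getService();

    // IAM policy version 3 is the version that carries conditions.
    // Assumed option name, following the PR description.
    DatasetOption v3 = DatasetOption.accessPolicyVersion(3);

    // Read with the version set so existing conditional entries are returned.
    Dataset dataset = bigquery.getDataset(datasetName, v3);
    if (dataset == null) {
      throw new IllegalStateException("Dataset not found: " + datasetName);
    }

    // Expr(expression, title, description, location); placeholder values.
    Acl.Expr condition = new Acl.Expr(
        "request.time < timestamp('2026-01-01T00:00:00Z')",
        "expires-2026",
        "Read access until 2026-01-01 UTC",
        "added-example");

    // Placeholder group; the grant applies only while the condition holds.
    Acl conditional =
        Acl.of(new Acl.Group("analysts@example.com"), Acl.Role.READER, condition);

    List<Acl> acls = new ArrayList<>(dataset.getAcl());
    acls.add(conditional);

    // Write back with the same version so the condition is sent to the backend.
    Dataset updated = bigquery.update(dataset.toBuilder().setAcl(acls).build(), v3);

    // Audit step: list every entry that is gated by a condition.
    for (Acl acl : updated.getAcl()) {
      if (acl.getCondition() != null) {
        System.out.println(acl.getEntity() + " " + acl.getRole() + " if "
            + acl.getCondition().getExpression());
      }
    }
  }
}
```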

@product-auto-label product-auto-label bot added size: m Pull request size is medium. api: bigquery Issues related to the googleapis/java-bigquery API. labels Dec 9, 2024
@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: m Pull request size is medium. labels Dec 10, 2024
@whuffman36 whuffman36 marked this pull request as ready for review December 10, 2024 02:50
@whuffman36 whuffman36 requested a review from a team as a code owner December 10, 2024 02:50
@whuffman36 whuffman36 requested review from Neenu1995, shollyman and PhongChuong and removed request for Neenu1995 December 10, 2024 02:50
@whuffman36 whuffman36 self-assigned this Dec 10, 2024
bqExpr.getExpression(), bqExpr.getTitle(), bqExpr.getDescription(), bqExpr.getLocation());
}

@Override

Contributor

Include toString() as well as the normal methods like equals and hashcode?

Contributor Author

Good point, updated to have toString() method.

}
}
if (accessPolicyVersion != null) {
return bigquery

Contributor

nit: My worry here is if there's a divergence between this chain and the default execute(). Is it worth doing a single chain of builders with a conditional? Same with this pattern in the other RPCs (create, patch, etc).

Contributor Author

Yes, that approach seems cleaner. I updated the conditional to toggle only the access policy version instead of creating an entirely new RPC.

@Test
public void testGetDatasetWithAccessPolicyVersion() {
String accessPolicyDataset = RemoteBigQueryHelper.generateDatasetName();
User user = new User("[email protected]");

Contributor

Let's use a managed identity for this kind of thing rather than your own identity, particularly for an IT test. Same for the other tests that use your identity directly.

Contributor Author

I've updated the user to use a default bigquery account for now. I found the account in my test project and I'm not sure if every test account follows the same naming pattern. We discussed a bit offline but this works as a workaround for the time being until we figure out how to integrate a managed account.

Contributor Author

It appears that not all projects have the test account, as the integration tests failed due to the account not existing in the project. Looking into https://g3doc.corp.google.com/company/teams/eip-cloud/overground/user-guide/policies/org/iam.allowedPolicyMemberDomains.md?cl=head

Contributor Author

Looks like using the default credentials works in this test project, it was just failing in my personal test project. The tests are using the default managed identity now.

Use service account in integration test instead of hardcoded
personal account.

Change Database API calls to only have one branch, toggling only
the access policy version in a conditional.

Contributor

@PhongChuong PhongChuong left a comment

Thanks for the changes.

@whuffman36 whuffman36 merged commit 6696a9c into main Jan 2, 2025
17 checks passed
@whuffman36 whuffman36 deleted the iam-conditions branch January 2, 2025 21:19