feat: add support for new setAllowHardBoundTokens field. #3467
Conversation
cc: @rockspore
Thanks for the PR, Riya! Not up to me but LGTM.
@@ -126,6 +127,7 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP | |||
@Nullable private final Boolean allowNonDefaultServiceAccount; | |||
@VisibleForTesting final ImmutableMap<String, ?> directPathServiceConfig; | |||
@Nullable private final MtlsProvider mtlsProvider; | |||
@Nullable private final ArrayList<String> allowedValues; |
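Review bot: `allowedValues` on the last line of this hunk is declared as a concrete, mutable `ArrayList<String>`, and the name alone does not say what the values gate. The class already uses `ImmutableMap` for `directPathServiceConfig` on the line above; store this as an `ImmutableList` (or a defensive copy) under a name such as `allowedHardBoundTokenTypes`, so a caller that keeps a reference to the list cannot change the provider's policy after it is built. Being `@Nullable` as well means every consumer must null-check before use; an empty immutable list would remove that branch.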
Should this variable name be more specific? Reading it alone doesn't tell you where these values will be used.
Thanks for calling this out! I updated this variable name to allowedHardBoundTokenTypes, WDYT?
LGTM. Thanks.
What is the usage of this new
@@ -97,6 +98,9 @@ public interface TransportChannelProvider { | |||
*/ | |||
TransportChannelProvider withEndpoint(String endpoint); | |||
|
|||
/** Sets the allowed hard bound token types. */ | |||
TransportChannelProvider setAllowHardBoundTokens(ArrayList<String> allowedValues); |
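Review bot: adding `setAllowHardBoundTokens(ArrayList<String> allowedValues)` as an abstract method on the public `TransportChannelProvider` interface forces every implementation, including the HTTP/JSON ones that have no ALTS or S2A mTLS channel to bind a token to, to implement it, and breaks any third-party implementor of the interface. If it has to stay on the interface, give it a `default` body that throws `UnsupportedOperationException` and accept `List<String>` rather than `ArrayList<String>`; otherwise keep it on `InstantiatingGrpcChannelProvider` only. The one-line Javadoc "Sets the allowed hard bound token types." should also say what a hard bound token type is and what the strings are expected to contain.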
I think this field is going to be only used by gRPC transport per the internal doc? And the teams that would use it are all handwritten libraries? If that's the case, I think they are likely going to initialize an InstantiatingGrpcChannelProvider in their repo directly and pass it to Gax, so can we only add this to InstantiatingGrpcChannelProvider?
> I think this field is going to be only used by gRPC transport per the internal doc?

That is correct, hard bound tokens are only for gRPC.

> I think they are likely going to initialize an InstantiatingGrpcChannelProvider in their repo directly and pass it to Gax, so can we only add this to InstantiatingGrpcChannelProvider?

I think this will work since I believe the libraries separate their logic for HTTP and gRPC, so they don't end up using the interface TransportChannelProvider. Looking at GCS for example, this is the case.

@rockspore can you confirm that the places you want to use this setting are using the InstantiatingGrpcChannelProvider directly, not the interface TransportChannelProvider?
For Cloud Spanner, I found this so it seems to be the case too, although I don't see where it gets called by default.

So yeah it should be good if we only do this in InstantiatingGrpcChannelProvider, as long as we have a way to set these default values eventually to all auto-generated clients.
@rockspore The link you referred to is a generated default instance of InstantiatingGrpcChannelProvider, which I believe will be overridden later in their handwritten code.

Either way, they are using InstantiatingGrpcChannelProvider directly, not the interface. And since it is used within InstantiatingGrpcChannelProvider only, we don't need to expose a getter for it either. Hence it should be fine if we only add it to InstantiatingGrpcChannelProvider.
Thanks for the details! It makes perfect sense.
Thanks all for the discussion! Done in 60dafd0
I believe we discussed this in the chat offline. To summarize, it'll be used by clients (libraries) to indicate if they want MTLS / DirectPath bound tokens. Please let me know if there is anything we can make more clear.
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
Can you please also add some test coverage for this change?
* <p>allowedValues is {HardBoundTokenTypes.ALTS}: If DirectPath is used to create the channel, | ||
* use hard ALTS-bound tokens for requests sent on that channel. | ||
* | ||
* <p>allowedValues is {HardBoundTokenTypes.MTLS_S2A}: If MTLS via S2A is used to create the | ||
* channel, use hard MTLS-bound tokens for requests sent on that channel. | ||
* | ||
* <p>allowedValues is {HardBoundTokenTypes.ALTS, HardBoundTokenTypes.MTLS_S2A}: if DirectPath | ||
* is used to create the channel, use hard ALTS-bound tokens for requests sent on that channel. | ||
* If MTLS via S2A is used to create the channel, use hard MTLS-bound tokens for requests sent | ||
* on that channel. |
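Review bot: this Javadoc still calls the parameter `allowedValues`, while the field was renamed to `allowedHardBoundTokenTypes` earlier in this review; the two names should agree. More importantly, the three cases describe behaviour (which token is used on a DirectPath channel versus an S2A mTLS channel) that this PR does not implement, so a reader will take the setter to do something it does not yet do; either scope the text to what the setter currently records, or move the per-value description next to the channel-creation logic when that lands. The `{HardBoundTokenTypes.ALTS, HardBoundTokenTypes.MTLS_S2A}` notation also reads like a Java initializer; "contains both ALTS and MTLS_S2A" is clearer for a list parameter.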
This logic is not part of this setter; I suppose it is part of a subsequent PR? Perhaps move this explanation there. In the future, if this logic changes, it is easy to miss updating here.
Agree that maybe the detailed explanation can be moved to the subsequent PR. The public doc for this method should be more like "What is HardBoundTokenTypes?", not "What would happen if we set HardBoundTokenTypes to different values?". But if listing the different behavior is the best way to explain "What is HardBoundTokenTypes?", I think this is OK too.
Thanks for calling this out! Looking at this again agreed that the behavior of setting the field to different values should be paired with the logic. Updated the javadoc to specify what the field means. Also made the enum javadoc a bit more specific.
* or S2A is used to estabilsh a connection to Google APIs. | ||
* | ||
*/ | ||
public enum HardBoundTokenTypes { |
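Review bot: "estabilsh" in the Javadoc above the enum should be "establish". Since the enum is meant to be set only by client libraries and the feature is still experimental, mark `HardBoundTokenTypes` as an internal API the same way the setter is, so external callers are not invited to depend on constants whose names or count may change once the mTLS logic is added.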
Does it make sense to also mark this as internal?
Agree on making this internal as well.

Thinking twice about it though, I see that it is an Experimental feature, is it that we will always set the tokens to certain values? Or it's just this feature is not stable yet, internal teams could still set this to different values? If it's the former, then we don't have to introduce another public enum since they would be obsolete soon.
Agreed that this should be marked as Internal Api, since this is intended to be set by client libraries. Done in 591ef68

This is being marked as experimental for now, since we are in the process of adding the related logic (e.g. #3548, #3572) and then piloting, as discussed in the internal doc + chat. When the feature is non-experimental, the field (allowedHardBoundTokenTypes) will be set for all gapics to include both (MTLS_S2A and ALTS), however handwritten libraries will continue to set this field (allowedHardBoundTokenTypes) themselves in their handwritten layer (e.g. GCS). Additionally, when it is non-experimental, gapics + handwritten libraries will have the option to override the default value of the allowedHardBoundTokenTypes. I think the enum helps to provide clarity on the options.
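The thread explains the field in two places: the summary that client libraries use it to opt in to mTLS and DirectPath bound tokens, and the default above, where generated clients will eventually get both types while handwritten libraries (GCS is the example given) keep setting it themselves. The following Java program is an added illustrative model of that policy, not code from gax or from this PR. The enum names `ALTS` and `MTLS_S2A` come from the thread; the `ChannelTransport` and `TokenBinding` enums, the `GAPIC_DEFAULT` constant, and the `bindingFor` method are assumptions made for the example. It also shows the defensive-copy point raised on the `ArrayList` field: a caller that mutates its own list after handing it over must not widen the provider's policy.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/** Illustrative model (not gax code) of how an allowed-types list picks a token binding. */
public final class HardBoundTokenPolicyExample {

  /** Mirrors the two option names discussed in the PR thread. */
  public enum HardBoundTokenTypes { ALTS, MTLS_S2A }

  /** Assumed classification of how the gRPC channel was actually established. */
  public enum ChannelTransport { DIRECTPATH_ALTS, MTLS_VIA_S2A, PLAIN_TLS }

  /** Assumed outcome: which kind of access token the client should fetch for the channel. */
  public enum TokenBinding { ALTS_BOUND, MTLS_BOUND, UNBOUND }

  /** Assumed default for generated clients once the feature is stable: both types allowed. */
  public static final Set<HardBoundTokenTypes> GAPIC_DEFAULT =
      Collections.unmodifiableSet(
          EnumSet.of(HardBoundTokenTypes.ALTS, HardBoundTokenTypes.MTLS_S2A));

  private final Set<HardBoundTokenTypes> allowedHardBoundTokenTypes;

  /** Copies the caller's collection; null is treated as "no hard-bound tokens allowed". */
  public HardBoundTokenPolicyExample(Collection<HardBoundTokenTypes> allowed) {
    EnumSet<HardBoundTokenTypes> copy = EnumSet.noneOf(HardBoundTokenTypes.class);
    if (allowed != null) {
      copy.addAll(allowed);
    }
    this.allowedHardBoundTokenTypes = Collections.unmodifiableSet(copy);
  }

  /**
   * A hard-bound token is requested only when the channel provides that binding AND the
   * library opted in to it. Every other combination falls back to an unbound token rather
   * than a token bound to a transport the channel does not use.
   */
  public TokenBinding bindingFor(ChannelTransport transport) {
    switch (transport) {
      case DIRECTPATH_ALTS:
        return allowedHardBoundTokenTypes.contains(HardBoundTokenTypes.ALTS)
            ? TokenBinding.ALTS_BOUND
            : TokenBinding.UNBOUND;
      case MTLS_VIA_S2A:
        return allowedHardBoundTokenTypes.contains(HardBoundTokenTypes.MTLS_S2A)
            ? TokenBinding.MTLS_BOUND
            : TokenBinding.UNBOUND;
      default:
        return TokenBinding.UNBOUND;
    }
  }

  public static void main(String[] args) {
    // Handwritten library that opts in to ALTS binding only.
    List<HardBoundTokenTypes> callerList = new ArrayList<>();
    callerList.add(HardBoundTokenTypes.ALTS);
    HardBoundTokenPolicyExample altsOnly = new HardBoundTokenPolicyExample(callerList);

    // The caller mutating its list afterwards must not change the policy already captured.
    callerList.add(HardBoundTokenTypes.MTLS_S2A);

    System.out.println("ALTS-only, DirectPath -> " + altsOnly.bindingFor(ChannelTransport.DIRECTPATH_ALTS));
    System.out.println("ALTS-only, S2A mTLS   -> " + altsOnly.bindingFor(ChannelTransport.MTLS_VIA_S2A));
    System.out.println("ALTS-only, plain TLS  -> " + altsOnly.bindingFor(ChannelTransport.PLAIN_TLS));

    // Generated client using the assumed default of both types.
    HardBoundTokenPolicyExample gapic = new HardBoundTokenPolicyExample(GAPIC_DEFAULT);
    System.out.println("default, S2A mTLS     -> " + gapic.bindingFor(ChannelTransport.MTLS_VIA_S2A));

    // Field never set (null), as with a @Nullable field left at its default.
    HardBoundTokenPolicyExample unset = new HardBoundTokenPolicyExample(null);
    System.out.println("unset, DirectPath     -> " + unset.bindingFor(ChannelTransport.DIRECTPATH_ALTS));
  }
}
```

The point worth carrying into the real change is the last branch of `bindingFor`: a plain TLS channel, or a channel whose binding the library did not opt in to, gets an unbound token, never a token bound to some other transport. The constructor's copy into an `EnumSet` is what makes the `ALTS`-only provider keep ignoring `MTLS_S2A` even after the caller appends it to the original list.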
Added to

JFYI, this will be more meaningfully tested in #3572 (not ready for review yet) and later on when MTLS logic is added.

Since we don't expose a getter and we don't need one, I think this is good enough for now. I guess we are going to test in the subsequent PR that the channel would be created differently when passing different values?

@blakeli0, One thing: when we are setting this field from the gapic generator, is it ok to have this enum? IIUC the gapic generator would then have to depend on gax-grpc in order to be able to set the field to {MTLS_S2A, ALTS} for example. Is this ok? If not, should we switch this back to a string? cc: @lqiu96, @zhumin8 since I recall we discussed these changes to gapic generator in the internal doc.

That's correct. @rockspore 's #3572 for example will likely introduce some tests that make sure that the correct credential (one that can fetch hard ALTS bound tokens) is created when this list includes ALTS and when DirectPath gets picked.

/gcbrun

Yes it does. Using java-language as an example, the generated code would likely be added to this method.

Thanks for the code pointer!
LGTM. Please change the PR title to follow the conventional commits.
LGTM
Done.
🤖 I have created a release *beep* *boop*

---

<details><summary>2.52.0</summary>

## [2.52.0](v2.51.1...v2.52.0) (2025-01-24)

### Features

* add support for new setAllowHardBoundTokens field. ([#3467](#3467)) ([38431a2](38431a2))
* revert [#3400](#3400): reintroduce experimental S2A integration in client libraries grpc transport ([#3548](#3548)) ([65a0f11](65a0f11))

### Dependencies

* update dependency com.google.api-client:google-api-client-bom to v2.7.2 ([#3578](#3578)) ([f6e5ad9](f6e5ad9))
* update dependency commons-codec:commons-codec to v1.17.2 ([#3557](#3557)) ([07ce801](07ce801))
* update dependency gitpython to v3.1.44 ([#3559](#3559)) ([e924db0](e924db0))
* update dependency org.checkerframework:checker-qual to v3.48.4 ([#3560](#3560)) ([a4726e9](a4726e9))
* update dependency smmap to v5.0.2 ([#3561](#3561)) ([6cd5d0d](6cd5d0d))
* update docker.io/library/alpine docker tag to v3.21.1 ([#3551](#3551)) ([edd5a4c](edd5a4c))
* update docker.io/library/alpine docker tag to v3.21.2 ([#3580](#3580)) ([f577ecd](f577ecd))
* update docker.io/library/maven:3.9.9-eclipse-temurin-11-alpine docker digest to 9a259c6 ([#3554](#3554)) ([eb2cbd6](eb2cbd6))
* update docker.io/library/python:3.13.1-alpine3.20 docker digest to 9ab3b6e ([#3555](#3555)) ([40a74fe](40a74fe))
* update google auth library dependencies to v1.31.0 ([#3577](#3577)) ([7fa879a](7fa879a))
* update googleapis/java-cloud-bom digest to c7c443f ([#3579](#3579)) ([fcf40b7](fcf40b7))
* update repo-automation-bots digest to 0a12b5d ([#3464](#3464)) ([b9c9d21](b9c9d21))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Introduce new setAllowHardBoundTokens field.