Add support for new setAllowHardBoundTokens field. #3467
Conversation
|
cc: @rockspore |
| @@ -126,6 +127,7 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP | |||
| @Nullable private final Boolean allowNonDefaultServiceAccount; | |||
| @VisibleForTesting final ImmutableMap<String, ?> directPathServiceConfig; | |||
| @Nullable private final MtlsProvider mtlsProvider; | |||
| @Nullable private final ArrayList<String> allowedValues; | |||
There was a problem hiding this comment.
Should this variable name be more specific? Reading it alone doesn't tell you where these values will be used.
There was a problem hiding this comment.
Thanks for calling this out! I updated this variable name to allowedHardBoundTokenTypes, WDYT?
|
What is the usage of this new |
| @@ -97,6 +98,9 @@ public interface TransportChannelProvider { | |||
| */ | |||
| TransportChannelProvider withEndpoint(String endpoint); | |||
|
|
|||
| /** Sets the allowed hard bound token types. */ | |||
| TransportChannelProvider setAllowHardBoundTokens(ArrayList<String> allowedValues); | |||
There was a problem hiding this comment.
I think this field is going to be only used by gRPC transport per the internal doc? And the teams that would use it are all handwritten libraries? If that's the case, I think they are likely going to initialize an InstantiatingGrpcChannelProvider in their repo directly and pass it to Gax, so can we only add this to InstantiatingGrpcChannelProvider?
There was a problem hiding this comment.
I think this field is going to be only used by gRPC transport per the internal doc?
That is correct, hard bound tokens is only for gRPC.
I think they are likely going to initialize an
InstantiatingGrpcChannelProviderin their repo directly and pass it to Gax, so can we only add this toInstantiatingGrpcChannelProvider?
I think this will work since I believe the libraries separate their logic for HTTP and gRPC, so they don't end up using the interface TransportChannelProvider. Looking at GCS for example, this is the case
@rockspore can you confirm that the places you want to use this setting are using the InstantiatingGrpcChannelProvider directly, not the interface TransportChannelProvider?
There was a problem hiding this comment.
For Cloud Spanner, I found this so it seems to be the case too, although I don't see where it gets called by default.
So yeah it should be good if we only do this in InstantiatingGrpcChannelProvider, as long as we have a way to set these default values eventually to all auto-generated clients.
There was a problem hiding this comment.
@rockspore The link you referred to is a generated default instance of InstantiatingGrpcChannelProvider, which I believe will be overridden later in their handwritten code.
Either way, they are using InstantiatingGrpcChannelProvider directly not the interface. And since it is used within InstantiatingGrpcChannelProvider only, we don't need to expose a getter for it either. Hence it should be fine if we only add it to InstantiatingGrpcChannelProvider.
There was a problem hiding this comment.
Thanks for the details! It makes perfect sense.
There was a problem hiding this comment.
Thanks all for the discussion! Done in 60dafd0
I believe we discussed this in the chat offline. To summarize it'll be used by clients (libraries) to indicate if they want MTLS / Directpath bound tokens. Please let me know if there is anything we can make more clear. |
product-auto-label
bot
added
size: s
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
Outdated
Show resolved
Hide resolved
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
Outdated
Show resolved
Hide resolved
| @@ -700,6 +708,11 @@ public Builder setEndpoint(String endpoint) { | |||
| return this; | |||
| } | |||
|
|
|||
| public Builder setAllowHardBoundTokenTypes(ArrayList<String> allowedValues) { | |||
There was a problem hiding this comment.
Do we expect customers to set this? Or only internal teams like Spanner/Storage to set it? If it is the latter, can we mark this method as @InternalApi?
There was a problem hiding this comment.
Right we don't want external customers to set it.
There was a problem hiding this comment.
We only expect internal teams to set this field, marked as @InternalApi in e193cc9
product-auto-label
bot
added
size: xs
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
Show resolved
Hide resolved
| @@ -700,6 +703,12 @@ public Builder setEndpoint(String endpoint) { | |||
| return this; | |||
| } | |||
|
|
|||
| @InternalApi | |||
| public Builder setAllowHardBoundTokenTypes(List<String> allowedValues) { | |||
There was a problem hiding this comment.
What are the possible values of allowedValues? I think there are only two possible values so far per internal doc, if that's the case, can they be Enums so it's less error prone?
There was a problem hiding this comment.
Yes we can capture the allowed values in an enum. Done in 0e40f22
product-auto-label
bot
added
size: s
| * <p>allowedValues is {HardBoundTokenTypes.ALTS}: If DirectPath is used to create the channel, | ||
| * use hard ALTS-bound tokens for requests sent on that channel. | ||
| * | ||
| * <p>allowedValues is {HardBoundTokenTypes.MTLS_S2A}: If MTLS via S2A is used to create the | ||
| * channel, use hard MTLS-bound tokens for requests sent on that channel. | ||
| * | ||
| * <p>allowedValues is {HardBoundTokenTypes.ALTS, HardBoundTokenTypes.MTLS_S2A}: if DirectPath | ||
| * is used to create the channel, use hard ALTS-bound tokens for requests sent on that channel. | ||
| * If MTLS via S2A is used to create the channel, use hard MTLS-bound tokens for requests sent | ||
| * on that channel. |
There was a problem hiding this comment.
These logic is not part of this setter, I suppose is part of a subsequent PR? Perhaps move this explanation there. In the future, if this logic changes, it is easy to miss updating here.
There was a problem hiding this comment.
Agree that maybe the detailed explanation can be moved to the subsequent PR. The public doc for this method should be more like "What is HardBoundTokenTypes?", not "What would happen if we set HardBoundTokenTypes to different values?". But if listing the different behavior is the best way to explain "What is HardBoundTokenTypes?", I think this is OK too.
| * or S2A is used to estabilsh a connection to Google APIs. | ||
| * | ||
| */ | ||
| public enum HardBoundTokenTypes { |
There was a problem hiding this comment.
Does it make sense to also mark this as internal?
There was a problem hiding this comment.
Agree on making this internal as well.
Thinking twice about it though, I see that it is an Experimental feature, is it that we will always set the tokens to certain values? Or it's just this feature is not stable yet, internal teams could still set this to different values? If it's the former, then we don't have to introduce another public enum since they would be obsolete soon.
Introduce new
setAllowHardBoundTokensfield.