🐛Destination-gcs\destination-bigquery(gcs) - updated check() method to handle that user has both storage.objects.create and storage.multipartUploads.create roles

[etsybaev]

What

On write the S3StreamTransferManagerHelper is performing a multipart upload.
On GCS storage.multipartUploads.create permission is required to write an object to the bucket, the check only requires storage.objects.create permission.
If the service account has storage.objects.create permission but not storage.multipartUploads.create the check will pass but the sync will fail.

Recommended reading order:

1. GcsDestination.java
2. DestinationAcceptanceTest.java
   P.S. ignore python files, there are only auto-formatting updates that occurred after running format command ("./gradlew --no-daemon format --scan")

How

Updated check method to check both roles.

!!!!!! TODO once approved !!!!!!!!:

• perform final test for user with missed roles for Multipart upload
• pass PR checklists
• update versions
• update changelog
• publish destination-gcs, destination-bigquery and destination-bigquery-denormalized

Also tested locally on UI:
here is the result for user without multipart upload role (fails with AccessDenied and printed expected roles):

Here is the result for user with all expected roles (verification passed):

User Impact

No breaks backward compatibility expected

Pre-merge Checklist

Expand the relevant checklist and delete the others.

New Connector

Community member or Airbyter

• Community member? Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Connector's bootstrap.md. See description and examples
  • docs/SUMMARY.md
  • docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
  • docs/integrations/README.md
  • airbyte-integrations/builds.md
• PR name follows PR naming conventions

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• Credentials added to Github CI. Instructions.
• /test connector=connectors/<name> command is passing.
• New Connector version released on Dockerhub by running the /publish command described here
• After the connector is published, connector added to connector index as described here
• Seed specs have been re-generated by building the platform and committing the changes to the seed spec files, as described here

Updating a connector

Community member or Airbyter

• Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Connector's bootstrap.md. See description and examples
  • Changelog updated in docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
• PR name follows PR naming conventions

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• Credentials added to Github CI. Instructions.
• /test connector=connectors/<name> command is passing.
• New Connector version released on Dockerhub by running the /publish command described here
• After the new connector version is published, connector version bumped in the seed directory as described here
• Seed specs have been re-generated by building the platform and committing the changes to the seed spec files, as described here

[alexandertsukanov]

Finished with review, left comments.

[alexandertsukanov]

CC: @etsybaev

[alexandr-shegeda]

LGTM. we can proceed with publishing and merging without airbyte review

[tuliren]

It looks like the worker is not needed?

[etsybaev]

Hi @tuliren.
I've added a new test for insufficient roles verification that calls runCheck method. If fails like this if airbyte-workers haven't been added.

But you're right, that this is not required for the whole project, moved it to integrationTestJavaImplementation dependency.
Thanks

[etsybaev]

/test connector=connectors/destination-gcs

🕑 connectors/destination-gcs https://github.com/airbytehq/airbyte/actions/runs/1678649927
✅ connectors/destination-gcs https://github.com/airbytehq/airbyte/actions/runs/1678649927
No Python unittests run

[etsybaev]

/test connector=connectors/destination-gcs

🕑 connectors/destination-gcs https://github.com/airbytehq/airbyte/actions/runs/1678759003
✅ connectors/destination-gcs https://github.com/airbytehq/airbyte/actions/runs/1678759003
No Python unittests run

[etsybaev]

/publish connector=connectors/destination-gcs

🕑 connectors/destination-gcs https://github.com/airbytehq/airbyte/actions/runs/1678835314
✅ connectors/destination-gcs https://github.com/airbytehq/airbyte/actions/runs/1678835314

[etsybaev]

/test connector=connectors/destination-bigquery

🕑 connectors/destination-bigquery https://github.com/airbytehq/airbyte/actions/runs/1678911770
✅ connectors/destination-bigquery https://github.com/airbytehq/airbyte/actions/runs/1678911770
Python tests coverage:

	 ---------- coverage: platform linux, python 3.8.10-final-0 -----------
	 Name                                                              Stmts   Miss  Cover
	 -------------------------------------------------------------------------------------
	 main_dev_transform_catalog.py                                         3      3     0%
	 main_dev_transform_config.py                                          3      3     0%
	 normalization/__init__.py                                             4      0   100%
	 normalization/destination_type.py                                    13      0   100%
	 normalization/transform_catalog/__init__.py                           2      0   100%
	 normalization/transform_catalog/catalog_processor.py                143     77    46%
	 normalization/transform_catalog/destination_name_transformer.py     155      8    95%
	 normalization/transform_catalog/reserved_keywords.py                 13      0   100%
	 normalization/transform_catalog/stream_processor.py                 520    333    36%
	 normalization/transform_catalog/table_name_registry.py              174     34    80%
	 normalization/transform_catalog/transform.py                         45     26    42%
	 normalization/transform_catalog/utils.py                             33      7    79%
	 normalization/transform_config/__init__.py                            2      0   100%
	 normalization/transform_config/transform.py                         148     34    77%
	 -------------------------------------------------------------------------------------
	 TOTAL                                                              1258    525    58%

[etsybaev]

/test connector=connectors/destination-bigquery-denormalized

🕑 connectors/destination-bigquery-denormalized https://github.com/airbytehq/airbyte/actions/runs/1678913040
❌ connectors/destination-bigquery-denormalized https://github.com/airbytehq/airbyte/actions/runs/1678913040
🐛

🕑 connectors/destination-bigquery-denormalized https://github.com/airbytehq/airbyte/actions/runs/1678913040
❌ connectors/destination-bigquery-denormalized https://github.com/airbytehq/airbyte/actions/runs/1678913040
🐛

🕑 connectors/destination-bigquery-denormalized https://github.com/airbytehq/airbyte/actions/runs/1678913040
❌ connectors/destination-bigquery-denormalized https://github.com/airbytehq/airbyte/actions/runs/1678913040
🐛

[etsybaev]

/publish connector=connectors/destination-bigquery

🕑 connectors/destination-bigquery https://github.com/airbytehq/airbyte/actions/runs/1679024050
✅ connectors/destination-bigquery https://github.com/airbytehq/airbyte/actions/runs/1679024050

[etsybaev]

The bigquery-denormalized connector currently seems to have broken integration tests after recent merging another PR. So the version will be bumped as part of its fixing

[mjaggard]

@etsybaev This change seems to require either storage.multipartUploads.listParts or storage.multipartUploads.list or both. Without them but with the listed permissions I got Access Denied when trying to add a destination.

[tuliren]

@etsybaev This change seems to require either storage.multipartUploads.listParts or storage.multipartUploads.list or both. Without them but with the listed permissions I got Access Denied when trying to add a destination.

@mjaggard, the listParts and list should not be necessary. Only the following permissions are required:

Here is the doc:

This user or account will require the following permissions for the bucket:

storage.multipartUploads.abort
storage.multipartUploads.create
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

[tuliren]

Actually let me double check that our integration test is using a service account that only has these six permissions.

[tuliren]

The integration test passed locally with the six permissions, but failed on CI. I will look into it. #9631

[tuliren]

I did not have time to fully investigate this last week. Will do it on Monday.