-
Notifications
You must be signed in to change notification settings - Fork 231
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: service sccount to service account impersonation to support universe domain #1528
Conversation
…orrectly tests intended codepath.
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
} catch (IOException e) { | ||
throw new IOException("Unable to refresh sourceCredentials", e); | ||
// skip for nonGDU because it uses self-signed JWT | ||
// and will get refreshed at initialize request step |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still not sure why this call is required for GDU but not required for nonGDU, is there any feature that is only supported in GDU?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am convinced that this is not needed for nonGDU, reasons in description above.
For GDU, I am not 100% convinced that this is required before initialize step. But out of precautious, I do not want to change the flow for GDU in this pr. I will raise a separate issue to investigate for GDU flow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to answer Blake's question - GDU has token endpoint, nonGDU does not :)
SSJ is a primary flow is GDU now as well. This should be a fallback scenario if SSJ is disabled, execute conditionally if SSJ flag is disabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated condition to also skip for GDU SSJ flow.
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java
Outdated
Show resolved
Hide resolved
@@ -724,6 +787,12 @@ public Calendar getCalendar() { | |||
return this.calendar; | |||
} | |||
|
|||
@Override | |||
public Builder setUniverseDomain(String universeDomain) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we have to override this method as it is already public in the parent. I noticed that it seems we are overriding the builder methods in other subclasses of the builder, but I think that was a mistake.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I debated this in my mind. One benefit I see overriding the setter allows for a fluent builder API where method calls can be chained without requiring explicit casting to ImpersonatedCredentials. In this case, I feel it provides a slightly better experience for users setting explicit UD
So user can do
ImpersonatedCredentials.newBuilder()
.setUniverseDomain("explicit.domain.com");
instead of casting:
(ImpersonatedCredentials) ImpersonatedCredentials.newBuilder()
.setUniverseDomain("explicit.domain.com");
While generally it's best to avoid overriding public methods if possible, override setters in Builders is kind of a special case and more acceptable. .e.g. overriding Builder setters seems to be a pattern in other libraries like Guava (example)
One other concern is removing other overrides in other credential classes will be breaking change to customers code.
That said, I don't feel too strongly about this, and I believe exposing this setter is not a hard requirement for now. If you have any other concerns, I can remove this for now. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think customers have to cast the credential to ImpersonatedCredentials
to setUniverseDomain()
, I verified in my local that it works. Can you please double check it?
For the Guava example, yes they are doing it because there are some additional logics, but we are not doing anything special other than calling super.setUniverseDomain()
. So I think we can delete it at this moment and add it later if needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confirming that explicit overrides were added to avoid casting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Min and I confirmed that we do need explicit casting right now. However, the problem is that the parent builder's setters should return the child types. I created a demo PR for a potential fix. Also see how protobuf's GeneratedMessageV3 does it.
That being said, this should be separate problem to solve, so it's OK to override the parent's setters right now.
super.getRequestMetadata(uri, executor, callback); | ||
} | ||
} catch (IOException e) { | ||
// Wrap it here to avoid breaking change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What would be a breaking change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added to comment, to throw IOException would be breaking.
@@ -266,8 +266,8 @@ protected boolean isExplicitUniverseDomain() { | |||
* @return true if universeDomain equals to {@link Credentials#GOOGLE_DEFAULT_UNIVERSE}, false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update docs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good, there is a pending discussion on explicit UD
…lso allow method chaining without casting.
…de but also allow method chaining without casting." This reverts commit 78d3a03.
…ches the source credential, otherwise throw.
@blakeli0 @TimurSadykov Can you please take another look? Changes since you last reviewed: note: kokoro tests are failing because trampoline is disabled at the moment. |
Quality Gate passedIssues Measures |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
for context: b/340602527
Changes in this pr:
Override
getUniverseDomain()
to grab source credentials’s universe domain (UD) by default. Always use source credentials UD, not explicit provided UD. (In current design, impersonated credentials may not have universe domain in the outer layer. relay on UD from source credential. This may change in future)Fix
isDefaultUniverseDomain()
inGoogleCredentials
to account forgetUniverseDomain()
overrides in child classes.In refreshAccessToken(), use endpoint url pattern to account for TPC case.
Throw IllegalStateException if UD is explicitly set (with parent class setter) and not matching source credential's UD
Fix toBuilder() to invoke super, and fix related issue with createScoped. (see fix: Invalidate the SA's AccessToken when createScoped() is called #1489, fix: ComputeEngineCredentials.createScoped should invalidate existing AccessToken #1428); Also fix equals() to compare super first.
Not in this pr:
sa-to-sa impersonation is successfully E2E tested for TPC usage according to go/prptst-testing-service-account-impersonation.