Skip to content
This repository has been archived by the owner on Sep 26, 2023. It is now read-only.

feat: add allowNonDefaultServiceAccount option for DirectPath #1433

Merged
merged 3 commits into from Aug 5, 2021
Merged

feat: add allowNonDefaultServiceAccount option for DirectPath #1433

merged 3 commits into from Aug 5, 2021

Conversation

mohanli-ml
Copy link
Contributor

@mohanli-ml mohanli-ml commented Jul 23, 2021
edited

Add an option allowNonDefaultServiceAccount for cloud services to bypass the check that credential must be retrieved from the metadata server, which implicitly requires using the default service account. In this way, non-default service account can be used for DirectPath.

@mohanli-ml mohanli-ml requested review from a team as code owners July 23, 2021 04:22
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Jul 23, 2021
vam-google
vam-google approved these changes Aug 3, 2021
View reviewed changes
Copy link
Contributor

@vam-google vam-google left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, with a minor comment

gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
if (allowNonDefaultServiceAccount != null) {
return allowNonDefaultServiceAccount;
}
return credentials instanceof ComputeEngineCredentials;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this? I see there is already the isOnComputeEngine() method, so ideally we want to keep compute-engine specific check in one place. Also, this method (isNonDefaultServiceAccountAllowed()) is used only in conjunction with isOnComputeEngine() on line 324 of this file).

Copy link
Contributor Author

@mohanli-ml mohanli-ml Aug 3, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry the name might be misleading:

  1. isOnComputeEngine() checks the environment of the VM as DirectPath is allowed on Compute Engine/GKE but not App Engine.

  2. isNonDefaultServiceAccountAllowed() checks which service account the VM is using to access DirectPath. credential is instance of ComputeEngineCredentials guarantees that the VM is using the default service account (because the credential is retrieved from the metadata server), but it can not guarantee the environment (i.e., ComputeEngineCredentials can also be used on App Engine).

Based on the above understanding I think the two checks are different and should be kept.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@mohanli-ml
Copy link
Contributor Author

I updated the code. If the option is not set, or set to false, the code behavior should be the same as currently it is.

@vam-google vam-google merged commit 209b494 into googleapis:master Aug 5, 2021
gcf-merge-on-green bot pushed a commit that referenced this pull request Aug 11, 2021
@release-please
chore: release 2.1.0 (#1449)
a069701 
🤖 I have created a release \*beep\* \*boop\*
---
## [2.1.0](https://www.github.com/googleapis/gax-java/compare/v2.0.0...v2.1.0) (2021-08-11)


### Features

* add allowNonDefaultServiceAccount option for DirectPath ([#1433](https://www.github.com/googleapis/gax-java/issues/1433)) ([209b494](https://www.github.com/googleapis/gax-java/commit/209b4944feba1c62be2c9de4545e3b01a806b738))


### Bug Fixes

* fix httpjson executor ([#1448](https://www.github.com/googleapis/gax-java/issues/1448)) ([8f48b70](https://www.github.com/googleapis/gax-java/commit/8f48b7027b95e8e75872d1f9dac537ea697d0acc))
* make closeAsync don't interrupt running thread ([#1446](https://www.github.com/googleapis/gax-java/issues/1446)) ([7c6c298](https://www.github.com/googleapis/gax-java/commit/7c6c29824487346d444730388ea6967408692696))


### Dependencies

* update dependency com.google.api:api-common to v2.0.1 ([#1452](https://www.github.com/googleapis/gax-java/issues/1452)) ([a52f16f](https://www.github.com/googleapis/gax-java/commit/a52f16f6cef8340357acb374ff31c8a6f248403c))
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@vam-google vam-google vam-google approved these changes

Assignees
No one assigned
Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mohanli-ml @vam-google