Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pubsub: simple subscribers require permission pubsub.subscriptions.get since v1.10.2 #3947

Closed
p-jahn opened this issue Apr 15, 2021 · 3 comments · Fixed by #3985
Closed

pubsub: simple subscribers require permission pubsub.subscriptions.get since v1.10.2 #3947

p-jahn opened this issue Apr 15, 2021 · 3 comments · Fixed by #3985
Assignees
@hongalex
Labels
api: pubsub Issues related to the Pub/Sub API. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. 🚨 This issue needs some love. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@p-jahn
Copy link

p-jahn commented Apr 15, 2021
edited

Client

PubSub

Environment

  • Alpine Docker on GKE
  • Service using a service account that has roles/pubsub.subscriber IAM membership for my subscription

Go Environment

go version go1.16.2

Code

package main

import (
	"context"
	"log"
	"os/signal"

	"cloud.google.com/go/pubsub"
)

func main() {
	ctx := context.Background()
	client, err := pubsub.NewClient(ctx, "my-project")	
	if err != nil {
		log.Fatal("failed to create client:", err)
	}

	rxCtx, stop := signal.NotifyContext(ctx, os.Interrupt)
	defer stop()

	sub := client.Subscription("my-subscription")
	err = sub.Receive(rxCtx, func(_ context.Context, msg *pubsub.Message) {
		log.Println("received a message:", msg.ID)
		msg.Ack()
	})

	if err != nil {
		log.Fatal("failed to receive:", err)
	}
}

Expected behavior

I can receive messages

Actual behavior

failed to receive: sub.Config err: rpc error: code = PermissionDenied desc = User not authorized to perform this action.

Additional context

Started after upgrading to v1.10.2.

Looks to be introduced by the Subscription.Config(context.Context) call in fix for #3884.

Subscription.Config() requires pubsub.subscriptions.get permission for

// Config fetches the current configuration for the subscription.
func (s *Subscription) Config(ctx context.Context) (SubscriptionConfig, error) {
	pbSub, err := s.c.subc.GetSubscription(ctx, &pb.GetSubscriptionRequest{Subscription: s.name})
...
@p-jahn p-jahn added the triage me I really want to be triaged. label Apr 15, 2021
@product-auto-label product-auto-label bot added the api: pubsub Issues related to the Pub/Sub API. label Apr 15, 2021
@yoshi-automation yoshi-automation added the 🚨 This issue needs some love. label Apr 20, 2021
@hongalex
Copy link
Member

hongalex commented Apr 21, 2021
edited

Apologies for the delay in addressing this. As you pointed out, this was caused by #3886, so that when subscribing from subscriptions without ordering keys enabled, your messages will not be delivered in order. This might be useful for performance reasons.

I'll open a PR to check for config and if this call fails, just default to checking the ordering keys field of the received message. In the meantime, please add roles/pubsub.viewer or roles/viewer permissions to the service account. For more info, see access control.

@hongalex hongalex mentioned this issue Apr 21, 2021
Merged
@hongalex hongalex added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Apr 22, 2021
@yoshi-automation yoshi-automation removed the triage me I really want to be triaged. label Apr 22, 2021
@p-jahn
Copy link
Author

p-jahn commented Apr 23, 2021

Thanks for the fix @hongalex 💯

@hongalex
Copy link
Member

This has been released in cloud.google.com/go/pubsub v1.10.3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hongalex hongalex

Labels
api: pubsub Issues related to the Pub/Sub API. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. 🚨 This issue needs some love. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(pubsub): make config call permission error in Receive transparent hongalex/google-cloud-go
3 participants
@hongalex @p-jahn @yoshi-automation