Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

alts: Make GoogleDefaultChannelCredentials take a CallCredentials #8548

Merged
merged 12 commits into from
Nov 15, 2021
Merged

alts: Make GoogleDefaultChannelCredentials take a CallCredentials #8548

Changes from 7 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
6a8ad79
alts: Make ComputeEngineChannelCredentials take a CallCredentials as …
mohanli-ml Sep 22, 2021
189dfce
alts: Make ComputeEngineChannelCredentials take a CallCredentials
mohanli-ml Sep 22, 2021
a3f4724
alts: Make ComputeEngineChannelCredentials take a CallCredentials
mohanli-ml Sep 22, 2021
5f5abaf
Merge branch 'master' into compute-engine-creds
mohanli-ml Oct 1, 2021
2893db7
alts: Make ComputeEngineChannelCredentials take a CallCredentials
mohanli-ml Oct 1, 2021
5153201
alts: Make ComputeEngineChannelCredentials take a CallCredentials
mohanli-ml Oct 1, 2021
0d1fd71
alts: Make ComputeEngineChannelCredentials take a CallCredentials
mohanli-ml Oct 1, 2021
b229d4f
alts: Make GoogleDefaultChannelCredentials take a CallCredentials
mohanli-ml Oct 5, 2021
8cb0153
alts: Make GoogleDefaultChannelCredentials take a CallCredentials
mohanli-ml Oct 5, 2021
045743f
alts: Make GoogleDefaultChannelCredentials take a CallCredentials
mohanli-ml Oct 5, 2021
0d6658e
Merge branch 'master' into compute-engine-creds
mohanli-ml Oct 19, 2021
6b7d3ca
alts: Make GoogleDefaultChannelCredentials take a CallCredentials
mohanli-ml Oct 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 46 additions & 21 deletions alts/src/main/java/io/grpc/alts/ComputeEngineChannelCredentials.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,29 +44,54 @@ private ComputeEngineChannelCredentials() {}
* if applicable and using TLS as fallback.
*/
public static ChannelCredentials create() {
ChannelCredentials nettyCredentials =
InternalNettyChannelCredentials.create(createClientFactory());
CallCredentials callCredentials;
if (InternalCheckGcpEnvironment.isOnGcp()) {
callCredentials = MoreCallCredentials.from(ComputeEngineCredentials.create());
} else {
callCredentials = new FailingCallCredentials(
Status.INTERNAL.withDescription(
"Compute Engine Credentials can only be used on Google Cloud Platform"));
}
return CompositeChannelCredentials.create(nettyCredentials, callCredentials);
return newBuilder().build();
}

public static Builder newBuilder() {
return new Builder();
}

private static InternalProtocolNegotiator.ClientFactory createClientFactory() {
SslContext sslContext;
try {
sslContext = GrpcSslContexts.forClient().build();
} catch (SSLException e) {
throw new RuntimeException(e);
/** Builder for {@link ComputeEngineChannelCredentials} instances. */
public static final class Builder {
private CallCredentials callCredentials;

/**
* Receives a call credential so that ComputeEngineChannelCredentials can support non-default
* service account.
*/
public Builder setCallCredentials(CallCredentials callCreds) {
callCredentials = callCreds;
return this;
}

/** Build a ComputeEngineChannelCredentials instance. */
public ChannelCredentials build() {
ChannelCredentials nettyCredentials =
InternalNettyChannelCredentials.create(createClientFactory());
if (!InternalCheckGcpEnvironment.isOnGcp()) {
callCredentials =
new FailingCallCredentials(
Status.INTERNAL.withDescription(
"Compute Engine Credentials can only be used on Google Cloud Platform"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm... This is a bit interesting, as if the user is providing call credentials we could actually work on non-GCE.

I wonder if we are modifying the wrong API, and should be modifying GoogleDefaultChannelCredentials instead. CC @menghanl

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gax-java and google-api-go-client will check the GCP environment before attempting DirectPath, see https://github.com/googleapis/gax-java/blob/main/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java#L336 and https://github.com/googleapis/google-api-go-client/blob/master/transport/grpc/dial.go#L141.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, or we should just add a general purpose API that accepts callCreds.
And both GoogleDefaultCreds and ComputeEngineCreds should be built on that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think of this? grpc/grpc-go#4830

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gax-java and google-api-go-client will check the GCP environment before attempting DirectPath

So what? That has little to do with the implementation and times it could be used. The point is that this API has no dependency on GCE when you provide the credentials.

And both GoogleDefaultCreds and ComputeEngineCreds should be built on that.

I think that is essentially "GoogleDefaultCreds with passed call creds" like I was suggesting. And it seems that is the approach you took with grpc/grpc-go#4830, so I think we are on the same page.

We should modify GoogleDefaultChannelCredentials in Java instead of ComputeEngineChannelCredentials.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I have two concerns here:

  1. Your opinion is from the perspective of API design, which makes sense to me. However, if you look from the perspective of DirectPath, since DirectPath can only be used on GCE, removing the checking on GCE in credentials (i.e., using GoogleDefaultCreds instead of ComputeEngineCreds) means that we relies on client libraries (i.e., the two links above) to check the GCE environment. I doubt if this is a good design, and I feel the secure solution here is to rename ComputeEngineCreds in this PR to DirectPathCreds (if ComputeEngineCreds is only used by DirectPath, and if not we can just create a new API), so that it will makes sense that the new API can take call credentials while also have dependency on GCE. WDYT? Also @menghanl

  2. I remember originally we first developed GoogleDefaultCreds, but as client libraries owners wanted to know for sure what mechanism would be used to retrieve the OAuth token, so we then developed ComputeEngineCreds. @apolcyn Alex may have more context here. If after discussing Q1 we still want to use GoogleDefaultCreds for DirectPath, we should reach to client libraries owners as same concerns may still exist.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since DirectPath can only be used on GCE

For 1, as you mention, the only reason ComputeEngineChannelCredentials exists is because the client libraries wanted to convert from their version of ComputeEngine creds and guarantee that GoogleDefaultChannelCredentials didn't use some other sort of cred. GoogleDefaultChannelCredentials was designed to run anywhere.

For 2, if the client libraries are explicitly passing the call credentials they expect to be used, then there's no mis-alignment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with 2.

For 1 I want to double check, you think it is OK that DirectPath will use GoogleDefaultChannelCredentials, and since GoogleDefaultChannelCredentials does not do the on GCE check, we rely on client libraries to do the on GCE check, right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know how I can say this any differently. GoogleDefaultChannelCredentials is fine to use outside of GCE. If client libraries only want to use it for GCE, that is fine and up to them. Both GoogleDefaultChannelCredentials and ComputeEngineChannelCredentials do not require ALTS to work; they will fall back to TLS if anything goes wrong.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, thanks for clarifying. I have updated the PR. PTAL.

}
if (callCredentials == null) {
return CompositeChannelCredentials.create(
nettyCredentials, MoreCallCredentials.from(ComputeEngineCredentials.create()));
}
return CompositeChannelCredentials.create(nettyCredentials, callCredentials);
}

private static InternalProtocolNegotiator.ClientFactory createClientFactory() {
SslContext sslContext;
try {
sslContext = GrpcSslContexts.forClient().build();
} catch (SSLException e) {
throw new RuntimeException(e);
}
return new GoogleDefaultProtocolNegotiatorFactory(
/* targetServiceAccounts= */ ImmutableList.<String>of(),
SharedResourcePool.forResource(HandshakerServiceChannel.SHARED_HANDSHAKER_CHANNEL),
sslContext);
}
return new GoogleDefaultProtocolNegotiatorFactory(
/* targetServiceAccounts= */ ImmutableList.<String>of(),
SharedResourcePool.forResource(HandshakerServiceChannel.SHARED_HANDSHAKER_CHANNEL),
sslContext);
}
}