feat: add x-goog-user-project header from quota_project_id field#21324
feat: add x-goog-user-project header from quota_project_id field#21324jiangtaoli2016 merged 1 commit intogrpc:masterfrom
Conversation
|
Thanks @tmatsuo for the contribution. Ping me when this is ready for review. |
|
Sorry, we changed the field to LGTM though |
|
Added some test cases. I think it's ready for review. Can you take a look? Also, I can not add the labels. Can you add some labels for mergeable check? Thanks! |
|
ASAN build caught the memory leak. I'll fix that with the next commit |
|
@jiangtaoli2016 I believe the memory leak has been fixed. |
jiangtaoli2016
left a comment
There was a problem hiding this comment.
Thanks @tmatsuo for implementation. Looks good over all. A couple of minor comments.
tmatsuo
left a comment
There was a problem hiding this comment.
Thanks for the review. I think I addressed the comments. PTAL
|
Please wait for @apolcyn review. |
|
@jiangtaoli2016 Thanks. I have a question w.r.t. squashing. Do you use "Squash and merge" feature on this repo, or should I locally squash commits and force push the new change? |
|
@apolcyn friendly ping |
| "{ \"client_id\": \"32555999999.apps.googleusercontent.com\"," | ||
| " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\"," | ||
| " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\"," | ||
| " \"quota_project_id\": \"my-quota-project-id\"," |
There was a problem hiding this comment.
question: quota_project _id could also be a number, right?
There was a problem hiding this comment.
It is always a string.
"project ID" is always a string
"project number" is always a number
There was a problem hiding this comment.
When I read the spec, it was fluid. However, is it really a problem if we treat numeric ID as a string?
There was a problem hiding this comment.
go/adc-spec is a (very) draft spec for the JSON file, and we've specified it as a string.
If in the future we need to support project numbers (and not treat the number as a string), it'll be a separate field, "quota_project_number".
| grpc_call_credentials* creds = grpc_google_refresh_token_credentials_create( | ||
| test_refresh_token_with_quota_project_id_str, nullptr); | ||
|
|
||
| /* First request: http put should be called. */ |
There was a problem hiding this comment.
nit: this comment is a little confusing, is it accurate? I don't think PUT requests are ever performed, in any case, if I'm correct?
| result.type = GRPC_AUTH_JSON_TYPE_AUTHORIZED_USER; | ||
|
|
||
| // quota_project_id is optional, so we don't check the result of the copy. | ||
| grpc_copy_json_string_property(json, "quota_project_id", |
There was a problem hiding this comment.
Related to below comment in test.
I've seen some docs that say that this can be a string or a numberic project ID. Does the format used for the refresh token credentials only allow the human readable project name format? If number format is also a possibility, then parsing may need adjusting.
There was a problem hiding this comment.
@broady Can you confirm?
However, do you think it is problematic if we treat a numeric ID as a string?
There was a problem hiding this comment.
Answered below. It's always a string. Project number will not be in this field.
| void grpc_google_refresh_token_credentials::add_additional_metadata( | ||
| grpc_credentials_mdelem_array* md_array) { | ||
| if (refresh_token_.quota_project_id != nullptr) { | ||
| grpc_mdelem quota_project_md = GRPC_MDNULL; |
There was a problem hiding this comment.
nit: unnecessary line, it can be set to grpc_mdelem_from_slices
| void grpc_google_refresh_token_credentials::add_additional_metadata( | ||
| grpc_credentials_mdelem_array* md_array) { | ||
| if (refresh_token_.quota_project_id != nullptr) { | ||
| grpc_mdelem quota_project_md = GRPC_MDNULL; |
| grpc_call_credentials* creds = grpc_google_refresh_token_credentials_create( | ||
| test_refresh_token_with_quota_project_id_str, nullptr); | ||
|
|
||
| /* First request: http put should be called. */ |
| "{ \"client_id\": \"32555999999.apps.googleusercontent.com\"," | ||
| " \"client_secret\": \"EmssLNjJy1332hD4KFsecret\"," | ||
| " \"refresh_token\": \"1/Blahblasj424jladJDSGNf-u4Sua3HDA2ngjd42\"," | ||
| " \"quota_project_id\": \"my-quota-project-id\"," |
There was a problem hiding this comment.
When I read the spec, it was fluid. However, is it really a problem if we treat numeric ID as a string?
apolcyn
left a comment
There was a problem hiding this comment.
minor comments.
A couple question on the feature:
- I believe the way to use "x-goog-user-project" so far has been to just set it manually; is there possibility that when the
quota_projectfield is added to json auth files for the first time, that it can conflict with such usage? - Is the
quota_project_idvalue that is added to auth json files just specified by user?
| grpc_polling_entity* pollent, grpc_auth_metadata_context /*context*/, | ||
| grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata, | ||
| grpc_error** /*error*/) { | ||
| add_additional_metadata(md_array); |
There was a problem hiding this comment.
naming nit: can we prefix this with maybe, i.e. change to maybe_add_additional_metadata
| // auth_refresh_token parsing. | ||
| typedef struct { | ||
| struct grpc_auth_refresh_token { | ||
| grpc_auth_refresh_token() : quota_project_id(nullptr) {} |
There was a problem hiding this comment.
nit: can remove this line and set quota_project_id = nullptr below
tmatsuo
left a comment
There was a problem hiding this comment.
I believe the way to use "x-goog-user-project" so far has been to just set it manually; is there possibility that when the quota_project field is added to json auth files for the first time, that it can conflict with such usage?
I don't think it's a problem.
Is the quota_project_id value that is added to auth json files just specified by user?
Mainly this is auto selected by gcloud sdk depending on the user configuration (config->project).
Adding @broady to confirm.
| grpc_polling_entity* pollent, grpc_auth_metadata_context /*context*/, | ||
| grpc_credentials_mdelem_array* md_array, grpc_closure* on_request_metadata, | ||
| grpc_error** /*error*/) { | ||
| add_additional_metadata(md_array); |
| // auth_refresh_token parsing. | ||
| typedef struct { | ||
| struct grpc_auth_refresh_token { | ||
| grpc_auth_refresh_token() : quota_project_id(nullptr) {} |
|
After doing some experiment, it turns out that, if you specify context.AddMetadata("x-goog-user-project", "some-other-project");and if the auth json file contains In this case, it seems like those values are combined with a comma and I'm getting an error message as follows
The initial thing came to mind was to check contents of the md_array and only add So I'm not sure how to handle this case. Is there a nice way to disallow duplicated keys in metadata? |
Unfortunately, I'm not sure that there is, at least from within the the oauth2 credentials implementation. It may be possible to do some sort of header interception for this e.g. within the But I'm also wondering if handling that is really necessary, this is why I wonder "how is the quota_project_id" being set within the auth json files. If "quota_project_id" being filled into auth json files is an opt-in thing, then maybe we don't need to handle this, since onus is on the user to not do something that will conflict with their code. OTOH if it's going to be filled in transparently, then it could perhaps cause problems for existing code. What do you think? |
|
@apolcyn Thanks. I don't think the change will be an opt-in. However, currently x-goog-user-project metadata header is not documented anywhere. Also the auth json file with the type I'm on the fence. I'll take a look at the |
|
I agree. It's very unlikely to cause an issue in practice.
|
|
@apolcyn @jiangtaoli2016 |
|
Adding one-off check on generic client_auth_filter seems hacky. |
|
@jiangtaoli2016 |
|
@jiangtaoli2016 The last commit added |
I don't think it's possible to put the check in |
|
PTAL with the last commit. The code is now little bit more generic and cleaner. |
jiangtaoli2016
left a comment
There was a problem hiding this comment.
Sorry for delay. Thanks @tmatsuo for revision.
556ddb3 to
0c66117
Compare
|
@apolcyn I have just squashed the commits. Do you mind taking a look and merge it if it looks ok? |
0c66117 to
9bed17b
Compare
|
@yashykt friendly ping |
|
@jiangtaoli2016 It's approved. Can you go ahead and merge this? |
|
test failures unrelated. |
feat: add x-goog-user-project header from quota_project_id field
fixes #21225