feat(auth): Add support for Regional Access Boundaries #13559
googleapis#12787) Migrates RAB changes from the older repo -> https://github.com/googleapis/google-auth-library-java/tree/feat-tb-sa
…gleapis#12867)
1. The RAB refresh uses a direct executor with a fixed thread pool as opposed to instantiating a new thread each time.
2. The RAB env gate -> GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT has been removed. This means RAB refresh triggers by default.
3. Added other fixes/suggestions made in the previous Java [PR](googleapis/google-auth-library-java#1880).
…oogleapis#13331) In ComputeEngineCredentials when running on GKE platform, the getAccount() call may return a value which isn't an email. In this case the right behaviour is to skip RAB lookup which is what this PR does. Added tests.
Code Review
This pull request introduces support for Regional Access Boundaries (RAB) by adding RegionalAccessBoundary, RegionalAccessBoundaryManager, and RegionalAccessBoundaryProvider to manage, cache, and asynchronously refresh allowed locations. This functionality is integrated across various credential classes to attach the x-allowed-locations header to outgoing requests. Feedback on the changes suggests catching IllegalStateException in RegionalAccessBoundaryManager to permanently skip RAB lookups on configuration errors and avoiding a redundant HashMap copy in GoogleCredentials.getAdditionalHeaders().
| } catch (Exception e) { | ||
| handleRefreshFailure(e); |
If getRegionalAccessBoundaryUrl() throws an IllegalStateException due to a permanent configuration error (such as an invalid or null audience), catching it as a general exception and triggering a cooldown retry is inefficient because the configuration will never become valid. Catching IllegalStateException specifically to log a warning and set skipRAB to true prevents futile background retries.
} catch (IllegalStateException e) {
  log(
      LOGGER_PROVIDER,
      Level.WARNING,
      null,
      "Permanent configuration error detected. Skipping future Regional Access Boundary refreshes: "
          + e.getMessage());
  skipRAB.set(true);
} catch (Exception e) {
  handleRefreshFailure(e);
| @Override | ||
| protected Map<String, List<String>> getAdditionalHeaders() { | ||
| Map<String, List<String>> headers = super.getAdditionalHeaders(); | ||
| Map<String, List<String>> headers = new HashMap<>(super.getAdditionalHeaders()); |
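Review bot: The `new HashMap<>(super.getAdditionalHeaders())` copy on the last line of this hunk carries no comment saying why a mutable copy is needed. If the lines that follow add entries to `headers` in place, say so in a one-line comment so the copy is not later removed as dead weight; if `headers` is only read or passed on, keep the plain `super.getAdditionalHeaders()` assignment shown on the line above it.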
Creating a new HashMap copy of super.getAdditionalHeaders() is redundant because addQuotaProjectIdToRequestMetadata does not modify the passed map directly; instead, it returns a new ImmutableMap if modifications are needed. We can pass the original map directly to avoid unnecessary object allocation.
| Map<String, List<String>> headers = new HashMap<>(super.getAdditionalHeaders()); | |
| Map<String, List<String>> headers = super.getAdditionalHeaders(); |
The Regional Access Boundaries PR to main. Contains all the changes merged to the feature branch "regional-access-boundaries" rebased on top of main.
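The distinction drawn in the review comment on RegionalAccessBoundaryManager (a permanent configuration error versus a retryable failure), as an added example that is not code from this pull request or from the library. The class, its fields and the 60-second cooldown are hypothetical, and a simulated clock stands in for real time.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicBoolean;

/** Added illustration; every name here is hypothetical, not the library's API. */
public class BoundaryRefreshDemo {
  static final long COOLDOWN_MILLIS = 60_000; // assumed value, for the demo only
  private final AtomicBoolean skip = new AtomicBoolean(false); // permanent latch
  private long retryNotBefore = 0; // end of the current cooldown window
  private String cached; // last successfully fetched value
  int attempts = 0; // number of real lookups made, reported by main()

  /** Runs one refresh attempt unless latched off or still cooling down. */
  synchronized void refresh(Callable<String> lookup, long nowMillis) {
    if (skip.get() || nowMillis < retryNotBefore) {
      return;
    }
    attempts++;
    try {
      cached = lookup.call();
    } catch (IllegalStateException e) {
      // Configuration error: the input will not change, so stop for good.
      skip.set(true);
    } catch (Exception e) {
      // Anything else is treated as transient: retry after the cooldown.
      retryNotBefore = nowMillis + COOLDOWN_MILLIS;
    }
  }

  public static void main(String[] args) {
    // Constructed lookups: one fails transiently, one is misconfigured.
    Callable<String> flaky = () -> { throw new IOException("timeout"); };
    Callable<String> broken = () -> { throw new IllegalStateException("audience is null"); };

    BoundaryRefreshDemo a = new BoundaryRefreshDemo();
    BoundaryRefreshDemo b = new BoundaryRefreshDemo();
    // Simulated clock: one call every 30 s for 5 minutes (10 calls each).
    for (long t = 0; t < 300_000; t += 30_000) {
      a.refresh(flaky, t);
      b.refresh(broken, t);
    }
    System.out.println("transient failure attempts: " + a.attempts);
    System.out.println("config error attempts: " + b.attempts);
  }
}
```

Without the `IllegalStateException` branch, the misconfigured instance would repeat its lookup once per cooldown window, exactly like the transiently failing one.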