fix: remove call credentials from call options if DirectPath #3670
@lqiu96 I've verified this would fix the DirectPath case. No idea about the obscure failure in java-firestore yet. Will add tests next week. I think this approach is promising. |
I think this does work for DirectPath. However, doesn't this issue also exist for S2A where both tokens are being passed? Also, this would override any user set CallOption value. |
I was wondering if we could introduce a similar API as
This is by far the simplest approach and doesn't even need to touch how channels are constructed in any other non-DirectPath case (S2A with bound token will also need to be handled later). And somewhat biased by this, I'm hoping we could be a bit opinionated in the DirectPath case to disregard users' call credentials in the call options, given we clearly document this behavior. Note in my other PR, we are overriding the call option value as well. |
I would like this. I'm not able to easily map a way to determine this since I think it would require actually trying to create the CallCredentials and checking if they could be created. I guess that is a possibility we can also try. I was exploring dynamically setting the call options creds in #3671
I would like to be opinionated on this too. However, can you remind me the behavior if something like SACreds were used instead of UserCreds, would DP work? Would it be possible to override the calloptions creds using DP?
I'm not against this, though I would like to try and see if we can figure a generic solution to tackle sending creds twice, rather than adding one-off fixes for specific flows. |
S2A doesn't generally take the CallCredentials except for the bound token case introduced in #3591, where
Any creds (SA, Users), as long as allowed right now by DirectPath, should work without any problem with this PR. It's just those creds need to be passed into the TransportChannelProvider to be used in the DirectPath channel creation. We don't enable bound tokens if the given creds are not ComputeEngine ones, but we still pass them as is into So basically, we document that DirectPath does not take in any CallCredentials from the ApiCallContext and we should be good. Is this what you were asking about?
In that case, I wonder if you are open to adding a more generic method to |
I see, so in the case of Mtls (non S2A) and just normal TLS, then the expectation is that CallCredentials should be attached via CallOptions? In that case, I think my assumption that always using ChannelCredentials instead of CallOptions is wrong.
Ok I see, I think I'm on the same page now. In this case only DP and MTLS_S2A would be the cases as you've mentioned above.
Yes I think if we take the opinionated route this is what we should do. The example that I was thinking above was that a user established a DP connection with some SA cred and overrides with a different SA cred via CallOptions (something like what Spanner has: https://github.com/googleapis/java-spanner/blob/7a8a29be40258294cafd13b1df7df5ea349a675d/google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/GapicSpannerRpc.java#L2037). Is this a behavior that works or would it fail/never worked?
Yeah, this is what the PR above was trying to explore. Adding a new method that determined if the CallCredentials was attached to the channel. When a GAPIC client is initialized, it will try to determine if this was a user set value or set by the client and it will ignore the client set value (but I think I got the logic wrong). |
cb3dc16 to 39489bc
if (!isDirectPath) return callOptions; | ||
// Remove the CallCredentials attached to the callOptions if it's DirectPath. | ||
return callOptions.withCallCredentials(null); |
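Review bot: the `return callOptions.withCallCredentials(null);` branch makes this method hand back something other than the CallOptions that were stored, and it silently discards any CallCredentials a user set on them. Consider stripping once where the context is built, and rewording the comment to say why the credentials are removed (on DirectPath they are already attached to the channel, so sending them again duplicates the authorization header) rather than restating the code. The one-line `if (!isDirectPath) return callOptions;` would also read better with braces.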
Can this logic reside inside the constructor? I think it would be better for the getter to just return value.
nit: Can the comment be updated to reflect the why. Perhaps something like (probably needs better wording): CallCredentials is stripped from CallOptions because CallCredentials are attached to ChannelCredentials in DirectPath flows. Adding it again would duplicate the headers.
Done. I also modify the merge logic to respect the isDirectPath of the coming context. Also several cases I take care of here:
- If `withChannel` is subsequently called, we attach a CallCreds from the creds back to calloptions and revert `isDirectPath` to false.
- If `withCallOptions` is subsequently called, we strip the CallCreds from it if DirectPath.
- If `withCredentials` is subsequently called, we attach its corresponding CallCreds to the calloptions only if non-DirectPath
Please help check if I missed any corner case.
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/GrpcCallContext.java
I think the last thing is to update the GrpcCallContext's Thoughts on a small blurb like (re-phrase/ update): For certain flows like DirectPath, the channel is already created with a CallCredentials. Passing in an additional CallCredentials here will not override the ChannelCredential's CallCredential and may cause issues as the CallCredentials is duplicated. These flows will attempt to automatically strip the CallOption's CallCreds. |
(Not specific to this PR, but related to fixing this problem for MTLS_S2A)
I think it may be more than this. In order to set
This is due to the fact that for DirectPath: if you can use DirectPath then you will use DirectPath. However, this is not true for S2A, if you can use S2A, you may end up using S2A (you could end up using DirectPath since DP supersedes S2A or you could end up falling back to TLS if you fail to create S2A channel creds). I'll try to put together a PR taking this into account. Edit: Actually I see that #3671 did take this into account. Although I am unclear on how we can make sure createSingleChannel gets called before setting IsCallCredentialAttachedToChannel |
For posterity, we confirmed that [:authority: spanner.googleapis.com, :path: /google.spanner.v1.Spanner/BatchCreateSessions, :method: POST, :scheme: https, content-type: application/grpc, te: trailers, user-agent: spanner-java/6.86.0 grpc-java-netty/1.69.0, ..., grpc-accept-encoding: gzip, authorization: Bearer ya29.****, ..., authorization: Bearer 1234, grpc-timeout: 56962080u] The garbage token in the second authorization header didn't cause the call to fail the authn/z. In general, we shouldn't rely on this gRPC implementation detail since it could in theory change the appending order and break everything. This PR will fix the duplication header issue so we are good. |
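A regression check for the duplicated header discussed in this thread, as an added example (not code from this PR or from gax-java): a grpc-java `ServerInterceptor` for a test server that rejects any call arriving with more than one `authorization` header. The class name `DuplicateAuthorizationGuard` and the token strings are constructed for illustration.

```java
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;

/**
 * Hypothetical test-server interceptor: fails a call that carries more than one
 * authorization header, so a client that attaches credentials both to the channel
 * and to the call options is caught instead of passing by accident.
 */
public final class DuplicateAuthorizationGuard implements ServerInterceptor {

  static final Metadata.Key<String> AUTHORIZATION =
      Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);

  /** Number of values present for the authorization key (getAll returns null when absent). */
  static int countAuthorizationHeaders(Metadata headers) {
    Iterable<String> values = headers.getAll(AUTHORIZATION);
    if (values == null) {
      return 0;
    }
    int count = 0;
    for (String ignored : values) {
      count++;
    }
    return count;
  }

  @Override
  public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
      ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
    int count = countAuthorizationHeaders(headers);
    if (count > 1) {
      // Report only the count; token values must never reach logs or status text.
      call.close(
          Status.UNAUTHENTICATED.withDescription(
              "expected a single authorization header, got " + count),
          new Metadata());
      return new ServerCall.Listener<ReqT>() {};
    }
    return next.startCall(call, headers);
  }

  public static void main(String[] args) {
    // Constructed metadata mirroring the two cases in the thread.
    Metadata duplicated = new Metadata();
    duplicated.put(AUTHORIZATION, "Bearer constructed-channel-token");
    duplicated.put(AUTHORIZATION, "Bearer constructed-call-options-token");

    Metadata single = new Metadata();
    single.put(AUTHORIZATION, "Bearer constructed-channel-token");

    System.out.println("duplicated: " + countAuthorizationHeaders(duplicated));
    System.out.println("single: " + countAuthorizationHeaders(single));
  }
}
```

Registering the interceptor on an in-process test server turns the duplication into a failing call, which does not depend on which of the two headers a real backend happens to read.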
return new GrpcCallContext( | ||
transportChannel.getChannel(), | ||
credentials, | ||
transportChannel.isDirectPath() ? callOptions.withCallCredentials(null) : callOptions, |
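Review bot: the ternary on the `callOptions` argument strips credentials only at this one construction site, so any other path that builds a GrpcCallContext with its own CallOptions has to repeat the `transportChannel.isDirectPath()` check or the duplicate comes back. Passing the DirectPath flag into the constructor and deciding there would keep the rule in one place. `credentials` is still passed through unchanged on the line above, which deserves a short comment so readers do not assume it was dropped as well.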
Sorry, I meant can we do this logic/check inside the private constructor? This should only pass the calloptions.
Constructor contains the `this.callOptions = isDirectPath() ? callOptions.withCallCredentials(null) : callOptions` logic
Ah this makes so much sense! Sorry I don't know what I was thinking. Changed.
/gcbrun |
/gcbrun |
@@ -96,6 +96,7 @@ public final class GrpcCallContext implements ApiCallContext { | |||
private final ImmutableMap<String, List<String>> extraHeaders; | |||
private final ApiCallContextOptions options; | |||
private final EndpointContext endpointContext; | |||
private final boolean isDirectPath; |
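Review bot: the new `isDirectPath` field has no comment saying what it controls. Since its purpose is to decide whether CallCredentials are removed from the CallOptions, a one-line comment to that effect would help. Please also check that the field is carried through `equals`, `hashCode` and every copy method alongside `endpointContext`; otherwise two contexts that behave differently would compare equal.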
Thanks for the info. I thought that referred to `canUseDirectPath()` which could be invoked multiple times before and after the credentials was set so might be not accurate, but by the time the ClientContext got this boolean from the channel, it should already be final.
Talked with @surbhigarg92 regarding this to get some more information about the issue. This issue from Spanner's POV is not so much that the `canUseDirectPath` value that the client is initialized with and used by the TransportChannel is incorrect, it's that Spanner doesn't have a way to get the `canUseDirectPath` value when initializing the client for Otel.
Spanner was using `GrpcSpannerStub.create(StubSettings)` and didn't have an easy way to access TransportChannel's fields (StubSettings only exposes `getTransportChannelProvider()`). Spanner could use `GrpcSpannerStub.create(ClientContext)`, but that creates the Stub with a new StubSettings and not the one they manually configured.
For them, the DirectPath transportchannel was always created correctly and the value the client uses is correct. They used this workaround to be able to access the field for their use case.
I think their issue is a valid concern, but is different from this.
@@ -228,7 +250,8 @@ public GrpcCallContext withEndpointContext(EndpointContext endpointContext) { | |||
options, | |||
retrySettings, | |||
retryableCodes, | |||
endpointContext); | |||
endpointContext, |
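Review bot: `endpointContext,` now has a further positional argument after it in `withEndpointContext`, and every other method that calls this constructor needs the same change; a trailing positional argument is easy to omit or default at one of those call sites. Please confirm each one forwards the current instance's value rather than a literal, and add a test that a context keeps its DirectPath state after `withEndpointContext`.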
It's unfortunate that we have to change all the places that use the constructor. Ideally, if we had a builder for `GrpcCallContext`, the code here would be simplified to `this.toBuilder().setEndpointContext(endpointContext).build()`, and we don't have to change the code here at all.
Agreed. But I'd prefer to leave the refactoring with a builder out of this PR since it would look cleaner. I can open an issue for it. Let me know what you think.
SG. Yes please create a separate issue and we can put it in our backlog.
Thanks. Created #3681
…into grpc-creds-alt
…va into grpc-creds-alt
/gcbrun |
Thanks for all the reviews. No rush but just in case, please help merge it when you see fit since I don't have the permission. |
🤖 I have created a release *beep* *boop*

---

<details><summary>2.55.0</summary>

## [2.55.0](v2.54.0...v2.55.0) (2025-03-12)

### Features

* generate showcase using docker image ([#3568](#3568)) ([3857e3f](3857e3f))
* next release from main branch is 2.55.0 ([#3668](#3668)) ([1eda55f](1eda55f))

### Bug Fixes

* remove call credentials from call options if DirectPath ([#3670](#3670)) ([5ede29c](5ede29c))

### Dependencies

* update arrow.version to v18.2.0 ([#3675](#3675)) ([5a555e5](5a555e5))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
This PR eliminates the issue where call credentials get attached twice to an RPC in DirectPath cases. Particularly, when user credentials get used, the problem causes the RPC to fail due to the duplication of the quota project ID (internal-only context: b/364288002).
The approach is to strip the credentials in the callOptions returned by the `GrpcCallContext` if the `TransportChannel` is DirectPath. The side effect is that users won't be able to configure call credentials via the `ApiCallContext` if DirectPath is used.

We think this is acceptable because:

`TransportChannelProvider.withCredentials()`. At a higher level, this is done by configuring the `CredentialsProvider` in the `StubSettings` or the `ServiceOptions`.

Tested DirectPath using Spanner
Headers sent
Bearer token is sent twice (first `ya29.***` value is valid and second `1234` is invalid). The second one was attached by customizing the ApiCallContext to send an invalid CallCredentials as part of the CallOptions. The call still succeeded as the first Bearer token in the Metadata is used.
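The duplication seen in the test above, and the effect of stripping the call-option credentials, as an added example that is not code from this PR or from gax-java. The class name, the `strip` helper and the token strings are constructed for illustration, and applying the channel-level credentials before the per-call ones is a simplified model of the transport (an assumption).

```java
import io.grpc.CallCredentials;
import io.grpc.CallOptions;
import io.grpc.Metadata;
import io.grpc.Status;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Executor;

public final class DuplicateBearerExample {
  static final Metadata.Key<String> AUTHORIZATION =
      Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);

  // Constructed credentials that attach a single static Bearer value.
  static CallCredentials bearer(String token) {
    return new CallCredentials() {
      @Override
      public void applyRequestMetadata(RequestInfo info, Executor ex, MetadataApplier applier) {
        Metadata headers = new Metadata();
        headers.put(AUTHORIZATION, "Bearer " + token);
        applier.apply(headers);
      }
      public void thisUsesUnstableApi() {} // abstract in older grpc-java releases
    };
  }
  // Hypothetical helper: drop per-call credentials when the channel is DirectPath.
  static CallOptions strip(CallOptions options, boolean directPath) {
    return directPath ? options.withCallCredentials(null) : options;
  }
  // Simplified model (assumption): channel-level credentials first, then per-call ones.
  static List<String> authorizationValues(CallCredentials channelCreds, CallOptions options) {
    Metadata sent = new Metadata();
    CallCredentials.MetadataApplier collector = new CallCredentials.MetadataApplier() {
      @Override public void apply(Metadata headers) { sent.merge(headers); }
      @Override public void fail(Status status) { throw status.asRuntimeException(); }
    };
    channelCreds.applyRequestMetadata(null, Runnable::run, collector);
    CallCredentials perCall = options.getCredentials();
    if (perCall != null) perCall.applyRequestMetadata(null, Runnable::run, collector);
    List<String> values = new ArrayList<>();
    Iterable<String> all = sent.getAll(AUTHORIZATION); // null when the key is absent
    if (all != null) all.forEach(values::add);
    return values;
  }
  public static void main(String[] args) {
    CallCredentials channelCreds = bearer("ya29.CONSTRUCTED"); // constructed sample value
    CallOptions userOptions = CallOptions.DEFAULT.withCallCredentials(bearer("1234"));
    System.out.println("unchanged: " + authorizationValues(channelCreds, userOptions));
    System.out.println("stripped:  " + authorizationValues(channelCreds, strip(userOptions, true)));
  }
}
```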