@rmehta19
Contributor

No description provided.

@conventional-commit-lint-gcf

conventional-commit-lint-gcf bot commented Nov 27, 2024

🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use GitHub's automerge feature with squashing, or use automerge label. Good luck human!

-- conventional-commit-lint bot
https://conventionalcommits.org/

@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Nov 27, 2024
rmehta19 added a commit to rmehta19/sdk-platform-java that referenced this pull request Jan 7, 2025
rmehta19 added a commit to rmehta19/sdk-platform-java that referenced this pull request Jan 7, 2025
@product-auto-label product-auto-label bot added size: s Pull request size is small. and removed size: xs Pull request size is extra small. labels Jan 7, 2025
@rmehta19
Contributor Author

rmehta19 commented Jan 7, 2025

Closing this and patching this into #3548

@rmehta19 rmehta19 closed this Jan 7, 2025
@rmehta19 rmehta19 reopened this Jan 7, 2025
@rmehta19
Contributor Author

rmehta19 commented Jan 7, 2025

Closing this and patching this into #3548

@rmehta19 rmehta19 closed this Jan 7, 2025
lqiu96 pushed a commit that referenced this pull request Jan 24, 2025
…t libraries grpc transport (#3548)

**Revert #3400.**

**This PR re-introduces the S2A integration in the Java Cloud SDK
(initially introduced in #3326, and temporarily reverted in #3400).**

**This PR does this by reverting #3400 with the following patches:**
- load the S2A APIs via reflection. This allows us to merge the code
while the [S2A API is still experimental in
gRPC-Java](https://github.com/grpc/grpc-java/blob/master/s2a/src/main/java/io/grpc/s2a/S2AChannelCredentials.java)
without introducing a diamond dependency conflict. Once the S2A APIs are
stable, the reflection logic can be removed and the S2A API can be used
directly (via a dependency on S2A API)
- fix NPE (#3401)
- use a different env var name for enabling the feature


**Below is the original description from #3326**

Modify the Client Libraries gRPC Channel builder to use mTLS via S2A if
the experimental environment variable is set, S2A is available (we check
this by using [SecureSessionAgent
utility](https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/SecureSessionAgent.java)),
and a few more conditions (see `shouldUseS2A`).

Following https://google.aip.dev/auth/4115, only attempt to use S2A
after DirectPath and DCA (https://google.aip.dev/auth/4114) are ruled
out as options. If conditions to use S2A are not met (env variable not
set, or S2A is not running in environment, etc. (`shouldUseS2A` returns
false)), fall back to default TLS connection.

When we are creating S2A-enabled gRPC Channel Credentials, we first try
to secure the connection between the client and the S2A via MTLS, using
[MTLS-MDS](https://cloud.google.com/compute/docs/metadata/overview#https-mds)
credentials. If MTLS-MDS credentials can't be loaded, then we fall back
to a plaintext connection between the client and S2A.

The parallel Go implementation: googleapis/google-api-go-client#1874
(now lives here:
https://github.com/googleapis/google-cloud-go/blob/main/auth/internal/transport/cba.go)

S2A Java client: https://github.com/grpc/grpc-java/tree/master/s2a

Resolving b/376258193 means that S2A.java is no longer experimental
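
The reflection-based loading described in the commit message above, as an added example that is not code from this PR or from the SDK: it probes for an optional API class without a compile-time dependency and falls back instead of failing to link. The class name comes from the gRPC-Java path linked above; `find`, `callStatic` and `chooseTransport` are hypothetical names, and the success path is shown on a JDK class so the example runs without gRPC.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Optional;

public class OptionalApiLoader {
  // Class name taken from the gRPC-Java source path linked in the commit message.
  static final String S2A_CREDS = "io.grpc.s2a.S2AChannelCredentials";

  /** Resolves a class that may be absent, without a compile-time dependency on it. */
  static Optional<Class<?>> find(String className) {
    try {
      // initialize=false: do not run static initializers just to probe for presence.
      ClassLoader loader = OptionalApiLoader.class.getClassLoader();
      return Optional.of(Class.forName(className, false, loader));
    } catch (ClassNotFoundException | LinkageError e) {
      // Missing, or present but incompatible with the versions of its dependencies.
      return Optional.empty();
    }
  }

  /** Invokes a public static factory reflectively; empty means the caller falls back. */
  static Optional<Object> callStatic(
      Class<?> cls, String name, Class<?>[] types, Object... args) {
    try {
      Method m = cls.getMethod(name, types);
      if (!Modifier.isStatic(m.getModifiers())) return Optional.empty();
      return Optional.ofNullable(m.invoke(null, args));
    } catch (ReflectiveOperationException | LinkageError e) {
      return Optional.empty(); // the experimental API changed shape, or the call threw
    }
  }

  /** Hypothetical selector; the real conditions are in shouldUseS2A, not shown on this page. */
  static String chooseTransport(boolean featureEnabled) {
    if (featureEnabled && find(S2A_CREDS).isPresent()) return "mTLS via S2A";
    return "default TLS";
  }

  public static void main(String[] args) {
    // Without the S2A artifact on the classpath the selector falls back to default TLS.
    System.out.println(chooseTransport(true));
    // Success path, demonstrated on a JDK class (assumption made for this example).
    Optional<Object> d = find("java.time.Duration")
        .flatMap(c -> callStatic(c, "ofSeconds", new Class<?>[] {long.class}, 5L));
    System.out.println(d.map(Object::toString).orElse("unavailable"));
  }
}
```

Catching `LinkageError` alongside `ClassNotFoundException` matters here: a class that is present but built against a conflicting dependency version fails with the former, which is the diamond-dependency case the commit message is avoiding.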
lqiu96 pushed a commit that referenced this pull request Feb 20, 2025
…t libraries grpc transport (#3548)
