Skip to content

[xDS] A97 - JWT token file call creds #12242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

[xDS] A97 - JWT token file call creds #12242

wants to merge 5 commits into from

Conversation

Zgoda91
Copy link

@Zgoda91 Zgoda91 commented Jul 23, 2025

implementing gRFC A97 grpc/proposal#492

@Zgoda91 Zgoda91 force-pushed the A97_jwt_token_call_creds branch 4 times, most recently from a8f76b0 to c781460 Compare July 28, 2025 06:26
@Zgoda91 Zgoda91 marked this pull request as ready for review July 28, 2025 06:27
@Zgoda91
Copy link
Author

Zgoda91 commented Jul 28, 2025

@ejona86 Could you please review this PR when you get a chance? Thanks!

@ejona86 ejona86 self-requested a review August 6, 2025 21:11
ejona86
ejona86 reviewed Aug 6, 2025
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The shape of what I saw looked good. I didn't pay attention to any of the tests yet. I need to look through the provider plumbing more. But wanted to send the comments I have.

@Zgoda91 Zgoda91 force-pushed the A97_jwt_token_call_creds branch from c781460 to 85495b0 Compare August 11, 2025 12:31
@Zgoda91 Zgoda91 force-pushed the A97_jwt_token_call_creds branch from 85495b0 to 9f97bb5 Compare August 11, 2025 12:36
@Zgoda91
Copy link
Author

Zgoda91 commented Aug 11, 2025

@ejona86 PR ready for second round

@ejona86 ejona86 self-requested a review August 20, 2025 20:01
@Zgoda91
Copy link
Author

Zgoda91 commented Sep 11, 2025

@ejona86 kindly reminder about this forgotten piece :)

ejona86
ejona86 reviewed Sep 23, 2025
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just sending what I have.

We're going to want to make a clone of XdsCredentialsRegistry for CallCreds, because they are two different config namespaces, the gRFC says we'd create a new registry, and there's really no reason to provide both call creds and channel creds. However, I see that XdsCredentialsRegistry.getHardCodedClasses() should be deleted; we should just hard-code an empty list to InternalServiceProviders.loadAll(); none of this will be used on Android.

xds/src/test/java/io/grpc/xds/JwtTokenFileTestUtils.java
public static File createValidJwtToken(long expTime)
throws Exception {
File jwtToken = File.createTempFile(new String("jwt.token"), "");
jwtToken.deleteOnExit();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I mentioned removing the TemporaryFolder usage I was thinking you'd pass in a File (so the caller would be responsible for temporaryFolder.newFile()). deleteOnExit() isn't the worst, but generally a code smell.

xds/src/main/java/io/grpc/xds/JwtTokenFileCallCredentials.java
* limitations under the License.
*/

package io.grpc.xds;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd expect this to be in the same package as JwtTokenFileXdsCredentialsProvider. I'm less concerned with which package, and just that they are co-located.

Things like this directly in io.grpc.xds are ideally package-private. Sometimes we have to make it public, but then we'd take some steps to hide it from the javadoc and mark it as @Internal. There's a few different options. I'm not seeing a need for anything public here (once the package is sorted out).

(I'm not claiming the xds package structure makes sense. io.grpc.xds.client and orca are pretty well separated, but the others are a bit haphazard.)

xds/src/main/java/io/grpc/xds/XdsCredentialsProvider.java
* the call credentials
*
*/
protected abstract CallCredentials newCallCredentials(Map<String, ?> jsonConfig);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very few implementations implement this. Give this a default implementation that returns null?

xds/src/main/java/io/grpc/xds/GrpcBootstrapperImpl.java
}

@Override
protected Object getImplSpecificConfig(Map<String, ?> serverConfig, String serverUri)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need a new method.

protected Object getImplSpecificConfig(Map<String, ?> serverConfig, String serverUri)
      throws XdsInitializationException {
  ChannelCredentials channelCreds = getChannelCredentials(serverConfig, serverUri);
  CallCredentials callCreds = getCallCredentials(serverConfig, serverUri);
  if (callCreds != null) {
    channelCreds = CompositeChannelCredentials.create(channelCreds, callCreds);
  }
  return channelCreds;
}

xds/src/main/java/io/grpc/xds/GrpcXdsTransportFactory.java
.build();
this.callCredentials = callCredentials;

if (callCredentials != null && implSpecificConfig instanceof CompositeChannelCredentials) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need to pull the CallCreds back out. The gRPC Channel is already using them, as they were passed to newChannelBuilder(). Any CallCredentials added later, like in XdsStreamingCall's constructor, will be combined together with the call creds passed to newChannelBuilder().

The callCredentials passed into this method are a bit weird. They could be passed to newChannelBuilder(), but let's just leave them alone.

@ejona86 ejona86 self-requested a review September 23, 2025 23:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ejona86 ejona86 Awaiting requested review from ejona86

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Zgoda91 @ejona86