Skip to content

feat: Skip RAB lookup in case of non-email response from MDS.#13331

Open
vverman wants to merge 4 commits into
googleapis:regional-access-boundariesfrom
vverman:skip-rab-lookup-non-email-from-mds
Open

feat: Skip RAB lookup in case of non-email response from MDS.#13331
vverman wants to merge 4 commits into
googleapis:regional-access-boundariesfrom
vverman:skip-rab-lookup-non-email-from-mds

Conversation

@vverman
Copy link
Copy Markdown
Contributor

@vverman vverman commented Jun 2, 2026

In ComputeEngineCredentials when running on GKE platform, the getAccount() call may return a value which isn't an email.

In this case the right behaviour is to skip RAB lookup which is what this PR does.

Added tests.

@vverman vverman marked this pull request as ready for review June 2, 2026 01:10
@vverman vverman requested review from a team as code owners June 2, 2026 01:10
@vverman vverman requested review from lqiu96 and nbayati June 2, 2026 01:10
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates ComputeEngineCredentials to return null for the Regional Access Boundary (RAB) URL if the service account is null or does not contain '@', which can happen with default service accounts in GKE environments. It also updates RegionalAccessBoundaryManager to handle a null URL gracefully, and adds a unit test to verify this behavior. There are no review comments, so I have no feedback to provide.

lqiu96
lqiu96 reviewed Jun 3, 2026
View reviewed changes
Comment thread ...auth-library-java/oauth2_http/java/com/google/auth/oauth2/RegionalAccessBoundaryManager.java
Comment on lines +199 to +202
if (url == null) {
future.set(null);
return;
}
Copy link
Copy Markdown
Member

@lqiu96 lqiu96 Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

qq, can you remind me again why we need to do future.set(null);?

Copy link
Copy Markdown
Contributor Author

@vverman vverman Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was using a SettableFuture as a gate to deduplicate RAB refreshes which let's us set the future to indicate to dependent threads as to the result of the refresh.

However, I realized the same can be done with AtomicBoolean which is more easier to maintain. Hence updated the logic.

@vverman vverman requested a review from lqiu96 June 3, 2026 22:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nbayati nbayati Awaiting requested review from nbayati

@lqiu96 lqiu96 Awaiting requested review from lqiu96

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vverman @lqiu96