binder: Let servers load their SecurityPolicy asynchronously #12874
Open
jdcormie wants to merge 1 commit into
Android IPC servers can't defer "listening" while some slow or async initialization process completes. Instead, Android *tells* a server to initialize itself just-in-time for the first client connection. And this instruction arrives as a callback to Service#onCreate() then Service#onBind() on the app's main thread, where blocking to load a security policy would risk an "Application Not Responding" (ANR) error.
@groakley I can't seem to assign this to you but as creator of the existing composite security policies could you please review?
groakley reviewed Jun 30, 2026
| */ | ||
| @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8022") | ||
| public static AsyncSecurityPolicy fromFuture( | ||
| final ListenableFuture<? extends AsyncSecurityPolicy> futurePolicy) { |
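Review bot: `fromFuture` takes an already-created `ListenableFuture<? extends AsyncSecurityPolicy>`, so the returned policy inherits whatever terminal state that future reaches. The Javadoc should state what an authorization check returns when `futurePolicy` fails or is cancelled, and that result should be a non-OK status so the server denies rather than allows; a unit test with a failed future would pin that down.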
Our team normally writes this kind of API to accept an AsyncCallable rather than a ListenableFuture for a few reasons:
- Defers work as long as possible. With the current signature, creating the SecurityPolicy still requires you to kick off work, even if you don't block on it. With AsyncCallable, starting that work is deferred until checkAuthorizationAsync is called. (If you are intentionally pre-warming, it's still possible to get that behavior with the AsyncCallable signature.)
- If the work represented by the ListenableFuture can fail transiently, it will be retried the next time checkAuthorizationAsync is called and may have a chance to succeed.
- If the work represented by the ListenableFuture can be cancelled externally, this policy gets "stuck" forever in the cancelled state.

Drawbacks:
- If you want to avoid duplicate work, you will need the AsyncCallable you pass in to do that deduplication. There is a utility class for this.
| * @param futurePolicy The future that will resolve to the delegate security policy. | ||
| */ | ||
| @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8022") | ||
| public static AsyncSecurityPolicy fromFuture( |
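Review bot: The `@param futurePolicy` line says only that the future "will resolve to the delegate security policy" and does not say what a check does while the future is still pending. Extend the Javadoc to state that checks made before resolution wait on the future without blocking the calling thread, and to name the thread or executor on which the delegate's check then runs.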
Futures.transform (and similar methods) that don't take an explicit executor are disallowed in google3. I assume Guava would have done the same in open source if that had been at all viable to change after-the-fact in external. I'd rather not introduce new methods that use an implicit directExecutor() for the same reasons. I'd prefer to just have the other method signature that takes an Executor.
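A sketch of the shape the two review comments above ask for: a policy built from an AsyncCallable and an explicit Executor. This is an added example, not code from this PR or from grpc-java; `DeferredPolicies` and `fromAsyncCallable` are hypothetical names, and the choice of `Status.UNAVAILABLE` for a failed load is an assumption.

```java
import com.google.common.util.concurrent.AsyncCallable;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import io.grpc.Status;
import io.grpc.binder.AsyncSecurityPolicy;
import java.util.concurrent.Executor;

/** Hypothetical helper for illustration only. */
final class DeferredPolicies {
  private DeferredPolicies() {}

  /**
   * Returns a policy that asks {@code loader} for the delegate on every check.
   *
   * <p>No work starts until the first check, and a load that failed is attempted
   * again by the next check rather than being remembered. Caching and
   * deduplication of the load are the loader's responsibility.
   */
  static AsyncSecurityPolicy fromAsyncCallable(
      final AsyncCallable<AsyncSecurityPolicy> loader, final Executor executor) {
    return new AsyncSecurityPolicy() {
      @Override
      public ListenableFuture<Status> checkAuthorizationAsync(final int uid) {
        // Start (or rejoin, if the loader deduplicates) the load on the given
        // executor, so nothing here blocks the thread that called onBind().
        ListenableFuture<AsyncSecurityPolicy> delegate =
            Futures.submitAsync(loader, executor);

        // Once the delegate is available, forward the check to it.
        ListenableFuture<Status> decision =
            Futures.transformAsync(
                delegate, policy -> policy.checkAuthorizationAsync(uid), executor);

        // Fail closed: a load or check that throws becomes a non-OK Status,
        // never an implicit allow.
        return Futures.catching(
            decision,
            Exception.class,
            e -> Status.UNAVAILABLE
                .withDescription("security policy could not be loaded")
                .withCause(e),
            executor);
      }
    };
  }
}
```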
Android IPC servers can't defer "listening" while some slow or async initialization process completes. Instead, Android tells a server to initialize itself just-in-time for the first client connection. And this instruction arrives as a callback to Service#onCreate() then Service#onBind() on the app's main thread, where blocking to load a security policy would risk an "Application Not Responding" (ANR) error.
For demonstration of need see CL/918859271.