- Notifications
You must be signed in to change notification settings - Fork69
fix: remove call credentials from call options if DirectPath#3670
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
rockspore commentedMar 1, 2025
@lqiu96 I've verified this would fix the DirectPath case. No idea about the obscure failure in java-firestore yet. Will add tests next week. I think this approach is promising. |
lqiu96 commentedMar 3, 2025
I think this does work for DirectPath. However, doesn't this issue also exist for S2A where both tokens are being passed? Also, this would override any user set CallOption value. |
rockspore commentedMar 3, 2025
I was wondering if we could introduce a similar API as
This is by far the simplest approach and doesn't even need to touch how channels are constructed in any other non-DirectPath case (S2A with bound token will also need to be handled later). And somewhat biased by this, I'm hoping we could be a bit opinionated in the DirectPath case to disregard users' call credentials in the call options, given we clearly document this behavior. Note in my other PR, we are overriding the call option value as well. |
lqiu96 commentedMar 3, 2025
I would like this. I'm not able to easily map a way to determine this since I think it would require actually trying to create the CallCredentials and checking if they could be created. I guess that is a possibility we can also try. I was exploring dynamically setting the call options creds in#3671
I would like to be opinionated on this too. However, can you remind me the behavior if something like SACreds were used instead of UserCreds, would DP would work? Would it be possible to override the calloptions creds using DP?
I'm not against this, though I would like to try and see if we can figure a generic solution to tackle sending creds twice, rather than adding one-off fixes for specific flows. |
rockspore commentedMar 3, 2025
S2A don't generally take the CallCredentials except for the bound token case introduced in#3591, where
Any creds (SA, Users), as long as allowed right now by DirectPath, should work without any problem with this PR. It's just those creds need to be passed into the TransportChannelProvider to be used in the DirectPath channel creation. We don't enable bound tokens if the given creds are not ComputeEngine ones, but we still pass them as is into So basically, we document that DirectPath does not take in any CallCredentials from the ApiCallContext and we should be good. Is this what you were asking about?
In that case, I wonder if you are open to adding a more generic method to |
lqiu96 commentedMar 3, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
I see, so in the case of Mtls (non S2A) and just normal TLS, then the expectation is that CallCredentials should be attached via CallOptions? In that case, I think my assumption that always using ChannelCredentials instead of CallOptions is wrong.
Ok I see, I think I'm on the same page now. In this case only DP and MTLS_S2A would be the cases as you've mentioned above.
Yes I think if we take the opinionated route this what what we should do. The example that I was thinking above was that a user established a DP connection with some SA cred and overrides with a different SA cred via CallOptions (something like what Spanner has:https://github.com/googleapis/java-spanner/blob/7a8a29be40258294cafd13b1df7df5ea349a675d/google-cloud-spanner/src/main/java/com/google/cloud/spanner/spi/v1/GapicSpannerRpc.java#L2037). Is this a behavior that works or would or would it fail/ never worked?
Yeah, this is what the PR above was trying to explore. Adding a new method that determined if the CallCredentials was attached to the channel. When a GAPIC client is initialized, it will try to determine if this was a user set value or set by the client and it will ignore the client set value (but I think I got the logic wrong). |
| if (!isDirectPath)returncallOptions; | ||
| // Remove the CallCredentials attached to the callOptions if it's DirectPath. | ||
| returncallOptions.withCallCredentials(null); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Can this logic reside inside the constructor? I think it would be better for the getter to just return value.
nit: Can the comment be updated to reflect thewhy. Perhaps something like (probably needs better wording):CallCredentials is stripped from CallOptions because CallCredentials are attached to ChannelCredentials in DirectPath flows. Adding it again would duplicate the headers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Done. I also modify the merge logic to respect the isDirectPath of the coming context. Also several cases I take care of here:
- If
withChannelis subsequently called, we attach a CallCreds from the creds back to calloptions and revertisDirectPathto false. - If
withCallOptionsis subsequently called, we strip the CallCreds from it if DirectPath. - If
withCredentialsis subsequently called, we attach its corresponding CallCreds to the calloptions only if non-DirectPath
Please help check if I missed any corner case.
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/GrpcCallContext.javaShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/GrpcCallContext.java OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
lqiu96 commentedMar 4, 2025
I think the last thing is to update the GrpcCallContext's Thoughts on a small blurb like (re-phrase/ update): For certain flows like DirectPath, the channel is already created with a CallCredentials. Passing in an additional CallCredentials here will not override the ChannelCredential's CallCredential and may cause issues as the CallCredentials is duplicated. These flows will attempt to automatically strip the CallOption's CallCreds. |
rmehta19 commentedMar 5, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
(Not specific to this PR, but related to fixing this problem for MTLS_S2A)
I think it may be more than this. In order to set
This is due to the fact that for DirectPath: if youcan use DirectPath then youwill use DirectPath. However, this is not true for S2A, if youcan use S2A, youmay end up using S2A (you could end up using DirectPath since DP supersedes S2A or you could end up falling back to TLS if you fail to create S2A channel creds). I'll try to put together a PR taking this into account. Edit: Actually I see that#3671 did take this into account. Although I am unclear on how we can make sure createSingleChannel gets called before setting IsCallCredentialAttachedToChannel |
rockspore commentedMar 5, 2025
For posterity, we confirmed that [:authority:spanner.googleapis.com, :path: /google.spanner.v1.Spanner/BatchCreateSessions, :method: POST, :scheme: https, content-type: application/grpc, te: trailers, user-agent: spanner-java/6.86.0 grpc-java-netty/1.69.0, ..., grpc-accept-encoding: gzip,authorization: Bearer ya29.****, ..., authorization: Bearer 1234, grpc-timeout: 56962080u] The garbage token in the second authorization header didn't cause the call to fail the authn/z. In general, we shouldn't rely on this gRPC implementation detail since it could in theory change the appending order and break everything. This PR will fix the duplication header issue so we are good. |
| returnnewGrpcCallContext( | ||
| transportChannel.getChannel(), | ||
| credentials, | ||
| transportChannel.isDirectPath() ?callOptions.withCallCredentials(null) :callOptions, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Sorry, I meant can we do this logic/ check inside the private constructor? This should only pass the calloptions.
Constructor contains the:this.callOptions = isDirectPath() ? calloptions.withCallCredentials(null) : callOptions logic
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Ah this makes so much sense! Sorry I don't know what I was thinking. Changed.
lqiu96 commentedMar 5, 2025
/gcbrun |
lqiu96 commentedMar 6, 2025
/gcbrun |
| privatefinalImmutableMap<String,List<String>>extraHeaders; | ||
| privatefinalApiCallContextOptionsoptions; | ||
| privatefinalEndpointContextendpointContext; | ||
| privatefinalbooleanisDirectPath; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks for the info. I thought that referred tocanUseDirectPath() which could be invoked multiple times before and after the credentials was set so might be no accurate, but by the time the ClientContext got this boolean from the channel, it should already be final.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Talked with@surbhigarg92 regarding this to get some more information about the issue. This issue from Spanner's POV is not so much that thecanUseDirectPath value that is client is initialized with and used by the TransportChannel is incorrect, it's that Spanner doesn't have a way to get thecanUseDirectPath value when initializing the client for Otel.
Spanner was usingGrpcSpannerStub.create(StubSettings) and didn't have an easy way to access to TransportChannel's fields (StubSettings only exposesgetTransportChannelProvider(). Spanner could useGrpcSpannerStub.create(ClientContext), but that creates the Stub with a new StubSettings and not the one they manually configured.
For them, the DirectPath transportchannel was always created correctly and the value the client uses is correct. They used this workaround to be able to access the field for their use case.
I think their issue is a valid concern, but is different from this.
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/GrpcCallContext.java OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/GrpcCallContext.java OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
| retrySettings, | ||
| retryableCodes, | ||
| endpointContext); | ||
| endpointContext, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Its unfortunate that we have to change all the places that use the constructor. Ideally, if we had a builder forGrpcCallContext, the code here would be simplified tothis.toBuilder().setEndpointContext(endpointContext).build(), and we don't have to change the code here at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Agreed. But I'd prefer to leave the refactoring with a builder out of this PR since it would look cleaner. I can open an issue for it. Let me know what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
SG. Yes please create a separate issue and we can put it in our backlog.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks. Created#3681
blakeli0 commentedMar 7, 2025
/gcbrun |
rockspore commentedMar 8, 2025
Thanks for all the reviews. No rush but just in case, please help merge it when you see fit since I don't have the permission. |
5ede29c intogoogleapis:mainUh oh!
There was an error while loading.Please reload this page.
🤖 I have created a release *beep* *boop*---<details><summary>2.55.0</summary>##[2.55.0](v2.54.0...v2.55.0)(2025-03-12)### Features* generate showcase using docker image([#3568](#3568))([3857e3f](3857e3f))* next release from main branch is 2.55.0([#3668](#3668))([1eda55f](1eda55f))### Bug Fixes* remove call credentials from call options if DirectPath([#3670](#3670))([5ede29c](5ede29c))### Dependencies* update arrow.version to v18.2.0([#3675](#3675))([5a555e5](5a555e5))</details>---This PR was generated with [ReleasePlease](https://github.com/googleapis/release-please). See[documentation](https://github.com/googleapis/release-please#release-please).Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
| Package | Type | Package file | Manager | Update | Change ||---|---|---|---|---|---|| org.flywaydb.flyway | plugin | misk/gradle/libs.versions.toml | gradle| minor | `11.7.1` -> `11.8.0` || [app.cash.tempest:tempest-bom](https://github.com/cashapp/tempest) |dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2025.03.17.133301-6c83654` -> `2025.05.02.195945-d393c44` ||[com.mysql:mysql-connector-j](http://dev.mysql.com/doc/connector-j/en/)([source](https://github.com/mysql/mysql-connector-j)) | dependencies |misk/gradle/libs.versions.toml | gradle | minor | `8.3.0` -> `8.4.0` || [com.google.guava:guava-bom](https://github.com/google/guava)([source](http://svn.sonatype.org/spice/trunk/oss/oss-parent-9)) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`33.4.0-jre` -> `33.4.8-jre` ||[com.google.api.grpc:proto-google-common-protos](https://github.com/googleapis/sdk-platform-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2.54.1` -> `2.55.3` ||[com.google.cloud:google-cloud-core-http](https://github.com/googleapis/sdk-platform-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2.53.1` -> `2.54.3` ||[com.google.apis:google-api-services-storage](http://nexus.sonatype.org/oss-repository-hosting.html)([source](http://svn.sonatype.org/spice/tags/oss-parent-7)) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`v1-rev20250312-2.0.0` -> `v1-rev20250424-2.0.0` ||[com.google.cloud:google-cloud-spanner](https://github.com/googleapis/java-spanner)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`6.90.0` -> `6.92.0` ||[com.google.cloud:google-cloud-logging](https://github.com/googleapis/java-logging)| dependencies | misk/gradle/libs.versions.toml | gradle | patch |`3.22.0` -> `3.22.2` ||[com.google.apis:google-api-services-cloudkms](http://nexus.sonatype.org/oss-repository-hosting.html)([source](http://svn.sonatype.org/spice/tags/oss-parent-7)) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`v1-rev20250227-2.0.0` -> `v1-rev20250414-2.0.0` ||[com.google.cloud:google-cloud-datastore](https://github.com/googleapis/java-datastore)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2.27.1` -> `2.28.0` ||[com.google.cloud:google-cloud-core](https://github.com/googleapis/sdk-platform-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2.53.1` -> `2.54.3` || [com.google.api:gax](https://github.com/googleapis/sdk-platform-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2.63.1` -> `2.64.3` ||[com.google.errorprone:error_prone_annotations](https://errorprone.info)([source](https://github.com/google/error-prone)) | dependencies |misk/gradle/libs.versions.toml | gradle | minor | `2.37.0` -> `2.38.0` ||[com.google.protobuf:protoc](https://developers.google.com/protocol-buffers/)([source](https://github.com/protocolbuffers/protobuf)) | dependencies |misk/gradle/libs.versions.toml | gradle | patch | `3.25.6` -> `3.25.7` ||[com.google.protobuf:protobuf-java](https://developers.google.com/protocol-buffers/)([source](https://github.com/protocolbuffers/protobuf)) | dependencies |misk/gradle/libs.versions.toml | gradle | patch | `3.25.6` -> `3.25.7` ||[com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`2.18.3` -> `2.19.0` ||[com.google.http-client:google-http-client-jackson2](https://github.com/googleapis/google-http-java-client)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`1.46.3` -> `1.47.0` ||[com.google.http-client:google-http-client](https://github.com/googleapis/google-http-java-client)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`1.46.3` -> `1.47.0` ||[com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`1.33.1` -> `1.34.0` ||[com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`1.33.1` -> `1.34.0` ||[com.github.docker-java:docker-java-transport-httpclient5](https://github.com/docker-java/docker-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`3.4.2` -> `3.5.0` ||[com.github.docker-java:docker-java-transport](https://github.com/docker-java/docker-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`3.4.2` -> `3.5.0` ||[com.github.docker-java:docker-java-core](https://github.com/docker-java/docker-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`3.4.2` -> `3.5.0` ||[com.github.docker-java:docker-java-api](https://github.com/docker-java/docker-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`3.4.2` -> `3.5.0` ||[com.github.docker-java:docker-java](https://github.com/docker-java/docker-java)| dependencies | misk/gradle/libs.versions.toml | gradle | minor |`3.4.2` -> `3.5.0` ||[com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin)| plugin | misk/gradle/libs.versions.toml | gradle | minor | `2.16.0` ->`2.17.0` || [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java)| dependencies | misk/gradle/libs.versions.toml | gradle | patch |`1.48.1` -> `1.48.2` || [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java)| dependencies | misk/gradle/libs.versions.toml | gradle | patch |`1.48.1` -> `1.48.2` || [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.34` || [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.34` ||[software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava)| dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.34` || [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.34` || [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.35` || [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.35` || [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) |dependencies | misk/gradle/libs.versions.toml | gradle | patch |`2.31.22` -> `2.31.35` || [com.amazonaws:aws-java-sdk-sqs](https://aws.amazon.com/sdkforjava)([source](https://github.com/aws/aws-sdk-java)) | dependencies |misk/gradle/libs.versions.toml | gradle | patch | `1.12.782` ->`1.12.783` || [com.amazonaws:aws-java-sdk-s3](https://aws.amazon.com/sdkforjava)([source](https://github.com/aws/aws-sdk-java)) | dependencies |misk/gradle/libs.versions.toml | gradle | patch | `1.12.782` ->`1.12.783` ||[com.amazonaws:aws-java-sdk-dynamodb](https://aws.amazon.com/sdkforjava)([source](https://github.com/aws/aws-sdk-java)) | dependencies |misk/gradle/libs.versions.toml | gradle | patch | `1.12.782` ->`1.12.783` || [com.amazonaws:aws-java-sdk-core](https://aws.amazon.com/sdkforjava)([source](https://github.com/aws/aws-sdk-java)) | dependencies |misk/gradle/libs.versions.toml | gradle | patch | `1.12.782` ->`1.12.783` |---### Release Notes<details><summary>mysql/mysql-connector-j (com.mysql:mysql-connector-j)</summary>###[`v8.4.0`](mysql/mysql-connector-j@8.3.0...8.4.0)[CompareSource](mysql/mysql-connector-j@8.3.0...8.4.0)</details><details><summary>googleapis/sdk-platform-java(com.google.api.grpc:proto-google-common-protos)</summary>###[`v2.55.1`](https://github.com/googleapis/sdk-platform-java/blob/HEAD/CHANGELOG.md#2551-2025-03-12)##### Dependencies- revert "deps: update arrow.version to v18.2.0"([#​3694](googleapis/sdk-platform-java#3694))([2725744](googleapis/sdk-platform-java@2725744))###[`v2.55.0`](https://github.com/googleapis/sdk-platform-java/blob/HEAD/CHANGELOG.md#2550-2025-03-12)##### Features- generate showcase using docker image([#​3568](googleapis/sdk-platform-java#3568))([3857e3f](googleapis/sdk-platform-java@3857e3f))- next release from main branch is 2.55.0([#​3668](googleapis/sdk-platform-java#3668))([1eda55f](googleapis/sdk-platform-java@1eda55f))##### Bug Fixes- remove call credentials from call options if DirectPath([#​3670](googleapis/sdk-platform-java#3670))([5ede29c](googleapis/sdk-platform-java@5ede29c))##### Dependencies- update arrow.version to v18.2.0([#​3675](googleapis/sdk-platform-java#3675))([5a555e5](googleapis/sdk-platform-java@5a555e5))</details><details><summary>googleapis/java-spanner(com.google.cloud:google-cloud-spanner)</summary>###[`v6.92.0`](https://github.com/googleapis/java-spanner/blob/HEAD/CHANGELOG.md#6920-2025-04-29)##### Features- \[Internal] client-side metrics for afe latency and connectivity error([#​3819](googleapis/java-spanner#3819))([a8dba0a](googleapis/java-spanner@a8dba0a))- Support begin with AbortedException for manager interface([#​3835](googleapis/java-spanner#3835))([5783116](googleapis/java-spanner@5783116))##### Bug Fixes- **deps:** Update the Java code generator (gapic-generator-java) to2.56.2([11bfd90](googleapis/java-spanner@11bfd90))##### Dependencies- Update dependency com.google.cloud:sdk-platform-java-config to v3.46.2([#​3836](googleapis/java-spanner#3836))([2ee7f97](googleapis/java-spanner@2ee7f97))###[`v6.91.1`](https://github.com/googleapis/java-spanner/blob/HEAD/CHANGELOG.md#6911-2025-04-21)##### Bug Fixes- SkipHint in the internal parser skipped too much([#​3827](googleapis/java-spanner#3827))([fbf7b4c](googleapis/java-spanner@fbf7b4c))###[`v6.91.0`](https://github.com/googleapis/java-spanner/blob/HEAD/CHANGELOG.md#6910-2025-04-17)##### Features- \[Internal] open telemetry built in metrics for GRPC([#​3709](googleapis/java-spanner#3709))([cd76c73](googleapis/java-spanner@cd76c73))- Add java sample for the pre-splitting feature([#​3713](googleapis/java-spanner#3713))([e97b92e](googleapis/java-spanner@e97b92e))- Add TransactionMutationLimitExceededException as cause toSpannerBatchUpdateException([#​3723](googleapis/java-spanner#3723))([4cf5261](googleapis/java-spanner@4cf5261))- Built in metrics for afe latency and connectivity error([#​3724](googleapis/java-spanner#3724))([e13a2f9](googleapis/java-spanner@e13a2f9))- Support unnamed parameters([#​3820](googleapis/java-spanner#3820))([1afd815](googleapis/java-spanner@1afd815))##### Bug Fixes- Add default implementations for Interval methods inAbstractStructReader([#​3722](googleapis/java-spanner#3722))([97f4544](googleapis/java-spanner@97f4544))- Set transaction isolation level had no effect([#​3718](googleapis/java-spanner#3718))([b382999](googleapis/java-spanner@b382999))##### Performance Improvements- Cache the key used for OTEL traces and metrics([#​3814](googleapis/java-spanner#3814))([c5a2045](googleapis/java-spanner@c5a2045))- Optimize parsing in Connection API([#​3800](googleapis/java-spanner#3800))([a2780ed](googleapis/java-spanner@a2780ed))- Qualify statements without removing comments([#​3810](googleapis/java-spanner#3810))([d358cb9](googleapis/java-spanner@d358cb9))- Remove all calls to getSqlWithoutComments([#​3822](googleapis/java-spanner#3822))([0e1e14c](googleapis/java-spanner@0e1e14c))</details><details><summary>googleapis/java-logging(com.google.cloud:google-cloud-logging)</summary>###[`v3.22.2`](https://github.com/googleapis/java-logging/blob/HEAD/CHANGELOG.md#3222-2025-04-25)##### Dependencies- Update dependency com.google.cloud:sdk-platform-java-config to v3.46.2([#​1796](googleapis/java-logging#1796))([1f88271](googleapis/java-logging@1f88271))###[`v3.22.1`](https://github.com/googleapis/java-logging/blob/HEAD/CHANGELOG.md#3221-2025-04-25)##### Bug Fixes- **deps:** Update the Java code generator (gapic-generator-java) to2.56.2([7cce5b5](googleapis/java-logging@7cce5b5))</details><details><summary>googleapis/java-datastore(com.google.cloud:google-cloud-datastore)</summary>###[`v2.28.0`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2280-2025-04-29)##### Features- Java datastore gapic upgrade([#​1824](googleapis/java-datastore#1824))([a296d43](googleapis/java-datastore@a296d43))###[`v2.27.2`](https://github.com/googleapis/java-datastore/blob/HEAD/CHANGELOG.md#2272-2025-04-25)##### Bug Fixes- **deps:** Update the Java code generator (gapic-generator-java) to2.56.2([1210f32](googleapis/java-datastore@1210f32))##### Dependencies- Update dependency com.google.cloud:sdk-platform-java-config to v3.46.2([#​1823](googleapis/java-datastore#1823))([4d2026c](googleapis/java-datastore@4d2026c))</details><details><summary>google/error-prone(com.google.errorprone:error_prone_annotations)</summary>###[`v2.38.0`](https://github.com/google/error-prone/releases/tag/v2.38.0):Error Prone 2.38.0New checks:-[`AddNullMarkedToPackageInfo`](https://errorprone.info/bugpattern/AddNullMarkedToPackageInfo):adds[`@org.jspecify.annotations.NullMarked`](https://jspecify.dev/docs/api/org/jspecify/annotations/NullMarked.html)annotation to package-info files- [`IntLiteralCast`](https://errorprone.info/bugpattern/IntLiteralCast):Suggests a literal of the desired type instead of casting an int literalto a long, float, or double-[`MisleadingEmptyVarargs`](https://errorprone.info/bugpattern/MisleadingEmptyVarargs):Discourages calling varargs methods that expect at least one argumentwith no arguments, like Mockito's `thenThrow`-[`PreconditionsExpensiveString`](https://errorprone.info/bugpattern/PreconditionsExpensiveString):Discourages expensive string formatting in Guava `Preconditions` checks- [`SelfSet`](https://errorprone.info/bugpattern/SelfSet): Detectsmistakes like `proto.setFoo(proto.getFoo())`-[`UnnecessaryCopy`](https://errorprone.info/bugpattern/UnnecessaryCopy):detect unnecessary copies of proto Lists and Maps.Closed issues:[#​4924](google/error-prone#4924),[#​4897](google/error-prone#4897),[#​4995](google/error-prone#4995)Full changelog:google/error-prone@v2.37.0...v2.38.0</details><details><summary>googleapis/google-http-java-client(com.google.http-client:google-http-client-jackson2)</summary>###[`v1.47.0`](https://github.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#1470-2025-04-28)##### Features- Next release from main branch is 1.47.0([#​2087](googleapis/google-http-java-client#2087))([f89cc4c](googleapis/google-http-java-client@f89cc4c))##### Bug Fixes- Encode + sign in url with %2B([#​2094](googleapis/google-http-java-client#2094))([1f8aca7](googleapis/google-http-java-client@1f8aca7))##### Dependencies- Update github/codeql-action action to v3.28.16([#​2057](googleapis/google-http-java-client#2057))([4fc3e3a](googleapis/google-http-java-client@4fc3e3a))</details><details><summary>googleapis/google-auth-library-java(com.google.auth:google-auth-library-oauth2-http)</summary>###[`v1.34.0`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1340-2025-04-29)##### Features- Implement X509 certificate provider([#​1722](googleapis/google-auth-library-java#1722))([4340684](googleapis/google-auth-library-java@4340684))- Next release from main branch is 1.34.0([#​1698](googleapis/google-auth-library-java#1698))([fe43815](googleapis/google-auth-library-java@fe43815))- Next release from main branch is 1.34.0([#​1702](googleapis/google-auth-library-java#1702))([4507cf9](googleapis/google-auth-library-java@4507cf9))##### Bug Fixes- Do not add padding in Client-Side CAB tokens.([#​1728](googleapis/google-auth-library-java#1728))([8a75ccd](googleapis/google-auth-library-java@8a75ccd))</details><details><summary>docker-java/docker-java(com.github.docker-java:docker-java-transport-httpclient5)</summary>###[`v3.5.0`](https://github.com/docker-java/docker-java/releases/tag/3.5.0)[CompareSource](docker-java/docker-java@3.4.2...3.5.0)##### Breaking changes- Fix InspectContainerResponse data types to be able to hold an int64[@​eddumelendez](https://github.com/eddumelendez)([#​2392](docker-java/docker-java#2392))- Add some missed options to UpdateContainerCmd[@​MillQK](https://github.com/MillQK)([#​2389](docker-java/docker-java#2389))##### 📈 Enhancements- Add setters for security options and runtimes[@​LarsSven](https://github.com/LarsSven)([#​2384](docker-java/docker-java#2384))##### 🐛 Bug Fixes- Fix possible CME while replacing properties[@​eddumelendez](https://github.com/eddumelendez)([#​2416](docker-java/docker-java#2416))##### Dependencies- Bump com.google.guava:guava from 19.0 to 33.4.6-jre[@​artragis](https://github.com/artragis)([#​2300](docker-java/docker-java#2300))- Bump org.awaitility:awaitility from 4.0.1 to 4.3.0[@​dependabot](https://github.com/dependabot)([#​2408](docker-java/docker-java#2408))- Bump org.immutables:value from 2.8.2 to 2.10.1[@​dependabot](https://github.com/dependabot)([#​2220](docker-java/docker-java#2220))- Bump org.apache.commons:commons-compress from 1.21 to 1.27.1[@​dependabot](https://github.com/dependabot)([#​2256](docker-java/docker-java#2256))- Bump org.projectlombok:lombok from 1.18.22 to 1.18.38[@​dependabot](https://github.com/dependabot)([#​2210](docker-java/docker-java#2210))- Bump com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider from2.10.3 to 2.18.3 [@​dependabot](https://github.com/dependabot)([#​2281](docker-java/docker-java#2281))- Bump jackson.version from 2.8.8 to 2.18.3[@​dependabot](https://github.com/dependabot)([#​2283](docker-java/docker-java#2283))- Bump netty.version from 4.1.46.Final to 4.1.119.Final[@​dependabot](https://github.com/dependabot)([#​2302](docker-java/docker-java#2302))- Bump org.bouncycastle:bcpkix-jdk18on from 1.76 to 1.80[@​dependabot](https://github.com/dependabot)([#​2254](docker-java/docker-java#2254))- Bump commons-io:commons-io from 2.13.0 to 2.18.0[@​dependabot](https://github.com/dependabot)([#​2263](docker-java/docker-java#2263))- Bump net.java.dev.jna:jna from 5.13.0 to 5.17.0[@​dependabot](https://github.com/dependabot)([#​2273](docker-java/docker-java#2273))- Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.17.0[@​dependabot](https://github.com/dependabot)([#​2259](docker-java/docker-java#2259))- Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.18.2 to0.23.1 [@​dependabot](https://github.com/dependabot)([#​2238](docker-java/docker-java#2238))- Bump org.junit.jupiter:junit-jupiter from 5.10.0 to 5.12.1[@​dependabot](https://github.com/dependabot)([#​2241](docker-java/docker-java#2241))- Bump junixsocket.version from 2.6.1 to 2.10.1[@​dependabot](https://github.com/dependabot)([#​2249](docker-java/docker-java#2249))- Bump org.apache.httpcomponents.client5:httpclient5 from 5.4.2 to 5.4.3[@​dependabot](https://github.com/dependabot)([#​2272](docker-java/docker-java#2272))- Bump org.assertj:assertj-core from 3.24.2 to 3.27.3[@​dependabot](https://github.com/dependabot)([#​2291](docker-java/docker-java#2291))- Upgrade Apache HttpClient to version 5.4[@​ok2c](https://github.com/ok2c)([#​2364](docker-java/docker-java#2364))</details><details><summary>autonomousapps/dependency-analysis-android-gradle-plugin(com.autonomousapps.dependency-analysis)</summary>###[`v2.17.0`](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin/blob/HEAD/CHANGELOG.md#Version-2170)- \[Fix]: duplicate class warning doesn't warn about multipledependencies with same GAV.- \[Fix]: ensure all capabilities are internally sorted; alsosynthesized dependencies.- \[Fix]: ensure all dependencies are internally sorted.- \[Fix]: ensure output of GraphViewTask is fully sorted (thereforedeterministic).- \[Fix]: intermediate android res classes must have meaningfulhashCode() functions.- \[Fix]: improve sorting of various build outputs to ensuredeterminism.</details><details><summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>###[`v1.48.2`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.48.2):1.48.2##### Components##### Profiling- 🐛 Bump ddprof-java to 1.24.0([#​8717](DataDog/dd-trace-java#8717) -[@​jbachorik](https://github.com/jbachorik))- Add diagnostic counters for some failed unwinds by[@​jbachorik](https://github.com/jbachorik) inDataDog/java-profiler#202- Add profiler counters for time spent in stack unwinding by[@​bric3](https://github.com/bric3) inDataDog/java-profiler#195- Increase number of reserved frames (cherry-pick[`6c0aff4`](DataDog/dd-trace-java@6c0aff4)) by[@​MattAlp](https://github.com/MattAlp) inDataDog/java-profiler#206- Dwarf and JVMFlag related downports by[@​jbachorik](https://github.com/jbachorik) inDataDog/java-profiler#204##### Tracer core- 🐛 Turn off JDK socket support by default([#​8716](DataDog/dd-trace-java#8716) -[@​mcculls](https://github.com/mcculls))##### Instrumentations##### Akka instrumentation- 🐛 Handle reentrant scope cleanup in Akka/Pekko actorinstrumentations([#​8723](DataDog/dd-trace-java#8723) -[@​mcculls](https://github.com/mcculls))</details><details><summary>aws/aws-sdk-java (com.amazonaws:aws-java-sdk-sqs)</summary>###[`v1.12.783`](https://github.com/aws/aws-sdk-java/blob/HEAD/CHANGELOG.md#112783-2025-04-29)[CompareSource](aws/aws-sdk-java@1.12.782...1.12.783)#### **Amazon S3**- ### Features - Abort multipart download if object is modified during download.</details>---### Configuration📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2amevery weekday" in timezone Australia/Melbourne, Automerge - At any time(no schedule defined).🚦 **Automerge**: Enabled.♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.👻 **Immortal**: This PR will be recreated if closed unmerged. Get[config help](https://github.com/renovatebot/renovate/discussions) ifthat's undesired.---- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, checkthis box---This PR has been generated by [RenovateBot](https://github.com/renovatebot/renovate).GitOrigin-RevId: 91d7374bcdee536ba58a6cd5ea2b1710688db2c0
Uh oh!
There was an error while loading.Please reload this page.
This PR eliminates the issue where call credentials get attached twice to a RPC in DirectPath cases. Particularly, when user credentials get used, the problem causes the RPC to fail due to the duplication of the quota project ID (internal-only context:b/364288002).
The approach is to strip the credentials in the callOptions returned by the
GrpcCallContextif theTransportChannelis DirectPath. The side effect is that users won't be able to configure call credentials via theApiCallContextif DirectPath is used.We think this is acceptable because:
TransportChannelProvider.withCredentials(). At a higher level, this is done by configuring theCredentialsProviderin theStubSettingsor theServiceOptions.Tested DirectPath using Spanner
Headers sent
Bearer token is sent twice (first
ya29.***value is valid and second1234is invalid). The second one was attached by customizing the ApiCallContext to send an invalid CallCredentials as part of the CallOptions. The call still succeeded as the first Bearer token in the Metadata is used.