feat(auth): Add blocking Regional Access Boundary Lookup and Seed Support #16720
macastelaz wants to merge 12 commits into googleapis:main from
Code Review
This pull request renames the "Trust Boundary" feature to "Regional Access Boundary" (RAB) and introduces a centralized management system for it. Key changes include the implementation of _RegionalAccessBoundaryManager for thread-safe state handling and background refreshes, and the update of multiple credential types to support this new mechanism. The with_trust_boundary method is deprecated in favor of with_regional_access_boundary. Review feedback recommends updating a type hint in the utility module to correctly reflect the expected data types and removing redundant error logging in the base credentials class to reduce log noise.
| if not url: | ||
| raise exceptions.InvalidValue("Failed to build trust boundary lookup URL.") | ||
| _LOGGER.error("Failed to build Regional Access Boundary lookup URL.") | ||
| return None |
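Review bot: in the `if not url:` branch, replacing `raise exceptions.InvalidValue(...)` with `return None` turns a hard failure into a soft one, so every caller must now check for `None` instead of relying on an exception to stop the flow. State in the docstring what a `None` return means, and confirm each caller treats it as "no boundary data available" rather than as a valid result, so that a failed lookup is not mistaken for an unrestricted boundary.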
This error log is redundant. All implementations of _build_regional_access_boundary_lookup_url() that can fail and return None already log a more specific error message. This generic log entry adds noise to the logs.
To avoid duplicate logging, please remove this _LOGGER.error call.
| if not url: | |
| raise exceptions.InvalidValue("Failed to build trust boundary lookup URL.") | |
| _LOGGER.error("Failed to build Regional Access Boundary lookup URL.") | |
| return None | |
| if not url: | |
| return None |
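Review bot: with the `_LOGGER.error` line dropped, `if not url: return None` leaves this failure visible only if every `_build_regional_access_boundary_lookup_url()` implementation logs before returning `None`, which these lines do not enforce. Add a comment above the branch stating that requirement, or keep a debug-level message here, so that a future override returning `None` quietly does not make the lookup fail without any trace.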
References
- Remove duplicate lines of code, especially duplicate assertions in tests, to keep the codebase clean and avoid redundancy.
0785de5 to
23ad64b
Compare
…undary implementation
Renamed 'with_regional_access_boundary' to '_with_regional_access_boundary' to indicate internal use.
Update the comment block of "_with_regional_access_boundary" to inform future maintainers of the necessity to maintain a backwards compatible contract of this method.
7686ffb to
78bd7e6
Compare
8c0bcee to
81a2d2c
Compare
03803f7 to
87880a6
Compare
4bd1c9c to
1872dd1
Compare
In order for the gcloud CLI to support Regional Access Boundary, the Python auth SDK needs to support blocking lookups as well as allowing an initial seed RAB to be provided (gcloud will set this seed if the CLI has a locally cached valid RAB available).
Additional details can be found at go/rab-python-gcloud-one-pager