fix: DirectPath non-default SA requires creds (#2281)

mohanli-ml · web-flow · commit c7d614acd9be · 2024-01-08T19:56:16.000Z
Spanner tries to set the `allowNonDefaultServiceAccount` option in its client library, which makes some tests fail. In these tests, client and server are running on the same machine, and no credentials are provided. DirectPath is not supposed to be tested by these tests, so we add a requirement that if the client wants to use non-default service account for DirectPath, the credential associated with the service account must be provided.
diff --git a/gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java b/gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
@@ -282,7 +282,7 @@ private void logDirectPathMisconfig() {
                 + " attemptDirectPathXds option.");
       } else {
         // Case 2: credential is not correctly set
-        if (!isNonDefaultServiceAccountAllowed()) {
+        if (!isCredentialDirectPathCompatible()) {
           LOG.log(
               Level.WARNING,
               "DirectPath is misconfigured. Please make sure the credential is an instance of "
@@ -303,7 +303,12 @@ private void logDirectPathMisconfig() {
     }
   }
 
-  private boolean isNonDefaultServiceAccountAllowed() {
+  @VisibleForTesting
+  boolean isCredentialDirectPathCompatible() {
+    // DirectPath requires a call credential during gRPC channel construction.
+    if (needsCredentials()) {
+      return false;
+    }
     if (allowNonDefaultServiceAccount != null && allowNonDefaultServiceAccount) {
       return true;
     }
@@ -365,7 +370,7 @@ private ManagedChannel createSingleChannel() throws IOException {
     // Check DirectPath traffic.
     boolean useDirectPathXds = false;
     if (isDirectPathEnabled()
-        && isNonDefaultServiceAccountAllowed()
+        && isCredentialDirectPathCompatible()
         && isOnComputeEngine()
         && canUseDirectPathWithUniverseDomain()) {
       CallCredentials callCreds = MoreCallCredentials.from(credentials);
diff --git a/gax-java/gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java b/gax-java/gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java
@@ -284,6 +284,14 @@ public void testDirectPathXdsDisableByDefault() throws IOException {
     assertThat(provider.isDirectPathXdsEnabled()).isFalse();
   }
 
+  @Test
+  public void testDirectPathDisallowNullCredentials() throws IOException {
+    InstantiatingGrpcChannelProvider provider =
+        InstantiatingGrpcChannelProvider.newBuilder().build();
+
+    assertThat(provider.isCredentialDirectPathCompatible()).isFalse();
+  }
+
   @Test
   public void testDirectPathXdsEnabled() throws IOException {
     InstantiatingGrpcChannelProvider provider =
