Skip to content

chore(auth): Porting the changes from the old RAB PR #13559#13713

Open
vverman wants to merge 8 commits into
googleapis:new-regional-access-boundaries-july2026from
vverman:regional-access-boundaries-main-merge
Open

chore(auth): Porting the changes from the old RAB PR #13559#13713
vverman wants to merge 8 commits into
googleapis:new-regional-access-boundaries-july2026from
vverman:regional-access-boundaries-main-merge

Conversation

@vverman

@vverman vverman commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

No description provided.

vverman added 6 commits June 16, 2026 16:19
…gleapis#12867)

1. The RAB refresh uses a direct executor with a fixed thread pool as
opposed to instantiating a new thread each time.

2. The RAB env gate -> GOOGLE_AUTH_TRUST_BOUNDARY_ENABLE_EXPERIMENT has
been removed. This means RAB refresh triggers by default.

3. Added other fixes/suggestions made in the previous Java
[PR](googleapis/google-auth-library-java#1880).
…oogleapis#13331)

In ComputeEngineCredentials when running on GKE platform, the
getAccount() call may return a value which isn't an email.

In this case the right behaviour is to skip RAB lookup which is what
this PR does.

Added tests.
@vverman vverman changed the title Porting the changes from the old RAB PR #13559 chore(auth): Porting the changes from the old RAB PR #13559 Jul 8, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a Regional Access Boundary (RAB) mechanism to the Google Auth Library, allowing credentials to fetch and include 'x-allowed-locations' headers in API requests for regional security enforcement. The changes include the addition of a 'RegionalAccessBoundaryManager' for caching and asynchronous refreshing, and updates to various credential classes to integrate this functionality. The reviewer identified a critical issue regarding audience mismatch in the self-signed JWT flow and suggested skipping the RAB refresh in that scenario. Additionally, the reviewer recommended performance and correctness improvements, such as using case-insensitive hostname comparisons, removing redundant null checks, and optimizing map operations to reduce unnecessary object allocations.

@nbayati nbayati left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving here for context that the first 5 commits were approved in this PR before we had to roll it back due to bugs in the backend.

@vverman vverman marked this pull request as ready for review July 9, 2026 03:33
@vverman vverman requested review from a team as code owners July 9, 2026 03:33
@vverman vverman requested a review from nbayati July 9, 2026 03:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants