Skip to content

feat: add support for Postgres IAM authentication in JDBC and R2DBC connectors#490

Merged
shubha-rajan merged 15 commits intomainfrom
iam-auth
May 24, 2021
Merged

feat: add support for Postgres IAM authentication in JDBC and R2DBC connectors#490
shubha-rajan merged 15 commits intomainfrom
iam-auth

Conversation

@shubha-rajan
Copy link
Copy Markdown
Contributor

@shubha-rajan shubha-rajan commented May 11, 2021
edited
Loading

Change Description

Adds IAM Auth support. Some notes to keep in mind:

  • Users need to include a nonempty string for the password when connecting. This will be ignored, but is required to bypass driver errors for null and empty passwords.
  • sslmode needs to be disabled or the driver will hang indefinitely.

Checklist

  • Make sure to open an issue as a
    bug/issue
    before writing your code! That way we can discuss the change, evaluate
    designs, and agree on the general idea.
  • Ensure the tests and linter pass
  • Appropriate documentation is updated (if necessary)

Relevant issues:

@google-cla google-cla bot added the cla: yes label May 11, 2021
@shubha-rajan shubha-rajan force-pushed the iam-auth branch 2 times, most recently from a289613 to d8db5d2 Compare May 11, 2021 21:20
@shubha-rajan shubha-rajan added kokoro:force-run Add this label to force Kokoro to re-run the tests. and removed kokoro:force-run Add this label to force Kokoro to re-run the tests. labels May 11, 2021
@shubha-rajan shubha-rajan marked this pull request as ready for review May 11, 2021 21:26
@shubha-rajan shubha-rajan requested review from enocom and kurtisvg May 11, 2021 21:38
kurtisvg
kurtisvg suggested changes May 12, 2021
View reviewed changes
core/src/main/java/com/google/cloud/sql/TokenSourceFactory.java Outdated
/**
* Name of system property that can specify an alternative credential factory.
*/
String TOKEN_SOURCE_FACTORY_PROPERTY = "cloudSql.socketFactory.TokenSourceFactory";
Copy link
Copy Markdown
Contributor

@kurtisvg kurtisvg May 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have a credential socket factory right? Can we get a token source from the credentials?

Copy link
Copy Markdown
Contributor

@kurtisvg kurtisvg May 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess what I'm saying is we already have a property for setting the user credentials, can we reuse the user credentials instead of trying to ask for the token source from somewhere else?

Copy link
Copy Markdown
Contributor Author

@shubha-rajan shubha-rajan May 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the Credential Factory returns credentials that are wrapped in a HttpCredentialsAdapter and there's no way to get credentials back from that, because they're private https://github.com/googleapis/google-auth-library-java/blob/master/oauth2_http/java/com/google/auth/http/HttpCredentialsAdapter.java#L64

We could change the Credential Factory to return a GoogleCredentials object and then convert that to the HttpCredentialsAdapter later, but I'm hesitant to change the existing interface

Copy link
Copy Markdown
Contributor

@kurtisvg kurtisvg May 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a DPE owned library - can we PR a getter so we can have access to it?

Copy link
Copy Markdown
Contributor Author

@shubha-rajan shubha-rajan May 12, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

googleapis/google-auth-library-java#658

@shubha-rajan shubha-rajan mentioned this pull request May 12, 2021
Closed
@shubha-rajan shubha-rajan force-pushed the iam-auth branch 4 times, most recently from 4732aa0 to 6f8f197 Compare May 14, 2021 16:48
@shubha-rajan shubha-rajan added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 14, 2021
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label May 14, 2021
@shubha-rajan shubha-rajan requested a review from kurtisvg May 20, 2021 22:40
@shubha-rajan shubha-rajan merged commit 3799c78 into main May 24, 2021
@shubha-rajan shubha-rajan deleted the iam-auth branch May 24, 2021 16:41
@meltsufin
Copy link
Copy Markdown
Member

meltsufin commented Jun 3, 2021

@shubha-rajan @kurtisvg

sslmode needs to be disabled or the driver will hang indefinitely.

Are there any security implications to disabling sslmode?

@meltsufin meltsufin mentioned this pull request Jun 3, 2021
Merged
@kurtisvg
Copy link
Copy Markdown
Contributor

kurtisvg commented Jun 3, 2021

@meltsufin No - there are two potential layers of encryption - at the connection level, and at the database protocol level. Disabling at the database level is fine because the connection level is always persistent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@enocom enocom Awaiting requested review from enocom

1 more reviewer

@kurtisvg kurtisvg kurtisvg approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add support for IAM database authentication

4 participants

@shubha-rajan @meltsufin @kurtisvg @kokoro-team