docs: Update README with client-side CAB instructions#1607
Merged
lqiu96 merged 6 commits intogoogleapis:client-side-cabfrom Feb 6, 2025
Merged
docs: Update README with client-side CAB instructions#1607lqiu96 merged 6 commits intogoogleapis:client-side-cabfrom
lqiu96 merged 6 commits intogoogleapis:client-side-cabfrom
Conversation
This commit updates the README file to include instructions for setting up and using the client-side CAB feature.
aeitzman
reviewed
Jan 13, 2025
lqiu96
reviewed
Jan 24, 2025
lqiu96
reviewed
Jan 24, 2025
lqiu96
reviewed
Jan 24, 2025
lqiu96
reviewed
Jan 27, 2025
lqiu96
reviewed
Jan 27, 2025
lqiu96
reviewed
Jan 27, 2025
lqiu96
reviewed
Jan 27, 2025
Comment on lines
+995
to
+996
| There are two ways to generate downscoped tokens using a | ||
| CredentialAccessBoundary: |
Member
There was a problem hiding this comment.
nit: If possible, could there be like a table or a pro/ cons comparison between the two that explicitly spells out what any considerations/ impacts of one vs the other?
Also, is there a need for something like a migration guide? To help users potentially migrate from server-side to client-side?
Member
There was a problem hiding this comment.
Also, is there an general recommendation that that your team would provide between the two. I know it's possible that may not be a recommendation.
i.e. Prefer client-side unless ... X,Y,Z blocker?
Contributor
Author
There was a problem hiding this comment.
Checked with the team, we don't have a general recommendation, or a migration guide. Depending on their use case, and whether or not they need many unique downscoped tokens or they can re-use existing ones, they can decide between the two optiosn.
Member
There was a problem hiding this comment.
Ok, that's fine that there is no recommendation. To clarify my above messages, I think the wording below makes it seem like there is almost no reason not to choose client-side CAB.
From a new user's perspective: Client side minimizes the amount of calls to STS when rules change frequently. If my rules don't even change that frequent, I can imagine that there would be even less calls to STS and making it even more efficient.
My point is that I think from a new user perspective, I don't know when/ why I would consider server-side CAB. All I see if pros for client-side over server-side.
lqiu96
approved these changes
Jan 27, 2025
Member
lqiu96
left a comment
lqiu96
left a comment
There was a problem hiding this comment.
LGTM. Added a few nits if you could address.
aeitzman
approved these changes
Jan 28, 2025
Member
|
I also just noticed this here: google-auth-library-java/README.md Line 10 in 8e59c59 I think we can update this to reflect this latest module. |
Contributor
Author
Ah good catch! I just realized that all the cab stuff are under |
lqiu96
reviewed
Feb 4, 2025
lqiu96
approved these changes
Feb 6, 2025
Member
|
Oh @nbayati I see this is to the client-side-cab branch and not to main. I think we'll need to raise another PR to main |
nbayati
added a commit
to nbayati/google-auth-library-java
that referenced
this pull request
Feb 7, 2025
* docs: Update README with client-side CAB instructions This commit updates the README file to include instructions for setting up and using the client-side CAB feature. * chore: readme file wording updated based on comments feedback. * Update readme: Mention CAB rule changes and its effect on server vs client side token generation. * Link to wikipedia page for Principle of the Least Privilege concept. * chore: fix spacing. * Add a section for google-auth-library-cab-token-generator
Contributor
Author
lqiu96
pushed a commit
that referenced
this pull request
Feb 7, 2025
* docs: Update README with client-side CAB instructions This commit updates the README file to include instructions for setting up and using the client-side CAB feature. * chore: readme file wording updated based on comments feedback. * Update readme: Mention CAB rule changes and its effect on server vs client side token generation. * Link to wikipedia page for Principle of the Least Privilege concept. * chore: fix spacing. * Add a section for google-auth-library-cab-token-generator
svc-squareup-copybara
pushed a commit
to cashapp/misk
that referenced
this pull request
Feb 9, 2025
| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.http-client:google-http-client-jackson2](https://github.com/googleapis/google-http-java-client) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.46.0` -> `1.46.1` | | [com.google.http-client:google-http-client](https://github.com/googleapis/google-http-java-client) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.46.0` -> `1.46.1` | | [com.google.auth:google-auth-library-oauth2-http](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.32.0` -> `1.32.1` | | [com.google.auth:google-auth-library-credentials](https://github.com/googleapis/google-auth-library-java) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `1.32.0` -> `1.32.1` | | [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `2.8.0` -> `2.8.1` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.15` -> `2.30.16` | --- ### Release Notes <details> <summary>googleapis/google-http-java-client (com.google.http-client:google-http-client-jackson2)</summary> ### [`v1.46.1`](https://github.com/googleapis/google-http-java-client/blob/HEAD/CHANGELOG.md#1461-2025-02-07) ##### Bug Fixes - Remove unnecessary nexus plugin activation ([#​2071](googleapis/google-http-java-client#2071)) ([e3a3523](googleapis/google-http-java-client@e3a3523)) ##### Dependencies - Revert dependency io.grpc:grpc-context back to v1.69.0 ([5790ac4](googleapis/google-http-java-client@5790ac4)) </details> <details> <summary>googleapis/google-auth-library-java (com.google.auth:google-auth-library-oauth2-http)</summary> ### [`v1.32.1`](https://github.com/googleapis/google-auth-library-java/blob/HEAD/CHANGELOG.md#1321-2025-02-07) ##### Bug Fixes - Add cab-token-generator module to Auth BOM ([#​1662](googleapis/google-auth-library-java#1662)) ([e409b02](googleapis/google-auth-library-java@e409b02)) - Remove unnecessary nexus-staging-maven-plugin activation ([#​1665](googleapis/google-auth-library-java#1665)) ([d138023](googleapis/google-auth-library-java@d138023)) ##### Dependencies - Update dependency com.google.http-client:google-http-client-bom to v1.46.0 ([e53c441](googleapis/google-auth-library-java@e53c441)) ##### Documentation - Update README with client-side CAB instructions ([#​1607](googleapis/google-auth-library-java#1607)) ([#​1666](googleapis/google-auth-library-java#1666)) ([2996297](googleapis/google-auth-library-java@2996297)) </details> <details> <summary>autonomousapps/dependency-analysis-android-gradle-plugin (com.autonomousapps.dependency-analysis)</summary> ### [`v2.8.1`](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin/blob/HEAD/CHANGELOG.md#Version-281) - \[Fix]: cache `SuperClassGraph`. No need to recompute for each dependency. - \[Fix]: use less heap by using empty singleton collections. - \[Fix]: trade metaspace for heap by interning strings. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: c26ab17091cb359fb631e73c0754aab31e09f98e
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit updates the README file to include instructions for setting up and using the client-side CAB feature.
Design doc: go/client-side-cab-client-library-java