v1.76.0

Compare Source

Bug Fixes

• xds: ClusterResolverLb has been converted to use XdsDepManager, which finishes the changes for gRFC A74 xDS Config Tears. This change should resolve some unnecessary reconnections introduced in v1.75.0 when using weighted_round_robin and maybe other policies.
• compiler: A fix has been implemented for the blockingV2 stub to mangle generated method names that conflict with java.lang.Object methods.
• servlet: A race condition in AsyncServletOutputStreamWriter has been fixed to prevent threads from getting stuck.
• servlet: An issue where AsyncContext.complete() was called multiple times, causing an IllegalStateException, has been resolved.
• binder: The REMOTE_UID is now required to hold the exact UID passed to the SecurityPolicy.
• binder: The server will now only accept post-setup transactions from the authorized server UID.
• util: AdvancedTlsX509TrustManager now errors with a message to say that files don’t exist instead of the previous “Files were unmodified before their initial update. Probably a bug.”
• android: A fix has been implemented for network change handling on API levels below 24.

Improvements

• api: Allocations of Attributes.Builder have been reduced. This mostly benefits attributes.toBuilder(), but that’s not expected to be visible in regular workloads.
• api: An empty array allocation in LoadBalancer.CreateSubchannelArgs.Builder has been avoided. It is a small optimization and is not expected to have any performance impact.
• servlet: A configurable methodNameResolver has been added to configure the mapping from servlet request paths to gRPC method name
• servlet: Avoid a race by increasing the AsyncContext timeout by 5 seconds. The gRPC Context timeout should trigger first
• xds: Pretty-print envoy.service.discovery.v3.Resource in debug logs
• bazel: The java/proto rules from rules_java/rules_proto are now used instead of native rules.
• bazel: Unnecessary direct build dependencies were removed from some targets
• netty: Support for the BCJSSE provider has been added in GrpcSslContexts.
• netty: Huffman coding in server response headers has been disabled; it was already disabled for client request headers
• netty: Include allow header for HTTP response code 405
• okhttp: Include allow header for HTTP response code 405
• binder: Error descriptions for ServiceConnection callbacks have been improved
• binder: Apps can now call SecurityPolicy.checkAuthorization() by PeerUid.

New Features

• stub: Trailers are now propagated in StatusException when thrown by BlockingClientCall.
• compiler: Support for macOS aarch64 with a universal binary has been added.
• opentelemetry: grpc.subchannel.* metrics as described in gRFC A94 OTel metrics for Subchannels have been added. grpc.disconnect_error will show as “unknown” until transports implement support
• binder: A NameResolver for Android's intent: URIs has been introduced.
• binder: A basic SocketStats with just the local and remote addresses has been added for channelz.

Documentation

• SECURITY.md: The documentation now describes how to use gcompat with LD_PRELOAD for Alpine.
• examples: The documentation now explains Bazel BCR releases and the git_override option.

Dependencies

• Upgraded Guava version to 33.4.8.
• The org.apache.tomcat:annotations-api dependency has been removed from the examples.

Thanks to

@​JoeCqupt
@​Sangamesh1997
@​benjaminp
@​camelcc
@​dmytroreutov
@​duckladydinh
@​jirkafm
@​kilink
@​panchenko
@​umairk79
@​vimanikag
@​werkt
@​xuhongxu96
@​zrlw

v1.75.0

Compare Source

Behavior Changes

• binder: Introduce server pre-authorization (#​12127). grpc-binder clients authorize servers by checking the UID of the sender of the SETUP_TRANSPORT Binder transaction against some SecurityPolicy. But merely binding to an unauthorized server to learn its UID can enable "keep-alive" and "background activity launch" abuse, even if security policy ultimately causes the grpc connection to fail. Pre-authorization mitigates this kind of abuse by resolving addresses and authorizing a candidate server Application's UID before binding to it. Pre-auth is especially important when the server's address is not fixed in advance but discovered by PackageManager lookup.

Bug Fixes

• core: grpc-timeout should always be positive (#​12201) (6dfa03c). There is a local race between when the deadline is checked before sending the RPC and when the timeout is calculated to put on-the-wire. The code replaced negative timeouts with 0 nanoseconds. gRPC’s PROTOCOL-HTTP2 spec states that timeouts should be positive, so now non-positive values are replaced with 1 nanosecond
• core: Improved DEADLINE_EXCEEDED message for delayed calls (6ff8eca). Delayed calls are the first calls on a Channel before name resolution has resolved addresses. Previously you could see confusing errors saying the deadline “will be exceeded in” X time. The message tense was simply wrong, and now will be correct: deadline “was exceeded after” X time.
• xds: PriorityLB now only uses the failOverTimer to start additional priorities, not fail RPCs (c4256ad). You should no longer see “Connection timeout for priority” errors.

Improvements

• netty: Count sent RST_STREAMs against NettyServerBuilder.maxRstFramesPerWindow() limit (#​12288). This extends the Rapid Reset tool to also cover MadeYouReset. the reset stream count will cause a 420 "Enhance your calm response" to be sent. This depends on Netty 4.1.124 for a bug fix to actually call the encoder by the frame writer.
• xds: Convert CdsLb to XdsDepManager (297ab05). This is part of gRFC A74 to have atomic xDS config updates. This is an internal change, but does change the error description seen in certain cases, especially DEADLINE_EXCEEDED on a brand-new channel.
• census: APIs for stats and tracing (#​12050) (9193701). Client channel and server builders with interceptors and factories respectively for stats and tracing.
• stub: simplify BlockingClientCall infinite blocking (#​12217) (ba0a732). Move deadline computation into overloads with finite timeouts. Blocking calls without timeouts now do not have to read the clock.
• xds: Do RLS fallback policy eagar start (#​12211) (42e1829). In gRPC-Java, the xDS clusters were lazily subscribed, which meant the fallback target which is returned in the RLS config wasn’t subscribed until a RPC actually falls back to it. The delayed resource subscription process in gRPC Java made it more susceptible to the effects of the INITIAL_RESOURCE_FETCH_TIMEOUT compared to other programming languages. It also had impact beyond the RLS cache expiration case, for example, when the first time the client initialized the channel, we couldn't fallback when the intended target times out, because of the lazy subscription. This change starts the fallback LB policy for the default target at the start of RLS policy instead of only when falling back to the default target, which fixes the above mentioned problems.
• xds: Aggregate cluster fixes (A75) (#​12186) (7e982e4). The earlier implementation of aggregate clusters concatenated the priorities from the underlying clusters into a single list, so that it could use a single LB policy defined at the aggregate cluster layer to choose a priority from that combined list. However, it turns out that aggregate clusters don't actually define the LB policy in the aggregate cluster; instead, the aggregate cluster uses a special cluster-provided LB policy that first chooses the underlying cluster and then delegates to the LB policy of the underlying cluster. This change implements that.
• api: set size correctly for sets and maps in handling Metadata values to be exchanged during a call (#​12229) (8021727)
• xds: xdsClient cache transient error for new watchers (#​12291). When a resource update is NACKed, cache the error and update new watchers that get added with that error instead of making them hang.
• xds: Avoid PriorityLb re-enabling timer on duplicate CONNECTING (#​12289). If a LB policy gives extraneous updates with state CONNECTING, then it was possible to re-create failOverTimer which would then wait the 10 seconds for the child to finish CONNECTING. We only want to give the child one opportunity after transitioning out of READY/IDLE.
• xds: Use a different log name for XdsClientImpl and ControlPlaneClient (#​12287). ControlPlaneClient uses "xds-cp-client" now instead of "xds-client" while logging.

Dependencies Changes

• Upgrade to Netty 4.1.124.Final (#​12286). This implicitly disables NettyAdaptiveCumulator (#​11284), which can have a performance impact. We delayed upgrading Netty to give time to rework the optimization, but we've gone too long already without upgrading which causes problems for vulnerability tracking.
• bazel: Use jar_jar to avoid xds deps (#​12243) (8f09b96). The //xds and //xds:orca targets now use jar_jar to shade the protobuf generated code. This allows them to use their own private copy of the protos and drop direct Bazel dependencies on cel-spec, grpc, rules_go, com_github_cncf_xds, envoy_api, com_envoyproxy_protoc_gen_validate, and opencensus_proto. This mirrors the shading of protobuf messages done for grpc-xds provided on Maven Central and should simplify dependency management
• Protobuf upgraded to 3.25.8
• proto-google-common-protos upgraded to 2.59.2
• s2a-proto upgraded to 1.1.2
• google-cloud-logging upgraded to 3.23.1 (used by gcp-observability)
• OpenTelemetry upgraded to 1.52.0

Documentation

• Clarify requirements for creating a cross-user Channel. (#​12181). The @SystemApi runtime visibility requirement isn't really new. It has always been implicit in the required INTERACT_ACROSS_USERS permission, which can only be held by system apps in production. Now deprecated BinderChannelBuilder#bindAsUser has always required SDK_INT >= 30. This change just copies that requirement forward to its replacement APIs in AndroidComponentAddress and the TARGET_ANDROID_USER NameResolver.Args.
• api: Add more Javadoc for NameResolver.Listener2 interface (#​12220) (d352540)

Thanks to

@​benjaminp
@​werkt
@​kilink
@​vimanikag