BUG: Service account with only LogWriter permission works in Java, not in python

[Dr-Irv]

I am getting this message when using the Java client library:

ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission

I am using a service account that has the "Logs Writer" permission. I know it works because a simple python app successfully writes to the Google cloud logging project. I am using the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the JSON file that has the token.

If I change the environment variable to point to a non-sensical filename, I get this message

ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The request is missing a valid API key.

This confirms that the Java library is reading the right file.

Why would things work in python and not work in Java with respect to permissions? How can I find out which permission it thinks I am missing?

[Dr-Irv]

Some additional information to replicate:

I took the project https://github.com/googleapis/java-logging-logback/issues
I changed the file samples/snippets/pom.xml so I could run it from the command line using the following pom.xml:

XML additions to `pom.xml`

  <build>
    <plugins>
      <plugin>
        <!-- Build an executable JAR -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <archive>
            <manifest>
              <addClasspath>true</addClasspath>
              <classpathPrefix>lib/</classpathPrefix>
              <mainClass>com.example.logging.logback.Quickstart</mainClass>
            </manifest>
          </archive>
        </configuration>
      </plugin>
      <plugin>
        <!-- Build an executable JAR with runtime dependencies so that this program can be executed from command line using java -jar command -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>2.10</version>
        <executions>
          <execution>
            <id>copy-dependencies</id>
            <phase>package</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/lib</outputDirectory>
              <overWriteReleases>false</overWriteReleases>
              <overWriteSnapshots>false</overWriteSnapshots>
              <overWriteIfNewer>true</overWriteIfNewer>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

Then did

cd samples
mvn package
cd snippets/target
java -cp lib/ -jar logging-logback-snippets-1.2.0.jar

Then got the following:

SLF4J: A number (99) of logging calls during the initialization phase have been intercepted and are
SLF4J: now being replayed. These are subject to the filtering rules of the underlying logging system.
SLF4J: See also http://www.slf4j.org/codes.html#replay
ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission
ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission

In the same directory (snippets/target), ran this python program:

# Imports the Cloud Logging client library
import google.cloud.logging
from google.cloud.logging.handlers import CloudLoggingHandler, setup_logging

# # Instantiates a client
client = google.cloud.logging.Client()
google_handler = CloudLoggingHandler(client)

# Retrieves a Cloud Logging handler based on the environment
# you're running in and integrates the handler with the
# Python logging module. By default this captures all logs
# at INFO level and higher
client.setup_logging()


# Imports Python standard library logging
import logging


logger = logging.getLogger(__name__)
# The data to log

text = "This is a test"

# Emits the data using the standard logging module

It had output that went to the google cloud logging with no problem:

Program shutting down, attempting to send 1 queued log entries to Cloud Logging...
Waiting up to 5 seconds.
Sent all pending logs.
Waiting up to 5 seconds.
Sent all pending logs.

So I know that my permissions are correct - it works with python. Something is wrong with the Java library.

[Dr-Irv]

Thinking about this overnight, you would need to test this with a service account that only has the LogWriter permission. It may also be the case that my work account that I'm using does not have that permission, so maybe the Java code is mixing up what I personally am allowed to do (not write a log) versus what the service account is allowed to do.

[losalex]

@Dr-Irv , thanks a lot for filing this issue and sorry it took a while to get ti it. Can you please confirm that you use project which has appropriate permissions?

[Dr-Irv]

@Dr-Irv , thanks a lot for filing this issue and sorry it took a while to get ti it. Can you please confirm that you use project which has appropriate permissions?

I've moved on to other things, and project permissions were changed by administrators since then.

The bottom line is if you follow the instructions in my comment above at #986 (comment) and create a service account with LogWriter permissions, the Java code doesn't work, and the python code does work.

[cindy-peng]

Hi @Dr-Irv , are you still running into this issue? If so, do you mind sharing some details with a latest repro?

[Dr-Irv]

Hi @Dr-Irv , are you still running into this issue? If so, do you mind sharing some details with a latest repro?

As mentioned here, , I have moved on to other things, and we found some workaround at some point by changing permissions, so it's no longer an issue for me, but I would bet the bug still exists.

[cindy-peng]

Thanks. I will try to get a repro from #986 (comment) and investigate from there.