Stabilize auth flow using CallCredentials #3289
Conversation
As discussed in grpc#1914, we need CallCredentials and MoreCallCredentials to be stable, but there's less of a strong need for the contents of CallCredentials to be stable. We're willing to commit to the name, without needing to commit to the plumbing.
| public final class MoreCallCredentials { | ||
| /** | ||
| * Converts a Google Auth Library {@link Credentials} to {@link CallCredentials}. | ||
| * | ||
| * <p>Although this is a stable API, note that the returned instance's API is not stable. See | ||
| * {@link CallCredentials}. |
There was a problem hiding this comment.
Technically the type CallCredentials itself is now stable, but just none of the methods on it are.
There was a problem hiding this comment.
@garrettjonesgoogle, I've reworded the Javadoc. See if it strikes you as more clear now.
There was a problem hiding this comment.
That helps, I think it is more clear now.
| public interface CallCredentials { | ||
| /** | ||
| * The security level of the transport. It is guaranteed to be present in the {@code attrs} passed | ||
| * to {@link #applyRequestMetadata}. It is by default {@link SecurityLevel#NONE} but can be | ||
| * overridden by the transport. | ||
| */ | ||
| @ExperimentalApi("https//github.com/grpc/grpc-java/issues/1914") | ||
| public static final Key<SecurityLevel> ATTR_SECURITY_LEVEL = |
There was a problem hiding this comment.
I think this should be moved off. It's weird to inherit ATTR_SECURITY_LEVEL if you implement CallCredentials.
There was a problem hiding this comment.
Discussion of that sort should be part of the rest of the stabilization effort. I'm not trying to change the API here, just make a bare-minimum of it stable so that users can authenticate themselves safely.
| @@ -65,6 +72,7 @@ | |||
| * @param applier The outlet of the produced headers. It can be called either before or after this | |||
| * method returns. | |||
| */ | |||
| @ExperimentalApi("https//github.com/grpc/grpc-java/issues/1914") | |||
| void applyRequestMetadata( | |||
There was a problem hiding this comment.
This is not a valid. You can't make part of an interface experimental. All implementers have to implement it, which will break if it is ever removed.
There was a problem hiding this comment.
Did you not read the text added for the interface?
There was a problem hiding this comment.
No, and neither will anyone else. Please do not make our API support load based on the reading comprehension of our users.
If you want to make this stable and keep experimental methods, please make a base class that extends this. That is the correct place to put methods that may change.
There was a problem hiding this comment.
They don't have to read the documentation, but it does explain what is going on. How can someone implement this API without touching Experimental API? How can someone call this API without touching Experimental API? They can't. But I do agree it is strange, thus the documentation.
base class that extends this
I don't understand that. I'd have understood "base class than this extends" and "make this a base class that is extended".
If you want to make this stable and keep experimental methods, please make a base class that extends this. That is the correct place to put methods that may change.
I don't know what you are talking about? That's not a thing we do.
And it doesn't help, since applyRequestMetadata could be completely changed.
There was a problem hiding this comment.
They can implement it, but it needs to be a base class. Experimental API and interface are all or nothing.
I don't understand that. I'd have understood "base class than this extends" and "make this a base class that is extended".
Something like:
interface CallCredentials {
void doNotImplementThisOrYouWillBreak();
}
public abstract class BaseCallCredentials implements CallCredentials {
public final void doNotImplementThisOrYouWillBreak();
}
That way CallCredentials can mostly live on as is, Experimental methods can be moved down to the base class, where they can change. If methods change, callers of experimental methods will change, but implementors of CallCredentials will not.
As the code stands with this PR, someone extending CallCredentials, a stable class, will suffer breakage when experimental methods come and go. That is not stable.
There was a problem hiding this comment.
If methods change, ... implementors of CallCredentials will not [change].
I don't want to provide that guarantee. And I don't see how that is true, unless you are saying there would be no implementors so it is vacuously true.
As the code stands with this PR, someone extending CallCredentials, a stable class, will suffer breakage when experimental methods come and go. That is not stable.
It is impossible to extend CallCredentials without touching ExperimentalApi, so I feel like your sentence is a word-game that is skewing reality. Extending CallCredentials is not stable, because it is impossible with the current ExperimentalApi annotations and even explicitly mentioned in the documentation.
I'd be willing to make CallCredentials an abstract class or add a doNotImplementThisOrYouWillBreak(), but in either case I want to reserve the right to completely change the contents, like adding a new abstract method and removing the existing method.
I could maybe be okay with leaving ExperimentalApi on the interface, but say that we guarantee its name as stable.
There was a problem hiding this comment.
but in either case I want to reserve the right to completely change the contents
Okay, but that isn't stable. Leave the @ExperimentalAPI up top if thats what you want.
I don't want to provide that guarantee.
If you remove the annotation, you provide that guarantee.
It is impossible to extend CallCredentials without touching ExperimentalApi, so I feel like your sentence is a word-game that is skewing reality.
This isn't a word game; you just didn't understand. Extendees of CallCredentials, after it has been unmarked ExperimentalApi, will expect their classes to not break. Leaving ExperimentalApi methods on it implies they will break, because said methods may change or be removed. That's contradicting signal, and certain to confuse some users. That causes us future pain. Do not cause us future pain.
There was a problem hiding this comment.
Talked offline. It seems we're both okay with adding a useless method that implementors have to implement to make things clear. Adding a thisUsesUnstableApi() method.
(iAmUnstableApi() isn't accepted by checkstyle, and while I could change checkstyle... meh.)
|
@ejona86 Please use the "package: thing that changed" style commit message when you squash merge. |
|
LGTM |
|
retest this please |
As discussed in #1914, we need CallCredentials and MoreCallCredentials
to be stable, but there's less of a strong need for the contents of
CallCredentials to be stable. We're willing to commit to the name,
without needing to commit to the plumbing.
CC @garrettjonesgoogle