Skip to content

fix: revert dict back to protobuf in the iam binding update #1838

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jun 26, 2025
Merged

fix: revert dict back to protobuf in the iam binding update #1838

merged 7 commits into from
Jun 26, 2025

Conversation

shobsi
Copy link
Contributor

@shobsi shobsi commented Jun 20, 2025
edited
Loading

This is needed as some recent updates to a dependency (google-cloud-resource-manager or its dependencies) broke the existing logic, and we are seeing the error like this:

--> policy.bindings.append(new_binding)
TypeError: Expected a message object, but got {'role': 'roles/run.invoker', 'members': [...]}

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes internal issues 419589974, 425442503 🦕

@shobsi
fix: update the iam binding update logic
b2e26d0 
This is needed as some recent updates to a dependency (google-cloud-resource-manager or its dependencies) broke the existing logic, and we are seeing the
error like this:
--> policy.bindings.append(new_binding)
TypeError: Expected a message object, but got {'role': 'roles/run.invoker', 'members': [...]}
@shobsi shobsi requested a review from tswast June 20, 2025 20:18
@shobsi shobsi requested review from a team as code owners June 20, 2025 20:18
@product-auto-label product-auto-label bot added size: xs Pull request size is extra small. api: bigquery Issues related to the googleapis/python-bigquery-dataframes API. labels Jun 20, 2025
@shobsi
Copy link
Contributor Author

shobsi commented Jun 21, 2025
edited
Loading

@tswast looks like the google.iam usage was done away with in #1611, so this change is effectively reverting that. Let's discuss how should we keep things working in both external and internal environments.

@tswast
Copy link
Collaborator

tswast commented Jun 21, 2025

Let's try to update google3 first. That google.iam namespace is indeed problematic

@tswast
Copy link
Collaborator

tswast commented Jun 21, 2025

CC @parthea Did the gapic generator make a breaking change to no longer allow dictionary inputs?

tswast
tswast reviewed Jun 23, 2025
View reviewed changes
Copy link
Collaborator

@tswast tswast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit concerned that this indicates a breaking change happened in the resource manager client library. Please find the change that broke dictionaries. We might need to update our dependencies in setup.py and the constraints files if this breaking change was intended.

bigframes/clients.py Outdated
} # Use a dictionary to avoid problematic google.iam namespace package.
new_binding = google.iam.v1.policy_pb2.Binding(
role=role, members=[service_account]
) # Use a dictionary to avoid problematic google.iam namespace package.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is now out-of-date.

Suggested change
) # Use a dictionary to avoid problematic google.iam namespace package.
)

Could you try this in google3? I wonder if a //google/iam/v1:iam_policy_py_pb2 dependency was missing last time I tried it?

Copy link
Contributor Author

@shobsi shobsi Jun 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trying.. but that one should be indirectly included via resourcemanager_v3 (which does include it)?

@product-auto-label product-auto-label bot added size: s Pull request size is small. and removed size: xs Pull request size is extra small. labels Jun 25, 2025
@shobsi
Copy link
Contributor Author

shobsi commented Jun 26, 2025

CC @parthea Did the gapic generator make a breaking change to no longer allow dictionary inputs?

I tested that even with google-cloud-resource-manager==1.12.0 (more than an year old) the dictionary update does not work. So the break happened with the proto->dictionary change. It is a case of missing test coverage for the IAM update code path (which is not integration tested due to internal test project policies where IAM permissions are managed via config). I am adding a mocked unit test which covers at least the binding update part.

@shobsi shobsi changed the title fix: adapt the iam binding update logic to the latest constraints fix: revert dict back to protobuf in the iam binding update logic Jun 26, 2025
@shobsi shobsi changed the title fix: revert dict back to protobuf in the iam binding update logic fix: revert dict back to protobuf in the iam binding update Jun 26, 2025
@tswast tswast merged commit 9fb3cb4 into main Jun 26, 2025
25 checks passed
@tswast tswast deleted the shobsi-iam-policy-binding branch June 26, 2025 14:26
@release-please release-please bot mentioned this pull request Jun 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tswast tswast tswast approved these changes

Assignees

@jiaxunwu jiaxunwu

Labels
api: bigquery Issues related to the googleapis/python-bigquery-dataframes API. size: s Pull request size is small.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shobsi @tswast @jiaxunwu