feat(auth): implement in-place Regional Access Boundary configuration and add public RAB getters #16987

Merged
macastelaz merged 2 commits into googleapis:main from macastelaz:clean-rab-only-today
May 7, 2026

@macastelaz
Contributor

This PR makes the following changes:

  • Rename _with_regional_access_boundary to _set_regional_access_boundary and _with_blocking_regional_access_boundary_lookup to set_blocking_regional_access_boundary_lookup. This is to ensure any expectation that "with" methods return copies isn't violated.
  • Modify both methods to apply changes in-place on self and return self instead of making copies.
  • Add public getters regional_access_boundary and regional_access_boundary_expiry to CredentialsWithRegionalAccessBoundary.
  • Update and split unit tests to verify in-place mutation and getters independently.

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces new properties for regional access boundary and updates existing methods _with_regional_access_boundary and _with_blocking_regional_access_boundary_lookup to _set_regional_access_boundary and _set_blocking_regional_access_boundary_lookup, respectively. The methods were modified to perform in-place mutation instead of returning a copy of the credentials. The reviewer noted that these changes are breaking and require a minor version bump, and advised maintaining the original cloning behavior to ensure proper isolation of background refresh logic.

Comment on lines +374 to 385
def _set_regional_access_boundary(self, seed):
"""Applies the regional_access_boundary provided via the seed on these
credentials. This is intended for internal use only as invalid
seeds would produce unexpected results until automatic recovery is supported.
Currently this is used by the gcloud CLI and therefore changes to the
contract MUST be backwards compatible (e.g. the method signature must be
unchanged and a copy of the credenials with the RAB set must be returned).
unchanged and the credentials with the RAB set must be returned).


Returns:
google.auth.credentials.Credentials: A new credentials instance.
google.auth.credentials.Credentials: The credentials instance.
"""
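
Review bot: The updated Returns text, "The credentials instance.", does not say that the returned object is the receiver itself, now modified, so a caller reading only this docstring cannot tell whether the object it called the method on was changed. Suggest wording such as "these same credentials (self), updated in place" and saying in the opening sentence that the seed is applied to this object rather than to a copy. The parenthetical still says the method signature must be unchanged while the def line carries the _set_ name, so that sentence needs the same update.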

high

The method _with_regional_access_boundary has been renamed to _set_regional_access_boundary and changed to mutate in-place. This is a breaking change that will impact consumers like the gcloud CLI. Per repository guidelines, breaking changes require a minor version bump rather than a patch. Furthermore, if you choose to revert to the previous cloning behavior to maintain compatibility, ensure that a new _RegionalAccessBoundaryManager is created for the clone to isolate background refresh logic.

References
  1. When a release introduces breaking changes, prefer a minor version bump over a patch version bump.
  2. When cloning credentials, create a new _RegionalAccessBoundaryManager for the clone to isolate background refresh logic.

Comment on lines +392 to 402
def _set_blocking_regional_access_boundary_lookup(self):
"""Enables the blocking lookup mode on these credentials.
This is intended for internal use only as blocking lookup requires additional
care and consideration. Currently this is used by the gcloud CLI and
therefore changes to the contract MUST be backwards compatible (e.g. the
method signature must be unchanged and a copy of the credentials with the
method signature must be unchanged and the credentials with the
blocking lookup flag set to true must be returned).

Returns:
google.auth.credentials.Credentials: A new credentials instance.
google.auth.credentials.Credentials: The credentials instance.
"""
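
Review bot: The docstring keeps "changes to the contract MUST be backwards compatible" while the Returns line moves from "A new credentials instance." to "The credentials instance.", so the stated contract and the documented return value now disagree. Either reword the compatibility clause, or state explicitly that the blocking lookup flag is set on this object and that every holder of the reference will see it.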

high

Renaming _with_blocking_regional_access_boundary_lookup and switching to in-place mutation violates backward compatibility requirements. This breaking change necessitates a minor version bump to maintain the ability to provide patches for previous versions. If the original 'copy' behavior is restored, remember to isolate background refresh logic by creating a new _RegionalAccessBoundaryManager for the cloned instance.

References
  1. When a release introduces breaking changes, prefer a minor version bump over a patch version bump.
  2. When cloning credentials, create a new _RegionalAccessBoundaryManager for the clone to isolate background refresh logic.
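
The difference between the copy and in-place contracts discussed in this review, and why a clone needs its own manager, shown as an added example that is not google-auth code. `ToyCredentials`, `BoundaryManager`, all method names and the seed value are hypothetical stand-ins constructed for illustration.

```python
import copy


class BoundaryManager:
    """Toy per-credential boundary state holder (hypothetical)."""

    def __init__(self):
        self.boundary = None
        self.blocking_lookup = False


class ToyCredentials:
    """Hypothetical credentials object; not the library's class."""

    def __init__(self):
        self._manager = BoundaryManager()

    @property
    def regional_access_boundary(self):
        return self._manager.boundary

    def with_boundary_shared(self, seed):
        # Shallow copy: the clone aliases the original's manager,
        # so writing through the clone also changes the original.
        clone = copy.copy(self)
        clone._manager.boundary = seed
        return clone

    def with_boundary_isolated(self, seed):
        # Copy contract with isolation: the clone gets a fresh manager.
        clone = copy.copy(self)
        clone._manager = BoundaryManager()
        clone._manager.blocking_lookup = self._manager.blocking_lookup
        clone._manager.boundary = seed
        return clone

    def set_boundary(self, seed):
        # In-place contract: every holder of this object sees the change.
        self._manager.boundary = seed
        return self


def demo():
    seed = {"locations": ["constructed-region"]}  # constructed sample value
    a = ToyCredentials()
    leaked = a.with_boundary_shared(seed) is not a and a.regional_access_boundary == seed
    b = ToyCredentials()
    isolated = b.with_boundary_isolated(seed)
    c = ToyCredentials()
    same = c.set_boundary(seed) is c
    return leaked, b.regional_access_boundary, isolated.regional_access_boundary, same
```
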

… & public getters

- Rename _with_regional_access_boundary to _set_regional_access_boundary and _with_blocking_regional_access_boundary_lookup to _set_blocking_regional_access_boundary_lookup.
- Modify both methods to apply changes in-place on self and return self instead of making copies.
- Add public getters regional_access_boundary and regional_access_boundary_expiry to CredentialsWithRegionalAccessBoundary.
- Update and split unit tests to verify in-place mutation and getters independently.
@macastelaz macastelaz force-pushed the clean-rab-only-today branch from 5fbd9a5 to 386f479 Compare May 7, 2026 17:34
@macastelaz macastelaz marked this pull request as ready for review May 7, 2026 17:46
@macastelaz macastelaz requested review from a team as code owners May 7, 2026 17:46
@macastelaz macastelaz enabled auto-merge (squash) May 7, 2026 17:51
@macastelaz macastelaz merged commit df07fce into googleapis:main May 7, 2026
31 checks passed
noahdietz added a commit that referenced this pull request May 7, 2026
PR created by the Librarian CLI to initialize a release. Merging this PR
will auto trigger a release.

Librarian Version: v0.12.0
Language Image:
us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/python-librarian-generator@sha256:234b9d1f2ddb057ed7ac6a38db0bf8163d839c65c6cf88ade52530cddebce59e
<details><summary>google-auth: v2.52.0</summary>

##
[v2.52.0](google-auth-v2.51.0...google-auth-v2.52.0)
(2026-05-07)

### Features

* implement in-place Regional Access Boundary configuration and add
public RAB getters (#16987)
([df07fce](df07fceb))

* make _CLOUD_RESOURCE_MANAGER URL universe-domain-aware (#16546)
([e938028](e938028b))

</details>