Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BUG: Service account with only LogWriter permission works in Java, not in python #986

Open
Dr-Irv opened this issue Jul 2, 2022 · 7 comments
Assignees
Labels
api: logging Issues related to the googleapis/java-logging API. priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue.

Comments

@Dr-Irv
Copy link

Dr-Irv commented Jul 2, 2022

I am getting this message when using the Java client library:

ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission

I am using a service account that has the "Logs Writer" permission. I know it works because a simple python app successfully writes to the Google cloud logging project. I am using the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the JSON file that has the token.

If I change the environment variable to point to a non-sensical filename, I get this message

ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The request is missing a valid API key.

This confirms that the Java library is reading the right file.

Why would things work in python and not work in Java with respect to permissions? How can I find out which permission it thinks I am missing?

@product-auto-label product-auto-label bot added the api: logging Issues related to the googleapis/java-logging API. label Jul 2, 2022
@Dr-Irv
Copy link
Author

Dr-Irv commented Jul 2, 2022

Some additional information to replicate:

I took the project https://github.com/googleapis/java-logging-logback/issues
I changed the file samples/snippets/pom.xml so I could run it from the command line using the following pom.xml:

XML additions to `pom.xml`
  <build>
    <plugins>
      <plugin>
        <!-- Build an executable JAR -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <archive>
            <manifest>
              <addClasspath>true</addClasspath>
              <classpathPrefix>lib/</classpathPrefix>
              <mainClass>com.example.logging.logback.Quickstart</mainClass>
            </manifest>
          </archive>
        </configuration>
      </plugin>
      <plugin>
        <!-- Build an executable JAR with runtime dependencies so that this program can be executed from command line using java -jar command -->
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>2.10</version>
        <executions>
          <execution>
            <id>copy-dependencies</id>
            <phase>package</phase>
            <goals>
              <goal>copy-dependencies</goal>
            </goals>
            <configuration>
              <outputDirectory>${project.build.directory}/lib</outputDirectory>
              <overWriteReleases>false</overWriteReleases>
              <overWriteSnapshots>false</overWriteSnapshots>
              <overWriteIfNewer>true</overWriteIfNewer>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

Then did

cd samples
mvn package
cd snippets/target
java -cp lib/ -jar logging-logback-snippets-1.2.0.jar

Then got the following:

SLF4J: A number (99) of logging calls during the initialization phase have been intercepted and are
SLF4J: now being replayed. These are subject to the filtering rules of the underlying logging system.
SLF4J: See also http://www.slf4j.org/codes.html#replay
ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission
ERROR: onFailure exception: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission

In the same directory (snippets/target), ran this python program:

# Imports the Cloud Logging client library
import google.cloud.logging
from google.cloud.logging.handlers import CloudLoggingHandler, setup_logging

# # Instantiates a client
client = google.cloud.logging.Client()
google_handler = CloudLoggingHandler(client)

# Retrieves a Cloud Logging handler based on the environment
# you're running in and integrates the handler with the
# Python logging module. By default this captures all logs
# at INFO level and higher
client.setup_logging()


# Imports Python standard library logging
import logging


logger = logging.getLogger(__name__)
# The data to log

text = "This is a test"

# Emits the data using the standard logging module

It had output that went to the google cloud logging with no problem:

Program shutting down, attempting to send 1 queued log entries to Cloud Logging...
Waiting up to 5 seconds.
Sent all pending logs.
Waiting up to 5 seconds.
Sent all pending logs.

So I know that my permissions are correct - it works with python. Something is wrong with the Java library.

@Dr-Irv Dr-Irv changed the title Permission Denied in Java, but works in python BUG: Service account with only LogWriter permission works in Java, not in python Jul 2, 2022
@Dr-Irv
Copy link
Author

Dr-Irv commented Jul 2, 2022

Thinking about this overnight, you would need to test this with a service account that only has the LogWriter permission. It may also be the case that my work account that I'm using does not have that permission, so maybe the Java code is mixing up what I personally am allowed to do (not write a log) versus what the service account is allowed to do.

@daniel-sanche daniel-sanche added type: question Request for information or clarification. Not an issue. priority: p3 Desirable enhancement or fix. May not be included in next release. labels Jul 6, 2022
@losalex
Copy link
Contributor

losalex commented Nov 30, 2022

@Dr-Irv , thanks a lot for filing this issue and sorry it took a while to get ti it. Can you please confirm that you use project which has appropriate permissions?

@Dr-Irv
Copy link
Author

Dr-Irv commented Nov 30, 2022

@Dr-Irv , thanks a lot for filing this issue and sorry it took a while to get ti it. Can you please confirm that you use project which has appropriate permissions?

I've moved on to other things, and project permissions were changed by administrators since then.

The bottom line is if you follow the instructions in my comment above at #986 (comment) and create a service account with LogWriter permissions, the Java code doesn't work, and the python code does work.

@losalex losalex removed their assignment Jul 3, 2023
@cindy-peng
Copy link
Contributor

Hi @Dr-Irv , are you still running into this issue? If so, do you mind sharing some details with a latest repro?

@Dr-Irv
Copy link
Author

Dr-Irv commented Jan 8, 2024

Hi @Dr-Irv , are you still running into this issue? If so, do you mind sharing some details with a latest repro?

As mentioned here, , I have moved on to other things, and we found some workaround at some point by changing permissions, so it's no longer an issue for me, but I would bet the bug still exists.

@cindy-peng
Copy link
Contributor

Thanks. I will try to get a repro from #986 (comment) and investigate from there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api: logging Issues related to the googleapis/java-logging API. priority: p3 Desirable enhancement or fix. May not be included in next release. type: question Request for information or clarification. Not an issue.
Projects
None yet
Development

No branches or pull requests

4 participants