Skip to content
This repository was archived by the owner on Mar 6, 2026. It is now read-only.

test: add column ACLs test with real policy tag#678

Merged
plamut merged 5 commits into
googleapis:masterfrom
plamut:iss-614
Jun 17, 2021
Merged

test: add column ACLs test with real policy tag#678
plamut merged 5 commits into
googleapis:masterfrom
plamut:iss-614

Conversation

@plamut
Copy link
Copy Markdown
Contributor

@plamut plamut commented May 24, 2021

Closes #614.

This is the test, PTAL. I could not test it locally, though, the backend still responds with UNIMPLEMENTED error. Am I missing anything?

PR checklist:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

@plamut plamut requested review from a team and shollyman May 24, 2021 12:08
@product-auto-label product-auto-label Bot added the api: bigquery Issues related to the googleapis/python-bigquery API. label May 24, 2021
@google-cla google-cla Bot added the cla: yes This human has signed the Contributor License Agreement. label May 24, 2021
@tseaver
Copy link
Copy Markdown
Contributor

tseaver commented May 24, 2021

Does the policy tag feature require adding the CI project to a list of allowed projects for the feature?

The second failure (in TestBigQuery.test_dbapi_connection_does_not_leak_sockets) is actually a "negative" leak (3 connections open at the start, 1 open at the end). I'm assuming GC cleaned up after the policy tag test failed, but while the leak test was running.

shollyman
shollyman approved these changes May 24, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@shollyman shollyman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for putting this together.

@plamut
Copy link
Copy Markdown
Contributor Author

plamut commented May 25, 2021

Does the policy tag feature require adding the CI project to a list of allowed projects for the feature?

If I understood correctly, then no, but apparently there's still some missing piece to make this work. @shollyman ?

The second failure (in TestBigQuery.test_dbapi_connection_does_not_leak_sockets) is actually a "negative" leak (3 connections open at the start, 1 open at the end). I'm assuming GC cleaned up after the policy tag test failed, but while the leak test was running.

It's the first time I'm seeing this, but this explanation sounds plausible. It's slightly worrying that the test is not completely isolated, but it to date it hasn't caused problems. One option would be to change the assertion to "less or equal", although that could also be masking the tests interference.

I'd say we keep an eye on it, but don't try to fix it, unless the flakiness becomes problematic.

@plamut plamut added the status: blocked Resolving the issue is dependent on other work. label Jun 15, 2021
@shollyman
Copy link
Copy Markdown
Contributor

shollyman commented Jun 15, 2021

I seem to be able to use the client without issue.

$ pip freeze
cachetools==4.2.2
certifi==2021.5.30
chardet==4.0.0
google-api-core==1.30.0
google-auth==1.31.0
google-cloud-datacatalog==3.2.1
googleapis-common-protos==1.53.0
grpc-google-iam-v1==0.12.3
grpcio==1.38.0
idna==2.10
libcst==0.3.19
mypy-extensions==0.4.3
packaging==20.9
proto-plus==1.18.1
protobuf==3.17.3
pyasn1==0.4.8
pyasn1-modules==0.2.8
pyparsing==2.4.7
pytz==2021.1
PyYAML==5.4.1
requests==2.25.1
rsa==4.7.2
six==1.16.0
typing-extensions==3.10.0.0
typing-inspect==0.7.1
urllib3==1.26.5

sample code:

from google.cloud.datacatalog_v1 import PolicyTagManagerClient
from google.cloud.datacatalog_v1.types import Taxonomy

def main():

  client = PolicyTagManagerClient()


  new_taxonomy = Taxonomy(
                          display_name="Custom test taxonomy",
                          description="This taxonomy is ony used for a test.",
                          activated_policy_types=[Taxonomy.PolicyType.FINE_GRAINED_ACCESS_CONTROL])

  createresp = client.create_taxonomy(parent="projects/shollyman-demo-test/locations/us", taxonomy=new_taxonomy)

  resp = client.list_taxonomies(parent="projects/shollyman-demo-test/locations/us")

  for t in resp:
    print("{} -> {}".format(t.display_name, t.name))


if __name__ == "__main__":
  main()

invocation:

$ python catalogtest.py
Custom test taxonomy -> projects/shollyman-demo-test/locations/us/taxonomies/408338391262190617
Sample Taxonomy -> projects/shollyman-demo-test/locations/us/taxonomies/6484488580374782575
test2 -> projects/shollyman-demo-test/locations/us/taxonomies/6247855699646749172
testing -> projects/shollyman-demo-test/locations/us/taxonomies/3363827134841403621

@plamut
Copy link
Copy Markdown
Contributor Author

plamut commented Jun 15, 2021
edited by shollyman
Loading

Edit: Could it be a GCP project issue? This is the one thing that differs.

Generally, if the service isn't enabled it's generally clear about the error (and the text usually has a link to enable the service) as this is handled centrally. I don't appear to have access to the python test project with my personal credentials so I'm only getting permission denied responses when I attempt to use it.

@shollyman
Copy link
Copy Markdown
Contributor

shollyman commented Jun 15, 2021

and apparently I mangled Peter's previous comment somehow instead of quoting it in my own.

@plamut
Copy link
Copy Markdown
Contributor Author

plamut commented Jun 16, 2021
edited
Loading

I see the full project path is used for the parent argument in the working sample, i.e. "projects/shollyman-demo-test/locations/us", while the test here uses just the project id.

If I change that to a full project path, I start getting a permission denied error, but that actually seems OK, as my test service account does not have any DataCatalog roles granted. After fixing that, things actually started working.

Is there any way to make the backend error message more informative?

Edit: Same result if providing a completely random non-existing project ID.

Edit 2: However, providing a project path of a non-existing project results in 403 Permission denied.

Edit 3: Providing a project without location, e.g. projects/project-foo also results in UNIMPLEMENTED.

plamut
plamut commented Jun 16, 2021
View reviewed changes
Comment thread tests/system/test_client.py Outdated
@plamut plamut added do not merge Indicates a pull request not ready for merge, due to either quality or timing. and removed status: blocked Resolving the issue is dependent on other work. labels Jun 16, 2021
@plamut plamut removed the do not merge Indicates a pull request not ready for merge, due to either quality or timing. label Jun 17, 2021
@plamut plamut requested a review from shollyman June 17, 2021 08:11
shollyman
shollyman approved these changes Jun 17, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@shollyman shollyman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for sticking with this.

@plamut plamut merged commit b2a689b into googleapis:master Jun 17, 2021
@plamut plamut deleted the iss-614 branch June 17, 2021 20:59
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@shollyman shollyman shollyman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

api: bigquery Issues related to the googleapis/python-bigquery API. cla: yes This human has signed the Contributor License Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

minor: add integration test for column acls feature

3 participants

@plamut @tseaver @shollyman