Skip to content

feat(spanner): auth login support for Spanner Omni endpoints#13470

Merged
sakthivelmanii merged 9 commits into
googleapis:mainfrom
sagnghos:sagnghos/loginOmni
Jun 30, 2026
Merged

feat(spanner): auth login support for Spanner Omni endpoints#13470
sakthivelmanii merged 9 commits into
googleapis:mainfrom
sagnghos:sagnghos/loginOmni

Conversation

@sagnghos

@sagnghos sagnghos commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

⚠️ Note to Reviewers:

Of the ~14k lines changed in this PR, approximately ~12.5k lines are auto-generated protobuf and gRPC classes.
Specifically, the files Login.java, Authentication.java, and LoginServiceGrpc.java account for the vast majority of the diff.

The actual hand-written logic is small and contained within the core auth implementation and connection classes.

This PR introduces native authentication support for Spanner Omni endpoints using the OPAQUE password-authenticated key exchange protocol.

Key Changes:

  • Omni Login Protocol: Added generated protobufs (Login.java, Authentication.java, LoginServiceGrpc.java) and a gRPC LoginClient to handle the authentication handshake with Omni endpoints.
  • LoginClient & OPAQUE Protocol: Implements the LoginClient utilizing OpaqueUtil to perform the secure two-step OPAQUE authentication flow over gRPC.
  • SpannerOmniCredentials: A new credentials provider that manages Omni authentication tokens, incorporating automatic background token refresh mechanisms.
  • Security Considerations: Securely handles raw passwords using char arrays, ensuring sensitive credentials are zeroed out of memory buffers immediately after processing.
  • Client Integration: Updated ConnectionOptions and SpannerOptions.Builder with a new login(username, password) method to wire up Omni credentials. The channel initialization logic was moved to prepareBuilder() to ensure the builder pattern remains order-independent.

To run Integration Tests with auth login run below command with default username/password

mvn clean -pl java-spanner/google-cloud-spanner -B verify \
  -DskipUnitTests=true \
  -DskipITs=false \
  -Dspanner.omni.host=https://localhost:15000 \
  -Dspanner.testenv.instance=projects/default/instances/default \
  -Denforcer.skip=true \
  -Dspanner.username=admin \
  -Dspanner.password=admin

Design Document: Spanner Omni Auth Login

@sagnghos sagnghos requested review from a team as code owners June 15, 2026 10:58
@sagnghos sagnghos force-pushed the sagnghos/loginOmni branch from ed429f9 to 538b901 Compare June 15, 2026 10:58
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 15, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces username and password authentication for Spanner Omni using the OPAQUE protocol. It adds the necessary gRPC service stubs, cryptographic utilities (including Argon2 stretching and Simplified SWU mapping), and a new SpannerOmniCredentials class to handle token refresh. Feedback on the changes highlights a security vulnerability in SpannerOmniCredentials where sensitive password bytes could remain in memory if an exception occurs during encoding. Additionally, improvements are suggested to enforce exact envelope size checks in LoginClient to avoid unhandled exceptions, and to ensure both username and password are non-empty in SpannerOmniHelper before attempting login.

Comment thread ...google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/SpannerOmniCredentials.java
Comment thread java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/LoginClient.java Outdated
Comment thread ...r/google-cloud-spanner/src/main/java/com/google/cloud/spanner/testing/SpannerOmniHelper.java Outdated
@sagnghos sagnghos force-pushed the sagnghos/loginOmni branch from d0d0b69 to 520c75b Compare June 16, 2026 05:08
@rahul2393 rahul2393 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 18, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 18, 2026
@sagnghos sagnghos force-pushed the sagnghos/loginOmni branch 3 times, most recently from a4cfbf1 to 0012a2d Compare June 25, 2026 06:15
@sagnghos sagnghos force-pushed the sagnghos/loginOmni branch from 0012a2d to a4874c5 Compare June 29, 2026 10:05
@rahul2393

rahul2393 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

/gemini review

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 29, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces OPAQUE protocol authentication support for Spanner Omni. It adds new dependencies on Bouncy Castle and Tink, introduces a login method to SpannerOptions and ConnectionOptions, and implements the OPAQUE cryptographic handshake via several new classes including LoginClient, OpaqueUtil, and SpannerOmniCredentials. A security concern was raised regarding OpaqueUtil.expandMessageXmd, where intermediate sensitive arrays derived from the password are not zeroed out after use, potentially exposing cryptographic material in memory.

Comment thread java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/OpaqueUtil.java
@rahul2393 rahul2393 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 29, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 29, 2026
@rahul2393 rahul2393 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 29, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 29, 2026
@sagnghos

sagnghos commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

PTAL @styee

styee
styee approved these changes Jun 29, 2026
View reviewed changes

@styee styee left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This matches the Go and C++ implementations. There are few things Gemini found, I will apply the same findings elsewhere.

@sagnghos sagnghos force-pushed the sagnghos/loginOmni branch from 9161519 to e15ec8c Compare June 30, 2026 03:38
@rahul2393 rahul2393 added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 30, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 30, 2026
@sakthivelmanii sakthivelmanii added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 30, 2026
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jun 30, 2026
@sakthivelmanii sakthivelmanii merged commit 55930b4 into googleapis:main Jun 30, 2026
198 of 200 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rahul2393 rahul2393 rahul2393 approved these changes
@sakthivelmanii sakthivelmanii sakthivelmanii approved these changes
+2 more reviewers
@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments
@styee styee styee approved these changes
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sagnghos @rahul2393 @styee @sakthivelmanii @yoshi-kokoro