nuggetwheat opened a new issue, #25105:
URL: https://github.com/apache/beam/issues/25105

   ### What happened?
   
   We're about to launch Fine-grained Access Control (FGAC) to Spanner Change 
Streams.  As part of this effort, we are extending the Spanner Change Stream 
Dataflow Templates to support FGAC.  This involves setting the SpannerConfig 
databaseRole field to the FGAC role that will be used for FGAC permission 
checking in the application database.  However, a recent change went into Beam 
([Support querying against Postgres for the SpannerIO chan...](https://github.com/apache/beam/commit/57e5b69f45bfc11c6060a76888364383ac71d9a4))
that propagates the databaseRole into the SpannerConfig that is used to access 
the Change Streams metadata database.  Because the role is not defined in the 
metadata database, the request fails with an exception `PERMISSION_DENIED: Role 
not found: <databaseRole>` which causes the job to fail.
   
   It's a bit difficult to reproduce because it requires yet-to-be-submitted 
code in the Dataflow Templates project.
   
   It's a small fix that I'm implementing and testing now.  We would like this 
fix to get cherry-picked into Beam 2.45.
   
   ### Issue Priority
   
   Priority: 2 (default / most bugs should be filed as P2)
   
   ### Issue Components
   
   - [ ] Component: Python SDK
   - [X] Component: Java SDK
   - [ ] Component: Go SDK
   - [ ] Component: Typescript SDK
   - [X] Component: IO connector
   - [ ] Component: Beam examples
   - [ ] Component: Beam playground
   - [ ] Component: Beam katas
   - [ ] Component: Website
   - [ ] Component: Spark Runner
   - [ ] Component: Flink Runner
   - [ ] Component: Samza Runner
   - [ ] Component: Twister2 Runner
   - [ ] Component: Hazelcast Jet Runner
   - [ ] Component: Google Cloud Dataflow Runner


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
