GoogleCloudPlatform
diff --git a/‎v1/src/main/java/com/google/cloud/teleport/spanner/ExportPipeline.java‎
Lines changed: 0 additions & 30 deletions b/‎v1/src/main/java/com/google/cloud/teleport/spanner/ExportPipeline.java‎
Lines changed: 0 additions & 30 deletions
diff --git a/‎v1/src/main/java/com/google/cloud/teleport/spanner/ExportTransform.java‎
Lines changed: 48 additions & 12 deletions b/‎v1/src/main/java/com/google/cloud/teleport/spanner/ExportTransform.java‎
Lines changed: 48 additions & 12 deletions
diff --git a/‎v1/src/main/java/com/google/cloud/teleport/spanner/ImportPipeline.java‎
Lines changed: 1 addition & 28 deletions b/‎v1/src/main/java/com/google/cloud/teleport/spanner/ImportPipeline.java‎
Lines changed: 1 addition & 28 deletions
diff --git a/‎v1/src/main/java/com/google/cloud/teleport/spanner/ImportTransform.java‎
Lines changed: 56 additions & 0 deletions b/‎v1/src/main/java/com/google/cloud/teleport/spanner/ImportTransform.java‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎v1/src/main/java/com/google/cloud/teleport/spanner/iam/IAMCheckResult.java‎
Lines changed: 2 additions & 2 deletions b/‎v1/src/main/java/com/google/cloud/teleport/spanner/iam/IAMCheckResult.java‎
Lines changed: 2 additions & 2 deletions
@@ -23,16 +23,10 @@
 import com.google.cloud.teleport.metadata.TemplateParameter;
 import com.google.cloud.teleport.metadata.TemplateParameter.TemplateEnumOption;
 import com.google.cloud.teleport.spanner.ExportPipeline.ExportPipelineOptions;
-import com.google.cloud.teleport.spanner.iam.IAMCheckResult;
-import com.google.cloud.teleport.spanner.iam.IAMPermissionsChecker;
-import com.google.cloud.teleport.spanner.iam.IAMRequirementsCreator;
-import com.google.cloud.teleport.spanner.iam.IAMResourceRequirements;
 import com.google.cloud.teleport.spanner.spannerio.SpannerConfig;
-import java.util.Collections;
 import org.apache.beam.runners.dataflow.options.DataflowPipelineOptions;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
-import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
 import org.apache.beam.sdk.options.Default;
 import org.apache.beam.sdk.options.Description;
 import org.apache.beam.sdk.options.PipelineOptions;
@@ -269,7 +263,6 @@ public static void main(String[] args) {
             .withDatabaseId(options.getDatabaseId())
             .withRpcPriority(options.getSpannerPriority())
             .withDataBoostEnabled(options.getDataBoostEnabled());
-
     p.begin()
         .apply(
             "Run Export",
@@ -282,7 +275,6 @@ public static void main(String[] args) {
                 options.getShouldExportRelatedTables(),
                 options.getShouldExportTimestampAsLogicalType(),
                 options.getAvroTempDirectory()));
-    validateRequiredPermissions(options);
     PipelineResult result = p.run();
     if (options.getWaitUntilFinish()
         &&
@@ -293,26 +285,4 @@ public static void main(String[] args) {
       result.waitUntilFinish();
     }
   }
-
-  private static void validateRequiredPermissions(ExportPipelineOptions options) {
-    IAMResourceRequirements spannerRequirements =
-        IAMRequirementsCreator.createSpannerResourceRequirement();
-
-    GcpOptions gcpOptions = options.as(GcpOptions.class);
-
-    IAMPermissionsChecker iamPermissionsChecker =
-        new IAMPermissionsChecker(gcpOptions.getProject(), gcpOptions);
-    IAMCheckResult missingPermission =
-        iamPermissionsChecker.check(Collections.singletonList(spannerRequirements));
-    if (missingPermission.isSuccess()) {
-      return;
-    }
-    String errorString =
-        "For resource: "
-            + missingPermission.getResourceName()
-            + ", missing permissions: "
-            + missingPermission.getMissingPermissions()
-            + ";";
-    throw new RuntimeException(errorString);
-  }
 }
@@ -30,6 +30,9 @@
 import com.google.cloud.teleport.spanner.ddl.Sequence;
 import com.google.cloud.teleport.spanner.ddl.Table;
 import com.google.cloud.teleport.spanner.ddl.Udf;
+import com.google.cloud.teleport.spanner.iam.IAMCheckResult;
+import com.google.cloud.teleport.spanner.iam.IAMPermissionsChecker;
+import com.google.cloud.teleport.spanner.iam.IAMRequirementsCreator;
 import com.google.cloud.teleport.spanner.proto.ExportProtos;
 import com.google.cloud.teleport.spanner.proto.ExportProtos.Export;
 import com.google.cloud.teleport.spanner.proto.ExportProtos.ProtoDialect;
@@ -53,6 +56,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -86,19 +90,8 @@
 import org.apache.beam.sdk.io.fs.ResolveOptions;
 import org.apache.beam.sdk.io.fs.ResourceId;
 import org.apache.beam.sdk.options.ValueProvider;
-import org.apache.beam.sdk.transforms.Combine;
+import org.apache.beam.sdk.transforms.*;
 import org.apache.beam.sdk.transforms.Combine.CombineFn;
-import org.apache.beam.sdk.transforms.Contextful;
-import org.apache.beam.sdk.transforms.Create;
-import org.apache.beam.sdk.transforms.DoFn;
-import org.apache.beam.sdk.transforms.Flatten;
-import org.apache.beam.sdk.transforms.GroupByKey;
-import org.apache.beam.sdk.transforms.PTransform;
-import org.apache.beam.sdk.transforms.ParDo;
-import org.apache.beam.sdk.transforms.Requirements;
-import org.apache.beam.sdk.transforms.SerializableFunction;
-import org.apache.beam.sdk.transforms.SerializableFunctions;
-import org.apache.beam.sdk.transforms.View;
 import org.apache.beam.sdk.transforms.join.CoGbkResult;
 import org.apache.beam.sdk.transforms.join.CoGroupByKey;
 import org.apache.beam.sdk.transforms.join.KeyedPCollectionTuple;
@@ -184,6 +177,19 @@ public ExportTransform(
   public WriteFilesResult<String> expand(PBegin begin) {
     Pipeline p = begin.getPipeline();
 
+      PCollection<Void> validationSignal =
+              begin
+                      .apply("Trigger Validation", Create.of((Void) null))
+                      .apply(
+                              "Validate Config",
+                              ParDo.of(
+                                      new DoFn<Void, Void>() {
+                                          @ProcessElement
+                                          public void processElement(ProcessContext c) {
+                                              validateRequiredPermissions(spannerConfig);
+                                          }
+                                      }));
+
     /*
      * Allow users to specify read timestamp.
      * CreateTransaction and CreateTransactionFn classes in SpannerIO
@@ -198,6 +204,7 @@ public WriteFilesResult<String> expand(PBegin begin) {
             .apply(
                 "Create transaction",
                 ParDo.of(new CreateTransactionFnWithTimestamp(spannerConfig, snapshotTime)))
+                .apply("Validate", Wait.on(validationSignal))
             .apply("Tx As PCollectionView", View.asSingleton());
 
     PCollectionView<Dialect> dialectView =
@@ -1120,4 +1127,33 @@ private TableManifest buildGcsManifest(ProcessContext c, Iterable<GcsPath> files
       return result.build();
     }
   }
+
+
+    private static void validateRequiredPermissions(SpannerConfig spannerConfig) {
+        String instanceId = spannerConfig.getInstanceId().get();
+        String databaseId = spannerConfig.getDatabaseId().get();
+        IAMCheckResult iamCheckResult;
+        try {
+            IAMPermissionsChecker iamPermissionsChecker =
+                    new IAMPermissionsChecker(spannerConfig.getProjectId().get());
+            iamCheckResult =
+                    iamPermissionsChecker.checkSpannerDatabaseRequirements(
+                            IAMRequirementsCreator.createSpannerWriteResourceRequirement(),
+                            instanceId,
+                            databaseId);
+            if (iamCheckResult.isPermissionsAvailable()) {
+                return;
+            }
+            String errorString =
+                    "For resource: "
+                            + iamCheckResult.getResourceName()
+                            + ", missing permissions: "
+                            + iamCheckResult.getMissingPermissions()
+                            + ";";
+            throw new RuntimeException(errorString);
+        } catch (GeneralSecurityException | IOException e) {
+            LOG.error("Error while validating permissions for spanner", e);
+            throw new RuntimeException(e);
+        }
+    }
 }
@@ -23,16 +23,10 @@
 import com.google.cloud.teleport.metadata.TemplateParameter;
 import com.google.cloud.teleport.metadata.TemplateParameter.TemplateEnumOption;
 import com.google.cloud.teleport.spanner.ImportPipeline.Options;
-import com.google.cloud.teleport.spanner.iam.IAMCheckResult;
-import com.google.cloud.teleport.spanner.iam.IAMPermissionsChecker;
-import com.google.cloud.teleport.spanner.iam.IAMRequirementsCreator;
-import com.google.cloud.teleport.spanner.iam.IAMResourceRequirements;
 import com.google.cloud.teleport.spanner.spannerio.SpannerConfig;
-import java.util.Collections;
 import org.apache.beam.runners.dataflow.options.DataflowPipelineOptions;
 import org.apache.beam.sdk.Pipeline;
 import org.apache.beam.sdk.PipelineResult;
-import org.apache.beam.sdk.extensions.gcp.options.GcpOptions;
 import org.apache.beam.sdk.options.Default;
 import org.apache.beam.sdk.options.Description;
 import org.apache.beam.sdk.options.PipelineOptions;
@@ -246,6 +240,7 @@ public static void main(String[] args) {
             .withInstanceId(options.getInstanceId())
             .withDatabaseId(options.getDatabaseId())
             .withRpcPriority(options.getSpannerPriority());
+
     p.apply(
         new ImportTransform(
             spannerConfig,
@@ -258,7 +253,6 @@ public static void main(String[] args) {
             options.getDdlCreationTimeoutInMinutes(),
             options.getEarlyIndexCreateThreshold()));
 
-    validateRequiredPermissions(options);
     PipelineResult result = p.run();
 
     if (options.getWaitUntilFinish()
@@ -270,25 +264,4 @@ public static void main(String[] args) {
       result.waitUntilFinish();
     }
   }
-
-  private static void validateRequiredPermissions(Options options) {
-    IAMResourceRequirements spannerRequirements =
-        IAMRequirementsCreator.createSpannerResourceRequirement();
-    GcpOptions gcpOptions = options.as(GcpOptions.class);
-
-    IAMPermissionsChecker iamPermissionsChecker =
-        new IAMPermissionsChecker(gcpOptions.getProject(), gcpOptions);
-    IAMCheckResult missingPermission =
-        iamPermissionsChecker.check(Collections.singletonList(spannerRequirements));
-    if (missingPermission.isSuccess()) {
-      return;
-    }
-    String errorString =
-        "For resource: "
-            + missingPermission.getResourceName()
-            + ", missing permissions: "
-            + missingPermission.getMissingPermissions()
-            + ";";
-    throw new RuntimeException(errorString);
-  }
 }
@@ -19,6 +19,7 @@
 import com.google.cloud.spanner.Database;
 import com.google.cloud.spanner.DatabaseAdminClient;
 import com.google.cloud.spanner.DatabaseId;
+import com.google.cloud.spanner.DatabaseNotFoundException;
 import com.google.cloud.spanner.Dialect;
 import com.google.cloud.spanner.Mutation;
 import com.google.cloud.teleport.spanner.ddl.ChangeStream;
@@ -29,6 +30,9 @@
 import com.google.cloud.teleport.spanner.ddl.Sequence;
 import com.google.cloud.teleport.spanner.ddl.Table;
 import com.google.cloud.teleport.spanner.ddl.Udf;
+import com.google.cloud.teleport.spanner.iam.IAMCheckResult;
+import com.google.cloud.teleport.spanner.iam.IAMPermissionsChecker;
+import com.google.cloud.teleport.spanner.iam.IAMRequirementsCreator;
 import com.google.cloud.teleport.spanner.proto.ExportProtos.Export;
 import com.google.cloud.teleport.spanner.proto.ExportProtos.ProtoDialect;
 import com.google.cloud.teleport.spanner.proto.ExportProtos.TableManifest;
@@ -54,6 +58,7 @@
 import java.nio.channels.Channels;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -141,9 +146,23 @@ public ImportTransform(
 
   @Override
   public PDone expand(PBegin begin) {
+
+    PCollection<Void> validationSignal =
+        begin
+            .apply("Trigger Validation", Create.of((Void) null))
+            .apply(
+                "Validate Config",
+                ParDo.of(
+                    new DoFn<Void, Void>() {
+                      @ProcessElement
+                      public void processElement(ProcessContext c) {
+                        validateRequiredPermissions(spannerConfig);
+                      }
+                    }));
     PCollectionView<Dialect> dialectView =
         begin
             .apply("Read Dialect", new ReadDialect(spannerConfig))
+            .apply("Validate", Wait.on(validationSignal))
             .apply("Dialect As PCollectionView", View.asSingleton());
 
     PCollection<Export> manifest =
@@ -953,4 +972,41 @@ private void validateLocalFiles(ProcessContext c, String table, TableManifest ma
       }
     }
   }
+
+  private static void validateRequiredPermissions(SpannerConfig spannerConfig) {
+    String instanceId = spannerConfig.getInstanceId().get();
+    String databaseId = spannerConfig.getDatabaseId().get();
+    IAMCheckResult iamCheckResult;
+    try {
+      IAMPermissionsChecker iamPermissionsChecker =
+          new IAMPermissionsChecker(spannerConfig.getProjectId().get());
+      try {
+
+        iamCheckResult =
+            iamPermissionsChecker.checkSpannerDatabaseRequirements(
+                IAMRequirementsCreator.createSpannerWriteResourceRequirement(),
+                instanceId,
+                databaseId);
+      } catch (DatabaseNotFoundException e) {
+        // If DatabaseNotFoundException exception is thrown, then validation at instance level need
+        // to be performed.
+        iamCheckResult =
+            iamPermissionsChecker.checkSpannerInstanceRequirements(
+                IAMRequirementsCreator.createSpannerWriteResourceRequirement(), instanceId);
+      }
+      if (iamCheckResult.isPermissionsAvailable()) {
+        return;
+      }
+      String errorString =
+          "For resource: "
+              + iamCheckResult.getResourceName()
+              + ", missing permissions: "
+              + iamCheckResult.getMissingPermissions()
+              + ";";
+      throw new RuntimeException(errorString);
+    } catch (GeneralSecurityException | IOException e) {
+      LOG.error("Error while validating permissions for spanner", e);
+      throw new RuntimeException(e);
+    }
+  }
 }
@@ -36,7 +36,7 @@ public List<String> getMissingPermissions() {
     return new ArrayList<>(missingPermissions);
   }
 
-  public boolean isSuccess() {
+  public boolean isPermissionsAvailable() {
     return missingPermissions.isEmpty();
   }
 
@@ -49,7 +49,7 @@ public String toString() {
         + ", missingPermissions="
         + missingPermissions
         + ", success="
-        + isSuccess()
+        + isPermissionsAvailable()
         + '}';
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public List<String> getMissingPermissions() {`
`36`	`36`	`return new ArrayList<>(missingPermissions);`
`37`	`37`	`}`
`38`	`38`
`39`		`- public boolean isSuccess() {`
	`39`	`+ public boolean isPermissionsAvailable() {`
`40`	`40`	`return missingPermissions.isEmpty();`
`41`	`41`	`}`
`42`	`42`
`@@ -49,7 +49,7 @@ public String toString() {`
`49`	`49`	`+ ", missingPermissions="`
`50`	`50`	`+ missingPermissions`
`51`	`51`	`+ ", success="`
`52`		`- + isSuccess()`
	`52`	`+ + isPermissionsAvailable()`
`53`	`53`	`+ '}';`
`54`	`54`	`}`
`55`	`55`	`}`