Remote+BES: Stabilize command line flags.

Update the command line flags used by remote execution/caching as well as the
build event service (BES).

Major changes:
 - Remote execution/caching and BES share flags for authentication and TLS.
 - Removed API Key authentication from BES, as it's not being used.
 - Add TLS support to BES upload.
 - Add --bes_project_id flag. If set, the value is propagated as part of BES
   lifecycle events.

For reviewers:
Start your review at CommonRemoteAndBesOptions, BuildEventServiceOptions and
RemoteOptions. The other changes are mostly automatic IDE renames of fields and
flag updates in shell script tests.

RELNOTES: None.
PiperOrigin-RevId: 156553857

12 files changed, 158 insertions, 116 deletions

diff --git a/src/main/java/com/google/devtools/build/lib/remote/CachedLocalSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/remote/CachedLocalSpawnRunner.java
index fb7241eb7b..87da7c2405 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/CachedLocalSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/CachedLocalSpawnRunner.java
@@ -126,7 +126,7 @@ final class CachedLocalSpawnRunner implements SpawnRunner {
         }
       }
       SpawnResult spawnResult = delegate.exec(spawn, policy);
-      if (options.remoteLocalExecUploadResults
+      if (options.remoteUploadLocalResults
           && spawnResult.status() == Status.SUCCESS
           && spawnResult.exitCode() == 0) {
         writeCacheEntry(spawn, policy.getFileOutErr(), actionKey);
diff --git a/src/main/java/com/google/devtools/build/lib/remote/ChannelOptions.java b/src/main/java/com/google/devtools/build/lib/remote/ChannelOptions.java
index d6bfa79ebd..7fa5c9e276 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/ChannelOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/ChannelOptions.java
@@ -18,6 +18,7 @@ import com.google.auth.oauth2.GoogleCredentials;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
 import com.google.devtools.build.lib.concurrent.ThreadSafety.ThreadSafe;
+import com.google.devtools.build.lib.runtime.AuthAndTLSOptions;
 import io.grpc.CallCredentials;
 import io.grpc.auth.MoreCallCredentials;
 import io.grpc.netty.GrpcSslContexts;
@@ -72,12 +73,13 @@ public final class ChannelOptions {
     return maxMessageSize;
   }
 
-  public static ChannelOptions create(RemoteOptions options) {
+  public static ChannelOptions create(AuthAndTLSOptions options, int grpcMaxChunkSizeBytes) {
     try {
       return create(
           options,
-          options.authCredentialsJson != null
-              ? new FileInputStream(options.authCredentialsJson)
+          grpcMaxChunkSizeBytes,
+          options.authCredentials != null
+              ? new FileInputStream(options.authCredentials)
               : null);
     } catch (IOException e) {
       throw new IllegalArgumentException(
@@ -86,18 +88,19 @@ public final class ChannelOptions {
   }
 
   @VisibleForTesting
-  public static ChannelOptions create(
-      RemoteOptions options, @Nullable InputStream credentialsInputStream) {
+  public static ChannelOptions create(AuthAndTLSOptions options, int grpcMaxChunkSizeBytes,
+      @Nullable InputStream credentialsInputStream) {
     boolean tlsEnabled = options.tlsEnabled;
     SslContext sslContext = null;
     String tlsAuthorityOverride = options.tlsAuthorityOverride;
     CallCredentials credentials = null;
-    if (options.tlsEnabled && options.tlsCert != null) {
+    if (options.tlsEnabled && options.tlsCertificate != null) {
       try {
-        sslContext = GrpcSslContexts.forClient().trustManager(new File(options.tlsCert)).build();
+        sslContext =
+            GrpcSslContexts.forClient().trustManager(new File(options.tlsCertificate)).build();
       } catch (SSLException e) {
         throw new IllegalArgumentException(
-            "SSL error initializing cert " + options.tlsCert + " : " + e);
+            "SSL error initializing cert " + options.tlsCertificate + " : " + e);
       }
     }
     if (options.authEnabled) {
@@ -118,7 +121,7 @@ public final class ChannelOptions {
     final int maxMessageSize =
         Math.max(
             4 * 1024 * 1024 /* GrpcUtil.DEFAULT_MAX_MESSAGE_SIZE */,
-            options.grpcMaxChunkSizeBytes + CHUNK_MESSAGE_OVERHEAD);
+            grpcMaxChunkSizeBytes + CHUNK_MESSAGE_OVERHEAD);
     return new ChannelOptions(
         tlsEnabled, sslContext, tlsAuthorityOverride, credentials, maxMessageSize);
   }
diff --git a/src/main/java/com/google/devtools/build/lib/remote/GrpcActionCache.java b/src/main/java/com/google/devtools/build/lib/remote/GrpcActionCache.java
index 67b04a969a..d85125f15c 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/GrpcActionCache.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/GrpcActionCache.java
@@ -87,9 +87,9 @@ public class GrpcActionCache implements RemoteActionCache {
       Channel channel, RemoteOptions options, ChannelOptions channelOptions) {
     this.options = options;
     this.casIface =
-        GrpcInterfaces.casInterface(options.grpcTimeoutSeconds, channel, channelOptions);
+        GrpcInterfaces.casInterface(options.remoteTimeout, channel, channelOptions);
     this.iface =
-        GrpcInterfaces.executionCacheInterface(options.grpcTimeoutSeconds, channel, channelOptions);
+        GrpcInterfaces.executionCacheInterface(options.remoteTimeout, channel, channelOptions);
   }
 
   public GrpcActionCache(RemoteOptions options, ChannelOptions channelOptions) {
@@ -392,7 +392,7 @@ public class GrpcActionCache implements RemoteActionCache {
     while (batches++ < numItems) {
       finishLatch.countDown(); // Non-sent batches.
     }
-    finishLatch.await(options.grpcTimeoutSeconds, TimeUnit.SECONDS);
+    finishLatch.await(options.remoteTimeout, TimeUnit.SECONDS);
     if (exception.get() != null) {
       throw exception.get(); // Re-throw the first encountered exception.
     }
diff --git a/src/main/java/com/google/devtools/build/lib/remote/GrpcRemoteExecutor.java b/src/main/java/com/google/devtools/build/lib/remote/GrpcRemoteExecutor.java
index 1812d8f4f0..eb79c91919 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/GrpcRemoteExecutor.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/GrpcRemoteExecutor.java
@@ -25,7 +25,7 @@ import java.util.Iterator;
 @ThreadSafe
 public class GrpcRemoteExecutor extends GrpcActionCache {
   public static boolean isRemoteExecutionOptions(RemoteOptions options) {
-    return options.remoteWorker != null;
+    return options.remoteExecutor != null;
   }
 
   private final GrpcExecutionInterface executionIface;
@@ -43,11 +43,11 @@ public class GrpcRemoteExecutor extends GrpcActionCache {
       ManagedChannel channel, ChannelOptions channelOptions, RemoteOptions options) {
     super(
         options,
-        GrpcInterfaces.casInterface(options.grpcTimeoutSeconds, channel, channelOptions),
+        GrpcInterfaces.casInterface(options.remoteTimeout, channel, channelOptions),
         GrpcInterfaces.executionCacheInterface(
-            options.grpcTimeoutSeconds, channel, channelOptions));
+            options.remoteTimeout, channel, channelOptions));
     this.executionIface =
-        GrpcInterfaces.executionInterface(options.grpcTimeoutSeconds, channel, channelOptions);
+        GrpcInterfaces.executionInterface(options.remoteTimeout, channel, channelOptions);
   }
 
   public ExecuteReply executeRemotely(ExecuteRequest request) {
diff --git a/src/main/java/com/google/devtools/build/lib/remote/README.md b/src/main/java/com/google/devtools/build/lib/remote/README.md
index 2b242c3bb5..ddcf7a9175 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/README.md
+++ b/src/main/java/com/google/devtools/build/lib/remote/README.md
@@ -18,7 +18,7 @@ execution support.
 
 This option is always needed to support distributed caching and remote execution.
 
-* ```build --spawn_strategy=remote --rest_cache_url=http://remote-cache:8080/cache```
+* ```build --spawn_strategy=remote --remote_rest_cache=http://remote-cache:8080/cache```
 
 This option enables distributed caching with a REST endpoint that supports GET, HEAD and PUT.
 
@@ -30,7 +30,7 @@ This option enables distributed caching using a gRPC content-addressable storage
 
 This option enables distributed caching using Hazelcast memory cluster as a content-addressable storage (CAS). Please watch for future announcement as this might be removed in favor of the REST endpoint.
 
-* ```build --spawn_strategy=remote --remote_worker=grpc-builder:5000 --remote_cache=grpc-builder:5000```
+* ```build --spawn_strategy=remote --remote_executor=grpc-builder:5000 --remote_cache=grpc-builder:5000```
 
 This option enables remote execution with a gRPC service at ```grpc-builder:5000```. Remote execution requires a distributed caching service, which is also at ```grpc-builder:5000```.
 
@@ -150,7 +150,7 @@ following options to enable distributed caching. Change `http://server-address:p
 one that you provide. You may also put the options in `~/.bazelrc`.
 
 ```
-build --spawn_strategy=remote --rest_cache_url=http://server-address:port/cache
+build --spawn_strategy=remote --remote_rest_cache=http://server-address:port/cache
 ```
 
 ### Distributed caching with gRPC CAS endpoint
@@ -261,5 +261,5 @@ memory cluster.
 
 Use the following build options.
 ```
-build --spawn_strategy=remote --remote_worker=localhost:8080 --remote_cache=localhost:8080
+build --spawn_strategy=remote --remote_executor=localhost:8080 --remote_cache=localhost:8080
 ```
diff --git a/src/main/java/com/google/devtools/build/lib/remote/RemoteActionContextProvider.java b/src/main/java/com/google/devtools/build/lib/remote/RemoteActionContextProvider.java
index b7c2830a62..261e130e8c 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/RemoteActionContextProvider.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/RemoteActionContextProvider.java
@@ -20,6 +20,7 @@ import com.google.devtools.build.lib.actions.Executor.ActionContext;
 import com.google.devtools.build.lib.buildtool.BuildRequest;
 import com.google.devtools.build.lib.exec.ActionContextProvider;
 import com.google.devtools.build.lib.exec.ExecutionOptions;
+import com.google.devtools.build.lib.runtime.AuthAndTLSOptions;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
 
 /**
@@ -38,6 +39,7 @@ final class RemoteActionContextProvider extends ActionContextProvider {
             env.getClientEnv(),
             env.getExecRoot(),
             buildRequest.getOptions(RemoteOptions.class),
+            buildRequest.getOptions(AuthAndTLSOptions.class),
             verboseFailures,
             env.getRuntime().getProductName()));
     this.strategies = strategiesBuilder.build();
diff --git a/src/main/java/com/google/devtools/build/lib/remote/RemoteModule.java b/src/main/java/com/google/devtools/build/lib/remote/RemoteModule.java
index acc664285b..bbc20d2157 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/RemoteModule.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/RemoteModule.java
@@ -19,6 +19,7 @@ import com.google.common.eventbus.Subscribe;
 import com.google.devtools.build.lib.buildtool.BuildRequest;
 import com.google.devtools.build.lib.buildtool.buildevent.BuildStartingEvent;
 import com.google.devtools.build.lib.exec.ExecutorBuilder;
+import com.google.devtools.build.lib.runtime.AuthAndTLSOptions;
 import com.google.devtools.build.lib.runtime.BlazeModule;
 import com.google.devtools.build.lib.runtime.Command;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
@@ -67,7 +68,8 @@ public final class RemoteModule extends BlazeModule {
   @Override
   public Iterable<Class<? extends OptionsBase>> getCommandOptions(Command command) {
     return "build".equals(command.name())
-        ? ImmutableList.<Class<? extends OptionsBase>>of(RemoteOptions.class)
+        ? ImmutableList.<Class<? extends OptionsBase>>of(RemoteOptions.class,
+        AuthAndTLSOptions.class)
         : ImmutableList.<Class<? extends OptionsBase>>of();
   }
 }
diff --git a/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java b/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java
index 0c76aa3106..fcdb44a14a 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/RemoteOptions.java
@@ -20,14 +20,14 @@ import com.google.devtools.common.options.OptionsBase;
 /** Options for remote execution and distributed caching. */
 public final class RemoteOptions extends OptionsBase {
   @Option(
-    name = "rest_cache_url",
+    name = "remote_rest_cache",
     defaultValue = "null",
     category = "remote",
     help =
         "A base URL for a RESTful cache server for storing build artifacts."
             + "It has to support PUT, GET, and HEAD requests."
   )
-  public String restCacheUrl;
+  public String remoteRestCache;
 
   @Option(
     name = "hazelcast_node",
@@ -56,18 +56,18 @@ public final class RemoteOptions extends OptionsBase {
   public int hazelcastStandaloneListenPort;
 
   @Option(
-    name = "remote_worker",
+    name = "remote_executor",
     defaultValue = "null",
     category = "remote",
-    help = "Hostname and port number of remote worker in the form of host:port. "
+    help = "HOST or HOST:PORT of a remote execution endpoint."
   )
-  public String remoteWorker;
+  public String remoteExecutor;
 
   @Option(
     name = "remote_cache",
     defaultValue = "null",
     category = "remote",
-    help = "Hostname and port number of remote gRPC cache in the form of host:port. "
+    help = "HOST or HOST:PORT of a remote caching endpoint."
   )
   public String remoteCache;
 
@@ -96,12 +96,12 @@ public final class RemoteOptions extends OptionsBase {
   public int grpcMaxBatchSizeBytes;
 
   @Option(
-    name = "grpc_timeout_seconds",
+    name = "remote_timeout",
     defaultValue = "60",
     category = "remote",
-    help = "The maximal number of seconds to wait for remote calls."
+    help = "The maximum number of seconds to wait for remote execution and cache calls."
   )
-  public int grpcTimeoutSeconds;
+  public int remoteTimeout;
 
   @Option(
     name = "remote_accept_cached",
@@ -112,20 +112,20 @@ public final class RemoteOptions extends OptionsBase {
   public boolean remoteAcceptCached;
 
   @Option(
-    name = "remote_allow_local_fallback",
+    name = "remote_local_fallback",
     defaultValue = "true",
     category = "remote",
-    help = "Whether to fall back to standalone strategy if remote fails."
+    help = "Whether to fall back to standalone local execution strategy if remote execution fails."
   )
-  public boolean remoteAllowLocalFallback;
+  public boolean remoteLocalFallback;
 
   @Option(
-    name = "remote_local_exec_upload_results",
+    name = "remote_upload_local_results",
     defaultValue = "true",
     category = "remote",
-    help = "Whether to upload action results to the remote cache after executing locally."
+    help = "Whether to upload locally executed action results to the remote cache."
   )
-  public boolean remoteLocalExecUploadResults;
+  public boolean remoteUploadLocalResults;
 
   @Option(
     name = "experimental_remote_platform_override",
@@ -134,56 +134,4 @@ public final class RemoteOptions extends OptionsBase {
     help = "Temporary, for testing only. Manually set a Platform to pass to remote execution."
   )
   public String experimentalRemotePlatformOverride;
-
-  @Option(
-    name = "auth_enabled",
-    defaultValue = "false",
-    category = "remote",
-    help = "Whether to enable API key authentication."
-  )
-  public boolean authEnabled;
-
-  @Option(
-    name = "auth_scope",
-    defaultValue = "null",
-    category = "remote",
-    help = "If server authentication requires a scope, provide it here."
-  )
-  public String authScope;
-
-  @Option(
-    name = "auth_credentials_json",
-    defaultValue = "null",
-    category = "remote",
-    help = "Location of credentials JSON file."
-  )
-  public String authCredentialsJson;
-
-  @Option(
-    name = "tls_enabled",
-    defaultValue = "false",
-    category = "remote",
-    help =
-        "If set to true, Bazel uses TLS encryption for all connections to remote cache and "
-            + "execution servers."
-  )
-  public boolean tlsEnabled;
-
-  @Option(
-    name = "tls_cert",
-    defaultValue = "null",
-    category = "remote",
-    help = "TLS certificate file to use."
-  )
-  public String tlsCert;
-
-  @Option(
-    name = "tls_authority_override",
-    defaultValue = "null",
-    category = "remote",
-    help =
-        "If present, consider the value of the flag a valid TLS authority. This is useful for "
-            + "using self-signed test TLS certificates. For testing only."
-  )
-  public String tlsAuthorityOverride;
 }
diff --git a/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnRunner.java
index e7025beee8..73fb45eefe 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnRunner.java
@@ -36,6 +36,7 @@ import com.google.devtools.build.lib.remote.RemoteProtocol.ExecuteRequest;
 import com.google.devtools.build.lib.remote.RemoteProtocol.ExecutionStatus;
 import com.google.devtools.build.lib.remote.RemoteProtocol.Platform;
 import com.google.devtools.build.lib.remote.TreeNodeRepository.TreeNode;
+import com.google.devtools.build.lib.runtime.AuthAndTLSOptions;
 import com.google.devtools.build.lib.util.io.FileOutErr;
 import com.google.devtools.build.lib.vfs.Path;
 import com.google.devtools.build.lib.vfs.PathFragment;
@@ -82,15 +83,18 @@ final class RemoteSpawnRunner implements SpawnRunner {
 
   RemoteSpawnRunner(
       Path execRoot,
-      RemoteOptions options) {
-    this(execRoot, options, connect(options));
+      RemoteOptions options,
+      AuthAndTLSOptions authTlsOptions) {
+    this(execRoot, options, connect(options, authTlsOptions));
   }
 
-  private static GrpcRemoteExecutor connect(RemoteOptions options) {
+  private static GrpcRemoteExecutor connect(RemoteOptions options,
+      AuthAndTLSOptions authTlsOptions) {
     Preconditions.checkArgument(GrpcRemoteExecutor.isRemoteExecutionOptions(options));
-    ChannelOptions channelOptions = ChannelOptions.create(options);
+    ChannelOptions channelOptions = ChannelOptions.create(authTlsOptions,
+        options.grpcMaxChunkSizeBytes);
     return new GrpcRemoteExecutor(
-        RemoteUtils.createChannel(options.remoteWorker, channelOptions), channelOptions, options);
+        RemoteUtils.createChannel(options.remoteExecutor, channelOptions), channelOptions, options);
   }
 
   @Override
diff --git a/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnStrategy.java b/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnStrategy.java
index 9882da210b..537643990b 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/RemoteSpawnStrategy.java
@@ -44,6 +44,7 @@ import com.google.devtools.build.lib.remote.RemoteProtocol.ExecutionStatus;
 import com.google.devtools.build.lib.remote.RemoteProtocol.Platform;
 import com.google.devtools.build.lib.remote.TreeNodeRepository.TreeNode;
 import com.google.devtools.build.lib.rules.fileset.FilesetActionContext;
+import com.google.devtools.build.lib.runtime.AuthAndTLSOptions;
 import com.google.devtools.build.lib.standalone.StandaloneSpawnStrategy;
 import com.google.devtools.build.lib.util.io.FileOutErr;
 import com.google.devtools.build.lib.vfs.Path;
@@ -71,7 +72,7 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
   private final Path execRoot;
   private final StandaloneSpawnStrategy standaloneStrategy;
   private final boolean verboseFailures;
-  private final RemoteOptions options;
+  private final RemoteOptions remoteOptions;
   // TODO(olaola): This will be set on a per-action basis instead.
   private final Platform platform;
   private final ChannelOptions channelOptions;
@@ -80,18 +81,20 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
   RemoteSpawnStrategy(
       Map<String, String> clientEnv,
       Path execRoot,
-      RemoteOptions options,
+      RemoteOptions remoteOptions,
+      AuthAndTLSOptions authTlsOptions,
       boolean verboseFailures,
       String productName) {
     this.execRoot = execRoot;
     this.standaloneStrategy = new StandaloneSpawnStrategy(execRoot, verboseFailures, productName);
     this.verboseFailures = verboseFailures;
-    this.options = options;
-    channelOptions = ChannelOptions.create(options);
-    if (options.experimentalRemotePlatformOverride != null) {
+    this.remoteOptions = remoteOptions;
+    channelOptions = ChannelOptions.create(authTlsOptions, remoteOptions.grpcMaxChunkSizeBytes);
+    if (remoteOptions.experimentalRemotePlatformOverride != null) {
       Platform.Builder platformBuilder = Platform.newBuilder();
       try {
-        TextFormat.getParser().merge(options.experimentalRemotePlatformOverride, platformBuilder);
+        TextFormat.getParser().merge(remoteOptions.experimentalRemotePlatformOverride,
+            platformBuilder);
       } catch (ParseException e) {
         throw new IllegalArgumentException(
             "Failed to parse --experimental_remote_platform_override", e);
@@ -139,7 +142,7 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
       ActionKey actionKey)
       throws ExecException, InterruptedException {
     standaloneStrategy.exec(spawn, actionExecutionContext);
-    if (options.remoteLocalExecUploadResults && actionCache != null && actionKey != null) {
+    if (remoteOptions.remoteUploadLocalResults && actionCache != null && actionKey != null) {
       ArrayList<Path> outputFiles = new ArrayList<>();
       for (ActionInput output : spawn.getOutputFiles()) {
         Path outputFile = execRoot.getRelative(output.getExecPathString());
@@ -214,19 +217,19 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
     if (spawn.isRemotable()) {
       // Initialize remote cache and execution handlers. We use separate handlers for every
       // action to enable server-side parallelism (need a different gRPC channel per action).
-      if (SimpleBlobStoreFactory.isRemoteCacheOptions(options)) {
-        actionCache = new SimpleBlobStoreActionCache(SimpleBlobStoreFactory.create(options));
-      } else if (GrpcActionCache.isRemoteCacheOptions(options)) {
-        actionCache = new GrpcActionCache(options, channelOptions);
+      if (SimpleBlobStoreFactory.isRemoteCacheOptions(remoteOptions)) {
+        actionCache = new SimpleBlobStoreActionCache(SimpleBlobStoreFactory.create(remoteOptions));
+      } else if (GrpcActionCache.isRemoteCacheOptions(remoteOptions)) {
+        actionCache = new GrpcActionCache(remoteOptions, channelOptions);
       }
       // Otherwise actionCache remains null and remote caching/execution are disabled.
 
-      if (actionCache != null && GrpcRemoteExecutor.isRemoteExecutionOptions(options)) {
+      if (actionCache != null && GrpcRemoteExecutor.isRemoteExecutionOptions(remoteOptions)) {
         workExecutor =
             new GrpcRemoteExecutor(
-                RemoteUtils.createChannel(options.remoteWorker, channelOptions),
+                RemoteUtils.createChannel(remoteOptions.remoteExecutor, channelOptions),
                 channelOptions,
-                options);
+                remoteOptions);
       }
     }
     if (!spawn.isRemotable() || actionCache == null) {
@@ -260,9 +263,10 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
 
       // Look up action cache, and reuse the action output if it is found.
       actionKey = ContentDigests.computeActionKey(action);
-      ActionResult result =
-          this.options.remoteAcceptCached ? actionCache.getCachedActionResult(actionKey) : null;
-      boolean acceptCachedResult = this.options.remoteAcceptCached;
+      ActionResult result = this.remoteOptions.remoteAcceptCached
+          ? actionCache.getCachedActionResult(actionKey)
+          : null;
+      boolean acceptCachedResult = this.remoteOptions.remoteAcceptCached;
       if (result != null) {
         // We don't cache failed actions, so we know the outputs exist.
         // For now, download all outputs locally; in the future, we can reuse the digests to
@@ -304,7 +308,7 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
         return;
       }
       if (status.getError() == ExecutionStatus.ErrorCode.EXEC_FAILED
-          || !options.remoteAllowLocalFallback) {
+          || !remoteOptions.remoteLocalFallback) {
         passRemoteOutErr(actionCache, result, actionExecutionContext.getFileOutErr());
         throw new UserExecException(status.getErrorDetail());
       }
@@ -323,14 +327,14 @@ final class RemoteSpawnStrategy implements SpawnActionContext {
         stackTrace = "\n" + Throwables.getStackTraceAsString(e);
       }
       eventHandler.handle(Event.warn(mnemonic + " remote work failed (" + e + ")" + stackTrace));
-      if (options.remoteAllowLocalFallback) {
+      if (remoteOptions.remoteLocalFallback) {
         execLocally(spawn, actionExecutionContext, actionCache, actionKey);
       } else {
         throw new UserExecException(e);
       }
     } catch (CacheNotFoundException e) {
       eventHandler.handle(Event.warn(mnemonic + " remote work results cache miss (" + e + ")"));
-      if (options.remoteAllowLocalFallback) {
+      if (remoteOptions.remoteLocalFallback) {
         execLocally(spawn, actionExecutionContext, actionCache, actionKey);
       } else {
         throw new UserExecException(e);
diff --git a/src/main/java/com/google/devtools/build/lib/remote/SimpleBlobStoreFactory.java b/src/main/java/com/google/devtools/build/lib/remote/SimpleBlobStoreFactory.java
index 2bb5962399..2f6993cce1 100644
--- a/src/main/java/com/google/devtools/build/lib/remote/SimpleBlobStoreFactory.java
+++ b/src/main/java/com/google/devtools/build/lib/remote/SimpleBlobStoreFactory.java
@@ -187,7 +187,7 @@ public final class SimpleBlobStoreFactory {
   }
 
   public static SimpleBlobStore createRest(RemoteOptions options) {
-    return new RestBlobStore(options.restCacheUrl);
+    return new RestBlobStore(options.remoteRestCache);
   }
 
   public static SimpleBlobStore create(RemoteOptions options) {
@@ -213,6 +213,6 @@ public final class SimpleBlobStoreFactory {
   }
 
   private static boolean isRestUrlOptions(RemoteOptions options) {
-    return options.restCacheUrl != null;
+    return options.remoteRestCache != null;
   }
 }
diff --git a/src/main/java/com/google/devtools/build/lib/runtime/AuthAndTLSOptions.java b/src/main/java/com/google/devtools/build/lib/runtime/AuthAndTLSOptions.java
new file mode 100644
index 0000000000..587b68dfd7
--- /dev/null
+++ b/src/main/java/com/google/devtools/build/lib/runtime/AuthAndTLSOptions.java
@@ -0,0 +1,79 @@
+// Copyright 2017 The Bazel Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.devtools.build.lib.runtime;
+
+import com.google.devtools.common.options.Option;
+import com.google.devtools.common.options.OptionsBase;
+import com.google.devtools.common.options.OptionsParser.OptionUsageRestrictions;
+
+/**
+ * Common options for authentication and TLS.
+ */
+public class AuthAndTLSOptions extends OptionsBase {
+  @Option(
+      name = "auth_enabled",
+      defaultValue = "false",
+      category = "remote",
+      help = "Whether to enable authentication for remote execution/caching and the build event "
+          + "service (BES). If not otherwise specified 'Google Application Default Credentials' "
+          + "are used. Disabled by default."
+  )
+  public boolean authEnabled;
+
+  @Option(
+      name = "auth_scope",
+      defaultValue = "null",
+      category = "remote",
+      help = "If server authentication requires a scope, provide it here."
+  )
+  public String authScope;
+
+  @Option(
+      name = "auth_credentials",
+      defaultValue = "null",
+      category = "remote",
+      help = "Specifies the file to get authentication credentials from. See "
+          + "https://cloud.google.com/docs/authentication for more details. 'Google Application "
+          + "Default Credentials' are used by default."
+  )
+  public String authCredentials;
+
+  @Option(
+      name = "tls_enabled",
+      defaultValue = "false",
+      category = "remote",
+      help = "Specifies whether to use TLS for remote execution/caching and the build event service"
+          + " (BES)."
+  )
+  public boolean tlsEnabled;
+
+  @Option(
+      name = "tls_certificate",
+      defaultValue = "null",
+      category = "remote",
+      help = "Specify the TLS client certificate to use."
+  )
+  public String tlsCertificate;
+
+  @Option(
+      name = "tls_authority_override",
+      defaultValue = "null",
+      category = "remote",
+      optionUsageRestrictions = OptionUsageRestrictions.HIDDEN,
+      help = "TESTING ONLY! Can be used with a self-signed certificate to consider the specified "
+          + "value a valid TLS authority."
+  )
+  public String tlsAuthorityOverride;
+}