danielcweeks commented on code in PR #14447:
URL: https://github.com/apache/iceberg/pull/14447#discussion_r2628836288


##########
bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryMetastoreCatalog.java:
##########
@@ -58,15 +57,8 @@
 public class BigQueryMetastoreCatalog extends BaseMetastoreCatalog
     implements SupportsNamespaces, Configurable<Object> {
 
-  // User provided properties.
-  public static final String PROJECT_ID = "gcp.bigquery.project-id";
-  public static final String GCP_LOCATION = "gcp.bigquery.location";
-  public static final String LIST_ALL_TABLES = "gcp.bigquery.list-all-tables";
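
Review bot: The three fields removed at the top of `BigQueryMetastoreCatalog` are `public static final String`, so external code that references `BigQueryMetastoreCatalog.PROJECT_ID`, `GCP_LOCATION` or `LIST_ALL_TABLES` stops compiling once they are gone. Suggest keeping them for a deprecation cycle as `@Deprecated` aliases that point at the `BigQueryProperties` constants, so each key string is still defined in one place only.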

Review Comment:
   These are technically public, so for Semver we should probably mark them 
deprecated for removal in 1.12 (see 
[deprecations](https://iceberg.apache.org/contribute/#deprecation-notices)).



##########
bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryProperties.java:
##########
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.gcp.bigquery;
+
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.ImpersonatedCredentials;
+import com.google.cloud.ServiceOptions;
+import com.google.cloud.bigquery.BigQueryOptions;
+import java.io.IOException;
+import java.io.Serializable;
+import java.io.UncheckedIOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import 
org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class BigQueryProperties implements Serializable {
+
+  private static final Logger LOG = 
LoggerFactory.getLogger(BigQueryProperties.class);
+
+  // User provided properties.
+  public static final String PROJECT_ID = "gcp.bigquery.project-id";
+  public static final String GCP_LOCATION = "gcp.bigquery.location";
+  public static final String LIST_ALL_TABLES = "gcp.bigquery.list-all-tables";
+
+  // Service account impersonation properties.
+  public static final String IMPERSONATE_SERVICE_ACCOUNT = 
"gcp.impersonate.service-account";
+  public static final String IMPERSONATE_LIFETIME_SECONDS = 
"gcp.impersonate.lifetime-seconds";
+  public static final String IMPERSONATE_SCOPES = "gcp.impersonate.scopes";
+  public static final String IMPERSONATE_DELEGATES = 
"gcp.impersonate.delegates";
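
Review bot: Missing documentation on the four `IMPERSONATE_*` constants: nothing here states the value format for `gcp.impersonate.scopes` and `gcp.impersonate.delegates` (a single value or a separated list, and with which separator), or the default and accepted range for `gcp.impersonate.lifetime-seconds`. A short Javadoc on each constant would let an operator configure impersonation without reading the parsing code, which matters because a mistyped delegate chain or scope list changes which identity and permissions the client ends up with.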

Review Comment:
   Don't we want to scope these properties to BigQuery as well (e.g. 
`gcp.bigquery...`), since we want the impersonation to be scoped to that client 
specifically?



##########
gcp/src/main/java/org/apache/iceberg/gcp/GCPProperties.java:
##########
@@ -49,6 +49,12 @@ public class GCPProperties implements Serializable {
   public static final String GCS_OAUTH2_REFRESH_CREDENTIALS_ENDPOINT =
       "gcs.oauth2.refresh-credentials-endpoint";
 
+  // Impersonation properties
+  public static final String GCS_IMPERSONATE_SERVICE_ACCOUNT = 
"gcp.impersonate.service-account";
+  public static final String GCS_IMPERSONATE_LIFETIME_SECONDS = 
"gcp.impersonate.lifetime-seconds";
+  public static final String GCS_IMPERSONATE_DELEGATES = 
"gcp.impersonate.delegates";
+  public static final int GCS_IMPERSONATE_LIFETIME_SECONDS_DEFAULT = 3600;
+
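
Review bot: The new constants are named `GCS_IMPERSONATE_*` but their keys start with `gcp.`, unlike the `gcs.oauth2.refresh-credentials-endpoint` key in the context lines just above them, and the three strings are identical to the `gcp.impersonate.*` keys declared in `BigQueryProperties`. One catalog property would then switch on impersonation for both the storage client and the BigQuery client; if that is not intended, give each client its own prefix so the impersonated service account can be granted only what that client needs.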

Review Comment:
   Also, no scopes necessary here?



##########
bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryProperties.java:
##########
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.gcp.bigquery;
+
+import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.ImpersonatedCredentials;
+import com.google.cloud.ServiceOptions;
+import com.google.cloud.bigquery.BigQueryOptions;
+import java.io.IOException;
+import java.io.Serializable;
+import java.io.UncheckedIOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import 
org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableList;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class BigQueryProperties implements Serializable {
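
Review bot: `BigQueryProperties` is declared `implements Serializable` and imports `GoogleCredentials` and `ImpersonatedCredentials`; the fields are outside this excerpt, so please confirm that the class stores only the property strings and builds credentials on demand. A credentials object held in a non-transient field would be written out wherever the properties object is serialized.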

Review Comment:
   I think you can leave this at package-level protection.



##########
gcp/src/main/java/org/apache/iceberg/gcp/GCPProperties.java:
##########
@@ -49,6 +49,12 @@ public class GCPProperties implements Serializable {
   public static final String GCS_OAUTH2_REFRESH_CREDENTIALS_ENDPOINT =
       "gcs.oauth2.refresh-credentials-endpoint";
 
+  // Impersonation properties
+  public static final String GCS_IMPERSONATE_SERVICE_ACCOUNT = 
"gcp.impersonate.service-account";
+  public static final String GCS_IMPERSONATE_LIFETIME_SECONDS = 
"gcp.impersonate.lifetime-seconds";
+  public static final String GCS_IMPERSONATE_DELEGATES = 
"gcp.impersonate.delegates";
+  public static final int GCS_IMPERSONATE_LIFETIME_SECONDS_DEFAULT = 3600;
+
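
Review bot: `GCS_IMPERSONATE_LIFETIME_SECONDS_DEFAULT = 3600` is the only default or bound declared for these keys, and nothing in this hunk says how a non-numeric, zero or negative `gcp.impersonate.lifetime-seconds` is treated. Suggest documenting the accepted range next to the constant and rejecting out-of-range values where the property is parsed, so a typo cannot produce a token lifetime the operator did not choose.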

Review Comment:
   Did you mean to prefix these with `gcs` instead of `gcp`? This looks like 
it overlaps with the ones defined in BigQueryProperties. 



##########
bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryMetastoreCatalog.java:
##########
@@ -81,23 +73,17 @@ public BigQueryMetastoreCatalog() {}
 
   @Override
   public void initialize(String name, Map<String, String> properties) {
-    Preconditions.checkArgument(
-        properties.containsKey(PROJECT_ID),
-        "Invalid GCP project: %s must be specified",
-        PROJECT_ID);
 
-    this.projectId = properties.get(PROJECT_ID);
-    this.projectLocation = properties.getOrDefault(GCP_LOCATION, 
DEFAULT_GCP_LOCATION);
+    this.projectId = properties.get(BigQueryProperties.PROJECT_ID);
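
Review bot: The `Preconditions.checkArgument` on `PROJECT_ID` is removed and `this.projectId = properties.get(BigQueryProperties.PROJECT_ID)` has no replacement check in the visible lines, so a missing `gcp.bigquery.project-id` now yields a null `projectId` instead of an immediate error. If the validation has moved into `BigQueryProperties`, read the value from that object; otherwise keep the precondition so a misconfigured catalog fails in `initialize` rather than on the first request.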

Review Comment:
   This now feels like it's a little out of order.  Why not create the 
`BigQueryProperties` first thing, which includes these values that we're now 
parsing out of the property map?



##########
bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryMetastoreClientImpl.java:
##########
@@ -127,9 +128,21 @@ public BigQueryMetastoreClientImpl(BigQueryOptions options)
       throws IOException, GeneralSecurityException {
     // Initialize client that will be used to send requests. This client only 
needs to be created
     // once, and can be reused for multiple requests
-    HttpCredentialsAdapter httpCredentialsAdapter =
-        new HttpCredentialsAdapter(
-            
GoogleCredentials.getApplicationDefault().createScoped(BigqueryScopes.all()));
+
+    // Get credentials from options, or use application default
+    GoogleCredentials credentials =
+        (options.getCredentials() instanceof GoogleCredentials)
+            ? (GoogleCredentials) options.getCredentials()
+            : GoogleCredentials.getApplicationDefault();
+
+    // Scope credentials unless already scoped (e.g., ImpersonatedCredentials)
+    GoogleCredentials scopedCredentials =
+        (credentials instanceof ImpersonatedCredentials)
+            ? credentials
+            : credentials.createScoped(BigqueryScopes.all());
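
Review bot: When `options.getCredentials()` is not a `GoogleCredentials` instance, the first ternary silently falls back to `GoogleCredentials.getApplicationDefault()`, so a caller who supplied some other credentials type ends up running as the ambient identity with no indication. Suggest logging or rejecting that case. The `instanceof ImpersonatedCredentials` branch also assumes the scopes chosen when the impersonated credentials were built cover BigQuery; a comment stating where those scopes are set would make that assumption checkable.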

Review Comment:
   Can we handle this in `BigQueryProperties::metastoreOptions()` such that the 
returned options credentials already has the correct scopes?


