joyhaldar opened a new pull request, #14447: URL: https://github.com/apache/iceberg/pull/14447
**Description:** This PR adds service account impersonation support to [BigQueryMetastoreCatalog](https://github.com/apache/iceberg/blob/main/bigquery/src/main/java/org/apache/iceberg/gcp/bigquery/BigQueryMetastoreCatalog.java), enabling identity separation between cluster operations and data access.

**Problem**

BigQueryMetastoreCatalog only supports Application Default Credentials with no mechanism for service account impersonation. This prevents:

- Implementing least-privilege security (cluster operations vs data access)
- Running multi-tenant workloads on shared clusters
- Creating proper audit trails per service account

**Solution**

Introduces a pluggable factory pattern for BigQuery client creation with impersonation support using Google's ImpersonatedCredentials API.

**Key changes:**

- Created BigQueryClientFactory interface with DefaultBigQueryClientFactory (ADC) and ImpersonatedBigQueryClientFactory (impersonation)
- Added impersonation properties to GCPProperties: service account, delegates, lifetime, scopes
- Updated BigQueryMetastoreCatalog to use factory pattern
- Propagated impersonation settings to GCS operations via PrefixedStorage

**_Configuration_**

**Minimal:**

```
gcp.bigquery.client.factory=org.apache.iceberg.gcp.bigquery.ImpersonatedBigQueryClientFactory
gcp.impersonate.service-account=data...@project.iam.gserviceaccount.com
```

**Full:**

```
gcp.bigquery.client.factory=org.apache.iceberg.gcp.bigquery.ImpersonatedBigQueryClientFactory
gcp.impersonate.service-account=data...@project.iam.gserviceaccount.com
gcp.impersonate.delegates=admin...@project.iam.gserviceaccount.com
gcp.impersonate.lifetime-seconds=3600
gcp.impersonate.scopes=bigquery,devstorage.read_only
```

**Testing**

Added unit tests:

- TestDefaultBigQueryClientFactory
- TestImpersonatedBigQueryClientFactory
- TestBigQueryCatalog
- TestGCPProperties

**Backward Compatibility**

Fully backward compatible: catalogs without factory configuration continue using ADC exactly as before.
Closes #14446
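As an added illustration (not code from this PR or from Iceberg), the following shows how the `gcp.impersonate.*` properties above map onto Google's `ImpersonatedCredentials` API: the cluster's Application Default Credentials act as the source identity, and the data-access service account is the impersonation target. The short-name scope expansion, the 3600 s lifetime default, the class and method names, and the service account addresses are assumptions and constructed values, not something the PR specifies.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.cloud.bigquery.BigQuery;
import com.google.cloud.bigquery.BigQueryOptions;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

public final class ImpersonationExample {
  // Property keys exactly as listed in the PR description.
  static final String SERVICE_ACCOUNT = "gcp.impersonate.service-account";
  static final String DELEGATES = "gcp.impersonate.delegates";
  static final String LIFETIME_SECONDS = "gcp.impersonate.lifetime-seconds";
  static final String SCOPES = "gcp.impersonate.scopes";
  // Assumption: short scope names (e.g. "bigquery") are expanded under Google's standard prefix.
  static final String SCOPE_PREFIX = "https://www.googleapis.com/auth/";

  static List<String> csv(String value) {
    if (value == null || value.trim().isEmpty()) return Collections.emptyList();
    return Arrays.stream(value.split(",")).map(String::trim).collect(Collectors.toList());
  }

  static ImpersonatedCredentials fromProperties(Map<String, String> props, GoogleCredentials source) {
    String target = props.get(SERVICE_ACCOUNT);
    if (target == null || target.trim().isEmpty()) {
      throw new IllegalArgumentException(SERVICE_ACCOUNT + " is required for impersonation");
    }
    List<String> scopes = csv(props.getOrDefault(SCOPES, "bigquery")).stream()
        .map(s -> s.startsWith("https://") ? s : SCOPE_PREFIX + s)
        .collect(Collectors.toList());
    // Assumed default of 3600 s; a short lifetime limits how long a leaked token stays usable.
    int lifetime = Integer.parseInt(props.getOrDefault(LIFETIME_SECONDS, "3600"));
    // The source identity needs roles/iam.serviceAccountTokenCreator on the target (or first delegate).
    return ImpersonatedCredentials.create(source, target, csv(props.get(DELEGATES)), scopes, lifetime);
  }

  public static void main(String[] args) throws IOException {
    Map<String, String> props = Map.of( // constructed values mirroring the PR's "Full" configuration
        SERVICE_ACCOUNT, "data-access-sa@example-project.iam.gserviceaccount.com",
        DELEGATES, "admin-sa@example-project.iam.gserviceaccount.com",
        LIFETIME_SECONDS, "3600",
        SCOPES, "bigquery,devstorage.read_only");
    GoogleCredentials clusterIdentity = GoogleCredentials.getApplicationDefault(); // ADC = cluster identity
    BigQuery bigquery = BigQueryOptions.newBuilder()
        .setCredentials(fromProperties(props, clusterIdentity)).build().getService();
  }
}
```

Because the token is minted by the cluster identity for the target account, both identities appear in the resulting audit trail, which is the per-service-account separation the PR is after.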
