feat(bigquery-jdbc): support custom OTel credentials and dynamic token refresh #13302

Draft
keshavdandeva wants to merge 1 commit into jdbc/feature-branch-otel from jdbc/bypass-auth-lib

@keshavdandeva
Contributor

b/516416076

This PR enables the BigQuery JDBC driver to use custom Service Account credentials (JSON string or file path) for OpenTelemetry tracing, bypassing the ADC-only limitation of the default GCP extension.

Key Changes

  • BigQueryJdbcOpenTelemetry.java: Added a customizer to inject dynamic OAuth2 headers into OTLP exporters (supporting both HTTP and gRPC) while preserving auto-configured properties.
  • ITOpenTelemetryTest.java: Added 4 integration tests to verify custom credentials and transport protocols.
  • ITBase.java: Moved the shared getAuthJson() helper here to remove duplication.
  • pom.xml: Moved opentelemetry-sdk-trace to compile scope to support the implementation.

@keshavdandeva keshavdandeva changed the base branch from main to jdbc/feature-branch-otel May 29, 2026 17:15
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request integrates OpenTelemetry (OTel) tracing and logging into the BigQuery JDBC driver, enabling trace context propagation and logging bridging to Google Cloud Logging. It updates key components like BigQueryConnection, BigQueryStatement, and BigQueryDatabaseMetaData to wrap database operations in OTel spans, and introduces extensive testing. The review feedback correctly identifies critical bugs in the credential resolution and validation logic within BigQueryConnection, where OAuthType is compared directly to enum names instead of supporting standard integer values, and key file paths are ignored.

I am having trouble creating individual review comments. Click here to see my feedback.

java-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryConnection.java (1080-1088)

high

The resolveEffectiveCredentials method has two critical issues:

  1. It only checks OAUTH_PVT_KEY_PROPERTY_NAME (which corresponds to the raw JSON string OAuthPvtKey) and completely ignores OAUTH_PVT_KEY_PATH_PROPERTY_NAME (which corresponds to the key file path OAuthPvtKeyPath). If a user configures the driver using a service account key file path, the OTel exporter will fail to resolve the credentials.
  2. It compares authTypeStr directly with the enum name "GOOGLE_SERVICE_ACCOUNT". However, in standard JDBC URL configurations, OAuthType is specified as an integer (e.g., 0 for Service Account). This mismatch will cause the method to return null even when a valid Service Account configuration is present.

We should introduce helper methods to robustly identify the authentication type (supporting both integer values and enum names) and check both the raw key and the key path properties.

  private String resolveEffectiveCredentials() {
    String creds = this.gcpTelemetryCredentials;
    String authTypeStr = this.authProperties.get(BigQueryJdbcUrlUtility.OAUTH_TYPE_PROPERTY_NAME);
    if (creds == null && isServiceAccount(authTypeStr)) {
      String pvtKey = this.authProperties.get(BigQueryJdbcUrlUtility.OAUTH_PVT_KEY_PROPERTY_NAME);
      if (pvtKey != null) {
        return pvtKey;
      }
      return this.authProperties.get(BigQueryJdbcUrlUtility.OAUTH_PVT_KEY_PATH_PROPERTY_NAME);
    }
    return creds;
  }

  private static boolean isServiceAccount(String authTypeStr) {
    return "0".equals(authTypeStr) || BigQueryJdbcOAuthUtility.AuthType.GOOGLE_SERVICE_ACCOUNT.name().equals(authTypeStr);
  }

  private static boolean isAdc(String authTypeStr) {
    return "3".equals(authTypeStr) || BigQueryJdbcOAuthUtility.AuthType.APPLICATION_DEFAULT_CREDENTIALS.name().equals(authTypeStr);
  }

java-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryConnection.java (1090-1101)

high

The validateTraceConfiguration method compares authTypeStr directly with the enum names "GOOGLE_SERVICE_ACCOUNT" and "APPLICATION_DEFAULT_CREDENTIALS". Since OAuthType is typically configured as an integer (e.g., 0 or 3) in JDBC URLs, this validation will incorrectly throw a BigQueryJdbcRuntimeException for valid configurations.

We should update this method to use the robust helper methods that support both integer values and enum names.

  private void validateTraceConfiguration(boolean isTraceEnabled, String effectiveCredentials) {
    if (isTraceEnabled && effectiveCredentials == null) {
      String authTypeStr = this.authProperties.get(BigQueryJdbcUrlUtility.OAUTH_TYPE_PROPERTY_NAME);
      if (!isServiceAccount(authTypeStr) && !isAdc(authTypeStr)) {
        throw new BigQueryJdbcRuntimeException(
            "Exporting traces to Google Cloud is only supported when using Application Default Credentials (ADC) or Service Account authentication.");
      }
    }
  }
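
The mismatch described in the review above, as an added example that is not code from the PR or the driver: it runs constructed property maps through an enum-name-only check and through one that accepts the integer values 0 and 3 and falls back to the key path. The class, enum and method names and the `{`-prefix test for inline JSON are assumptions; the property names OAuthType, OAuthPvtKey and OAuthPvtKeyPath are taken from the review text.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class, enum and method names are hypothetical, not the driver's code.
public class OtelCredentialResolutionDemo {
  // Only the two values named in the review: 0 = service account, 3 = ADC.
  enum AuthType { GOOGLE_SERVICE_ACCOUNT, APPLICATION_DEFAULT_CREDENTIALS }

  static AuthType parseAuthType(String raw) {
    if (raw == null) return null;
    switch (raw) {
      case "0": case "GOOGLE_SERVICE_ACCOUNT": return AuthType.GOOGLE_SERVICE_ACCOUNT;
      case "3": case "APPLICATION_DEFAULT_CREDENTIALS": return AuthType.APPLICATION_DEFAULT_CREDENTIALS;
      default: return null; // unknown value: caller must treat this as "not supported"
    }
  }

  // Modelled on the behaviour the review flags: enum-name comparison only, key path ignored.
  static String resolveStrict(Map<String, String> p) {
    return "GOOGLE_SERVICE_ACCOUNT".equals(p.get("OAuthType")) ? p.get("OAuthPvtKey") : null;
  }

  // Behaviour the review asks for: integer or name, raw key first, then key path.
  static String resolveTolerant(Map<String, String> p) {
    if (parseAuthType(p.get("OAuthType")) != AuthType.GOOGLE_SERVICE_ACCOUNT) return null;
    String key = p.get("OAuthPvtKey");
    return key != null ? key : p.get("OAuthPvtKeyPath");
  }

  // Report what kind of value was resolved without printing key material.
  // Assumption: an inline key is JSON and therefore starts with '{'.
  static String describe(String creds) {
    if (creds == null) return "none";
    return creds.trim().startsWith("{") ? "inline JSON (redacted)" : "key file path";
  }

  public static void main(String[] args) {
    // Constructed sample configurations; values are placeholders, not real keys.
    Map<String, Map<String, String>> cases = new LinkedHashMap<>();
    cases.put("int type + key path", Map.of("OAuthType", "0", "OAuthPvtKeyPath", "/path/to/key.json"));
    cases.put("int type + inline key", Map.of("OAuthType", "0", "OAuthPvtKey", "{\"type\":\"service_account\"}"));
    cases.put("enum name + inline key", Map.of("OAuthType", "GOOGLE_SERVICE_ACCOUNT", "OAuthPvtKey", "{\"type\":\"service_account\"}"));
    cases.put("ADC, no key", Map.of("OAuthType", "3"));
    cases.forEach((name, props) -> System.out.printf("%-24s strict=%-24s tolerant=%s%n",
        name, describe(resolveStrict(props)), describe(resolveTolerant(props))));
  }
}
```

Only the "enum name + inline key" case resolves under the strict check; the tolerant check also resolves both integer-typed cases, and the ADC case resolves to none under both.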
