feat(bqjdbc): Bypass dry-run job for read-only tokens. #12961

Open
logachev wants to merge 4 commits into main from kirl/read-only-token

@logachev logachev commented Apr 29, 2026

This allows the driver to be used with tokens created for read-only scope. Note that this scope is not recommended by BigQuery, so it should not be used unless absolutely necessary.

This will be removed in the future.

List of changes:

  • Statement: always using queryWithTimeout. This method uses create under the covers in some cases. The only difference is that now we can't provide a custom JobID. I think it is OK for consistency between modes.
  • New connection string flag to indicate that the Access Token is readonly. I originally wanted to parse the token; however, it'd be suitable only for JWT, but e.g. Service Account access tokens are different and we can't 100% rely on it.
  • Added integration tests to validate AccessToken auth for both regular & read-only scopes.
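
The trade-off in the second bullet, as an added example that is not part of this PR or the driver's code: scope sniffing only works when the token happens to be a JWT with a `scope` claim, so an opaque token yields no answer and an explicit flag has to decide. The scope string, the helper names and the sample tokens are assumptions constructed for the illustration.

```python
import base64
import binascii
import json

# Assumed scope string for the illustration; the PR page does not name it.
READONLY_SCOPE = "https://www.googleapis.com/auth/bigquery.readonly"


def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict, or None if it is not JSON."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def scopes_from_token(token):
    """Return the scope set for a JWT with a string 'scope' claim, else None.

    No signature is verified, so this is a hint, never an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token: nothing to inspect
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header is None or claims is None or not isinstance(claims.get("scope"), str):
        return None
    return set(claims["scope"].split())


def is_read_only(token, flag=None):
    """An explicit flag wins; token inspection may be undecidable (None)."""
    if flag is not None:
        return flag
    scopes = scopes_from_token(token)
    return None if scopes is None else scopes == {READONLY_SCOPE}


def _make_jwt(claims):
    """Build an unsigned, constructed JWT-shaped sample with a dummy signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


JWT_RO = _make_jwt({"scope": READONLY_SCOPE})          # constructed sample
JWT_RW = _make_jwt({"scope": "https://www.googleapis.com/auth/bigquery"})
OPAQUE = "opaque-sample-token-0001"                    # constructed, not a JWT
```
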

@logachev logachev requested review from a team as code owners April 29, 2026 20:36

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request implements detection for read-only OAuth tokens by parsing JWT scopes within the BigQuery JDBC connection. When such a token is identified, the system skips dry runs and assumes a SELECT statement type to avoid errors. The review feedback identifies several critical issues, including potential NullPointerException vulnerabilities in the new fromValue and token check methods, and a regression where numeric OAuthType values are no longer supported. Additionally, suggestions were made to follow Java naming conventions and to refine exception handling by avoiding generic catches.

@logachev logachev force-pushed the kirl/read-only-token branch from 1bf43f8 to a5a7650 Compare April 29, 2026 22:56
@logachev logachev force-pushed the kirl/read-only-token branch from b1f841f to b149d90 Compare April 29, 2026 23:02
@logachev logachev requested review from a team as code owners April 29, 2026 23:02
@googleapis googleapis deleted a comment from snippet-bot Bot Apr 29, 2026
@logachev logachev force-pushed the kirl/read-only-token branch from 52ec632 to ef7530b Compare April 29, 2026 23:17
@logachev

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces support for read-only OAuth access tokens by adding a new OAuthAccessTokenReadonly connection property and adjusting query execution logic to bypass dry runs and explicit job creation when such tokens are used. Feedback indicates that the changes in BigQueryStatement globally enforce stateless query mode, which inadvertently disables custom Job ID generation for users with standard tokens. It is recommended to restore the conditional logic to preserve backward compatibility for non-read-only scenarios.
