Add support for impersonating users/groups

linkedin · Feb 6, 2025 · 1f514ee · 1f514ee
1 parent e5b7f1e
commit 1f514ee
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 11 deletions.
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -26,8 +26,8 @@ junit = "junit:junit:4.12"
 kafka-clients = "org.apache.kafka:kafka-clients:3.2.0"
 kubernetes-client = "io.kubernetes:client-java:18.0.0"
 kubernetes-extended-client = "io.kubernetes:client-java-extended:18.0.0"
-slf4j-simple = "org.slf4j:slf4j-simple:1.7.30"
-slf4j-api = "org.slf4j:slf4j-api:1.7.30"
+slf4j-simple = "org.slf4j:slf4j-simple:1.7.36"
+slf4j-api = "org.slf4j:slf4j-api:1.7.36"
 sqlline = "sqlline:sqlline:1.12.0"
 quidem = "net.hydromatic:quidem:0.11"
 venice = "com.linkedin.venice:venice-common:0.4.376"

diff --git a/hoptimator-demodb/build.gradle b/hoptimator-demodb/build.gradle
@@ -1,9 +1,55 @@
 plugins {
   id 'java'
+  id 'maven-publish'
 }
 
 dependencies {
   implementation project(':hoptimator-api')
   implementation project(':hoptimator-util')
   implementation libs.calcite.core
 }
+
+publishing {
+  repositories {
+    maven {
+      name 'GitHubPackages'
+      url = 'https://maven.pkg.github.com/linkedin/Hoptimator'
+      credentials {
+        username = System.getenv('GITHUB_ACTOR')
+        password = System.getenv('GITHUB_TOKEN')
+      }
+    }
+    maven {
+      name 'LinkedInJFrog'
+      url 'https://linkedin.jfrog.io/artifactory/hoptimator'
+      credentials {
+        username = System.getenv('JFROG_USERNAME')
+        password = System.getenv('JFROG_API_KEY')
+      }
+    }
+  }
+  publications {
+    maven(MavenPublication) {
+      groupId = 'com.linkedin.hoptimator'
+      artifactId = 'hoptimator-demodb'
+      version = System.getenv('VERSION')
+      from components.java
+      pom {
+        name = 'hoptimator-api'
+        description = 'In-memory database driver for testing'
+        url = 'https://github.com/linkedin/Hoptimator'
+        licenses {
+          license {
+            name = 'BSD 2-Clause'
+            url = 'https://raw.githubusercontent.com/linkedin/Hoptimator/main/LICENSE'
+            }
+          }
+        scm {
+          connection = 'scm:git:git://github.com:linkedin/Hoptimator.git'
+          developerConnection = 'scm:git:ssh://github.com:linkedin/Hoptimator.git'
+          url = 'https://github.com/linkedin/Hoptimator'
+        }
+      }
+    }
+  }
+}
diff --git a/hoptimator-k8s/src/main/java/com/linkedin/hoptimator/k8s/K8sContext.java b/hoptimator-k8s/src/main/java/com/linkedin/hoptimator/k8s/K8sContext.java
@@ -31,6 +31,10 @@ public class K8sContext {
   public static final String NAMESPACE_KEY = "k8s.namespace";
   public static final String SERVER_KEY = "k8s.server";
   public static final String USER_KEY = "k8s.user";
+  public static final String KUBECONFIG_KEY = "k8s.kubeconfig";
+  public static final String IMPERSONATE_USER_KEY = "k8s.impersonate.user";
+  public static final String IMPERSONATE_GROUP_KEY = "k8s.impersonate.group";
+  public static final String IMPERSONATE_GROUPS_KEY = "k8s.impersonate.groups";
   public static final String PASSWORD_KEY = "k8s.password";
   public static final String TOKEN_KEY = "k8s.token";
   public static final String SSL_TRUSTSTORE_LOCATION_KEY = "k8s.ssl.truststore.location";
@@ -46,36 +50,48 @@ public K8sContext(Properties connectionProperties) {
     } else {
       this.namespace = getPodNamespace();
     }
+    String kubeconfig = connectionProperties.getProperty(KUBECONFIG_KEY);
     String server = connectionProperties.getProperty(SERVER_KEY);
     String user = connectionProperties.getProperty(USER_KEY);
+    String impersonateUser = connectionProperties.getProperty(IMPERSONATE_USER_KEY);
+    String impersonateGroup = connectionProperties.getProperty(IMPERSONATE_GROUP_KEY);
+    String impersonateGroups = connectionProperties.getProperty(IMPERSONATE_GROUPS_KEY);
     String password = connectionProperties.getProperty(PASSWORD_KEY);
     String token = connectionProperties.getProperty(TOKEN_KEY);
     String truststore = connectionProperties.getProperty(SSL_TRUSTSTORE_LOCATION_KEY);
 
+    String info = "";
+
     if (server != null && user != null && password != null) {
-      this.clientInfo = "User " + user + " accessing " + server + " via password authentication";
+      info = "User " + user + " using password authentication.";
       this.apiClient = Config.fromUserPassword(server, user, password);
     } else if (server != null && token != null) {
-      this.clientInfo = "Accessing " + server + " via token authentication";
+      info = "Using token authentication.";
       this.apiClient = Config.fromToken(server, token);
       this.apiClient.setApiKeyPrefix("Bearer");
-    } else if (server != null) {
-      this.clientInfo = "Using default configuration from ./kube/config to access " + server;
+    } else if (kubeconfig == null) {
+      info = "Using default configuration from ./kube/config.";
       try {
         this.apiClient = Config.defaultClient();
       } catch (IOException e) {
         throw new RuntimeException(e);
       }
-      this.apiClient.setBasePath(server);
     } else {
-      this.clientInfo = "Using default configuration from ./kube/config";
-      try {
-        this.apiClient = Config.defaultClient();
+      info = "Using kubeconfig from " + kubeconfig + ".";
+      try (Reader r = Files.newBufferedReader(Paths.get(kubeconfig))) {
+        KubeConfig kubeConfig = KubeConfig.loadKubeConfig(r);
+        kubeConfig.setFile(new File(kubeconfig));
+        this.apiClient = ClientBuilder.kubeconfig(kubeConfig).build();
       } catch (IOException e) {
         throw new RuntimeException(e);
       }
     }
-
+
+    if (server != null) {
+      info += " Accessing " + server + ".";
+      this.apiClient.setBasePath(server);
+    }
+
     if (truststore != null) {
       try {
         InputStream in = Files.newInputStream(Paths.get(truststore));
@@ -85,7 +101,26 @@ public K8sContext(Properties connectionProperties) {
       }
     }
 
+    if (impersonateUser != null) {
+      info = "User is " + impersonateUser + ". " + info;
+      apiClient.addDefaultHeader("Impersonate-User", impersonateUser);
+    }
+
+    if (impersonateGroup != null) {
+      info = "Group is " + impersonateGroup + ". " + info;
+      apiClient.addDefaultHeader("Impersonate-Group", impersonateGroup);
+    }
+
+    // Impersonate-Group header can be applied repeatedly
+    if (impersonateGroups != null) {
+      info = info + " Impersonating groups " + impersonateGroups + ".";
+      for (String x : impersonateGroups.split(",")) {
+        apiClient.addDefaultHeader("Impersonate-Group", x);
+      }
+    }
+
     this.informerFactory = new SharedInformerFactory(apiClient);
+    this.clientInfo = info;
   }
 
   public ApiClient apiClient() {