Support broker grpc connection with auth #16170

Merged: xiangfu0 merged 1 commit into apache:master from xiangfu0:fixing-grpc-broker-connection-auth-1 on Jun 23, 2025

@xiangfu0
Contributor

This PR adds authentication support for broker gRPC connections, enabling secure communication between clients and Pinot brokers over the gRPC protocol.

  • Enhanced Authentication Framework
    • Extended BasicAuthAccessControlFactory to support both HTTP and gRPC authentication
    • Added GrpcRequesterIdentity support with proper token extraction from gRPC metadata
    • Improved error handling and validation for authentication tokens
  • Enhanced JDBC Client Support
    • Enhanced gRPC connection handling in PinotGrpcConnection with case-insensitive metadata matching
    • Added comprehensive examples demonstrating both HTTP and gRPC authentication scenarios
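
As an added illustration of the case-insensitive metadata matching and token extraction listed above (not code from this PR or from Pinot; the class, method names and credentials are hypothetical and constructed): gRPC metadata keys arrive lowercased while HTTP clients usually send `Authorization`, so the lookup ignores key case and denies the request when the headers are missing or disagree.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class GrpcBasicAuthSketch {
  // Hypothetical helper: collect every value whose key is "authorization", ignoring case.
  static List<String> authTokens(Map<String, String> metadata) {
    List<String> tokens = new ArrayList<>();
    for (Map.Entry<String, String> e : metadata.entrySet()) {
      if ("authorization".equalsIgnoreCase(e.getKey()) && e.getValue() != null) {
        tokens.add(e.getValue().trim());
      }
    }
    return tokens;
  }

  // Returns the principal only when exactly one distinct token is presented and it is known.
  static Optional<String> principal(Map<String, String> metadata, Map<String, String> tokenToUser) {
    Set<String> distinct = new HashSet<>(authTokens(metadata));
    if (distinct.size() != 1) {
      return Optional.empty(); // missing or conflicting credentials: deny
    }
    byte[] presented = distinct.iterator().next().getBytes(StandardCharsets.UTF_8);
    String match = null;
    for (Map.Entry<String, String> e : tokenToUser.entrySet()) {
      // Constant-time comparison of each candidate, with no early exit on a match.
      if (MessageDigest.isEqual(presented, e.getKey().getBytes(StandardCharsets.UTF_8))) {
        match = e.getValue();
      }
    }
    return Optional.ofNullable(match);
  }

  public static void main(String[] args) {
    // Constructed sample credentials, not taken from the PR.
    String token = "Basic " + Base64.getEncoder()
        .encodeToString("alice:example-password".getBytes(StandardCharsets.UTF_8));
    Map<String, String> users = Map.of(token, "alice");
    System.out.println(principal(Map.of("authorization", token), users));   // gRPC-style key
    System.out.println(principal(Map.of("Authorization", token), users));   // HTTP-style key
    System.out.println(principal(
        Map.of("Authorization", token, "authorization", "Basic AAAA"), users)); // conflicting
    System.out.println(principal(Map.of("x-other", "1"), users));           // no credentials
  }
}
```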

@xiangfu0 added the pinot-client (Related to Pinot client libraries), security (Related to security hardening) and GRPC (Related to gRPC transport) labels on Jun 22, 2025
@xiangfu0 requested a review from Copilot on June 22, 2025 09:21
Copilot AI left a comment

Pull Request Overview

This PR adds authentication support for broker gRPC connections, enabling secure communication between clients and Pinot brokers over gRPC.

  • Extended authentication framework to handle gRPC metadata in brokers
  • Enhanced JDBC gRPC connection to support case-insensitive headers and auth injection
  • Updated examples and quickstart with gRPC auth scenarios and new grpc port property

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| pinot-tools/src/main/java/org/apache/pinot/tools/AuthQuickstart.java | Added pinot.broker.grpc.port property for quickstart config |
| pinot-clients/pinot-jdbc-client/src/main/java/org/apache/pinot/client/grpc/PinotGrpcConnection.java | Updated metadata matching loop and added DriverUtils.handleAuth |
| pinot-clients/pinot-jdbc-client/src/main/java/org/apache/pinot/client/examples/PinotJdbcExample.java | Added overloads and examples for JDBC gRPC authentication |
| pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java | Extended identity check and token extraction for gRPC |

Comments suppressed due to low confidence (3)

pinot-clients/pinot-jdbc-client/src/main/java/org/apache/pinot/client/grpc/PinotGrpcConnection.java:92

  • Consider adding unit tests to verify that handleAuth correctly injects authentication metadata and handles case-insensitive header keys in the gRPC connection.
    DriverUtils.handleAuth(properties, _metadataMap);

pinot-tools/src/main/java/org/apache/pinot/tools/AuthQuickstart.java:67

  • Add a comment or update the quickstart README to explain the new pinot.broker.grpc.port setting so users know why and how to override it.
    properties.put("pinot.broker.grpc.port", "8010");

pinot-clients/pinot-jdbc-client/src/main/java/org/apache/pinot/client/grpc/PinotGrpcConnection.java:61

  • Introducing a checked throws SQLException in this constructor changes the public API signature. Consider handling the exception internally or documenting this breaking change for downstream consumers.
      throws SQLException {

requesterIdentity instanceof HttpRequesterIdentity || requesterIdentity instanceof GrpcRequesterIdentity,
"BasicAuthAccessControl only supports HttpRequesterIdentity or GrpcRequesterIdentity, got %s",
requesterIdentity.getClass().getName());
Collection<String> tokens = null;
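
Review bot: In the argument list of the identity check, `requesterIdentity.getClass().getName()` is evaluated before the check itself runs, so a null `requesterIdentity` raises a NullPointerException instead of the intended "only supports HttpRequesterIdentity or GrpcRequesterIdentity" message; check for null first so the authentication path fails with the documented error. `Collection<String> tokens = null;` also starts from null, so any use that follows must null-check it; initializing it to an empty collection would let a request without credentials fall through to a plain denial.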
Copilot AI Jun 22, 2025

[nitpick] There is duplicated logic for extracting HTTP and gRPC tokens; consider refactoring into a shared helper to simplify getPrincipalOpt and reduce code duplication.

@xiangfu0 force-pushed the fixing-grpc-broker-connection-auth-1 branch 3 times, most recently from bf384d2 to 89ad6d2, on June 22, 2025 16:45
codecov-commenter commented Jun 22, 2025

Codecov Report

Attention: Patch coverage is 40.00000% with 27 lines in your changes missing coverage. Please review.

Project coverage is 63.18%. Comparing base (1a476de) to head (659ae38).
Report is 312 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...apache/pinot/client/examples/PinotJdbcExample.java | 0.00% | 16 Missing ⚠️ |
| .../apache/pinot/client/grpc/PinotGrpcConnection.java | 0.00% | 6 Missing ⚠️ |
| ...ava/org/apache/pinot/client/utils/DriverUtils.java | 40.00% | 2 Missing and 1 partial ⚠️ |
| ...t/broker/broker/BasicAuthAccessControlFactory.java | 88.88% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@             Coverage Diff              @@
##             master   #16170      +/-   ##
============================================
+ Coverage     62.90%   63.18%   +0.28%     
+ Complexity     1386     1357      -29     
============================================
  Files          2867     2953      +86     
  Lines        163354   169951    +6597     
  Branches      24952    25997    +1045     
============================================
+ Hits         102755   107382    +4627     
- Misses        52847    54449    +1602     
- Partials       7752     8120     +368     

| Flag | Coverage Δ |
|---|---|
| custom-integration1 | 100.00% <ø> (ø) |
| integration | 100.00% <ø> (ø) |
| integration1 | 100.00% <ø> (ø) |
| integration2 | 0.00% <ø> (ø) |
| java-11 | 63.15% <40.00%> (+0.28%) ⬆️ |
| java-21 | 63.16% <40.00%> (+0.33%) ⬆️ |
| skip-bytebuffers-false | ? |
| skip-bytebuffers-true | ? |
| temurin | 63.18% <40.00%> (+0.28%) ⬆️ |
| unittests | 63.18% <40.00%> (+0.28%) ⬆️ |
| unittests1 | 64.69% <ø> (+8.86%) ⬆️ |
| unittests2 | 33.35% <40.00%> (-0.23%) ⬇️ |

@xiangfu0 force-pushed the fixing-grpc-broker-connection-auth-1 branch from 89ad6d2 to 659ae38 on June 22, 2025 19:29
@xiangfu0 merged commit aeee48b into apache:master on Jun 23, 2025
18 checks passed
@xiangfu0 deleted the fixing-grpc-broker-connection-auth-1 branch on June 23, 2025 06:47
@xiangfu0 added the auth (Related to authentication and authorization) label on Mar 20, 2026