Skip to content

[Storage] Add UC Delta API credential property mapping#6677

Closed
TimothyW553 wants to merge 2 commits into
delta-io:masterfrom
TimothyW553:stack/drc-credential-props
Closed

[Storage] Add UC Delta API credential property mapping#6677
TimothyW553 wants to merge 2 commits into
delta-io:masterfrom
TimothyW553:stack/drc-credential-props

Conversation

@TimothyW553
Copy link
Copy Markdown
Collaborator

@TimothyW553 TimothyW553 commented Apr 27, 2026
edited
Loading

🥞 Stacked PR

Use this link to review incremental changes.

Which Delta project/connector is this regarding?

Spark / Unity Catalog

Description

This PR adds Delta-owned credential property mapping for credentials returned by the UC Delta Rest Catalog API.

UC Delta Rest Catalog API responses contain UC credential models, while Delta file access still needs Hadoop filesystem properties. This PR copies the required UC Spark credential mapping into Delta Spark so later PRs can use the same conversion for both named table credentials and temporary path credentials.

This PR adds:

  • CredPropsUtil for table-scoped and path-scoped credentials.
  • AWS, Azure, and GCS credential provider implementations.
  • Static and renewable credential support.
  • Optional credential-scoped filesystem overrides.
  • Delta-owned credential config constants and API client helpers.
  • Provided Hadoop/GCS dependencies required by the copied providers.
  • A GCS AccessToken constructor compatibility fix for util-hadoop 3.0.2.

This PR only adds the credential utility layer. Child PRs wire it into UC Delta Rest Catalog API loadTable, path credentials, and create table flows.

How was this patch tested?

Covered by UCDeltaRestCatalogApiCredentialPropsUtilSuite for:

  • static S3 credential properties
  • static Azure and GCS credential properties
  • renewable table credential properties
  • renewable path credential properties
  • credential-scoped filesystem overrides
  • no credential properties for non-UC-vended schemes

Also compiled iceberg/Compile/compile for the GCS compatibility fix.

Does this PR introduce any user-facing changes?

No. This only adds internal Delta Spark credential mapping utilities for the UC Delta Rest Catalog API stack.

@TimothyW553 TimothyW553 requested a review from tdas as a code owner April 27, 2026 23:11
This was referenced Apr 27, 2026
Open
Draft
Draft
Open
Open
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch from f4893d8 to 8bc003e Compare April 27, 2026 23:29
@TimothyW553 TimothyW553 mentioned this pull request Apr 28, 2026
Open
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch 7 times, most recently from e433d7e to eab7835 Compare April 29, 2026 07:57
@TimothyW553 TimothyW553 changed the title spark: copy UC credential property mapping spark: copy UC Delta Rest Catalog API credential property mapping Apr 29, 2026
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch 2 times, most recently from 6dd01e2 to 04445d1 Compare April 29, 2026 23:30
@TimothyW553 TimothyW553 changed the title spark: copy UC Delta Rest Catalog API credential property mapping spark: copy UC Delta API credential property mapping Apr 30, 2026
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch 2 times, most recently from c5085fe to 05f90da Compare April 30, 2026 05:30
TimothyW553
TimothyW553 commented Apr 30, 2026
View reviewed changes
Comment thread storage/src/main/java/io/delta/storage/unitycatalog/hadoop/CredPropsUtil.java
return self();
}

public T table(String catalog, String schema, String table, String location) {
Copy link
Copy Markdown
Collaborator Author

@TimothyW553 TimothyW553 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mostly follows UC Spark CredPropsUtil; the main extra Delta shape is storing catalog/schema/table/location so renewal can call UC Delta table credential APIs.

TimothyW553
TimothyW553 commented Apr 30, 2026
View reviewed changes
Comment thread .../src/main/java/io/delta/storage/unitycatalog/hadoop/UCDeltaRestCatalogApiCredentialConf.java

package io.delta.storage.unitycatalog.hadoop;

public class UCDeltaRestCatalogApiCredentialConf {
Copy link
Copy Markdown
Collaborator Author

@TimothyW553 TimothyW553 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a smaller Delta storage copy of UC UCHadoopConf; it keeps only the credential Hadoop keys needed by these helpers.

TimothyW553
TimothyW553 commented Apr 30, 2026
View reviewed changes
Comment thread .../src/main/java/io/delta/storage/unitycatalog/hadoop/credentials/AbfsVendedTokenProvider.java
if (conf.get(UCDeltaRestCatalogApiCredentialConf.AZURE_INIT_SAS_TOKEN) != null
&& conf.get(UCDeltaRestCatalogApiCredentialConf.AZURE_INIT_SAS_TOKEN_EXPIRED_TIME) != null) {
String sasToken = conf.get(UCDeltaRestCatalogApiCredentialConf.AZURE_INIT_SAS_TOKEN);
Objects.requireNonNull(
Copy link
Copy Markdown
Collaborator Author

@TimothyW553 TimothyW553 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a straight UC Spark port; the main difference is replacing Guava Preconditions with JDK checks.

TimothyW553
TimothyW553 commented Apr 30, 2026
View reviewed changes
Comment thread storage/src/main/java/io/delta/storage/unitycatalog/hadoop/credentials/GenericCredential.java
return new GenericCredential(tempCred);
}

public static GenericCredential fromStorageCredential(StorageCredential storageCredential) {
Copy link
Copy Markdown
Collaborator Author

@TimothyW553 TimothyW553 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adapter is Delta-specific because UC Delta APIs return StorageCredential, while UC Spark renewal returns TemporaryCredentials directly.

TimothyW553
TimothyW553 commented Apr 30, 2026
View reviewed changes
Comment thread ...rc/main/java/io/delta/storage/unitycatalog/hadoop/credentials/GenericCredentialProvider.java
return credential;
}

protected UCClient ucClient() {
Copy link
Copy Markdown
Collaborator Author

@TimothyW553 TimothyW553 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the main non-port file: renewal uses Delta UCClient / UCTokenBasedRestClient instead of UC Spark legacy TemporaryCredentialsApi.

TimothyW553
TimothyW553 commented Apr 30, 2026
View reviewed changes
Comment thread storage/src/main/java/io/delta/storage/unitycatalog/hadoop/fs/CredScopedFileSystem.java
final long maxSize =
Long.getLong(CRED_SCOPED_FS_CACHE_MAX_SIZE, CRED_SCOPED_FS_CACHE_MAX_SIZE_DEFAULT);
CACHE =
Collections.synchronizedMap(
Copy link
Copy Markdown
Collaborator Author

@TimothyW553 TimothyW553 Apr 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same credential-scoped FS logic as UC Spark, but Guava CacheBuilder is replaced with a JDK synchronized LRU map for storage.

@TimothyW553 TimothyW553 changed the title spark: copy UC Delta API credential property mapping [Spark] Copy UC Delta API credential property mapping Apr 30, 2026
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch from 05f90da to 7672549 Compare April 30, 2026 06:28
@TimothyW553 TimothyW553 requested a review from openinx April 30, 2026 06:35
@TimothyW553 TimothyW553 requested a review from yili-db April 30, 2026 06:35
@TimothyW553 TimothyW553 changed the title [Spark] Copy UC Delta API credential property mapping [Storage] Add UC Delta API credential property mapping Apr 30, 2026
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch from 7672549 to 3c158ad Compare April 30, 2026 06:57
openinx
openinx reviewed Apr 30, 2026
View reviewed changes
Comment thread .../src/main/java/io/delta/storage/unitycatalog/hadoop/credentials/AbfsVendedTokenProvider.java
@@ -0,0 +1,73 @@
/*
Copy link
Copy Markdown
Collaborator

@openinx openinx Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @TimothyW553 , I think one key request is: how could we migrate the tests also from the unitycatalog spark connector to the delta repo also ?

because we don't want any functional regression after we do the migration.

@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch from 3c158ad to 5dacf5d Compare April 30, 2026 18:55
@TimothyW553 TimothyW553 force-pushed the stack/drc-credential-props branch from 5dacf5d to e0b7139 Compare April 30, 2026 22:15
@TimothyW553
Copy link
Copy Markdown
Collaborator Author

TimothyW553 commented May 1, 2026

Closing this because PR3 now uses unitycatalog-hadoop directly, so this copied credential mapping PR is no longer needed.

@TimothyW553 TimothyW553 closed this May 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@openinx openinx openinx left review comments

@tdas tdas Awaiting requested review from tdas tdas is a code owner

@yili-db yili-db Awaiting requested review from yili-db

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TimothyW553 @openinx