[Spark] Add UC Delta Rest Catalog API path credentials for raw path reads

[TimothyW553]

🥞 Stacked PR

Use this link to review incremental changes.

• stack/drc-loadtable-storage [Files changed]
  • stack/drc-loadtable-catalog [Files changed]
    • stack/drc-path-credentials [Files changed]
      • stack/drc-createtable-storage [Files changed]
        • stack/drc-createtable-catalog [Files changed]
          • stack/drc-external-createtable [Files changed]
            • stack/drc-updatetable-storage [Files changed]
              • stack/drc-updatetable-catalog [Files changed]

---

Which Delta project/connector is this regarding?

Spark / Unity Catalog

Description

This PR adds UC Delta Rest Catalog API temporary path credentials for raw Delta path reads.

Named UC table reads already use table credentials from the previous PR. Raw path reads use a different Spark/Delta entry point, so they need GET /delta/v1/temporary-path-credentials instead of named-table loadTable credentials.

This PR adds:

• UCClient.getTemporaryPathCredentials(...) and UCTokenBasedRestClient support for the temporary path credentials endpoint.
• DeltaCatalogClient.pathCredentialOptions(...) to fetch path-scoped credentials for cloud paths using the UC Delta Rest Catalog API-enabled default catalog.
• Delta source and DeltaTableV2 wiring so raw path reads receive those credential options before touching storage.
• A guard so Delta path identifiers are not sent to named-table UC Delta Rest Catalog API loadTable.
• A server-side planning guard so disabled server-side planning does not inspect table properties while loading path-based catalog-managed test tables.
• Spark UC integration test coverage for DeltaTable.forPath with UC Delta Rest Catalog API path credentials.

If no UC Delta Rest Catalog API-enabled default catalog is configured, or the path is not a supported cloud path, this PR returns no extra credential options and keeps the existing behavior.

How was this patch tested?

Covered by UCTokenBasedRestClientSuite for temporary path credentials and unsupported endpoint behavior.

Covered by DeltaCatalogClientSuite for path credential options and path identifier skip behavior.

Covered by ServerSidePlannedTableSuite for the disabled server-side planning guard.

Covered by the Spark UC integration tests.

Local verification:

./build/sbt "sparkUnityCatalog/testOnly io.sparkuctest.UCDeltaTableReadTest"
./build/sbt "sparkUnityCatalog/test"
./build/sbt scalafmtAll javafmtAll
./build/sbt scalafmtCheckAll javafmtCheckAll "spark/testScalastyle" "sparkV1/testScalastyle"

Does this PR introduce any user-facing changes?

No released user-facing change. This only applies when UC Delta Rest Catalog API is enabled for the default catalog used to authorize raw path access.

[openinx]

why don't we loadTable from the UCSingleCatlaog ? in this current code, all the credential renewal won't work, that's a huge risk.

[openinx]

I see the reason why you add the getTemporaryPathCredentials API in the client interface now, since you need it to generate the initial temp credentials.

But after this unitycatalog/unitycatalog#1549, actually we don't need to explicitly set the initial credential any more.

So we can entirely remove the getTemporaryPathCredentials code in oss delta now.

[openinx]

Rather than defining a separate DeltaCatalogClient, why not just introduce a separate StagingTableCatalog, just like the UCSingleCatalog in oss-unitycatalog.

Essentially, the UCSingleCatalog is using the old and legacy client api to talk to unitycatalog. and the UCDeltaCatalog will use the new client api to talk to new catalog endpoint.

Does this make sense ?