Kousuke Saruta created SPARK-57892:
--------------------------------------
Summary: Add TokenIngestor interface and FileTokenIngestor
implementation
Key: SPARK-57892
URL: https://issues.apache.org/jira/browse/SPARK-57892
Project: Spark
Issue Type: Sub-task
Components: Spark Core
Affects Versions: 4.3.0
Reporter: Kousuke Saruta
This sub-task is part of the umbrella
[SPARK-57703|https://issues.apache.org/jira/browse/SPARK-57703] (OIDC
Credential Propagation).
h2. Problem
There is no mechanism to read an OIDC identity token from a file and produce a
{{UserContext}} for the credential propagation framework.
h2. Goal
Introduce a {{TokenIngestor}} abstraction and a file-based implementation that
reads and monitors an OIDC token file.
h2. Scope
* {{TokenIngestor}} interface: {{load(): Option[UserContext]}}
* {{FileTokenIngestor}}:
** Reads token from path configured via
{{spark.security.credentials.identityToken.file}}
** Parses JWT claims (sub, iss, exp, iat) to construct {{UserContext}}
** Detects file rotation via mtime change
** Handles errors gracefully (malformed JWT, missing file, empty file)
* JWT parsing: use jjwt (already a Spark dependency) for unsigned claims parsing
h2. Acceptance criteria
* {{FileTokenIngestor.load()}} returns a valid {{UserContext}} from a token
file.
* Rotation detection: after file content changes, {{load()}} returns updated
{{UserContext}}.
* Invalid content (malformed JWT, empty file) does not crash; returns None or
previous valid context.
* Works with both workload-level SA tokens and per-user identity tokens.
* Unit tests for all above cases.
Reference: [SPIP design document Appendix
B|https://docs.google.com/document/d/1usJKncCPMiyFUg7aIdpZ0HQsklXIHow_sU_6dfFMjN0/edit].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]