yadavay-amzn opened a new pull request, #57140:
URL: https://github.com/apache/spark/pull/57140

   ### What changes were proposed in this pull request?
   
   This adds the foundational credential types for the OIDC Credential 
Propagation SPIP 
([SPARK-57703](https://issues.apache.org/jira/browse/SPARK-57703)), task 1 of 
3. Three types are introduced in `org.apache.spark.security` (spark-core), all 
`@DeveloperApi`:
   
   - `UserContext` - driver-side OIDC identity (`principal`, `issuer`, 
`rawToken`, `issuedAt`, `expiresAt`). It is intentionally **not** 
`Serializable` (driver-only, never transmitted to executors). Its `toString()` 
redacts `rawToken` as `[REDACTED]`, and `getRawToken()` is annotated 
`@JsonIgnore` so the raw token is excluded from Jackson serialization.
   - `ServiceCredential` - a short-lived, scoped delegated credential 
(`properties: Map<String, String>`, `expiresAt`). `Serializable`. Its 
`toString()` redacts the property values (keys shown, values `[REDACTED]`) 
since they may hold cloud secret keys.
   - `UserCredentials` - a per-scheme `Map<String, ServiceCredential>` bundle. 
`Serializable`, with a `forScheme(String)` lookup returning 
`Optional<ServiceCredential>`. It contains no `UserContext` or raw token.
   
   The types are implemented in Java so they are directly usable from both 
Scala and Java and from the Java `CredentialProvider` SPI added in the 
follow-up (SPARK-57891). All are immutable (final fields, defensive-copied and 
unmodifiable maps).
   
   ### Why are the changes needed?
   
   There are currently no types in Spark to represent an OIDC identity or 
short-lived delegated credentials for propagation to executors. These are the 
foundational types the rest of the credential-propagation framework builds on. 
See the SPIP design document, Appendix A.
   
   ### Does this PR introduce _any_ user-facing change?
   
   No behavior change. It adds new `@DeveloperApi` types only.
   
   ### How was this patch tested?
   
   New JUnit `CredentialTypesSuite` covering the acceptance criteria: 
`rawToken` redaction in `toString()`, exclusion of `rawToken` from Jackson 
serialization, `ServiceCredential.toString()` value redaction, 
Java-serialization round-trip for `ServiceCredential`/`UserCredentials` (no 
loss), `forScheme` present/absent lookup, and expiry checks. `dev/checkstyle` 
is clean.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Authored with assistance by Claude Opus 4.8.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to