[SPARK-57891][CORE] Add CredentialProvider SPI and ServiceLoader discovery#57191
Open
yadavay-amzn wants to merge 2 commits into
Open
[SPARK-57891][CORE] Add CredentialProvider SPI and ServiceLoader discovery#57191yadavay-amzn wants to merge 2 commits into
yadavay-amzn wants to merge 2 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
This is task 2 of the OIDC Credential Propagation SPIP (SPARK-57703), building on the core types added in SPARK-57890. It introduces the pluggable provider SPI in
org.apache.spark.security(spark-core):CredentialProvider- a@DeveloperApiinterface that providers (AWS STS, Azure, GCP, etc.) implement to exchange a user identity for a short-livedServiceCredentialCredentialResolutionException- a@DeveloperApichecked exception thrown byresolve.CredentialProviderLoader- discovers implementations viaServiceLoaderand selects a provider per scheme. Scheme keys are normalized to lowercase. Selection follows an explicit-configuration policy:spark.security.credentials.provider.<scheme>names the fully-qualified provider class to use for that scheme. If exactly one discovered provider supports a scheme, no configuration is needed; if multiple support it and the conf is unset, a clear error is raised listing the candidates. Each selected provider is initialized exactly once.A
FakeCredentialProvider(and a second one sharing a scheme) plus aMETA-INF/servicesregistration are added undercore/src/testto exercise discovery and selection.Why are the changes needed?
There is currently no pluggable SPI for exchanging an identity token for short-lived service credentials. This is the extension point the credential-propagation framework builds on. See the SPIP design document, Appendix A.
Does this PR introduce any user-facing change?
No behavior change. It adds new
@DeveloperApitypes only; nothing uses them until the follow-up (SPARK-57892 / the manager task).How was this patch tested?
New JUnit
CredentialProviderLoaderSuitecovering the acceptance criteria, ServiceLoader discovery, provider selection/ambiguity, error cases, and null-input guards.Design notes (feedback/suggestions welcome)
Two choices worth considering:
spark.security.credentials.provider.<scheme>(single fully-qualified class name). This can be extended to an ordered-priority list later without breaking the conf if preferred.initlifecycle: each provider is initialized once, on first selection, with that call's configuration (first-conf-wins), inside the loader's lock. This sets the provider lifecycle the manager task will consume.Was this patch authored or co-authored using generative AI tooling?
No.