Kousuke Saruta created SPARK-57892:
--------------------------------------

             Summary: Add TokenIngestor interface and FileTokenIngestor 
implementation
                 Key: SPARK-57892
                 URL: https://issues.apache.org/jira/browse/SPARK-57892
             Project: Spark
          Issue Type: Sub-task
          Components: Spark Core
    Affects Versions: 4.3.0
            Reporter: Kousuke Saruta


This sub-task is part of the umbrella 
[SPARK-57703|https://issues.apache.org/jira/browse/SPARK-57703] (OIDC 
Credential Propagation).

h2. Problem

There is no mechanism to read an OIDC identity token from a file and produce a 
{{UserContext}} for the credential propagation framework.

h2. Goal

Introduce a {{TokenIngestor}} abstraction and a file-based implementation that 
reads and monitors an OIDC token file.

h2. Scope

* {{TokenIngestor}} interface: {{load(): Option[UserContext]}}
* {{FileTokenIngestor}}:
** Reads token from path configured via 
{{spark.security.credentials.identityToken.file}}
** Parses JWT claims (sub, iss, exp, iat) to construct {{UserContext}}
** Detects file rotation via mtime change
** Handles errors gracefully (malformed JWT, missing file, empty file)
* JWT parsing: use jjwt (already a Spark dependency) for unsigned claims parsing

h2. Acceptance criteria

* {{FileTokenIngestor.load()}} returns a valid {{UserContext}} from a token 
file.
* Rotation detection: after file content changes, {{load()}} returns updated 
{{UserContext}}.
* Invalid content (malformed JWT, empty file) does not crash; returns None or 
previous valid context.
* Works with both workload-level SA tokens and per-user identity tokens.
* Unit tests for all above cases.

Reference: [SPIP design document Appendix 
B|https://docs.google.com/document/d/1usJKncCPMiyFUg7aIdpZ0HQsklXIHow_sU_6dfFMjN0/edit].




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to