Fix Unity Catalog Creds and Iceberg REST endpoint construction (delta-io#5904)

## Summary
This PR fixes Unity Catalog credential detection and refactors Iceberg
REST catalog endpoint construction to properly implement the Iceberg
REST catalog specification.

**Key Changes:**
- Fix credential detection to recognize Unity Catalog's `option.fs.*`
credential properties
- Refactor `/v1/config` endpoint handling to follow Iceberg REST catalog
spec
- Move prefix discovery logic from `UnityCatalogMetadata` to
`IcebergRESTCatalogPlanningClient`
- Improve robustness with trailing slash handling and HTTP client reuse
- More test coverage with explicit path verification
- Fix module separation issues and improve code organization

## Testing
Tests now explicitly verify:
- Correct `/v1/config` endpoint calls with `warehouse` query parameter
- Proper prefix application in `/plan` request paths
- Behavior when no prefix is returned (uses baseUri directly per Iceberg
REST spec)
- Token handling consistency between tests and production
- Trailing slash handling robustness

---

## Compatibility
This is an internal refactoring with no changes to public APIs or
user-facing behavior. The changes:
- Improve correctness of credential detection for Unity Catalog
- Fix internal endpoint construction to follow Iceberg REST spec
- Maintain backward compatibility with existing Unity Catalog
configurations

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: murali-db

iceberg/src/main/scala/org/apache/spark/sql/delta/serverSidePlanning/IcebergRESTCatalogPlanningClient.scala

@@ -23,7 +23,7 @@ import java.util.Locale
 import scala.jdk.CollectionConverters._
 import scala.util.Try
 
-import org.apache.http.client.methods.HttpPost
+import org.apache.http.client.methods.{HttpGet, HttpPost}
 import org.apache.http.entity.{ContentType, StringEntity}
 import org.apache.http.util.EntityUtils
 import org.apache.http.{HttpHeaders, HttpStatus}
@@ -39,6 +39,15 @@ import shadedForDelta.org.apache.iceberg.PartitionSpec
 import shadedForDelta.org.apache.iceberg.rest.requests.{PlanTableScanRequest, PlanTableScanRequestParser}
 import shadedForDelta.org.apache.iceberg.rest.responses.PlanTableScanResponse
 
+/**
+ * Case class for parsing Iceberg REST catalog /v1/config response.
+ * Per the Iceberg REST spec, the config endpoint returns defaults and overrides.
+ * The optional "prefix" in overrides is used for multi-tenant catalog paths.
+ */
+private case class CatalogConfigResponse(
+    defaults: Map[String, String],
+    overrides: Map[String, String])
+
 /**
  * Iceberg REST implementation of ServerSidePlanningClient that calls Iceberg REST catalog server.
  *
@@ -49,29 +58,71 @@ import shadedForDelta.org.apache.iceberg.rest.responses.PlanTableScanResponse
  * Thread safety: This class creates a shared HTTP client that is thread-safe for concurrent
  * requests. The HTTP client should be explicitly closed by calling close() when done.
  *
- * @param icebergRestCatalogUriRoot Base URI of the Iceberg REST catalog server, e.g.,
- *                                   "http://localhost:8181". Should not include trailing slash
- *                                   or "/v1" prefix.
+ * @param baseUriRaw Base URI of the Iceberg REST catalog up to /v1, e.g.,
+ *                   "http://<catalog-URL>/iceberg/v1". Trailing slashes are handled automatically.
+ * @param catalogName Name of the catalog for config endpoint query parameter.
  * @param token Authentication token for the catalog server.
  */
 class IcebergRESTCatalogPlanningClient(
-    icebergRestCatalogUriRoot: String,
+    baseUriRaw: String,
+    catalogName: String,
     token: String) extends ServerSidePlanningClient with AutoCloseable {
 
+  // Normalize baseUri to handle trailing slashes
+  private val baseUri = baseUriRaw.stripSuffix("/")
+
   // Sentinel value indicating "use current snapshot" in Iceberg REST API
   private val CURRENT_SNAPSHOT_ID = 0L
 
   // Partition spec ID for unpartitioned tables
   private val UNPARTITIONED_SPEC_ID = 0
 
+  /**
+   * Lazily fetch the catalog configuration and construct the endpoint URI root.
+   * Calls /v1/config?warehouse=<catalogName> per Iceberg REST catalog spec to get the prefix.
+   * If no prefix is returned, uses baseUri directly without any prefix per Iceberg spec.
+   */
+  private lazy val icebergRestCatalogUriRoot: String = {
+    fetchCatalogPrefix() match {
+      case Some(prefix) => s"$baseUri/$prefix"
+      case None => baseUri
+    }
+  }
+
+  /**
+   * Fetch catalog prefix from /v1/config endpoint per Iceberg REST catalog spec.
+   * Returns None on any error or if no prefix is defined in the config.
+   */
+  private def fetchCatalogPrefix(): Option[String] = {
+    try {
+      val configUri = s"$baseUri/config?warehouse=$catalogName"
+      val httpGet = new HttpGet(configUri)
+      val response = httpClient.execute(httpGet)
+      try {
+        if (response.getStatusLine.getStatusCode == HttpStatus.SC_OK) {
+          val body = EntityUtils.toString(response.getEntity)
+          val config = JsonUtils.fromJson[CatalogConfigResponse](body)
+          // Apply overrides on top of defaults per Iceberg REST spec
+          config.overrides.get("prefix").orElse(config.defaults.get("prefix"))
+        } else {
+          None
+        }
+      } finally {
+        response.close()
+      }
+    } catch {
+      case _: Exception => None
+    }
+  }
+
   private val httpHeaders = {
     val baseHeaders = Map(
       HttpHeaders.ACCEPT -> ContentType.APPLICATION_JSON.getMimeType,
       HttpHeaders.CONTENT_TYPE -> ContentType.APPLICATION_JSON.getMimeType,
       HttpHeaders.USER_AGENT -> buildUserAgent()
     )
     // Add Bearer token authentication if token is provided
-    val headersWithAuth = if (token != null && token.nonEmpty) {
+    val headersWithAuth = if (token.nonEmpty) {
       baseHeaders + (HttpHeaders.AUTHORIZATION -> s"Bearer $token")
     } else {
       baseHeaders
@@ -186,13 +237,11 @@ class IcebergRESTCatalogPlanningClient(
       sparkProjectionOption: Option[Seq[String]] = None,
       sparkLimitOption: Option[Int] = None): ScanPlan = {
     // Construct the /plan endpoint URI. For Unity Catalog tables, the
-    // icebergRestCatalogUriRoot is constructed by UnityCatalogMetadata which calls
-    // /v1/config to get the optional prefix and builds the proper endpoint
-    // (e.g., {ucUri}/api/2.1/unity-catalog/iceberg-rest/v1/{prefix}).
-    // For other catalogs, the endpoint is passed directly via metadata.
+    // Call /v1/config to get the catalog prefix, then construct the full endpoint.
+    // icebergRestCatalogUriRoot is lazily constructed as: {baseUri}/{prefix}
+    // where prefix comes from /v1/config?warehouse=<catalogName> per Iceberg REST spec.
     // See: https://iceberg.apache.org/rest-catalog-spec/
-    val planTableScanUri =
-      s"$icebergRestCatalogUriRoot/v1/namespaces/$database/tables/$table/plan"
+    val planTableScanUri = s"$icebergRestCatalogUriRoot/namespaces/$database/tables/$table/plan"
 
     // Request planning for current snapshot. snapshotId = 0 means "use current snapshot"
     // in the Iceberg REST API spec. Time-travel queries are not yet supported.

iceberg/src/main/scala/org/apache/spark/sql/delta/serverSidePlanning/IcebergRESTCatalogPlanningClientFactory.scala

@@ -27,9 +27,10 @@ class IcebergRESTCatalogPlanningClientFactory extends ServerSidePlanningClientFa
       spark: SparkSession,
       metadata: ServerSidePlanningMetadata): ServerSidePlanningClient = {
 
-    val endpointUri = metadata.planningEndpointUri
+    val baseUri = metadata.planningEndpointUri
     val token = metadata.authToken.getOrElse("")
+    val catalogName = metadata.catalogName
 
-    new IcebergRESTCatalogPlanningClient(endpointUri, token)
+    new IcebergRESTCatalogPlanningClient(baseUri, catalogName, token)
   }
 }

iceberg/src/test/java/shadedForDelta/org/apache/iceberg/rest/IcebergRESTCatalogAdapterWithPlanSupport.java

@@ -66,6 +66,10 @@ class IcebergRESTCatalogAdapterWithPlanSupport extends RESTCatalogAdapter {
   // Static field for test credential injection - credentials to inject into /plan responses
   // Volatile is used to guarantee correct cross-thread access (test thread and Jetty server thread).
   private static volatile Map<String, String> testCredentials = null;
+  
+  // Static field to capture the request path of /plan requests for test verification
+  // Volatile is used to guarantee correct cross-thread access (test thread and Jetty server thread).
+  private static volatile String capturedPlanRequestPath = null;
 
   IcebergRESTCatalogAdapterWithPlanSupport(Catalog catalog) {
     super(catalog);
@@ -125,6 +129,14 @@ static Boolean getCapturedCaseSensitive() {
     return capturedCaseSensitive;
   }
 
+  /**
+   * Get the request path captured from the most recent /plan request.
+   * Package-private for test access.
+   */
+  static String getCapturedPlanRequestPath() {
+    return capturedPlanRequestPath;
+  }
+
   /**
    * Set test credentials to inject into /plan responses.
    * Package-private for test access.
@@ -153,6 +165,7 @@ static void clearCaptured() {
     capturedMinRowsRequested = null;
     capturedCaseSensitive = null;
     testCredentials = null;
+    capturedPlanRequestPath = null;
   }
 
   @Override
@@ -166,6 +179,7 @@ protected <T extends RESTResponse> T execute(
 
     // Intercept /plan requests before they reach the base adapter
     if (isPlanTableScanRequest(request)) {
+      capturedPlanRequestPath = request.path();  // Capture the path for test verification
       try {
         PlanTableScanResponse response = handlePlanTableScan(request, parserContext);
         return (T) response;

iceberg/src/test/java/shadedForDelta/org/apache/iceberg/rest/IcebergRESTServer.java

@@ -186,6 +186,14 @@ public Boolean getCapturedCaseSensitive() {
     return IcebergRESTCatalogAdapterWithPlanSupport.getCapturedCaseSensitive();
   }
 
+  /**
+   * Get the request path captured from the most recent /plan request.
+   * Delegates to adapter. For test verification of endpoint construction.
+   */
+  public String getCapturedPlanRequestPath() {
+    return IcebergRESTCatalogAdapterWithPlanSupport.getCapturedPlanRequestPath();
+  }
+
   /**
    * Set test credentials to inject into /plan responses.
    * Used for testing credential extraction in clients.

iceberg/src/test/scala/org/apache/spark/sql/delta/serverSidePlanning/IcebergRESTCatalogPlanningClientSuite.scala

@@ -83,7 +83,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
   // Tests that the REST /plan endpoint returns 0 files for an empty table.
   test("basic plan table scan via IcebergRESTCatalogPlanningClient") {
     withTempTable("testTable") { table =>
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         val scanPlan = client.planScan(defaultNamespace.toString, "testTable")
         assert(scanPlan != null, "Scan plan should not be null")
@@ -111,7 +111,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
         .map(row => (new Path(row.getString(0)).getName, row.getLong(1)))
         .toMap
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         val scanPlan = client.planScan(defaultNamespace.toString, "tableWithData")
         assert(scanPlan != null, "Scan plan should not be null")
@@ -143,49 +143,69 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
   // This will test the client's partition validation logic at
   // IcebergRESTCatalogPlanningClient:160-164
 
-  test("UnityCatalogMetadata uses prefix from /v1/config endpoint") {
-    import org.apache.spark.sql.delta.serverSidePlanning.UnityCatalogMetadata
+  test("IcebergRESTCatalogPlanningClient uses prefix from /v1/config endpoint") {
+    server.clearCaptured()  // Clear any previous state
 
-    // Configure server to return prefix
-    server.setCatalogPrefix("catalogs/test-catalog")
+    server.setCatalogPrefix("catalogs/test-catalog-prefix")
 
-    val metadata = UnityCatalogMetadata(
-      catalogName = "test_catalog",
-      ucUri = serverUri,
-      ucToken = "test-token",
-      tableProps = Map.empty)
+    withTempTable("testTable") { table =>
+      // Client expects baseUri to include the /v1 path (per Iceberg REST spec)
+      val client = new IcebergRESTCatalogPlanningClient(s"$serverUri/v1", "test_catalog", "")
+      try {
+        // Make a call that will trigger the lazy initialization of icebergRestCatalogUriRoot
+        // which internally calls fetchCatalogPrefix()
+        val scanPlan = client.planScan(defaultNamespace.toString, "testTable")
+        assert(scanPlan != null, "Scan plan should not be null")
 
-    // Verify endpoint includes prefix from /v1/config response
-    val expectedEndpoint = s"$serverUri/api/2.1/unity-catalog/iceberg-rest/v1/catalogs/test-catalog"
-    assert(
-      metadata.planningEndpointUri == expectedEndpoint,
-      s"Expected endpoint to include prefix: ${metadata.planningEndpointUri}")
+        // Verify the server received a /plan request with the correct prefix
+        // This confirms that the config endpoint returned the correct prefix and that the client
+        // correctly constructed the full plan request path.
+        val capturedPath = server.getCapturedPlanRequestPath()
+        assert(capturedPath != null, "Server should have captured the request path")
+        assert(capturedPath.startsWith("v1/catalogs/test-catalog-prefix/"),
+          s"Expected path to start with 'v1/catalogs/test-catalog-prefix/' but got: $capturedPath")
+      } finally {
+        client.close()
+      }
+    }
   }
 
-  test("UnityCatalogMetadata falls back when /v1/config returns no prefix") {
-    import org.apache.spark.sql.delta.serverSidePlanning.UnityCatalogMetadata
+  test("IcebergRESTCatalogPlanningClient uses baseUri directly when /v1/config returns no prefix") {
+    server.clearCaptured()  // Clear any previous state
 
-    // Configure server to return no prefix (fallback case)
+    // Configure server to return no prefix
     server.setCatalogPrefix(null)
 
-    val metadata = UnityCatalogMetadata(
-      catalogName = "test_catalog",
-      ucUri = serverUri,
-      ucToken = "test-token",
-      tableProps = Map.empty)
-
-    // Verify endpoint uses simple path without prefix
-    val expectedEndpoint = s"$serverUri/api/2.1/unity-catalog/iceberg-rest"
-    assert(
-      metadata.planningEndpointUri == expectedEndpoint,
-      s"Expected endpoint without prefix: ${metadata.planningEndpointUri}")
+    withTempTable("testTable") { table =>
+      // Client expects baseUri to include the /v1 path (per Iceberg REST spec)
+      val client = new IcebergRESTCatalogPlanningClient(s"$serverUri/v1", "test_catalog", "")
+      try {
+        // Make a call that will trigger the lazy initialization
+        val scanPlan = client.planScan(defaultNamespace.toString, "testTable")
+        assert(scanPlan != null, "Scan plan should not be null")
+
+        // Verify the server received a /plan request using baseUri directly (no prefix)
+        val capturedPath = server.getCapturedPlanRequestPath()
+        assert(capturedPath != null, "Server should have captured the request path")
+        // When no prefix is returned, use baseUri directly without adding prefix
+        assert(
+          !capturedPath.contains("catalogs/"),
+          s"Expected path to NOT contain 'catalogs/' when no prefix, but got: $capturedPath")
+        assert(
+          capturedPath.startsWith("v1/namespaces/"),
+          s"Expected path to start with 'v1/namespaces/' (using baseUri directly), but got: " +
+            s"$capturedPath")
+      } finally {
+        client.close()
+      }
+    }
   }
 
   test("filter sent to IRC server over HTTP") {
     withTempTable("filterTest") { table =>
       populateTestData(s"rest_catalog.${defaultNamespace}.filterTest")
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         val testCases = Seq(
           (EqualTo("longCol", 2L), "EqualTo numeric (long)"),
@@ -295,7 +315,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
           Set("`address.city`"))
       )
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         testCases.foreach { testCase =>
           // Clear previous captured projection
@@ -328,7 +348,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
       val tableName = s"rest_catalog.${defaultNamespace}.limitTest"
       populateTestData(tableName)
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, null, "")
       try {
         // Test different limit values
         val testCases = Seq(
@@ -363,7 +383,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
       val tableName = s"rest_catalog.${defaultNamespace}.filterProjectionLimitTest"
       populateTestData(tableName)
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         // Note: Filter types are already tested in "filter sent to IRC server" test.
         // Here we verify filter, projection, AND limit are sent together correctly.
@@ -441,7 +461,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
     withTempTable("caseSensitiveTest") { table =>
       populateTestData(s"rest_catalog.${defaultNamespace}.caseSensitiveTest")
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, null, "")
       try {
         server.clearCaptured()
 
@@ -472,7 +492,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
     withTempTable("credentialsTest") { table =>
       populateTestData(s"rest_catalog.${defaultNamespace}.credentialsTest")
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         // Test cases for all three cloud providers
         val testCases = Seq(
@@ -531,7 +551,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
     withTempTable("noCredentialsTest") { table =>
       populateTestData(s"rest_catalog.${defaultNamespace}.noCredentialsTest")
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         // Don't configure any credentials (current default behavior)
         val scanPlan = client.planScan(defaultNamespace.toString, "noCredentialsTest")
@@ -549,7 +569,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
     withTempTable("incompleteCredsTest") { table =>
       populateTestData(s"rest_catalog.${defaultNamespace}.incompleteCredsTest")
 
-      val client = new IcebergRESTCatalogPlanningClient(serverUri, null)
+      val client = new IcebergRESTCatalogPlanningClient(serverUri, "test_catalog", "")
       try {
         // Test cases for incomplete credentials that should throw errors
         val errorTestCases = Seq(
@@ -630,7 +650,7 @@ class IcebergRESTCatalogPlanningClientSuite extends QueryTest with SharedSparkSe
   }
 
   test("User-Agent header format") {
-    val client = new IcebergRESTCatalogPlanningClient("http://localhost:8080", null)
+    val client = new IcebergRESTCatalogPlanningClient("http://localhost:8080", "test_catalog", "")
     try {
       val userAgent = client.getUserAgent()