Merge remote-tracking branch 'upstream/master'

dchourasia · dchourasia · commit 9f5b13490eef · 2025-07-24T00:17:25.000Z
diff --git a/sdk/python/feast/feature_store.py b/sdk/python/feast/feature_store.py
@@ -1893,6 +1893,23 @@ def write_to_online_store(
             allow_registry_cache=allow_registry_cache,
             transform_on_write=transform_on_write,
         )
+
+        # Validate that the dataframe has meaningful feature data
+        if df is not None:
+            if df.empty:
+                warnings.warn("Cannot write empty dataframe to online store")
+                return  # Early return for empty dataframe
+
+            # Check if feature columns are empty (entity columns may have data but feature columns are empty)
+            feature_column_names = [f.name for f in feature_view.features]
+            if feature_column_names:
+                feature_df = df[feature_column_names]
+                if feature_df.empty or feature_df.isnull().all().all():
+                    warnings.warn(
+                        "Cannot write dataframe with empty feature columns to online store"
+                    )
+                    return  # Early return for empty feature columns
+
         provider = self._get_provider()
         provider.ingest_df(feature_view, df)
 
@@ -1919,6 +1936,23 @@ async def write_to_online_store_async(
             inputs=inputs,
             allow_registry_cache=allow_registry_cache,
         )
+
+        # Validate that the dataframe has meaningful feature data
+        if df is not None:
+            if df.empty:
+                warnings.warn("Cannot write empty dataframe to online store")
+                return  # Early return for empty dataframe
+
+            # Check if feature columns are empty (entity columns may have data but feature columns are empty)
+            feature_column_names = [f.name for f in feature_view.features]
+            if feature_column_names:
+                feature_df = df[feature_column_names]
+                if feature_df.empty or feature_df.isnull().all().all():
+                    warnings.warn(
+                        "Cannot write dataframe with empty feature columns to online store"
+                    )
+                    return  # Early return for empty feature columns
+
         provider = self._get_provider()
         await provider.ingest_df_async(feature_view, df)
 
diff --git a/sdk/python/feast/permissions/auth_model.py b/sdk/python/feast/permissions/auth_model.py
@@ -1,4 +1,17 @@
-from typing import Literal
+# --------------------------------------------------------------------
+# Extends OIDC client auth model with an optional `token` field.
+# Works on Pydantic v2-only.
+#
+# Accepted credential sets (exactly **one** of):
+#   1 pre-issued `token`
+#   2 `client_secret`            (client-credentials flow)
+#   3 `username` + `password` + `client_secret`  (ROPG)
+# --------------------------------------------------------------------
+from __future__ import annotations
+
+from typing import Literal, Optional
+
+from pydantic import model_validator
 
 from feast.repo_config import FeastConfigBaseModel
 
@@ -13,9 +26,40 @@ class OidcAuthConfig(AuthConfig):
 
 
 class OidcClientAuthConfig(OidcAuthConfig):
-    username: str
-    password: str
-    client_secret: str
+    # any **one** of the four fields below is sufficient
+    username: Optional[str] = None
+    password: Optional[str] = None
+    client_secret: Optional[str] = None
+    token: Optional[str] = None  # pre-issued `token`
+
+    @model_validator(mode="after")
+    def _validate_credentials(cls, values):
+        """Enforce exactly one valid credential set."""
+        d = values.__dict__ if hasattr(values, "__dict__") else values
+
+        has_user_pass = bool(d.get("username")) and bool(d.get("password"))
+        has_secret = bool(d.get("client_secret"))
+        has_token = bool(d.get("token"))
+
+        # 1 static token
+        if has_token and not (has_user_pass or has_secret):
+            return values
+
+        # 2 client_credentials
+        if has_secret and not has_user_pass and not has_token:
+            return values
+
+        # 3 ROPG
+        if has_user_pass and has_secret and not has_token:
+            return values
+
+        raise ValueError(
+            "Invalid OIDC client auth combination: "
+            "provide either\n"
+            "  • token\n"
+            "  • client_secret (without username/password)\n"
+            "  • username + password + client_secret"
+        )
 
 
 class NoAuthConfig(AuthConfig):
diff --git a/sdk/python/feast/permissions/client/oidc_authentication_client_manager.py b/sdk/python/feast/permissions/client/oidc_authentication_client_manager.py
@@ -30,13 +30,28 @@ def get_token(self):
             self.auth_config.auth_discovery_url
         ).get_token_url()
 
-        token_request_body = {
-            "grant_type": "password",
-            "client_id": self.auth_config.client_id,
-            "client_secret": self.auth_config.client_secret,
-            "username": self.auth_config.username,
-            "password": self.auth_config.password,
-        }
+        # 1) pre-issued JWT supplied in config
+        if getattr(self.auth_config, "token", None):
+            return self.auth_config.token
+
+        # 2) client_credentials
+        if self.auth_config.client_secret and not (
+            self.auth_config.username and self.auth_config.password
+        ):
+            token_request_body = {
+                "grant_type": "client_credentials",
+                "client_id": self.auth_config.client_id,
+                "client_secret": self.auth_config.client_secret,
+            }
+        # 3) ROPG (username + password + client_secret)
+        else:
+            token_request_body = {
+                "grant_type": "password",
+                "client_id": self.auth_config.client_id,
+                "client_secret": self.auth_config.client_secret,
+                "username": self.auth_config.username,
+                "password": self.auth_config.password,
+            }
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
 
         token_response = requests.post(
diff --git a/sdk/python/feast/repo_config.py b/sdk/python/feast/repo_config.py
@@ -308,11 +308,22 @@ def offline_store(self):
     def auth_config(self):
         if not self._auth:
             if isinstance(self.auth, Dict):
-                is_oidc_client = (
-                    self.auth.get("type") == AuthType.OIDC.value
-                    and "username" in self.auth
-                    and "password" in self.auth
-                    and "client_secret" in self.auth
+                # treat this auth block as *client-side* OIDC when it matches
+                #   1)  ROPG            – username + password + client_secret
+                #   2)  client-credentials – client_secret only
+                #   3)  static token    – token
+                is_oidc_client = self.auth.get("type") == AuthType.OIDC.value and (
+                    (
+                        "username" in self.auth
+                        and "password" in self.auth
+                        and "client_secret" in self.auth
+                    )  # 1
+                    or (
+                        "client_secret" in self.auth
+                        and "username" not in self.auth
+                        and "password" not in self.auth
+                    )  # 2
+                    or ("token" in self.auth)  # 3
                 )
                 self._auth = get_auth_config_from_type(
                     "oidc_client" if is_oidc_client else self.auth.get("type")
diff --git a/sdk/python/tests/unit/online_store/test_online_writes.py b/sdk/python/tests/unit/online_store/test_online_writes.py
diff --git a/sdk/python/tests/utils/test_wrappers.py b/sdk/python/tests/utils/test_wrappers.py
