[Feature] Add Data Access Token vending in OpenHouse

[raymondlam12]

Willingness to contribute

{"label"=>"Yes. I can contribute a fix for this bug independently.", "value"=>"independent"}

Feature Request Proposal

Cloud blob storage providers like AWS and Azure have "data access token", tokens that provide authorized access to S3 storage / Azure Blob Storage, support via AWS S3 Access Grants and Azure Shared Access Signatures respectively.

As a catalog, OpenHouse can vend these "data access tokens" for accessing storage to a specific table and users would subsequently leverage these credentials to access their storage.

Motivation

What is the use case for this feature?

This would put OpenHouse in the data access control place and remove the need to synchronize data access control with underlying blob storage.

What component(s) does this feature affect?

• Table Service: This is the RESTful catalog service that stores table metadata. :services:tables
• Jobs Service: This is the job orchestrator that submits data services for table maintenance. :services:jobs
• Data Services: This is the jobs that performs table maintenance. apps:spark
• Iceberg internal catalog: This is the internal Iceberg catalog for OpenHouse Catalog Service. :iceberg:openhouse
• Spark Client Integration: This is the Apache Spark integration for OpenHouse catalog. :integration:spark
• Documentation: This is the documentation for OpenHouse. docs
• Local Docker: This is the local Docker environment for OpenHouse. infra/recipes/docker-compose
• Other: Please specify the component.

Details

No response