[#11580] feat(iceberg): Support credential vending in planTableScan endpoint

[laserninja]

What changes were proposed in this pull request?

Add X-Iceberg-Access-Delegation header support to the planTableScan endpoint, mirroring the existing behavior in loadTable and createTable:

• Add @HeaderParam(X_ICEBERG_ACCESS_DELEGATION) String accessDelegation parameter to planTableScan
• Derive isCredentialVending via the existing isCredentialVending() helper
• Pass isCredentialVending into the IcebergRequestContext 3-arg constructor
• Update logging to include access delegation info

Why are the changes needed?

The planTableScan endpoint does not honor the X-Iceberg-Access-Delegation header. Unlike loadTable and createTable, which accept the header and construct an IcebergRequestContext with isCredentialVending=true, planTableScan builds the context without it. As a result, scan-planning responses cannot carry vended storage credentials, forcing clients to make a separate loadTable call to obtain them.

Fix: #11580

Does this PR introduce any user-facing change?

The planTableScan REST endpoint now accepts the X-Iceberg-Access-Delegation header. When vended-credentials is specified, the response can include vended storage credentials (consistent with loadTable / createTable).

How was this patch tested?

Added three new parameterized tests in TestIcebergTableOperations:

• testPlanTableScanWithCredentialVending — verifies the vended-credentials path returns 200 OK
• testPlanTableScanRemoteSigningNotSupported — verifies remote-signing returns 406
• testPlanTableScanInvalidAccessDelegation — verifies invalid values return 400

All 66 tests in TestIcebergTableOperations pass (0 failures).

[github-actions]

Code Coverage Report

Overall Project	66.96% +0.04%	🟢
Files changed	81.28%	🟢

Module	Coverage
aliyun	1.72%	🔴
api	46.82%	🟢
authorization-common	85.96%	🟢
aws	3.66%	🔴
azure	2.47%	🔴
catalog-common	10.4%	🔴
catalog-fileset	80.23%	🟢
catalog-glue	66.91%	🟢
catalog-hive	79.44%	🟢
catalog-jdbc-clickhouse	80.02%	🟢
catalog-jdbc-common	44.22%	🟢
catalog-jdbc-doris	80.28%	🟢
catalog-jdbc-hologres	54.03%	🟢
catalog-jdbc-mysql	79.23%	🟢
catalog-jdbc-oceanbase	78.38%	🟢
catalog-jdbc-postgresql	82.29%	🟢
catalog-jdbc-starrocks	78.51%	🟢
catalog-kafka	77.01%	🟢
catalog-lakehouse-generic	58.53%	🟢
catalog-lakehouse-hudi	79.1%	🟢
catalog-lakehouse-iceberg	85.79%	🟢
catalog-lakehouse-paimon	79.15%	🟢
catalog-model	77.72%	🟢
cli	44.51%	🟢
client-java	78.01%	🟢
common	49.9%	🟢
core	82.38%	🟢
filesystem-hadoop3	77.27%	🟢
flink	0.0%	🔴
flink-common	45.72%	🟢
flink-runtime	0.0%	🔴
gcp	14.12%	🔴
hadoop-common	10.39%	🔴
hive-metastore-common	53.9%	🟢
iceberg-common	57.41%	🟢
iceberg-rest-server	74.01% +0.43%	🟢
idp-basic	86.18%	🟢
integration-test-common	0.0%	🔴
jobs	66.17%	🟢
lance-common	20.79%	🔴
lance-rest-server	60.54%	🟢
lineage	53.02%	🟢
optimizer	82.95%	🟢
optimizer-api	21.95%	🔴
server	85.87%	🟢
server-common	73.28%	🟢
spark	28.57%	🔴
spark-common	41.66%	🟢
trino-connector	40.13%	🟢

Files

Module	File	Coverage
iceberg-rest-server	IcebergTableOperations.java	81.28%	🟢

[laserninja]

Closing in favor of #10800 which covers the full scope (header support + storage-credentials in response). See #10685.