ggershinsky commented on code in PR #14751:
URL: https://github.com/apache/iceberg/pull/14751#discussion_r2597356420
##########
core/src/main/java/org/apache/iceberg/encryption/BaseEncryptedKey.java:
##########
@@ -21,10 +21,11 @@
import java.nio.ByteBuffer;
import java.util.Map;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.util.SerializableByteBuffer;
public class BaseEncryptedKey implements EncryptedKey {
private final String keyId;
- private final ByteBuffer keyMetadata;
+ private final SerializableByteBuffer keyMetadata;
Review Comment:
the new `SerializableByteBuffer` class is far from trivial. One option is to
just use `byte[]` here.
##########
aws/src/main/java/org/apache/iceberg/aws/AwsKeyManagementClient.java:
##########
@@ -102,4 +105,24 @@ public void close() {
kmsClient.close();
}
}
+
+ EncryptionAlgorithmSpec encryptionAlgorithmSpec() {
+ return encryptionAlgorithmSpec;
+ }
+
+ DataKeySpec dataKeySpec() {
+ return dataKeySpec;
+ }
+
+ private KmsClient kmsClient() {
Review Comment:
Makes sense for the worker copies. In the driver, the kms client is closed
by the catalog.
##########
aws/src/main/java/org/apache/iceberg/aws/AwsKeyManagementClient.java:
##########
@@ -39,12 +40,16 @@
*/
public class AwsKeyManagementClient implements KeyManagementClient {
- private KmsClient kmsClient;
+ private Map<String, String> allProperties;
private EncryptionAlgorithmSpec encryptionAlgorithmSpec;
private DataKeySpec dataKeySpec;
+ private transient KmsClient kmsClient;
+
@Override
public void initialize(Map<String, String> properties) {
+ this.allProperties = SerializableMap.copyOf(properties);
+
AwsClientFactory clientFactory = AwsClientFactories.from(properties);
this.kmsClient = clientFactory.kms();
Review Comment:
needed?
##########
core/src/main/java/org/apache/iceberg/encryption/StandardEncryptionManager.java:
##########
@@ -145,42 +137,37 @@ private SecureRandom workerRNG() {
*/
@Deprecated
public ByteBuffer wrapKey(ByteBuffer secretKey) {
- if (transientState == null) {
- throw new IllegalStateException(
- "Cannot wrap key after called after serialization (missing KMS
client)");
- }
-
- return transientState.kmsClient.wrapKey(secretKey, tableKeyId);
+ return kmsClient.wrapKey(secretKey, tableKeyId);
}
/**
* @deprecated will be removed in 2.0.
*/
@Deprecated
public ByteBuffer unwrapKey(ByteBuffer wrappedSecretKey) {
- if (transientState == null) {
- throw new IllegalStateException("Cannot unwrap key after serialization");
+ return kmsClient.unwrapKey(wrappedSecretKey, tableKeyId);
+ }
+
+ private ByteBuffer unwrapKey(String keyId) {
+ if (unwrappedKeyCache != null) {
Review Comment:
why won't we create a local copy of the cache?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
