Re: [PR] Core: Add support for encryption.kms-type with aws/azure/gcp [iceberg]

Mon, 09 Feb 2026 01:47:52 -0800 


singhpk234 commented on code in PR #15272:
URL: https://github.com/apache/iceberg/pull/15272#discussion_r2781642756


##########
core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java:
##########
@@ -53,8 +54,18 @@ public static KeyManagementClient 
createKmsClient(Map<String, String> catalogPro
         kmsType,
         kmsImpl);
 
-    // TODO: Add KMS implementations
-    Preconditions.checkArgument(kmsType == null, "Unsupported KMS type: %s", 
kmsType);
+    if (kmsType != null) {
+      kmsImpl =
+          switch (kmsType.toLowerCase(Locale.ROOT)) {
+            case CatalogProperties.ENCRYPTION_KMS_TYPE_AWS ->
+                CatalogProperties.ENCRYPTION_KMS_IMPL_AWS;
+            case CatalogProperties.ENCRYPTION_KMS_TYPE_AZURE ->
+                CatalogProperties.ENCRYPTION_KMS_IMPL_AZURE;
+            case CatalogProperties.ENCRYPTION_KMS_TYPE_GCP ->
+                CatalogProperties.ENCRYPTION_KMS_IMPL_GCP;
+            default -> throw new IllegalStateException("Unsupported KMS type: 
" + kmsType);
+          };

Review Comment:
   Have we give a thought about tables which span across multiple cloud 
providers ? do we need something like ResolvingFileIO eq ?



##########
docs/docs/encryption.md:
##########
@@ -28,7 +28,7 @@ Currently, encryption is supported in the Hive and REST 
catalogs for tables with
 
 Two parameters are required to activate encryption of a table:
 
-1. Catalog property `encryption.kms-impl`, that specifies the class path for a 
client of a KMS ("key management service").
+1. Catalog property `encryption.kms-type`, that accepts `aws`, `azure` or 
`gcp`, or catalog property `encryption.kms-impl`, that specifies the class path 
for a client of a KMS ("key management service").

Review Comment:
   what happens when both `type` and impl are specified and they are different, 
do we have assertions ?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to