ggershinsky commented on code in PR #16353:
URL: https://github.com/apache/iceberg/pull/16353#discussion_r3434909508


##########
core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java:
##########
@@ -181,6 +185,37 @@ public static Map<String, EncryptedKey> 
encryptionKeys(EncryptionManager em) {
     return sem.encryptionKeys();
   }
 
+  /**
+   * Returns {@link TableMetadata} with encrypted keys from an {@param 
encryptionManager} that are
+   * required to read the snapshots in the given {@param metadata}. Only adds 
keys that are still
+   * referenced in metadata.
+   */
+  public static TableMetadata addEmKeysToMetadata(
+      TableMetadata metadata, EncryptionManager encryptionManager) {
+    if (!(encryptionManager instanceof StandardEncryptionManager 
standardEncryptionManager)) {
+      return metadata;
+    }
+    Set<String> referencedEncryptionKeys =
+        Sets.union(
+            metadata.snapshots().stream()
+                .map(Snapshot::keyId)
+                .filter(Objects::nonNull)
+                .collect(Collectors.toUnmodifiableSet()),
+            metadata.encryptionKeys().stream()
+                .map(EncryptedKey::encryptedById)
+                .filter(Objects::nonNull)
+                .collect(Collectors.toUnmodifiableSet()));
+    TableMetadata.Builder metadataBuilder = TableMetadata.buildFrom(metadata);
+    standardEncryptionManager.encryptionKeys().values().stream()
+        .filter(
+            encryptedKey ->
+                referencedEncryptionKeys.contains(encryptedKey.keyId())
+                    // The KEK may not be referenced but must still be saved 
in the metadata.
+                    || 
standardEncryptionManager.keyEncryptionKeyID().equals(encryptedKey.keyId()))
+        .forEach(metadataBuilder::addEncryptionKey);
+    return metadataBuilder.build();
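Review bot: The wrapping chain in `referencedEncryptionKeys` is only followed through keys already present in `metadata.encryptionKeys()` (via `EncryptedKey::encryptedById`); for keys taken from `standardEncryptionManager.encryptionKeys()` the only wrapper admitted by the filter is the current `keyEncryptionKeyID()`. If the manager holds an ml key (kept because a snapshot's `keyId` references it) that is wrapped by a previous KEK not yet recorded in the metadata, that KEK would be filtered out while the ml key it wraps is persisted. Unless the manager guarantees every key it holds is wrapped by the current KEK, consider also unioning `encryptedById` of the manager's own keys, or walking the chain until a key has no `encryptedById`. Separately, `{@param encryptionManager}` and `{@param metadata}` in the Javadoc are not valid inline tags; `{@code encryptionManager}` and `{@code metadata}` would render correctly.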

Review Comment:
   Yep, the approach is direct: to save KMS interactions, ml keys are encrypted by an intermediate local KEK, which in turn is encrypted by the KMS. So it's always ml key -> KEK -> KMS. No reason to introduce another hop.
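As an added illustration (not Iceberg's code or API, and not part of the thread), the following model shows the ml key -> KEK -> KMS hierarchy described above and the bookkeeping question the hunk addresses: which keys a writer must persist so that every remaining snapshot stays readable. It goes one step beyond the single-hop case by following `encrypted_by_id` transitively, so a rotated KEK that still wraps a live ml key is retained while keys belonging only to expired snapshots are dropped. All names (`EncryptedKey`, `Snapshot`, `keys_to_persist`) and the sample key ids are constructed for this example.

```python
"""Model of encryption-key bookkeeping for a snapshot-based table.

Hierarchy (as in the review thread): each manifest-list (ml) key is wrapped by
a local key-encryption key (KEK), and the KEK is wrapped by the KMS. A key may
be dropped from metadata only when nothing readable still depends on it.
This is a hypothetical model, not Iceberg's API.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class EncryptedKey:
    key_id: str
    encrypted_by_id: Optional[str]  # None: wrapped directly by the KMS


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: int
    key_id: Optional[str]  # None: unencrypted snapshot


def keys_to_persist(snapshots: Iterable[Snapshot],
                    manager_keys: Iterable[EncryptedKey],
                    kek_id: str) -> set:
    """Return ids of manager keys that must be written into table metadata.

    A key is kept when (a) a snapshot references it, (b) it wraps a kept key
    (followed transitively, so a previous KEK that still wraps a live ml key
    survives rotation), or (c) it is the manager's current KEK, which must be
    saved even before anything references it.
    """
    by_id = {k.key_id: k for k in manager_keys}
    keep = set()
    pending = [s.key_id for s in snapshots if s.key_id is not None]
    pending.append(kek_id)
    while pending:
        kid = pending.pop()
        if kid in keep or kid not in by_id:
            continue  # already handled, or not a key this manager holds
        keep.add(kid)
        wrapper = by_id[kid].encrypted_by_id
        if wrapper is not None:
            pending.append(wrapper)  # the wrapping key is needed too
    return keep


def demo() -> set:
    """Constructed sample: two KEKs (kek-1 rotated out), three ml keys."""
    manager_keys = [
        EncryptedKey("kek-1", None),     # previous KEK, still wraps ml-a
        EncryptedKey("kek-2", None),     # current KEK
        EncryptedKey("ml-a", "kek-1"),   # used by snapshot 1
        EncryptedKey("ml-b", "kek-2"),   # used by snapshot 2
        EncryptedKey("ml-c", "kek-2"),   # belonged to an expired snapshot
    ]
    snapshots = [Snapshot(1, "ml-a"), Snapshot(2, "ml-b"), Snapshot(4, None)]
    return keys_to_persist(snapshots, manager_keys, kek_id="kek-2")


if __name__ == "__main__":
    print(sorted(demo()))  # kek-1 is kept for ml-a; ml-c is dropped
```

Dropping a wrapping key that still guards a referenced ml key is the failure mode to watch for: the snapshot's manifest list would become undecryptable even though the snapshot itself was never expired, which is why the walk follows `encrypted_by_id` rather than checking only the current KEK.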



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
