szlta commented on code in PR #17155:
URL: https://github.com/apache/iceberg/pull/17155#discussion_r3578178474
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3665,6 +3673,43 @@ components:
additionalProperties:
type: string
+ KeyManagementCredential:
+ type: object
+ description: |
+ Provider-specific credential config for accessing one or more KMS keys
required by an encrypted
+ table operation.
+
+ The key-management provider is advertised in catalog configuration,
such as `encryption.kms-type`
+ returned from `/v1/config`. The `config` map contains
provider-specific properties for the
+ selected key-management provider.
+
+ Clients should select the credential config by matching KMS key
identifiers referenced by table
+ encryption metadata, such as `EncryptedKey.encrypted-by-id`, against
`kms-key-ids`. If no
+ key-management credential matches a KMS key ID required by table
encryption metadata, the client
+ must fail the operation with an authorization or missing-credential
error.
Review Comment:
I think we do want the client to act like this. When vended credentials are
provided by the catalog, the client should use them, and use them only.
When vended credentials are provided we don't want clients to silently
bypass the catalog's KMS authorization decision by using unrelated local
credentials for the same delegated operation. That could also re-introduce a
hybrid consumption of credentials which we want to avoid.
I clarified this section that failing is only a requirement when vended
credentials are provided by catalog side.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]