ggershinsky commented on a change in pull request #3053:
URL: https://github.com/apache/iceberg/pull/3053#discussion_r722178026



##########
File path: 
core/src/main/java/org/apache/iceberg/hadoop/HadoopTableOperations.java
##########
@@ -82,6 +95,104 @@ public TableMetadata current() {
     return currentMetadata;
   }
 
+  @Override
+  @SuppressWarnings("checkstyle:CyclomaticComplexity")
+  public EncryptionManager encryption() {
+    // TODO run by single thread? or synchronize?
+    if (null != encryptionManager) {
+      return encryptionManager;
+    }
+
+    TableMetadata tableMetadata = current();
+    Map<String, String> tableProperties = tableMetadata.properties();
+
+    String keyManagerType = PropertyUtil.propertyAsString(tableProperties,
+            TableProperties.ENCRYPTION_MANAGER_TYPE, 
TableProperties.ENCRYPTION_MANAGER_TYPE_PLAINTEXT);
+    if 
(keyManagerType.equals(TableProperties.ENCRYPTION_MANAGER_TYPE_PLAINTEXT)) {
+      encryptionManager = new PlaintextEncryptionManager();
+      return encryptionManager;
+    }
+
+    if 
(keyManagerType.equals(TableProperties.ENCRYPTION_MANAGER_TYPE_SINGLE_ENVELOPE) 
||
+            
keyManagerType.equals(TableProperties.ENCRYPTION_MANAGER_TYPE_DOUBLE_ENVELOPE)) 
{
+      boolean doubleWrap = 
keyManagerType.equals(TableProperties.ENCRYPTION_MANAGER_TYPE_DOUBLE_ENVELOPE);
+      if (doubleWrap) {
+        throw new RuntimeException("Double envelope encryption is not 
supported yet");
+      }
+
+      Schema tableSchema = tableMetadata.schema();
+
+      String tableKeyId = PropertyUtil.propertyAsString(tableProperties,
+              TableProperties.ENCRYPTION_TABLE_KEY, null);
+      if (null == tableKeyId) {
+        throw new RuntimeException("Table encryption key is not specified");
+      }
+
+      boolean pushdown = PropertyUtil.propertyAsBoolean(tableProperties,
+              TableProperties.ENCRYPTION_PUSHDOWN_ENABLED, 
TableProperties.ENCRYPTION_PUSHDOWN_ENABLED_DEFAULT);
+      // TODO since TableProperties.DEFAULT_FILE_FORMAT are overwritten eg in 
Spark,
+      // TODO check for pushdown in each data format and throw unsupported 
exception in Avro
+
+      String dataEncryptionAlgorithm = 
PropertyUtil.propertyAsString(tableProperties,
+              TableProperties.ENCRYPTION_DATA_ALGORITHM, 
TableProperties.ENCRYPTION_DATA_ALGORITHM_DEFAULT);
+
+      EnvelopeConfig.Builder dataFileConfBuilder = 
EnvelopeConfig.builderFor(tableSchema)
+              .singleWrap(tableKeyId)
+              
.useAlgorithm(EncryptionAlgorithm.valueOf(dataEncryptionAlgorithm));
+
+      String columnKeysProperty = 
PropertyUtil.propertyAsString(tableProperties,
+              TableProperties.ENCRYPTION_COLUMN_KEYS, null);
+
+      if (null != columnKeysProperty) {
+        if (!pushdown) {
+          throw new RuntimeException("Column-specific master keys are 
supported only in pushdown mode");
+        }
+
+        // TODO
+        throw new RuntimeException("Column-specific master keys are not 
supported yet");
+      }
+
+      EnvelopeConfig dataFileConfig = dataFileConfBuilder.build();
+
+      String kmsClientImpl = PropertyUtil.propertyAsString(tableProperties,
+              TableProperties.ENCRYPTION_KMS_CLIENT_IMPL, null);
+
+      // Pass custom kms configuration from table and Hadoop properties
+      Map<String, String> kmsProperties = new HashMap<>();
+      for (Map.Entry<String, String> property : tableProperties.entrySet()) {
+        if (property.getKey().contains("kms.client")) { // TODO
+          kmsProperties.put(property.getKey(), property.getValue());
+        }
+      }
+
+      for (Map.Entry<String, String> property : conf) {
+        if (property.getKey().contains("kms.client")) { // TODO
+          kmsProperties.put(property.getKey(), property.getValue());
+        }
+      }
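Review bot: The `contains("kms.client")` substring filter in the two property loops at the end of the hunk is loose: it forwards any table property or Hadoop setting whose key merely contains that text, and because table properties are copied first and Hadoop values only override keys that are also present in `conf`, a `kms.client*` key committed into table metadata is honoured whenever the cluster configuration is silent on it, so anyone able to commit table properties may be able to influence how the KMS client is configured (which keys the client actually reads is not visible here). Consider a `startsWith` check against a single documented prefix constant instead of `contains`, and a comment stating the intended precedence above the second loop, e.g. `// Hadoop conf overrides table-level kms.client settings`. Separately, `EncryptionAlgorithm.valueOf(dataEncryptionAlgorithm)` surfaces a misspelt `ENCRYPTION_DATA_ALGORITHM` value as a bare `IllegalArgumentException` that does not name the property; wrapping it with a message that does would make the failure diagnosable. The `encryption()` method continues past the quoted hunk, so the branch taken for an unrecognised manager type is not visible here.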

Review comment:
       `Configuration` is a Hadoop class, which should probably be transparent 
to other callers of `TableEnvelopeKeyManager.loadKmsClient`. Agree re table 
properties; that should be fine for all callers, so I will add it as a separate 
parameter to this method.



