pavibhai commented on PR #1424: URL: https://github.com/apache/polaris/pull/1424#issuecomment-3128004251
@fivetran-ashokborra Here is what I am thinking of.

- Configuration at the Catalog Level for KMS ARNs
  - Empty indicates no KMS vending required
  - `*` is allowed
  - The values specified here are used as the resource
- During the creation of the policy statement, the following needs to happen
  - Use the KMS ARNs from the Catalog definition as resources
  - Two separate statements, one for read and another for write
  - Each statement comes with a condition against the encryption context s3 arn to restrict to the allowed read or write paths accordingly

This does avoid making another call to S3 to determine the encryption settings and still performs the required restrictions of limiting the use of these credentials to only the specified paths.

Hope that makes sense, do let me know. I know the scope is different to what you started initially; if it helps, I can try to put a PR towards the above scope if this is beyond what you were initially planning on.

cc: @collado-mike
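
A sketch of the policy statements the comment above proposes, added here as an illustration and not taken from the PR or from Polaris code. The function name, parameter names, statement ids and sample ARNs are hypothetical; the action lists and the `StringLike` match on `kms:EncryptionContext:aws:s3:arn` are assumptions about how the proposal would map onto IAM.

```python
import json

CTX_KEY = "kms:EncryptionContext:aws:s3:arn"  # context S3 sets for SSE-KMS

def _object_arns(locations):
    """s3://bucket/prefix -> arn:aws:s3:::bucket/prefix/* (one per location)."""
    arns = []
    for loc in locations:
        # Reject wildcards so a location cannot widen the condition.
        if not loc.startswith("s3://") or "*" in loc or "?" in loc:
            raise ValueError(f"unsupported location: {loc!r}")
        arns.append("arn:aws:s3:::" + loc[len("s3://"):].rstrip("/") + "/*")
    return sorted(set(arns))

def kms_statements(kms_arns, read_locations, write_locations):
    """KMS statements for a vended-credential session policy.

    kms_arns is the hypothetical catalog-level setting: [] means no KMS
    vending, ["*"] allows any key.
    """
    if not kms_arns:
        return []
    resource = "*" if "*" in kms_arns else sorted(set(kms_arns))
    plan = [
        ("KmsRead", ["kms:Decrypt"], read_locations),
        # Assumption: multipart uploads need Decrypt as well as GenerateDataKey.
        ("KmsWrite", ["kms:GenerateDataKey", "kms:Decrypt"], write_locations),
    ]
    statements = []
    for sid, actions, locations in plan:
        arns = _object_arns(locations)
        if not arns:  # no paths of this kind: grant nothing
            continue
        statements.append({
            "Sid": sid, "Effect": "Allow", "Action": actions,
            "Resource": resource,
            "Condition": {"StringLike": {CTX_KEY: arns}},
        })
    return statements

if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    demo = kms_statements(
        ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"],
        ["s3://example-bucket/warehouse/db/tbl"],
        ["s3://example-bucket/warehouse/db/tbl/data/"],
    )
    print(json.dumps({"Version": "2012-10-17", "Statement": demo}, indent=2))
```

When S3 Bucket Keys are enabled on a bucket, S3 passes the bucket ARN as the encryption context instead of the object ARN, so path-scoped conditions like these would not match and the condition would have to target the bucket ARN.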