singhpk234 commented on code in PR #2802:
URL: https://github.com/apache/polaris/pull/2802#discussion_r2427043181
##########
spec/polaris-management-service.yml:
##########
@@ -1103,6 +1103,10 @@ components:
type: string
description: the aws user arn used to assume the aws role
example: "arn:aws:iam::123456789001:user/abc1-b-self1234"
+ kmsKeyArn:
+ type: string
+ description: the aws kms key arn used to encrypt s3 data
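Review bot: the `kmsKeyArn` description is too vague to act on and, unlike the adjacent `userArn` field, carries no `example:`. State whether the key applies to every object Polaris writes under the S3 location (metadata and manifest files included) or only to Iceberg data files, since the IAM policy builder and the FileIO configuration need to agree on that scope, and add an `example:` with placeholders such as `"arn:aws:kms:<region>:<account-id>:key/<key-id>"` so the expected ARN shape is documented for clients.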
Review Comment:
By S3 data, do we mean data stored in S3 or Iceberg data files?
If it's just data stored in S3, a part of Iceberg metadata is generated by
Polaris itself; do we need to plumb the encryption to the FileIO Polaris uses?
If it's just Iceberg data files, how are we making sure it's not used against
Iceberg metadata files such as manifest lists?
##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -242,6 +244,21 @@ private IamPolicy policyString(
return
policyBuilder.addStatement(allowGetObjectStatementBuilder.build()).build();
}
+ private static void addKmsKeyPolicy(String kmsKeyArn, IamPolicy.Builder
policyBuilder) {
+ if (kmsKeyArn != null) {
+ IamStatement.Builder allowKms =
+ IamStatement.builder()
+ .effect(IamEffect.ALLOW)
+ .addAction("kms:GenerateDataKeyWithoutPlaintext")
+ .addAction("kms:Encrypt")
+ .addAction("kms:DescribeKey")
+ .addAction("kms:Decrypt")
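Review bot: the statement grants `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKeyWithoutPlaintext` and `kms:DescribeKey` unconditionally whenever `kmsKeyArn` is non-null, so a credential vended for read-only access can still encrypt with the key. Thread the privilege being vended into `addKmsKeyPolicy` and add the actions per side (`kms:Decrypt` for read, `kms:GenerateDataKey*` plus `kms:Encrypt` for write, `kms:DescribeKey` for both). The visible lines also end before any resource is attached to the statement; make sure it is scoped with `.addResource(kmsKeyArn)` rather than left on `*`, and validate that the value is a KMS key or alias ARN before it is interpolated into the policy document.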
Review Comment:
Should we give encrypt or decrypt based on the privilege? For example,
TABLE_READ should get decrypt and TABLE_READ_AND_WRITE should get both encrypt
and decrypt?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
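To illustrate the split the second review comment asks for, here is an added example that is not code from the Polaris PR: a helper that builds the KMS statement from the read/write privilege being vended, scoped to the configured key. It assumes the AWS SDK for Java v2 policy builder module (`software.amazon.awssdk.policybuilder.iam`, the same `IamStatement`/`IamPolicy` API the hunk uses); the method name `addKmsKeyPolicy`, the `allowRead`/`allowWrite` parameters and the key ARN are hypothetical and constructed for the example.

```java
// Added example, not Polaris code. Assumes the AWS SDK for Java v2 policy builder
// module (software.amazon.awssdk:policybuilder). Helper names are hypothetical.
import software.amazon.awssdk.policybuilder.iam.IamEffect;
import software.amazon.awssdk.policybuilder.iam.IamPolicy;
import software.amazon.awssdk.policybuilder.iam.IamStatement;

public final class KmsPolicyExample {

  // Accepts key ARNs and alias ARNs in any AWS partition; rejects anything else
  // before it is interpolated into a policy document.
  private static final String KMS_ARN_PATTERN =
      "arn:[a-z-]+:kms:[a-z0-9-]+:\\d{12}:(key|alias)/[^\\s]+";

  /**
   * Hypothetical replacement for the PR's addKmsKeyPolicy: the actions granted
   * depend on the privilege being vended instead of always being the full set.
   */
  static void addKmsKeyPolicy(
      String kmsKeyArn, boolean allowRead, boolean allowWrite, IamPolicy.Builder policyBuilder) {
    if (kmsKeyArn == null || kmsKeyArn.isBlank()) {
      return; // no customer-managed key configured: grant nothing
    }
    if (!kmsKeyArn.matches(KMS_ARN_PATTERN)) {
      throw new IllegalArgumentException("not a KMS key or alias ARN: " + kmsKeyArn);
    }
    if (!allowRead && !allowWrite) {
      return; // a credential with no table privilege gets no key access at all
    }

    IamStatement.Builder kms =
        IamStatement.builder()
            .effect(IamEffect.ALLOW)
            .addResource(kmsKeyArn) // scoped to this key, never "*"
            .addAction("kms:DescribeKey"); // harmless key metadata, needed on both paths

    if (allowRead) {
      kms.addAction("kms:Decrypt"); // unwrap the data key of SSE-KMS objects on GetObject
    }
    if (allowWrite) {
      // S3 asks KMS for a fresh data key on the caller's behalf when writing SSE-KMS
      // objects. Multipart uploads additionally need kms:Decrypt to re-open the data
      // key for later parts, so a write-only grant still needs Decrypt.
      kms.addAction("kms:GenerateDataKey")
          .addAction("kms:GenerateDataKeyWithoutPlaintext")
          .addAction("kms:Encrypt")
          .addAction("kms:Decrypt");
    }
    policyBuilder.addStatement(kms.build());
  }

  /** Builds a policy containing only the KMS statement for the given privilege. */
  static IamPolicy kmsOnlyPolicy(String kmsKeyArn, boolean allowRead, boolean allowWrite) {
    IamPolicy.Builder builder = IamPolicy.builder();
    addKmsKeyPolicy(kmsKeyArn, allowRead, allowWrite, builder);
    return builder.build();
  }

  public static void main(String[] args) {
    // Constructed sample ARN for the example; not a real key.
    String keyArn = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID";

    // TABLE_READ: DescribeKey + Decrypt only.
    System.out.println(kmsOnlyPolicy(keyArn, true, false).toJson());

    // TABLE_READ_AND_WRITE: the full set, still scoped to the one key.
    System.out.println(kmsOnlyPolicy(keyArn, true, true).toJson());

    // A malformed value is rejected instead of being embedded in the policy.
    try {
      kmsOnlyPolicy("arn:aws:s3:::some-bucket", true, true);
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The read-only variant prints a statement with only `kms:DescribeKey` and `kms:Decrypt`, which is what the comment asks for TABLE_READ; the write variant adds the data-key and encrypt actions. The extra `kms:Decrypt` on the write path is deliberate: S3 multipart uploads under SSE-KMS fail without it, so tightening to "Encrypt only" for writers breaks large object uploads rather than improving the policy.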