(iceberg) branch main updated: Core: Add support for encryption.kms-type with aws/azure/gcp (#15272)

Sun, 15 Feb 2026 06:32:34 -0800 

This is an automated email from the ASF dual-hosted git repository.

kevinjqliu pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg.git


The following commit(s) were added to refs/heads/main by this push:
     new 8c2ca1d084 Core: Add support for encryption.kms-type with 
aws/azure/gcp (#15272)
8c2ca1d084 is described below

commit 8c2ca1d084fca37671ba8b38d59ea3f5a187b147
Author: Yuya Ebihara <[email protected]>
AuthorDate: Sun Feb 15 23:31:01 2026 +0900

    Core: Add support for encryption.kms-type with aws/azure/gcp (#15272)
---
 .../main/java/org/apache/iceberg/CatalogProperties.java | 10 ++++++++++
 .../org/apache/iceberg/encryption/EncryptionUtil.java   | 15 +++++++++++++--
 .../apache/iceberg/encryption/TestEncryptionUtil.java   | 17 +++++++++++++++++
 docs/docs/encryption.md                                 |  4 ++--
 .../main/java/org/apache/iceberg/hive/HiveCatalog.java  |  3 ++-
 5 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/core/src/main/java/org/apache/iceberg/CatalogProperties.java 
b/core/src/main/java/org/apache/iceberg/CatalogProperties.java
index f35c90c4e8..59744e5092 100644
--- a/core/src/main/java/org/apache/iceberg/CatalogProperties.java
+++ b/core/src/main/java/org/apache/iceberg/CatalogProperties.java
@@ -162,5 +162,15 @@ public class CatalogProperties {
   public static final long AUTH_SESSION_TIMEOUT_MS_DEFAULT = 
TimeUnit.HOURS.toMillis(1);
 
   public static final String ENCRYPTION_KMS_TYPE = "encryption.kms-type";
+  public static final String ENCRYPTION_KMS_TYPE_AWS = "aws";
+  public static final String ENCRYPTION_KMS_TYPE_AZURE = "azure";
+  public static final String ENCRYPTION_KMS_TYPE_GCP = "gcp";
+
   public static final String ENCRYPTION_KMS_IMPL = "encryption.kms-impl";
+  public static final String ENCRYPTION_KMS_IMPL_AWS =
+      "org.apache.iceberg.aws.AwsKeyManagementClient";
+  public static final String ENCRYPTION_KMS_IMPL_AZURE =
+      "org.apache.iceberg.azure.keymanagement.AzureKeyManagementClient";
+  public static final String ENCRYPTION_KMS_IMPL_GCP =
+      "org.apache.iceberg.gcp.GcpKeyManagementClient";
 }
diff --git 
a/core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java 
b/core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java
index 1f0461bc4d..382d244883 100644
--- a/core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java
+++ b/core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java
@@ -21,6 +21,7 @@ package org.apache.iceberg.encryption;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import org.apache.iceberg.CatalogProperties;
@@ -53,8 +54,18 @@ public class EncryptionUtil {
         kmsType,
         kmsImpl);
 
-    // TODO: Add KMS implementations
-    Preconditions.checkArgument(kmsType == null, "Unsupported KMS type: %s", 
kmsType);
+    if (kmsType != null) {
+      kmsImpl =
+          switch (kmsType.toLowerCase(Locale.ROOT)) {
+            case CatalogProperties.ENCRYPTION_KMS_TYPE_AWS ->
+                CatalogProperties.ENCRYPTION_KMS_IMPL_AWS;
+            case CatalogProperties.ENCRYPTION_KMS_TYPE_AZURE ->
+                CatalogProperties.ENCRYPTION_KMS_IMPL_AZURE;
+            case CatalogProperties.ENCRYPTION_KMS_TYPE_GCP ->
+                CatalogProperties.ENCRYPTION_KMS_IMPL_GCP;
+            default -> throw new IllegalStateException("Unsupported KMS type: 
" + kmsType);
+          };
+    }
 
     KeyManagementClient kmsClient;
     DynConstructors.Ctor<KeyManagementClient> ctor;
diff --git 
a/core/src/test/java/org/apache/iceberg/encryption/TestEncryptionUtil.java 
b/core/src/test/java/org/apache/iceberg/encryption/TestEncryptionUtil.java
index 39f0e7a381..edb55d3218 100644
--- a/core/src/test/java/org/apache/iceberg/encryption/TestEncryptionUtil.java
+++ b/core/src/test/java/org/apache/iceberg/encryption/TestEncryptionUtil.java
@@ -19,6 +19,7 @@
 package org.apache.iceberg.encryption;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -27,6 +28,7 @@ import java.io.InputStream;
 import java.lang.reflect.InvocationTargetException;
 import java.util.Map;
 import org.apache.iceberg.CatalogProperties;
+import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
 import org.junit.jupiter.api.Test;
 
 public class TestEncryptionUtil {
@@ -52,6 +54,21 @@ public class TestEncryptionUtil {
     
assertThat(kmsClientObj.getClass().getClassLoader()).isSameAs(customClassLoader);
   }
 
+  @Test
+  public void testInvalidTypeAndImpl() {
+    assertThatThrownBy(
+            () ->
+                EncryptionUtil.createKmsClient(
+                    ImmutableMap.of(
+                        CatalogProperties.ENCRYPTION_KMS_TYPE,
+                        CatalogProperties.ENCRYPTION_KMS_TYPE_AWS,
+                        CatalogProperties.ENCRYPTION_KMS_IMPL,
+                        CatalogProperties.ENCRYPTION_KMS_IMPL_AWS)))
+        .isInstanceOf(IllegalArgumentException.class)
+        .hasMessage(
+            "Cannot set both KMS type (aws) and KMS impl 
(org.apache.iceberg.aws.AwsKeyManagementClient)");
+  }
+
   static class UnitTestCustomClassLoader extends ClassLoader {
 
     @Override
diff --git a/docs/docs/encryption.md b/docs/docs/encryption.md
index 5da51486f7..cbdce85e76 100644
--- a/docs/docs/encryption.md
+++ b/docs/docs/encryption.md
@@ -28,7 +28,7 @@ Currently, encryption is supported in the Hive and REST 
catalogs for tables with
 
 Two parameters are required to activate encryption of a table:
 
-1. Catalog property `encryption.kms-impl`, that specifies the class path for a 
client of a KMS ("key management service").
+1. Catalog property that specifies the KMS ("key management service"). It can 
be either `encryption.kms-type` for pre-defined KMS clients (`aws`, `azure` or 
`gcp`) or `encryption.kms-impl` with the client class path for custom KMS 
clients.
 2. Table property `encryption.key-id`, that specifies the ID of a master key 
used to encrypt and decrypt the table. Master keys are stored and managed in 
the KMS.
 
 For more details on table encryption, see the "Appendix: Internals Overview" 
[subsection](#appendix-internals-overview).
@@ -42,7 +42,7 @@ spark-sql --packages 
org.apache.iceberg:iceberg-spark-runtime-{{ sparkVersionMaj
     --conf spark.sql.catalog.spark_catalog.type=hive \
     --conf spark.sql.catalog.local=org.apache.iceberg.spark.SparkCatalog \
     --conf spark.sql.catalog.local.type=hive \
-    --conf 
spark.sql.catalog.local.encryption.kms-impl=org.apache.iceberg.aws.AwsKeyManagementClient
+    --conf spark.sql.catalog.local.encryption.kms-type=aws
 ```
 
 ```sql
diff --git 
a/hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java 
b/hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
index a6264c67fd..93267716db 100644
--- a/hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
+++ b/hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
@@ -126,7 +126,8 @@ public class HiveCatalog extends BaseMetastoreViewCatalog
             ? new HadoopFileIO(conf)
             : CatalogUtil.loadFileIO(fileIOImpl, properties, conf);
 
-    if (catalogProperties.containsKey(CatalogProperties.ENCRYPTION_KMS_IMPL)) {
+    if (catalogProperties.containsKey(CatalogProperties.ENCRYPTION_KMS_TYPE)
+        || 
catalogProperties.containsKey(CatalogProperties.ENCRYPTION_KMS_IMPL)) {
       this.keyManagementClient = EncryptionUtil.createKmsClient(properties);
     }

Reply via email to