7/25/2023

Attendees (Gidon Gershinsky <[email protected]>, Gang Wu, Chao Sun, Xinli
Shang, Jiashen Zhang)

Review data masking

   1. The current design is to implement it on the reader side, and it is
      lightweight.
   2. When KMS returns access denied and the session-based flag is enabled, a
      null value is returned instead of the original value.
   3. Relying on the KMS access denied has a few issues:
      1. Expensive, because it is RPC calls
      2. There are different KMSs, and the returned error might be different

Add a column-wise key/nullify flag, just like we did for column encryption
<https://github.com/apache/parquet-mr/tree/master/parquet-hadoop#class-propertiesdrivencryptofactory>.
By doing this, we don’t need to contact KMS.

-- 
Xinli Shang
