rdblue commented on code in PR #7770:
URL: https://github.com/apache/iceberg/pull/7770#discussion_r1700984337


##########
core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java:
##########
@@ -70,31 +76,105 @@ public static KeyManagementClient 
createKmsClient(Map<String, String> catalogPro
     return kmsClient;
   }
 
+  /**
+   * @deprecated will be removed in 2.0.0. use {@link 
#createEncryptionManager(String, int,
+   *     KeyManagementClient, long)} instead.
+   */
+  @Deprecated
   public static EncryptionManager createEncryptionManager(
       Map<String, String> tableProperties, KeyManagementClient kmsClient) {
-    Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null");
     String tableKeyId = 
tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY);
-
-    if (null == tableKeyId) {
-      // Unencrypted table
-      return PlaintextEncryptionManager.instance();
-    }
-
     int dataKeyLength =
         PropertyUtil.propertyAsInt(
             tableProperties,
             TableProperties.ENCRYPTION_DEK_LENGTH,
             TableProperties.ENCRYPTION_DEK_LENGTH_DEFAULT);
 
+    return createEncryptionManager(
+        tableKeyId, dataKeyLength, kmsClient, 
CatalogProperties.KEK_CACHE_TIMEOUT_MS_DEFAULT);
+  }
+
+  public static EncryptionManager createEncryptionManager(
+      String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient, 
long kekCacheTimeout) {
+    Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null");
+
+    if (null == tableKeyId) {
+      // Unencrypted table
+      return PlaintextEncryptionManager.instance();
+    }
+
     Preconditions.checkState(
         dataKeyLength == 16 || dataKeyLength == 24 || dataKeyLength == 32,
         "Invalid data key length: %s (must be 16, 24, or 32)",
         dataKeyLength);
 
-    return new StandardEncryptionManager(tableKeyId, dataKeyLength, kmsClient);
+    return new StandardEncryptionManager(tableKeyId, dataKeyLength, kmsClient, 
kekCacheTimeout);
   }
 
   public static EncryptedOutputFile plainAsEncryptedOutput(OutputFile 
encryptingOutputFile) {
     return new BaseEncryptedOutputFile(encryptingOutputFile, 
EncryptionKeyMetadata.empty());
   }
+
+  public static EncryptionKeyMetadata setFileLength(
+      EncryptionKeyMetadata encryptionKeyMetadata, long manifestListLength) {
+    Preconditions.checkState(
+        encryptionKeyMetadata instanceof StandardKeyMetadata,
+        "Cant set file length in %s",
+        encryptionKeyMetadata.getClass());
+    ((StandardKeyMetadata) 
encryptionKeyMetadata).setFileLength(manifestListLength);
+    return encryptionKeyMetadata;
+  }
+
+  private static long parseFileLength(ByteBuffer keyMetadataBuffer) {
+    StandardKeyMetadata standardKeyMetadata = 
StandardKeyMetadata.parse(keyMetadataBuffer);
+    return standardKeyMetadata.fileLength();
+  }
+
+  public static void getKekCacheFromMetadata(FileIO io, Map<String, 
KeyEncryptionKey> kekCache) {
+    Preconditions.checkState(
+        io instanceof EncryptingFileIO,
+        "Can't set KEK cache - IO %s is not instance of EncryptingFileIO",
+        io.getClass());
+    EncryptionManager encryption = ((EncryptingFileIO) io).encryptionManager();
+    Preconditions.checkState(
+        encryption instanceof StandardEncryptionManager,
+        "Can't set KEK cache - encryption manager %s is not instance of 
StandardEncryptionManager",
+        encryption.getClass());
+    ((StandardEncryptionManager) encryption).addKekCache(kekCache);
+  }
+
+  public static InputFile decryptManifestListFile(
+      ManifestListFile manifestListFile, FileIO fileIO) {
+    Preconditions.checkArgument(
+        fileIO instanceof EncryptingFileIO,
+        "Cannot read manifest list (%s) because it is encrypted but the 
configured "
+            + "FileIO (%s) does not implement EncryptingFileIO",
+        manifestListFile.location(),
+        fileIO.getClass());
+    EncryptingFileIO encryptingFileIO = (EncryptingFileIO) fileIO;
+
+    Preconditions.checkArgument(
+        encryptingFileIO.encryptionManager() instanceof 
StandardEncryptionManager,
+        "Cannot read manifest list (%s) because it is encrypted but the "
+            + "encryption manager (%s) is not StandardEncryptionManager",
+        manifestListFile.location(),
+        encryptingFileIO.encryptionManager().getClass());
+    StandardEncryptionManager standardEncryptionManager =
+        (StandardEncryptionManager) encryptingFileIO.encryptionManager();
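Review bot: In `setFileLength` and `getKekCacheFromMetadata`, the message arguments `encryptionKeyMetadata.getClass()`, `io.getClass()` and `encryption.getClass()` are evaluated before `Preconditions.checkState` tests the `instanceof`, so a null input fails with a bare NullPointerException instead of the intended message. These are argument checks, and `decryptManifestListFile` in the same hunk already uses `checkArgument` for the same kind of test; I would add a null guard first, e.g. `Preconditions.checkArgument(encryptionKeyMetadata != null, "Invalid key metadata: null");`, and switch the type checks to `checkArgument`. Keep `getClass()` rather than the object itself in the message so key metadata contents never reach logs, and change `"Cant set file length in %s"` to `"Cannot set file length in %s"`. The new four-argument `createEncryptionManager` also passes `kekCacheTimeout` through unchecked in the visible lines; unless `StandardEncryptionManager` validates it, a non-positive value should be rejected here. `decryptManifestListFile` continues past the end of the quoted hunk, so its remainder is not covered.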

Review Comment:
   Similar to the comment just above, if this is done in `EncryptingFileIO` 
then there is no need to cast.


