ggershinsky commented on PR #13225: URL: https://github.com/apache/iceberg/pull/13225#issuecomment-4369201720

Basically, the lifecycle of a KMS client object is driven by these events:

- initialize call - done once. Passes the catalog properties map. A pointer to this map can be kept. Also, other potential channels for credential passing (such as system env or files) can be queried at this stage. Plus, if needed, a per-table credential map can be fetched and stored.
- wrap/unwrap calls. Pass the table key id. Credentials can be refreshed (and, if needed, per-table credentials can be fetched or extracted locally) at this stage, using the catalog property map, system env, files or other channels.

Also, it's possible to run a thread in the KMS client that would asynchronously handle the credentials.

So the mechanism seems to be quite flexible. But if it doesn't cover important use cases, we can consider changes.
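
The lifecycle described in the comment above, as an added example that is not code from the PR or from Iceberg: one `initialize` call keeps the map reference, and each wrap/unwrap call refreshes a stale credential from the map or the environment. The class name `RefreshingKmsClient`, the property `kms.example.token`, the variable `KMS_EXAMPLE_TOKEN`, the 300-second lifetime and the `byte[]` signatures are assumptions, and a local AES key wrap stands in for the authenticated call to a real KMS.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical client: names, property keys and the token lifetime are assumptions.
public class RefreshingKmsClient {
  private final Map<String, byte[]> fakeKmsKeys = new ConcurrentHashMap<>(); // stand-in for KMS master keys
  private Map<String, String> catalogProps;  // pointer kept from initialize()
  private String token;
  private Instant expiresAt = Instant.MIN;

  public void initialize(Map<String, String> properties) {  // called once
    this.catalogProps = properties;
    token();  // fail fast if no credential channel yields a value
  }

  public byte[] wrapKey(byte[] key, String tableKeyId) throws Exception {
    return kmsCipher(Cipher.WRAP_MODE, tableKeyId).wrap(new SecretKeySpec(key, "AES"));
  }

  public byte[] unwrapKey(byte[] wrapped, String tableKeyId) throws Exception {
    return kmsCipher(Cipher.UNWRAP_MODE, tableKeyId)
        .unwrap(wrapped, "AES", Cipher.SECRET_KEY).getEncoded();
  }

  // Refresh point: wrap/unwrap re-read the channels once the cached token is stale.
  private synchronized String token() {
    if (Instant.now().isAfter(expiresAt)) {
      String fresh = catalogProps.get("kms.example.token");           // assumed property name
      if (fresh == null) fresh = System.getenv("KMS_EXAMPLE_TOKEN");  // assumed env variable
      if (fresh == null) throw new IllegalStateException("no KMS credential available");
      token = fresh;
      expiresAt = Instant.now().plusSeconds(300);                     // assumed lifetime
    }
    return token;
  }

  // Stand-in for the remote call: local AES key wrap under a per-key-id master key.
  private Cipher kmsCipher(int mode, String tableKeyId) throws Exception {
    token();  // a real client would send this credential with the request
    byte[] kek = fakeKmsKeys.computeIfAbsent(tableKeyId, id -> new SecureRandom().generateSeed(16));
    Cipher c = Cipher.getInstance("AESWrap");
    c.init(mode, new SecretKeySpec(kek, "AES"));
    return c;
  }
}
```

Because the client holds the map reference rather than a copy, a token the catalog replaces in that map is picked up at the next refresh without re-initializing the client.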
