rdblue commented on code in PR #7770: URL: https://github.com/apache/iceberg/pull/7770#discussion_r1676546177
########## core/src/main/java/org/apache/iceberg/SnapshotParser.java: ########## 
@@ -147,6 +169,42 @@ static Snapshot fromJson(JsonNode node) { if (node.has(MANIFEST_LIST)) { // the manifest list is stored in a manifest list file String manifestList = JsonUtil.getString(MANIFEST_LIST, node); + + ByteBuffer manifestListKeyMetadata = null; + ByteBuffer wrappedManifestListKeyMetadata = null; + String wrappedKeyEncryptionKey = null; + + // Manifest list can be encrypted + if (node.has(MANIFEST_LIST_KEY_METADATA)) { + // Decode and decrypt manifest list key with metadata key + String manifestListKeyMetadataString = JsonUtil.getString(MANIFEST_LIST_KEY_METADATA, node); + wrappedManifestListKeyMetadata = + ByteBuffer.wrap(Base64.getDecoder().decode(manifestListKeyMetadataString)); + + NativeEncryptionKeyMetadata nativeWrappedKeyMetadata = + EncryptionUtil.parseKeyMetadata(wrappedManifestListKeyMetadata); + ByteBuffer wrappedManifestListKey = nativeWrappedKeyMetadata.encryptionKey(); + Preconditions.checkState( + encryption instanceof StandardEncryptionManager, + "Can't decrypt manifest list key - encryption manager %s is not instance of StandardEncryptionManager", + encryption.getClass()); + StandardEncryptionManager standardEncryptionManager = + (StandardEncryptionManager) encryption; + byte[] keyEncryptionKey = standardEncryptionManager.keyEncryptionKey(); Review Comment: Why does the encryption manager need to track this key? Isn't the key coming from the table metadata? I think it should be stored in `TableMetadata` instead. I believe there is no guarantee that the key doesn't change across versions, right? In that case, it will make a lot more sense if we track the key on a specific `TableMetadata` instance. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
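Review bot: in the `Preconditions.checkState(encryption instanceof StandardEncryptionManager, ...)` call, the message argument `encryption.getClass()` is evaluated before the check itself runs, so a null `encryption` fails with a NullPointerException rather than the intended "Can't decrypt manifest list key" message. Null-check `encryption` first, and consider moving the whole check to the top of the `if (node.has(MANIFEST_LIST_KEY_METADATA))` block so the parser fails before it Base64-decodes and parses the key metadata. Separately, `byte[] keyEncryptionKey = standardEncryptionManager.keyEncryptionKey();` pulls raw key-encryption-key bytes into `SnapshotParser.fromJson`; letting the encryption manager perform the unwrap and return only the manifest list key metadata would keep that key material out of the JSON parsing path and remove the need for the cast here.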