ggershinsky commented on code in PR #7770:
URL: https://github.com/apache/iceberg/pull/7770#discussion_r1703084453
##########
core/src/main/java/org/apache/iceberg/encryption/StandardEncryptionManager.java:
##########
@@ -20,28 +20,46 @@
import java.nio.ByteBuffer;
import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.Map;
+import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.TableProperties;
import org.apache.iceberg.io.InputFile;
import org.apache.iceberg.io.OutputFile;
import org.apache.iceberg.io.SeekableInputStream;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.collect.Iterables;
+import org.apache.iceberg.relocated.com.google.common.collect.Maps;
import org.apache.iceberg.util.ByteBuffers;
public class StandardEncryptionManager implements EncryptionManager {
+ public static final int KEK_ID_LENGTH = 16;
+
private final transient KeyManagementClient kmsClient;
private final String tableKeyId;
private final int dataKeyLength;
-
+ private final long kekCacheTimeout;
+ private Map<String, KeyEncryptionKey> kekCache;
private transient volatile SecureRandom lazyRNG = null;
+ /**
+ * @deprecated will be removed in 2.0.0. use {@link
#StandardEncryptionManager(String, int,
+ * KeyManagementClient, long)} instead.
+ */
+ @Deprecated
+ public StandardEncryptionManager(
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ this(tableKeyId, dataKeyLength, kmsClient,
CatalogProperties.KEK_CACHE_TIMEOUT_MS_DEFAULT);
+ }
+
/**
* @param tableKeyId table encryption key id
* @param dataKeyLength length of data encryption key (16/24/32 bytes)
* @param kmsClient Client of KMS used to wrap/unwrap keys in envelope
encryption
+ * @param kekCacheTimeout timeout of kek (key encryption key) cache entries
*/
public StandardEncryptionManager(
- String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient,
long kekCacheTimeout) {
Review Comment:
Different organizations can set the kekCacheTimeout differently, to address
their particular security requirements. But that's probably an advanced
feature. We can start with a default value; and make it configurable later - if
needed (if we get a request from the community). What do you think?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org
