ggershinsky commented on code in PR #7770:
URL: https://github.com/apache/iceberg/pull/7770#discussion_r1703113214


##########
core/src/main/java/org/apache/iceberg/encryption/StandardEncryptionManager.java:
##########
@@ -92,13 +112,98 @@ public ByteBuffer wrapKey(ByteBuffer secretKey) {
 
   public ByteBuffer unwrapKey(ByteBuffer wrappedSecretKey) {
     if (kmsClient == null) {
-      throw new IllegalStateException(
-          "Cannot wrap key after called after serialization (missing KMS 
client)");
+      throw new IllegalStateException("Cannot unwrap key after serialization 
(missing KMS client)");
     }
 
     return kmsClient.unwrapKey(wrappedSecretKey, tableKeyId);
   }
 
+  public void addKekCache(Map<String, KeyEncryptionKey> wrappedKekCache) {
+    for (Map.Entry<String, KeyEncryptionKey> entry : 
wrappedKekCache.entrySet()) {
+      KeyEncryptionKey wrappedKek = entry.getValue();
+      KeyEncryptionKey cachedKek = kekCache.get(entry.getKey());
+
+      if (cachedKek != null) {
+        Preconditions.checkState(
+            cachedKek.wrappedKey().equals(wrappedKek.wrappedKey()),
+            "Cached kek wrap differs from newly added for %s",
+            entry.getKey());
+      } else {
+        ByteBuffer encryptedKEK =
+            
ByteBuffer.wrap(Base64.getDecoder().decode(wrappedKek.wrappedKey()));
+        // Unwrap the key in KMS
+        byte[] kekBytes = unwrapKey(encryptedKEK).array();
+
+        kekCache.put(
+            entry.getKey(),
+            new KeyEncryptionKey(
+                wrappedKek.id(), kekBytes, wrappedKek.wrappedKey(), 
wrappedKek.timestamp()));
+      }
+    }
+  }
+
+  public KeyEncryptionKey currentKEK() {
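
Review bot: In the `else` branch of `addKekCache`, `unwrapKey(encryptedKEK).array()` returns the buffer's entire backing array and ignores its position, limit and array offset, and it throws for a direct or read-only buffer, so the cached KEK bytes depend on how the KMS client allocated its result. Copy exactly the `remaining()` bytes of the returned buffer instead. A short Javadoc on `addKekCache` would also help: it issues one KMS unwrap call per uncached entry, keeps the unwrapped KEK bytes in `kekCache`, and `Base64.getDecoder().decode(...)` throws `IllegalArgumentException` when `wrappedKey()` is not valid Base64, which callers should know to expect.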

Review Comment:
   This is the KEK that is currently used by the writers (to encrypt the 
metadata of manifest list files). This KEK is the latest in the table KEK cache 
(kept in the encryption manager object).


