ggershinsky commented on code in PR #7770:
URL: https://github.com/apache/iceberg/pull/7770#discussion_r1717312383
##########
core/src/main/java/org/apache/iceberg/encryption/StandardEncryptionManager.java:
##########
@@ -20,28 +20,46 @@
import java.nio.ByteBuffer;
import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.Map;
+import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.TableProperties;
import org.apache.iceberg.io.InputFile;
import org.apache.iceberg.io.OutputFile;
import org.apache.iceberg.io.SeekableInputStream;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
import org.apache.iceberg.relocated.com.google.common.collect.Iterables;
+import org.apache.iceberg.relocated.com.google.common.collect.Maps;
import org.apache.iceberg.util.ByteBuffers;
public class StandardEncryptionManager implements EncryptionManager {
+ public static final int KEK_ID_LENGTH = 16;
+
private final transient KeyManagementClient kmsClient;
private final String tableKeyId;
private final int dataKeyLength;
-
+ private final long kekCacheTimeout;
+ private Map<String, KeyEncryptionKey> kekCache;
private transient volatile SecureRandom lazyRNG = null;
+ /**
+ * @deprecated will be removed in 2.0.0. use {@link
#StandardEncryptionManager(String, int,
+ * KeyManagementClient, long)} instead.
+ */
+ @Deprecated
+ public StandardEncryptionManager(
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ this(tableKeyId, dataKeyLength, kmsClient,
CatalogProperties.KEK_CACHE_TIMEOUT_MS_DEFAULT);
+ }
+
/**
* @param tableKeyId table encryption key id
* @param dataKeyLength length of data encryption key (16/24/32 bytes)
* @param kmsClient Client of KMS used to wrap/unwrap keys in envelope
encryption
+ * @param kekCacheTimeout timeout of kek (key encryption key) cache entries
*/
public StandardEncryptionManager(
- String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient,
long kekCacheTimeout) {
Review Comment:
If Flink produces a new snapshot every 2 minutes, we will have by default
144 KEKs a day.. Growing to a very large number in days and weeks. All of them
unwrapped by KMS in readers, can be very expensive. We might want to keep this
parameter configurable..
(now it is renamed to "writer KEK timeout")
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org
