smaheshwar-pltr commented on code in PR #7770:
URL: https://github.com/apache/iceberg/pull/7770#discussion_r1844220351
##########
core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java:
##########
@@ -70,31 +75,93 @@ public static KeyManagementClient
createKmsClient(Map<String, String> catalogPro
return kmsClient;
}
+ /**
+ * @deprecated will be removed in 2.0.0. use {@link
#createEncryptionManager(String, int,
+ * KeyManagementClient)} instead.
+ */
+ @Deprecated
public static EncryptionManager createEncryptionManager(
Map<String, String> tableProperties, KeyManagementClient kmsClient) {
- Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null");
String tableKeyId =
tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY);
-
- if (null == tableKeyId) {
- // Unencrypted table
- return PlaintextEncryptionManager.instance();
- }
-
int dataKeyLength =
PropertyUtil.propertyAsInt(
tableProperties,
TableProperties.ENCRYPTION_DEK_LENGTH,
TableProperties.ENCRYPTION_DEK_LENGTH_DEFAULT);
+ return createEncryptionManager(tableKeyId, dataKeyLength, kmsClient);
+ }
+
+ public static EncryptionManager createEncryptionManager(
+ String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+ Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null");
+
+ if (null == tableKeyId) {
+ // Unencrypted table
+ return PlaintextEncryptionManager.instance();
+ }
+
Preconditions.checkState(
dataKeyLength == 16 || dataKeyLength == 24 || dataKeyLength == 32,
"Invalid data key length: %s (must be 16, 24, or 32)",
dataKeyLength);
- return new StandardEncryptionManager(tableKeyId, dataKeyLength, kmsClient);
+ return new StandardEncryptionManager(tableKeyId, dataKeyLength,
ImmutableList.of(), kmsClient);
}
public static EncryptedOutputFile plainAsEncryptedOutput(OutputFile
encryptingOutputFile) {
return new BaseEncryptedOutputFile(encryptingOutputFile,
EncryptionKeyMetadata.empty());
}
+
+ /**
+ * Decrypt the key metadata for a snapshot.
+ *
+ * <p>Encryption for snapshot key metadata is only available for tables
using standard encryption.
+ *
+ * @param manifestList a ManifestListFile
+ * @param em the table's EncryptionManager
+ * @return a decrypted key metadata buffer
+ */
+ public static ByteBuffer decryptSnapshotKeyMetadata(
+ ManifestListFile manifestList, EncryptionManager em) {
+ Preconditions.checkState(
+ em instanceof StandardEncryptionManager,
+ "Snapshot key metadata encryption requires a
StandardEncryptionManager");
+ ByteBuffer unwrappedKey =
+ ((StandardEncryptionManager)
em).unwrapKey(manifestList.keyMetadataKeyId());
+ return decryptSnapshotKeyMetadata(
+ unwrappedKey, manifestList.snapshotId(),
manifestList.encryptedKeyMetadata());
+ }
+
+ private static ByteBuffer decryptSnapshotKeyMetadata(
+ ByteBuffer key, long snapshotId, ByteBuffer encryptedKeyMetadata) {
+ Ciphers.AesGcmDecryptor decryptor = new
Ciphers.AesGcmDecryptor(ByteBuffers.toByteArray(key));
+ byte[] keyMetadataBytes = ByteBuffers.toByteArray(encryptedKeyMetadata);
+ byte[] decryptedKeyMetadata = decryptor.decrypt(keyMetadataBytes,
snapshotIdAsAAD(snapshotId));
+ return ByteBuffer.wrap(decryptedKeyMetadata);
+ }
+
+ /**
+ * Encrypts the key metadata for a snapshot.
+ *
+ * <p>Encryption for snapshot key metadata is only available for tables
using standard encryption.
+ *
+ * @param key unwrapped snapshot key bytes
+ * @param snapshotId ID of the table snapshot
+ * @param keyMetadata unencrypted EncryptionKeyMetadata
+ * @return a Pair of the key ID used to encrypt and the encrypted key
metadata
Review Comment:
```suggestion
* @return the encrypted key metadata
```
(nit)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org
