ggershinsky commented on code in PR #15272:
URL: https://github.com/apache/iceberg/pull/15272#discussion_r2783147363
##########
core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java:
##########
@@ -53,8 +54,18 @@ public static KeyManagementClient
createKmsClient(Map<String, String> catalogPro
kmsType,
kmsImpl);
- // TODO: Add KMS implementations
- Preconditions.checkArgument(kmsType == null, "Unsupported KMS type: %s",
kmsType);
+ if (kmsType != null) {
+ kmsImpl =
+ switch (kmsType.toLowerCase(Locale.ROOT)) {
+ case CatalogProperties.ENCRYPTION_KMS_TYPE_AWS ->
+ CatalogProperties.ENCRYPTION_KMS_IMPL_AWS;
+ case CatalogProperties.ENCRYPTION_KMS_TYPE_AZURE ->
+ CatalogProperties.ENCRYPTION_KMS_IMPL_AZURE;
+ case CatalogProperties.ENCRYPTION_KMS_TYPE_GCP ->
+ CatalogProperties.ENCRYPTION_KMS_IMPL_GCP;
+ default -> throw new IllegalStateException("Unsupported KMS type:
" + kmsType);
+ };
Review Comment:
Currently, we have three single-cloud implementations, built-in the Iceberg
code. When a patch for a new KMS client (for a widely used platform) is sent
and merged in Iceberg, a new type would be added here.
A multi-cloud KMS client sounds better fitted for the custom
`encryption.kms-impl` parameter; but if there is a popular usecase, then no
reason not to have it as a new type.
Like ResolvingFileIO , the `encryption.kms-impl` passes the catalog
properties to a new class instance.
##########
docs/docs/encryption.md:
##########
@@ -28,7 +28,7 @@ Currently, encryption is supported in the Hive and REST
catalogs for tables with
Two parameters are required to activate encryption of a table:
-1. Catalog property `encryption.kms-impl`, that specifies the class path for a
client of a KMS ("key management service").
+1. Catalog property `encryption.kms-type`, that accepts `aws`, `azure` or
`gcp`, or catalog property `encryption.kms-impl`, that specifies the class path
for a client of a KMS ("key management service").
Review Comment:
This is the first item that follows "Two parameters are required to activate
encryption of a table:". The change makes the requirement somewhat less clear.
We probably want something like
"1. Catalog property that specifies the KMS ("key management service"). It
can be either `encryption.kms-type` for pre-defined KMS clients (`aws`, `azure`
or `gcp`) or `encryption.kms-impl` with the client class path for custom KMS
clients.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
