Re: [PR] Core: Clean up encryption keys as part of RemoveSnapshots [iceberg]

Thu, 18 Jun 2026 02:17:04 -0700 


Hugo-WB commented on code in PR #16353:
URL: https://github.com/apache/iceberg/pull/16353#discussion_r3434597403


##########
core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java:
##########
@@ -181,6 +185,37 @@ public static Map<String, EncryptedKey> 
encryptionKeys(EncryptionManager em) {
     return sem.encryptionKeys();
   }
 
+  /**
+   * Returns {@link TableMetadata} with encrypted keys from an {@param 
encryptionManager} that are
+   * required to read the snapshots in the given {@param metadata}. Only adds 
keys that are still
+   * referenced in metadata.
+   */
+  public static TableMetadata addEmKeysToMetadata(
+      TableMetadata metadata, EncryptionManager encryptionManager) {
+    if (!(encryptionManager instanceof StandardEncryptionManager 
standardEncryptionManager)) {
+      return metadata;
+    }
+    Set<String> referencedEncryptionKeys =
+        Sets.union(
+            metadata.snapshots().stream()
+                .map(Snapshot::keyId)
+                .filter(Objects::nonNull)
+                .collect(Collectors.toUnmodifiableSet()),
+            metadata.encryptionKeys().stream()
+                .map(EncryptedKey::encryptedById)
+                .filter(Objects::nonNull)
+                .collect(Collectors.toUnmodifiableSet()));
+    TableMetadata.Builder metadataBuilder = TableMetadata.buildFrom(metadata);
+    standardEncryptionManager.encryptionKeys().values().stream()
+        .filter(
+            encryptedKey ->
+                referencedEncryptionKeys.contains(encryptedKey.keyId())
+                    // The KEK may not be referenced but must still be saved 
in the metadata.
+                    || 
standardEncryptionManager.keyEncryptionKeyID().equals(encryptedKey.keyId()))
+        .forEach(metadataBuilder::addEncryptionKey);
+    return metadataBuilder.build();

Review Comment:
   On second though this will get caught by integration tests. but worth noting.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to