szlta opened a new pull request, #17155: URL: https://github.com/apache/iceberg/pull/17155
## Summary Adds REST KMS credential vending to the spec for Iceberg table encryption. This extends REST access delegation so catalogs can return short-lived, scoped KMS credentials alongside storage credentials. Clients match vended KMS credentials to KMS key IDs referenced by Iceberg encryption metadata and continue to call the KMS directly. Original design doc: https://docs.google.com/document/d/1VSewbVmjukU5eTiZruCJVmUZcRZvcAsd4JOeC6Lt3fo ## Changes This PR adds: - `kms-vended-credentials` as an access-delegation mechanism - `encryption.kms-type` as a catalog-level KMS provider/type identifier - `key-management-credentials` to credential-bearing REST responses - `KeyManagementCredential`, containing: - `kms-key-ids` - provider-specific credential `config` - client matching rules between `kms-key-ids` and `EncryptedKey.encrypted-by-id` - security guidance for vended KMS credentials, including time-bounded credentials and provider-supported scoping ## Credential sourcing For encrypted table operations, credential sourcing should be consistent with REST access-delegation rules. If a catalog honors REST access delegation for an encrypted table operation, it should provide all delegated credentials required for that operation, including storage credentials and KMS credentials. If REST access delegation is not used or not honored, the client remains responsible for providing the required credentials locally. ## Not included This PR does not add remote KMS wrap/unwrap APIs. Remote wrap/unwrap may be useful for some environments and can be proposed separately, but it has a different protocol shape and security model because plaintext Iceberg key material would flow through the catalog API. This PR focuses on KMS credential vending, where the catalog returns short-lived, scoped KMS credentials and clients continue to call the KMS directly. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
