dimas-b commented on code in PR #17155:
URL: https://github.com/apache/iceberg/pull/17155#discussion_r3581222153
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3665,6 +3673,43 @@ components:
additionalProperties:
type: string
+ KeyManagementCredential:
+ type: object
+ description: |
+ Provider-specific credential config for accessing one or more KMS keys
required by an encrypted
+ table operation.
+
+ The key-management provider is advertised in catalog configuration,
such as `encryption.kms-type`
+ returned from `/v1/config`. The `config` map contains
provider-specific properties for the
+ selected key-management provider.
+
+ Clients should select the credential config by matching KMS key
identifiers referenced by table
+ encryption metadata, such as `EncryptedKey.encrypted-by-id`, against
`kms-key-ids`. If no
+ key-management credential matches a KMS key ID required by table
encryption metadata, the client
+ must fail the operation with an authorization or missing-credential
error.
Review Comment:
I agree with the general idea, but as far as the API spec is concerned, it
does not feel right to me to _require_ clients to fails if the server returns
an incomplete response (missing KMS credentials).
I think a more appropriate statement would be "catalogs must provide KMS
credentials for all key IDs required by table encryption metadata...". How does
that sounds?
##########
open-api/rest-catalog-open-api.yaml:
##########
@@ -3665,6 +3676,44 @@ components:
additionalProperties:
type: string
+ KeyManagementCredential:
+ type: object
+ description: |
+ Provider-specific credential config for accessing one or more KMS keys
required by an encrypted
+ table operation.
+
+ The key-management provider is advertised in catalog configuration,
such as `encryption.kms-type`
+ returned from `/v1/config`. The `config` map contains
provider-specific properties for the
+ selected key-management provider.
+
+ Clients should select the credential config by matching KMS key
identifiers referenced by table
+ encryption metadata, such as `EncryptedKey.encrypted-by-id`, against
`kms-key-ids`. If a response
+ includes `key-management-credentials` but no credential matches a KMS
key ID required by table
+ encryption metadata, the client must fail the operation with an
authorization or missing-credential
+ error.
+
+ Credential configs must be time-bounded and should be scoped to the
minimum required KMS operations
Review Comment:
How are time bounds defined?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]