Signed-off-by: Endi Caushi <[email protected]>
|
cc @ggershinsky |
|
Thanks @mrendi29. I don't have much experience with the Vault. But from the Iceberg encryption interface POV, this looks good. |
| awssdk-s3accessgrants = { module = "software.amazon.s3.accessgrants:aws-s3-accessgrants-java-plugin", version.ref = "awssdk-s3accessgrants" } | ||
| azuresdk-bom = { module = "com.azure:azure-sdk-bom", version.ref = "azuresdk-bom" } | ||
| bson = { module = "org.mongodb:bson", version.ref = "bson-ver"} | ||
| bettercloud-vault = { module = "com.bettercloud:vault-java-driver", version.ref = "bettercloud-vault" } |
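Review bot: The `bettercloud-vault` entry sits after `bson`, which breaks the alphabetical order the neighbouring aliases follow (`awssdk-s3accessgrants`, `azuresdk-bom`, `bson`); move it above the `bson` line. The entry also relies on `version.ref = "bettercloud-vault"`, and the matching version key is not among the visible lines, so it is worth confirming that key is added in the same change.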
I learned before that adding a new dependency also requires adding license information to the LICENSE file.
|
@nastra @amogh-jahagirdar what do you think, how can Iceberg support key management solutions other than the cloud provider's solution? Instead of adopting the key management client implementation itself, should Iceberg instead provide an option to dynamically load (maybe there's already an option like this?) the key management implementation with the parameters? |
|
Okay, never mind, I found the answer, looks like dynamic loading of KeyManagementClient is supported by |
|
Although the ultimate decision is up to the project PMCs, I personally think that it is probably not a good idea to put this in the core module. Putting it there means that everyone who uses Iceberg will also take the risk (I refer here mostly to security risks) of the additional dependency required for interaction with HashiCorp Vault (not to mention the minimal risk of the client implementation itself), even when they don't need it at all. Other key vault clients are implemented within a cloud provider specific module. |
|
@nandorKollar this makes sense, should I move this into a separate module i.e. hashikorp-vault-kms/ ? |
|
This pull request has been marked as stale due to 30 days of inactivity. It will be closed in 1 week if no further activity occurs. If you think that’s incorrect or this pull request requires a review, please simply write any comment. If closed, you can revive the PR at any time and @mention a reviewer or discuss it on the [email protected] list. Thank you for your contributions. |
|
This pull request has been closed due to lack of activity. This is not a judgement on the merit of the PR in any way. It is just a way of keeping the PR queue manageable. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time. |
|
mrendi29 This is a great idea for Iceberg. It's a pity the PR has been closed. |
|
@asdasdruasd I just noticed Trino has started working on Iceberg encryption on trinodb/trino#28354 which is really nice. I will be happy to port this over for Trino should that be required once the support for encryption in Trino is out. |
Addresses #14437
We are planning to use HashiCorp Vault Transit engine as our KMS of choice. This is the preliminary client that we are using so far, so I thought to contribute this back to the community.