feat(encryption) [7/N] Read encrypted manifest list#2453
Conversation
| io: &FileIO, | ||
| metadata: &TableMetadata, | ||
| metadata_location: Option<&str>, | ||
| encryption_manager: Option<&EncryptionManager>, |
There was a problem hiding this comment.
public api change here
| &self, | ||
| file_io: &FileIO, | ||
| table_metadata: &TableMetadata, | ||
| encryption_manager: Option<&EncryptionManager>, |
There was a problem hiding this comment.
public api change here.
There was a problem hiding this comment.
We had some discussion before, and I think we should add sth like ManifestListLoader to avoid such api changes.
There was a problem hiding this comment.
The api should be as following:
impl Table {
pub fn manifest_list_loader(&self, s: &Snapshot) -> Result<ManifestListLoader> {
...
}
}With this approach, we could hide all table related constructs like Runtime, Cache, FileIO to avoid api changes in future.
There was a problem hiding this comment.
+1 it would be nice to encapsulate these public apis now rather than scramble when Iceberg-Rust eventually preps for its 1.0 release. @blackmwk do you feel strongly about adding a manifest_list_loader method in this PR or a future one?
There was a problem hiding this comment.
I've added the loader in this PR, let me know what you think!
There was a problem hiding this comment.
I prefer to move it into a standalone pr.
There was a problem hiding this comment.
Will move the manifest list reader to it's own PR now
| /// | ||
| /// Returns `Ok(None)` if the property is not set. Returns an error if the | ||
| /// property is set but no [`KeyManagementClient`] was provided. | ||
| fn maybe_configure_encryption( |
There was a problem hiding this comment.
Wasn't exactly sure if this should live here or if it's a concern of the EM?
| metadata_location: Option<String>, | ||
| metadata: Option<TableMetadataRef>, | ||
| identifier: Option<TableIdent>, | ||
| kms_client: Option<Arc<dyn KeyManagementClient>>, |
There was a problem hiding this comment.
Thanks for working on the encryption support @xanderbailey, this is really great.
I think TableMetadata::table_properties has all the information we need to construct either a KeyManagementClient or a EncryptionManager. Do you think we could build them as part of the builder instead of passing KeyManagementClient in the API?
There was a problem hiding this comment.
Thanks for taking a look! In Java's case the kms is configured at the catalog level (CatalogProperties.ENCRYPTION_KMS_*) and I think we should do the same, the catalog will take some KmsFactory and construct the KMS for the table? WDYT?
There was a problem hiding this comment.
Sounds good to me, thanks @xanderbailey.
I think it is closer to the encryption() method in Java's HiveTableOperations.java
| pub const PROPERTY_ENCRYPTION_KEY_ID: &str = "encryption.key-id"; | ||
|
|
||
| /// Property key for the encryption data encryption key (DEK) length in bytes. | ||
| pub const PROPERTY_ENCRYPTION_DATA_KEY_LENGTH: &str = "encryption.data-key-length"; |
There was a problem hiding this comment.
Thanks for adding it. I think I can get rid of the additional argument for data key length In introduced in #2466
xanderbailey
force-pushed
the
xb/encryption-7-table-wiring
branch
from
d2d19e7 to
3bb548e
Compare
mbutrovich
left a comment
mbutrovich
left a comment
There was a problem hiding this comment.
Thanks @xanderbailey! First initial pass, trying to refer back to RFC and spec. I think this looks right:
- The "EM lives on
Table, passed explicitly, FileIO stays encryption-unaware" shape is exactly the decision in RFC #2183 thread. TableBuilder::maybe_configure_encryptionis the function the RFC literally names (RFC §"Catalog Integration", Step 2) with the same three-step logic.- v3-only enforcement matches the format spec (Appendix E) and RFC §"Format Version Requirement".
- Putting
kms_client(...)directly onTableBuilder(rather than the RFC's catalog-levelKmsClientFactory) is acknowledged as interim in the PR description. decrypt_manifest_list_key_metadata(key_id: &str) -> StandardKeyMetadatais the signature negotiated in #2383.- Snapshot
key-idis optional in v3 per spec.md §Snapshots, so(None, _)reading via an EM-equipped table is spec-valid.
| let manifest_list_content = match (&self.encryption_key_id, encryption_manager) { | ||
| (Some(_), None) => { | ||
| return Err(Error::new( | ||
| ErrorKind::FeatureUnsupported, |
There was a problem hiding this comment.
Can we do ErrorKind::PreconditionFailed or ErrorKind::Unexpected here?
There was a problem hiding this comment.
Precondition seems correct
| let input = file_io.new_input(&self.manifest_list)?; | ||
| EncryptedInputFile::new(input, key_metadata).read().await? | ||
| } | ||
| (None, _) => file_io.new_input(&self.manifest_list)?.read().await?, |
There was a problem hiding this comment.
It's non-obvious that there could be an intentionally unused EncryptionManager here, since a table could have unencrypted snapshots in its history. Maybe worth a one-line comment so someone doesn't change this to (None, None).
There was a problem hiding this comment.
Double checked and java does the same https://github.com/apache/iceberg/blob/main/api/src/main/java/org/apache/iceberg/encryption/EncryptingFileIO.java#L120-L125
There was a problem hiding this comment.
This would be nice small place to improve on what Java does, even if its in a follow up comment only PR.
|
|
||
| use bytes::Bytes; | ||
|
|
||
| use crate::encryption::kms::{KeyManagementClient, MemoryKeyManagementClient}; |
There was a problem hiding this comment.
Can we hoist these up near 539?
|
|
||
| let kms_client = kms_client.ok_or_else(|| { | ||
| Error::new( | ||
| ErrorKind::FeatureUnsupported, |
There was a problem hiding this comment.
Same ErrorKind feedback as before. Whatever we pick should be consistent.
| /// Data files within manifests are only deleted if the `gc.enabled` table | ||
| /// property is `true` (the default), to avoid corrupting other tables that | ||
| /// may share the same data files. | ||
| pub async fn drop_table_data( |
There was a problem hiding this comment.
Do we have a test for this code path, even just to make sure future signature changes don't break reading manifest lists?
There was a problem hiding this comment.
I was going to add more tests here when we had all the decryption stuff in, else I'd have to awkwardly construct an encrypted manifest list with unencrypted manifest files which seemed a little wonky to me. WDYT?
There was a problem hiding this comment.
I guess we can defer as long as end up with a test for the codepath. I know it's hard when the features comes in pieces like this.
| &self, | ||
| file_io: &FileIO, | ||
| table_metadata: &TableMetadata, | ||
| encryption_manager: Option<&EncryptionManager>, |
There was a problem hiding this comment.
We had some discussion before, and I think we should add sth like ManifestListLoader to avoid such api changes.
| &self, | ||
| file_io: &FileIO, | ||
| table_metadata: &TableMetadata, | ||
| encryption_manager: Option<&EncryptionManager>, |
There was a problem hiding this comment.
The api should be as following:
impl Table {
pub fn manifest_list_loader(&self, s: &Snapshot) -> Result<ManifestListLoader> {
...
}
}With this approach, we could hide all table related constructs like Runtime, Cache, FileIO to avoid api changes in future.
| )); | ||
| } | ||
|
|
||
| let kms_client = kms_client.ok_or_else(|| { |
There was a problem hiding this comment.
Is this correct? Why user must provide a kms_client for table property?
There was a problem hiding this comment.
If a table_key_id is present (encryption.key-id) then the the user must provide a KMS, the property is telling us that the table is encrypted. If we weren't to fail loudly here I think users would end up with some cryptic deserialize error when they try and read an encrypted manifest list.
There was a problem hiding this comment.
We should log a warning if encryption key is not set, but kms client is provided.
xanderbailey
force-pushed
the
xb/encryption-7-table-wiring
branch
2 times, most recently
from
296ccbf to
f3d4a9b
Compare
|
Thanks so much for your reviews so far @blackmwk, would you mind taking another quick look here when you've got a minute? |
| &self, | ||
| file_io: &FileIO, | ||
| table_metadata: &TableMetadata, | ||
| encryption_manager: Option<&EncryptionManager>, |
There was a problem hiding this comment.
+1 it would be nice to encapsulate these public apis now rather than scramble when Iceberg-Rust eventually preps for its 1.0 release. @blackmwk do you feel strongly about adding a manifest_list_loader method in this PR or a future one?
| let input = file_io.new_input(&self.manifest_list)?; | ||
| EncryptedInputFile::new(input, key_metadata).read().await? | ||
| } | ||
| (None, _) => file_io.new_input(&self.manifest_list)?.read().await?, |
There was a problem hiding this comment.
This would be nice small place to improve on what Java does, even if its in a follow up comment only PR.
| pub cdc_norm_level: i32, | ||
| /// The master key id used to encrypt this table's manifest list and data | ||
| /// files. `None` if `encryption.key-id` is not set. | ||
| pub encryption_key_id: Option<String>, |
There was a problem hiding this comment.
Code style nit pick: we could utilize Rust's match and type system if we had a TableProperties without this and a separate struct for EncryptedTableProperties. The encrypted struct would look like
struct EncryptedTableProperties {
/// The master key id used to encrypt this table's manifest list and data
/// files. `None` if `encryption.key-id` is not set.
pub encryption_key_id: Option<String>,
...TableProperties,
}Then when you need to check to use encrypted vs non-encrypted code paths you would just utilize match and check the type of the table's properties.
There was a problem hiding this comment.
I don't know if ...TableProperties is valid rust is it? Do you mean copy all of the fields out and have an enum for table properties? Seems like adding a new struct here would just be added indirection, WDYT?
| } | ||
|
|
||
| /// Loads a [`ManifestList`] for a snapshot. | ||
| pub struct ManifestListLoader<'a> { |
There was a problem hiding this comment.
This should be moved to manifest_list module.
There was a problem hiding this comment.
Sorry, I made a mistake, we already have a ManifestListWriter, maybe we should call this ManifestListReader?
| /// Loads and returns the [`ManifestList`] for this snapshot. | ||
| pub async fn load(&self) -> Result<ManifestList> { | ||
| self.snapshot | ||
| .load_manifest_list(self.file_io, self.table_metadata, self.encryption_manager) |
There was a problem hiding this comment.
We should move the logic of loading manifest list into this method, and deprecate the load_manifest_list in Snapshot.
|
|
||
| // Encryption is a v3 feature: `encryption-keys` table metadata and the | ||
| // snapshot `key-id` field are introduced in format version 3. | ||
| if metadata.format_version() < FormatVersion::V3 { |
There was a problem hiding this comment.
This logic is odd to me. I think the correct one should be like:
if format_version < v3 {
return Ok(None)
}
// Now we are v3
if encryption_key_id is none {
return None
}
There was a problem hiding this comment.
Happy to make that change, I was trying to test the invariants more explicitly, i.e if we end up with a table with encryption_key_id and you're not V3 then we should shout loudly. But I'm happy with your suggestion
| )); | ||
| } | ||
|
|
||
| let kms_client = kms_client.ok_or_else(|| { |
| )); | ||
| } | ||
|
|
||
| let kms_client = kms_client.ok_or_else(|| { |
There was a problem hiding this comment.
We should log a warning if encryption key is not set, but kms client is provided.
| &self, | ||
| file_io: &FileIO, | ||
| table_metadata: &TableMetadata, | ||
| encryption_manager: Option<&EncryptionManager>, |
There was a problem hiding this comment.
I prefer to move it into a standalone pr.
|
Have moved |
xanderbailey
force-pushed
the
xb/encryption-7-table-wiring
branch
from
f3d4a9b to
2626710
Compare
5 participants
Which issue does this PR close?
What changes are included in this PR?
Wires encryption support into the
Tabletype so that encrypted manifest lists can be read. Adds anEncryptionManageraccessor onTableand ensures it is supplied wherever manifest lists are loaded from snapshots.Also threads the
EncryptionManagerthroughpurge_table/drop_table_dataso that dropping an encrypted table can read its manifest lists and clean up referenced files correctly.A design decision was made whilst reviewing the RFC to keep the EM out of
FileIoand pass it around separately which turns out to be much cleaner.Note that we aren't exposing any sort of configuration for the KMS when building the tables in the catalogs. That will come later. That PR is deliberately coming later to minimise the public surface area whilst this feature is under development.
Also note that
StaticTabledoesn't have the KMS wired in yet since we'd need to merge the KmsFactory to make that code path valid. Similar story is true for wiring this through the catalogs.Are these changes tested?
Yes