Class GcpKeyManagementClient

java.lang.Object
org.apache.iceberg.gcp.GcpKeyManagementClient
All Implemented Interfaces:
Closeable, Serializable, AutoCloseable, KeyManagementClient

public class GcpKeyManagementClient extends Object implements KeyManagementClient
Key management client implementation that uses Google Cloud Key Management. It is used for encrypting and decrypting keys with a KMS-managed master key, which is referenced by its key ID.

Uses GcpKeyManagementClient.ByteStringShim to ensure this class works with and without iceberg-gcp-bundle. Since the bundle relocates ByteString, all related methods need to be loaded dynamically. At runtime, if the relocated class is observed, it is preferred over the original one.

  • Constructor Details

    • GcpKeyManagementClient

      public GcpKeyManagementClient()
  • Method Details

    • initialize

      public void initialize(Map<String,String> properties)
      Description copied from interface: KeyManagementClient
      Initialize the KMS client with given properties.
      Specified by:
      initialize in interface KeyManagementClient
      Parameters:
      properties - kms client properties
    • wrapKey

      public ByteBuffer wrapKey(ByteBuffer key, String wrappingKeyId)
      Description copied from interface: KeyManagementClient
      Wrap a secret key, using a wrapping/master key which is stored in KMS and referenced by an ID. Wrapping means encryption of the secret key with the master key, and adding optional KMS-specific metadata that allows the KMS to decrypt the secret key in an unwrapping call.
      Specified by:
      wrapKey in interface KeyManagementClient
      Parameters:
      key - a secret key being wrapped
      wrappingKeyId - a key ID that represents a wrapping key stored in KMS
      Returns:
      wrapped key material
    • unwrapKey

      public ByteBuffer unwrapKey(ByteBuffer wrappedKey, String wrappingKeyId)
      Description copied from interface: KeyManagementClient
      Unwrap a secret key, using a wrapping/master key which is stored in KMS and referenced by an ID.
      Specified by:
      unwrapKey in interface KeyManagementClient
      Parameters:
      wrappedKey - wrapped key material (encrypted key and optional KMS metadata, returned by the wrapKey method)
      wrappingKeyId - a key ID that represents a wrapping key stored in KMS
      Returns:
      raw key bytes
    • close

      public void close()
      Description copied from interface: KeyManagementClient
      Close the KMS client to release underlying resources. This could be triggered in different threads when KmsClient is shared by multiple encryption managers.
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Specified by:
      close in interface KeyManagementClient
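
A round trip through wrapKey and unwrapKey as described above, written as an added example that is not part of the Iceberg documentation or code base. It assumes iceberg-gcp and Google Cloud credentials are available at runtime, that the wrapping key ID is passed as the first program argument, and that an empty properties map is acceptable to initialize (this page lists no property names).

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.apache.iceberg.gcp.GcpKeyManagementClient;

public class WrapRoundTrip {
  public static void main(String[] args) {
    // Assumption: args[0] is the ID of a wrapping key that already exists in the KMS.
    String wrappingKeyId = args[0];
    // Assumption: no client properties are needed; the page does not name any.
    Map<String, String> properties = new HashMap<>();

    byte[] dataKey = new byte[16]; // constructed sample secret key
    new SecureRandom().nextBytes(dataKey);
    byte[] recovered = null;

    // close() declares no checked exception, so no catch block is required.
    try (GcpKeyManagementClient kms = new GcpKeyManagementClient()) {
      kms.initialize(properties);

      // Only the wrapped form is suitable for storing next to the data;
      // the master key stays in KMS and is referenced by ID alone.
      byte[] wrapped = toBytes(kms.wrapKey(ByteBuffer.wrap(dataKey), wrappingKeyId));

      // Unwrapping takes the wrapped material exactly as wrapKey returned it.
      recovered = toBytes(kms.unwrapKey(ByteBuffer.wrap(wrapped), wrappingKeyId));

      // Constant-time comparison of the original and recovered key bytes.
      if (!MessageDigest.isEqual(dataKey, recovered)) {
        throw new IllegalStateException("unwrapped key differs from original");
      }
      System.out.println("round trip ok, wrapped length = " + wrapped.length);
    } finally {
      // Clear plaintext key bytes once they are no longer needed.
      Arrays.fill(dataKey, (byte) 0);
      if (recovered != null) {
        Arrays.fill(recovered, (byte) 0);
      }
    }
  }

  // Copies the readable bytes without relying on a backing array or moving the position.
  static byte[] toBytes(ByteBuffer buf) {
    byte[] out = new byte[buf.remaining()];
    buf.duplicate().get(out);
    return out;
  }
}
```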