add missing parts

Author: ggershinsky

core/src/main/java/org/apache/iceberg/BaseMetastoreTableOperations.java

@@ -214,7 +214,7 @@ protected void refreshFromMetadataLocation(
     this.shouldRefresh = false;
   }
 
-  private String metadataFileLocation(TableMetadata metadata, String filename) {
+  protected String metadataFileLocation(TableMetadata metadata, String filename) {
     String metadataLocation = metadata.properties().get(TableProperties.WRITE_METADATA_LOCATION);
 
     if (metadataLocation != null) {

core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java

@@ -75,7 +75,7 @@ public static KeyManagementClient createKmsClient(Map<String, String> catalogPro
     return kmsClient;
   }
 
-  static EncryptionManager createEncryptionManager(
+  public static EncryptionManager createEncryptionManager(
       List<EncryptedKey> keys, Map<String, String> tableProperties, KeyManagementClient kmsClient) {
     Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null");
     String tableKeyId = tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY);
@@ -96,7 +96,7 @@ static EncryptionManager createEncryptionManager(
         "Invalid data key length: %s (must be 16, 24, or 32)",
         dataKeyLength);
 
-    return new StandardEncryptionManager(tableKeyId, dataKeyLength, kmsClient);
+    return new StandardEncryptionManager(keys, tableKeyId, dataKeyLength, kmsClient);
   }
 
   public static EncryptedOutputFile plainAsEncryptedOutput(OutputFile encryptingOutputFile) {
@@ -128,6 +128,14 @@ public static ByteBuffer decryptManifestListKeyMetadata(
     return ByteBuffer.wrap(decryptedKeyMetadata);
   }
 
+  public static Map<String, EncryptedKey> encryptionKeys(EncryptionManager em) {
+    Preconditions.checkState(
+        em instanceof StandardEncryptionManager,
+        "Retrieving encryption keys requires a StandardEncryptionManager");
+    StandardEncryptionManager sem = (StandardEncryptionManager) em;
+    return sem.encryptionKeys();
+  }
+
   /**
    * Encrypts the key metadata for a manifest list.
    *

core/src/main/java/org/apache/iceberg/encryption/StandardEncryptionManager.java

@@ -23,6 +23,7 @@
 import java.nio.ByteBuffer;
 import java.security.SecureRandom;
 import java.util.Base64;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 import org.apache.iceberg.TableProperties;
@@ -46,9 +47,19 @@ private class TransientEncryptionState {
     private final Map<String, EncryptedKey> encryptionKeys;
     private final LoadingCache<String, ByteBuffer> unwrappedKeyCache;
 
-    private TransientEncryptionState(KeyManagementClient kmsClient) {
+    private TransientEncryptionState(KeyManagementClient kmsClient, List<EncryptedKey> keys) {
       this.kmsClient = kmsClient;
       this.encryptionKeys = Maps.newLinkedHashMap();
+
+      if (keys != null) {
+        for (EncryptedKey key : keys) {
+          encryptionKeys.put(
+              key.keyId(),
+              new BaseEncryptedKey(
+                  key.keyId(), key.encryptedKeyMetadata(), key.encryptedById(), key.properties()));
+        }
+      }
+
       this.unwrappedKeyCache =
           Caffeine.newBuilder()
               .expireAfterWrite(1, TimeUnit.HOURS)
@@ -64,20 +75,33 @@ private TransientEncryptionState(KeyManagementClient kmsClient) {
   private transient volatile SecureRandom lazyRNG = null;
 
   /**
+   * @deprecated will be removed in 2.0.
+   */
+  @Deprecated
+  public StandardEncryptionManager(
+      String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+    this(List.of(), tableKeyId, dataKeyLength, kmsClient);
+  }
+
+  /**
+   * @param keys encryption keys from table metadata
    * @param tableKeyId table encryption key id
    * @param dataKeyLength length of data encryption key (16/24/32 bytes)
    * @param kmsClient Client of KMS used to wrap/unwrap keys in envelope encryption
    */
   public StandardEncryptionManager(
-      String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) {
+      List<EncryptedKey> keys,
+      String tableKeyId,
+      int dataKeyLength,
+      KeyManagementClient kmsClient) {
     Preconditions.checkNotNull(tableKeyId, "Invalid encryption key ID: null");
     Preconditions.checkArgument(
         dataKeyLength == 16 || dataKeyLength == 24 || dataKeyLength == 32,
         "Invalid data key length: %s (must be 16, 24, or 32)",
         dataKeyLength);
     Preconditions.checkNotNull(kmsClient, "Invalid KMS client: null");
     this.tableKeyId = tableKeyId;
-    this.transientState = new TransientEncryptionState(kmsClient);
+    this.transientState = new TransientEncryptionState(kmsClient, keys);
     this.dataKeyLength = dataKeyLength;
   }
 
@@ -134,6 +158,14 @@ public ByteBuffer unwrapKey(ByteBuffer wrappedSecretKey) {
     return transientState.kmsClient.unwrapKey(wrappedSecretKey, tableKeyId);
   }
 
+  Map<String, EncryptedKey> encryptionKeys() {
+    if (transientState == null) {
+      throw new IllegalStateException("Cannot return the encryption keys after serialization");
+    }
+
+    return transientState.encryptionKeys;
+  }
+
   private String keyEncryptionKeyID() {
     if (transientState == null) {
       throw new IllegalStateException("Cannot return the current key after serialization");

hive-metastore/src/main/java/org/apache/iceberg/hive/HiveTableOperations.java

@@ -84,7 +84,7 @@ public class HiveTableOperations extends BaseMetastoreTableOperations
 
   private EncryptionManager encryptionManager;
   private EncryptingFileIO encryptingFileIO;
-  private String encryptionKeyId;
+  private String tableKeyId;
   private int encryptionDekLength;
   private List<EncryptedKey> encryptedKeysFromMetadata;
 
@@ -119,7 +119,7 @@ protected String tableName() {
 
   @Override
   public FileIO io() {
-    if (encryptionKeyId == null) {
+    if (tableKeyId == null) {
       return fileIO;
     }
 
@@ -136,19 +136,19 @@ public EncryptionManager encryption() {
       return encryptionManager;
     }
 
-    if (encryptionKeyId != null) {
+    if (tableKeyId != null) {
       if (keyManagementClient == null) {
         throw new RuntimeException(
             "Cant create encryption manager, because key management client is not set");
       }
 
-      Map<String, String> tableProperties = Maps.newHashMap();
-      tableProperties.put(TableProperties.ENCRYPTION_TABLE_KEY, encryptionKeyId);
-      tableProperties.put(
+      Map<String, String> encryptionProperties = Maps.newHashMap();
+      encryptionProperties.put(TableProperties.ENCRYPTION_TABLE_KEY, tableKeyId);
+      encryptionProperties.put(
           TableProperties.ENCRYPTION_DEK_LENGTH, String.valueOf(encryptionDekLength));
       encryptionManager =
           EncryptionUtil.createEncryptionManager(
-              encryptedKeysFromMetadata, tableProperties, keyManagementClient);
+              encryptedKeysFromMetadata, encryptionProperties, keyManagementClient);
     } else {
       return PlaintextEncryptionManager.instance();
     }
@@ -159,7 +159,7 @@ public EncryptionManager encryption() {
   @Override
   protected void doRefresh() {
     String metadataLocation = null;
-    String encryptionKeyIdFromHMS = null;
+    String tableKeyIdFromHMS = null;
     String dekLengthFromHMS = null;
     try {
       Table table = metaClients.run(client -> client.getTable(database, tableName));
@@ -170,9 +170,12 @@ protected void doRefresh() {
       HiveOperationsBase.validateTableIsIceberg(table, fullName);
 
       metadataLocation = table.getParameters().get(METADATA_LOCATION_PROP);
-      encryptionKeyIdFromHMS = table.getParameters().get(TableProperties.ENCRYPTION_TABLE_KEY);
+      /* Table key ID must be retrieved from a catalog service, and not from untrusted storage
+      (e.g. metadata json file) that can be tampered with. For example, an attacker can remove
+      the table key parameter (along with existing snapshots) in the file, making the writers
+      produce unencrypted files. Table key ID is taken directly from HMS catalog */
+      tableKeyIdFromHMS = table.getParameters().get(TableProperties.ENCRYPTION_TABLE_KEY);
       dekLengthFromHMS = table.getParameters().get(TableProperties.ENCRYPTION_DEK_LENGTH);
-
     } catch (NoSuchObjectException e) {
       if (currentMetadataLocation() != null) {
         throw new NoSuchTableException("No such table: %s.%s", database, tableName);
@@ -188,18 +191,16 @@ protected void doRefresh() {
       throw new RuntimeException("Interrupted during refresh", e);
     }
 
-    if (encryptionKeyIdFromHMS != null) {
-      encryptionKeyId = encryptionKeyIdFromHMS; // todo gg
+    refreshFromMetadataLocation(metadataLocation, metadataRefreshMaxRetries);
+
+    if (tableKeyIdFromHMS != null) {
+      tableKeyId = tableKeyIdFromHMS;
       encryptionDekLength =
           (dekLengthFromHMS != null)
               ? Integer.parseInt(dekLengthFromHMS)
-              : TableProperties.ENCRYPTION_DEK_LENGTH_DEFAULT; // todo gg
-    }
+              : TableProperties.ENCRYPTION_DEK_LENGTH_DEFAULT;
 
-    refreshFromMetadataLocation(metadataLocation, metadataRefreshMaxRetries);
-
-    if (encryptionKeyIdFromHMS != null) {
-      checkEncryptionProperties(encryptionKeyIdFromHMS, dekLengthFromHMS);
+      checkEncryptionProperties(tableKeyIdFromHMS, dekLengthFromHMS);
       encryptedKeysFromMetadata = current().encryptionKeys();
     }
   }
@@ -210,16 +211,20 @@ protected void doCommit(TableMetadata base, TableMetadata metadata) {
     boolean newTable = base == null;
     encryptionPropsFromMetadata(metadata.properties());
 
+    String newMetadataLocation;
     if (encryption() instanceof StandardEncryptionManager) {
+      // Add new encryption keys to the metadata
       TableMetadata.Builder builder = TableMetadata.buildFrom(metadata);
       for (Map.Entry<String, EncryptedKey> entry :
           EncryptionUtil.encryptionKeys(encryption()).entrySet()) {
         builder.addEncryptionKey(entry.getValue());
       }
-      metadata = builder.build();
+
+      newMetadataLocation = writeNewMetadataIfRequired(newTable, builder.build());
+    } else {
+      newMetadataLocation = writeNewMetadataIfRequired(newTable, metadata);
     }
 
-    String newMetadataLocation = writeNewMetadataIfRequired(newTable, metadata);
     boolean hiveEngineEnabled = hiveEngineEnabled(metadata, conf);
     boolean keepHiveStats = conf.getBoolean(ConfigProperties.KEEP_HIVE_STATS, false);
 
@@ -272,10 +277,9 @@ protected void doCommit(TableMetadata base, TableMetadata metadata) {
       // get Iceberg props that have been removed
       Set<String> removedProps = Collections.emptySet();
       if (base != null) {
-        TableMetadata finalMetadata = metadata;
         removedProps =
             base.properties().keySet().stream()
-                .filter(key -> !finalMetadata.properties().containsKey(key))
+                .filter(key -> !metadata.properties().containsKey(key))
                 .collect(Collectors.toSet());
       }
 
@@ -410,6 +414,54 @@ public ClientPool<IMetaStoreClient, TException> metaClients() {
     return metaClients;
   }
 
+  @Override
+  public TableOperations temp(TableMetadata uncommittedMetadata) {
+    return new TableOperations() {
+      @Override
+      public TableMetadata current() {
+        return uncommittedMetadata;
+      }
+
+      @Override
+      public TableMetadata refresh() {
+        throw new UnsupportedOperationException(
+            "Cannot call refresh on temporary table operations");
+      }
+
+      @Override
+      public void commit(TableMetadata base, TableMetadata metadata) {
+        throw new UnsupportedOperationException("Cannot call commit on temporary table operations");
+      }
+
+      @Override
+      public String metadataFileLocation(String fileName) {
+        return HiveTableOperations.this.metadataFileLocation(uncommittedMetadata, fileName);
+      }
+
+      @Override
+      public LocationProvider locationProvider() {
+        return LocationProviders.locationsFor(
+            uncommittedMetadata.location(), uncommittedMetadata.properties());
+      }
+
+      @Override
+      public FileIO io() {
+        HiveTableOperations.this.encryptionPropsFromMetadata(uncommittedMetadata.properties());
+        return HiveTableOperations.this.io();
+      }
+
+      @Override
+      public EncryptionManager encryption() {
+        return HiveTableOperations.this.encryption();
+      }
+
+      @Override
+      public long newSnapshotId() {
+        return HiveTableOperations.this.newSnapshotId();
+      }
+    };
+  }
+
   /**
    * Returns if the hive engine related values should be enabled on the table, or not.
    *
@@ -465,11 +517,11 @@ private static boolean hiveLockEnabled(TableMetadata metadata, Configuration con
   }
 
   private void encryptionPropsFromMetadata(Map<String, String> tableProperties) {
-    if (encryptionKeyId == null) {
-      encryptionKeyId = tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY);
+    if (tableKeyId == null) {
+      tableKeyId = tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY);
     }
 
-    if (encryptionKeyId != null && encryptionDekLength <= 0) {
+    if (tableKeyId != null && encryptionDekLength <= 0) {
       String dekLength = tableProperties.get(TableProperties.ENCRYPTION_DEK_LENGTH);
       encryptionDekLength =
           (dekLength == null)
@@ -483,7 +535,7 @@ private void checkEncryptionProperties(String encryptionKeyIdFromHMS, String dek
 
     String encryptionKeyIdFromMetadata =
         propertiesFromMetadata.get(TableProperties.ENCRYPTION_TABLE_KEY);
-    if (!encryptionKeyIdFromHMS.equals(encryptionKeyIdFromMetadata)) {
+    if (!Objects.equals(encryptionKeyIdFromHMS, encryptionKeyIdFromMetadata)) {
       String errMsg =
           String.format(
               "Metadata file might have been modified. Encryption key id %s differs from HMS value %s",

hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCommitLocks.java

@@ -185,6 +185,7 @@ public void before() throws Exception {
                 overriddenHiveConf,
                 spyCachedClientPool,
                 ops.io(),
+                null,
                 catalog.name(),
                 dbName,
                 tableName));
@@ -615,6 +616,7 @@ public void testNoLockCallsWithNoLock() throws TException {
                 confWithLock,
                 spyCachedClientPool,
                 ops.io(),
+                null,
                 catalog.name(),
                 TABLE_IDENTIFIER.namespace().level(0),
                 TABLE_IDENTIFIER.name()));