Skip to content

(WIP) Remove KMS policies when KMS is not configured #3445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MonkeyCanCode wants to merge 8 commits into from
Closed

(WIP) Remove KMS policies when KMS is not configured #3445

MonkeyCanCode wants to merge 8 commits into from

Conversation

@MonkeyCanCode
Copy link
Contributor

@MonkeyCanCode MonkeyCanCode commented Jan 15, 2026

This PR addressed issues reported in #3440 where when end-user is not using KMS encryption for S3, Polaris still enforces in-lines policies which contains KMS related policies. While fixing this issue, I noticed our read-only policy for kMS is a bit too wide where GenerateDataKey and GenerateDataKeyWithoutPlaintext should be belongs to write operation instead of read. Thus, this PR also addresses this issue.

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Jan 15, 2026
@MonkeyCanCode MonkeyCanCode requested a review from dimas-b January 15, 2026 02:01
@MonkeyCanCode MonkeyCanCode mentioned this pull request Jan 15, 2026
Open
dimas-b
dimas-b reviewed Jan 15, 2026
View reviewed changes
...core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java Outdated
if (hasCurrentKey || hasAllowedKeys) {
policyBuilder.addStatement(allowKms.build());
} else if (!canWrite) {
} else if (!canWrite && region != null && accountId != null) {
Copy link
Contributor

@dimas-b dimas-b Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this else condition will now be evaluated when hasCurrentKey == true and hasAllowedKeys == false, but it was not evaluated in that case before 🤔 WDYT?

Copy link
Contributor Author

@MonkeyCanCode MonkeyCanCode Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick review @dimas-b and that is a fair point which I missed. It appears this is really specific for handling s3 and s3-compatible and I am not sure if the above logic will break or not due to lack of infra to test. I had made the needed code changes to preserve this workflow. Please take another look when you get a chance.

Copy link
Contributor

@dimas-b dimas-b Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thx - LGTM 👍

dimas-b
dimas-b previously approved these changes Jan 15, 2026
View reviewed changes
@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Jan 15, 2026
@dimas-b
Copy link
Contributor

dimas-b commented Jan 15, 2026

CC: @fabio-rizzo-01

@dimas-b dimas-b requested a review from adutra January 19, 2026 19:32
dimas-b
dimas-b reviewed Jan 20, 2026
View reviewed changes
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java
Comment on lines +1415 to +1417
if (currentMetadata != null) {
tableFileIO =
loadFileIOForTableLike(
Copy link
Contributor

@dimas-b dimas-b Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is that related to KMS policies?

Copy link
Contributor

@dimas-b dimas-b Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it's just a parallel bugfix, I'd prefer to make it in a separate PR for the sake of clarity 🤔 WDYT?

Copy link
Contributor Author

@MonkeyCanCode MonkeyCanCode Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Appear to be a parallel bug. I am waiting for testing from reporter then I can split this into two PRs. Currently if we merged current PR, it will trigger diff error from reporter.

Copy link
Contributor

@dimas-b dimas-b Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good - thx!

@MonkeyCanCode MonkeyCanCode changed the title (fix) Remove KMS policies when KMS is not configured (WIP) Remove KMS policies when KMS is not configured Jan 21, 2026
@MonkeyCanCode
Copy link
Contributor Author

MonkeyCanCode commented Jan 21, 2026

Close this one and opened three different PRs for easier review:

  1. (fix) Remove KMS policies when KMS is not configured and improved default KMS permission for RO/RW #3493
  2. (NOT_READY) Fixed IcebergCatalog stale FileIO after metadata refresh #3494
  3. DO-NOT-MERGE (fix) Refined AWS vs non-AWS detection for S3-compatible storage #3496

@github-project-automation github-project-automation bot moved this from Ready to merge to Done in Basic Kanban Board Jan 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dimas-b dimas-b dimas-b left review comments

@adutra adutra Awaiting requested review from adutra

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MonkeyCanCode @dimas-b