[GitHub] [iceberg] andersonm-ibm commented on pull request #4080: Add VaultKmsClient as an example KMS client implementation

[GitBox <gi...@apache.org>]

andersonm-ibm commented on pull request #4080:
URL: https://github.com/apache/iceberg/pull/4080#issuecomment-1034553840


   > Why can't it be used in production, and what if I want to use it in production? Can you help me understand?
   > 
   > @andersonm-ibm
   
   Hi @liujinhui1994 . This can be used as the basis for the production-grade KMS client. However, some of the reasons for this not being production-ready, in no specific order:
   
   - We won't be supporting changes in Vault API, which might break this client , or maintaining different versions of this client
   - More flexibility might be needed in the definition of the path to the transit engine, which in this example is hardcoded to  "/v1/transit"
   - The final decision on how to pass the access token might depend on the production environment and company policies
   - Error handling can be made more tailored to specific use cases. For example, if you need to differentiate the cases where Vault doesn't grant access to the keys, then you would define a specific exception
   - More rigorous testing would be required to cover all the scenarios relevant to a production environment


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@iceberg.apache.org
For additional commands, e-mail: issues-help@iceberg.apache.org