infra: hive encryption integration test

Author: smaheshwar-pltr

Makefile

@@ -16,7 +16,7 @@
 # under the License.
 .PHONY: help install install-uv check-license lint \
         test test-integration test-integration-setup test-integration-exec test-integration-cleanup test-integration-rebuild \
-        test-s3 test-adls test-gcs test-coverage coverage-report test test-notebook\
+        test-s3 test-adls test-gcs test-coverage coverage-report \
         docs-serve docs-build notebook notebook-infra \
         clean
 
@@ -38,10 +38,12 @@ else
   PYTHON_ARG =
 endif
 
+# --no-sync so that overlays applied after `make install` (e.g. install-pyarrow-nightly for
+# the encryption integration test) aren't reverted by uv re-syncing the lockfile on `uv run`.
 ifeq ($(COVERAGE),1)
-  TEST_RUNNER = uv run $(PYTHON_ARG) python -m coverage run --parallel-mode --source=pyiceberg -m
+  TEST_RUNNER = uv run --no-sync $(PYTHON_ARG) python -m coverage run --parallel-mode --source=pyiceberg -m
 else
-  TEST_RUNNER = uv run $(PYTHON_ARG) python -m
+  TEST_RUNNER = uv run --no-sync $(PYTHON_ARG) python -m
 endif
 
 ifeq ($(KEEP_COMPOSE),1)
@@ -108,12 +110,19 @@ test: ## Run all unit tests (excluding integration)
 
 test-integration: test-integration-setup test-integration-exec test-integration-cleanup ## Run integration tests
 
-test-integration-setup: install ## Start Docker services for integration tests
+test-integration-setup: install install-pyarrow-nightly ## Start Docker services for integration tests
 	docker compose -f dev/docker-compose-integration.yml kill
 	docker compose -f dev/docker-compose-integration.yml rm -f
 	docker compose -f dev/docker-compose-integration.yml up -d --build --wait
 	uv run $(PYTHON_ARG) python dev/provision.py
 
+# Parquet Modular Encryption decryption (tests/integration/test_encryption.py) needs the
+# pyarrow.parquet.encryption.create_decryption_properties API from apache/arrow#49667. That
+# lands in pyarrow 25, which hasn't been released — pull the nightly until it is.
+install-pyarrow-nightly: ## Overlay nightly pyarrow on top of the installed env (for PME)
+	uv pip install $(PYTHON_ARG) --prerelease=allow --upgrade --force-reinstall \
+		-i https://pypi.anaconda.org/scientific-python-nightly-wheels/simple pyarrow
+
 test-integration-exec: ## Run integration tests (excluding provision)
 	$(TEST_RUNNER) pytest tests/ -m integration $(PYTEST_ARGS)
 
@@ -150,9 +159,6 @@ coverage-report: ## Combine and report coverage
 	uv run $(PYTHON_ARG) coverage html
 	uv run $(PYTHON_ARG) coverage xml
 
-test-notebook: ## Run notebook tests (pyiceberg_example and spark_integration_example) via papermill
-	$(TEST_RUNNER) pytest tests/notebooks/test_pyiceberg_example.py tests/notebooks/test_spark_integration_example.py -m notebook $(PYTEST_ARGS)
-
 # ================
 # Documentation
 # ================

dev/provision.py

@@ -395,3 +395,13 @@
     )
     spark.sql(f"ALTER TABLE {catalog_name}.default.test_empty_scan_ordered_str WRITE ORDERED BY id")
     spark.sql(f"INSERT INTO {catalog_name}.default.test_empty_scan_ordered_str VALUES 'a', 'c'")
+
+# Encrypted Iceberg table written via Spark, read back via PyIceberg in tests/integration/test_encryption.py.
+# Only the Hive catalog is configured with a Java-side KMS (encryption.kms-impl=UnitestKMS); the REST catalog
+# image does not ship UnitestKMS so we limit this fixture to Hive.
+spark.sql("""
+    CREATE OR REPLACE TABLE hive.default.test_encrypted (id bigint, data string, value float)
+    USING iceberg
+    TBLPROPERTIES ('encryption.key-id'='keyA', 'format-version'='3')
+""")
+spark.sql("INSERT INTO hive.default.test_encrypted VALUES (1, 'alice', 1.0), (2, 'bob', 2.0), (3, 'charlie', 3.0)")

dev/spark/Dockerfile

@@ -18,8 +18,10 @@ ARG BASE_IMAGE_SPARK_VERSION=4.0.1
 FROM apache/spark:${BASE_IMAGE_SPARK_VERSION}
 
 # Dependency versions - keep these compatible
-# Changing these will invalidate the JAR download cache layer
-ARG ICEBERG_VERSION=1.10.1
+# Changing these will invalidate the JAR download cache layer.
+# Iceberg 1.11.0 carries the Hive encryption integration (apache/iceberg#13066) — the prior
+# 1.10.x release predates that work and silently no-ops encryption.kms-impl / encryption.key-id.
+ARG ICEBERG_VERSION=1.11.0
 ARG ICEBERG_SPARK_RUNTIME_VERSION=4.0_2.13
 ARG HADOOP_VERSION=3.4.1
 ARG AWS_SDK_VERSION=2.24.6
@@ -36,13 +38,15 @@ RUN apt-get update -qq && \
     mkdir -p /home/iceberg/spark-events && \
     chown -R spark:spark /home/iceberg
 
-# Download JARs with retry logic (most cacheable - only changes when versions change)
-# This is the slowest step, so we do it before copying config files
+# Download JARs with retry logic (most cacheable - only changes when versions change).
+# iceberg-core-${ICEBERG_VERSION}-tests.jar ships org.apache.iceberg.encryption.UnitestKMS, a
+# fixed-master-key KMS used by the encryption integration test on the Spark write path.
 RUN set -e && \
     cd "${SPARK_HOME}/jars" && \
     for jar_path in \
         "org/apache/iceberg/iceberg-spark-runtime-${ICEBERG_SPARK_RUNTIME_VERSION}/${ICEBERG_VERSION}/iceberg-spark-runtime-${ICEBERG_SPARK_RUNTIME_VERSION}-${ICEBERG_VERSION}.jar" \
         "org/apache/iceberg/iceberg-aws-bundle/${ICEBERG_VERSION}/iceberg-aws-bundle-${ICEBERG_VERSION}.jar" \
+        "org/apache/iceberg/iceberg-core/${ICEBERG_VERSION}/iceberg-core-${ICEBERG_VERSION}-tests.jar" \
         "org/apache/hadoop/hadoop-aws/${HADOOP_VERSION}/hadoop-aws-${HADOOP_VERSION}.jar" \
         "software/amazon/awssdk/bundle/${AWS_SDK_VERSION}/bundle-${AWS_SDK_VERSION}.jar"; \
     do \

dev/spark/spark-defaults.conf

@@ -34,6 +34,11 @@ spark.sql.catalog.hive.io-impl         org.apache.iceberg.aws.s3.S3FileIO
 spark.sql.catalog.hive.warehouse       s3://warehouse/hive/
 spark.sql.catalog.hive.s3.endpoint     http://minio:9000
 
+# Test-only KMS so Spark can write encrypted Iceberg tables for the encryption integration test.
+# UnitestKMS comes from iceberg-core-<version>-tests.jar and uses fixed master keys ("keyA",
+# "keyB") that match the InMemoryKms config used on the PyIceberg side.
+spark.sql.catalog.hive.encryption.kms-impl  org.apache.iceberg.encryption.UnitestKMS
+
 # Configure Spark's default session catalog (spark_catalog) to use Iceberg backed by the Hive Metastore
 spark.sql.catalog.spark_catalog        org.apache.iceberg.spark.SparkSessionCatalog
 spark.sql.catalog.spark_catalog.type   hive

tests/integration/test_encryption.py

@@ -0,0 +1,112 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""Reads of Spark-written, Parquet-encrypted Iceberg tables via PyIceberg.
+
+The encrypted table (`hive.default.test_encrypted`) is provisioned by `dev/provision.py`
+using Spark with `encryption.kms-impl=org.apache.iceberg.encryption.UnitestKMS`. UnitestKMS
+ships hardcoded master keys (keyA=b"0123456789012345", keyB=b"1123456789012345"); we mirror
+those bytes here through PyIceberg's InMemoryKms so unwrapping succeeds.
+
+Decryption of the data files requires PyArrow's `parquet.encryption.create_decryption_properties`
+API, which is available in PyArrow >= 25 (currently shipped only via the nightly wheels). See
+the Makefile target `install-pyarrow-nightly`.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+from pyiceberg.catalog import load_catalog
+
+# UnitestKMS master keys, hex-encoded so they can be set as catalog properties and parsed by
+# InMemoryKms.initialize (`encryption.kms.key.<id>=<hex>`).
+_KEY_A_HEX = b"0123456789012345".hex()
+_KEY_B_HEX = b"1123456789012345".hex()
+
+
+@pytest.fixture(scope="module")
+def hive_catalog_with_kms():  # type: ignore[no-untyped-def]
+    return load_catalog(
+        "local",
+        **{
+            "type": "hive",
+            "uri": "thrift://localhost:9083",
+            "s3.endpoint": "http://localhost:9000",
+            "s3.access-key-id": "admin",
+            "s3.secret-access-key": "password",
+            "py-kms-impl": "pyiceberg.encryption.kms.InMemoryKms",
+            "encryption.kms.key.keyA": _KEY_A_HEX,
+            "encryption.kms.key.keyB": _KEY_B_HEX,
+        },
+    )
+
+
+@pytest.mark.integration
+def test_encrypted_table_metadata(hive_catalog_with_kms) -> None:  # type: ignore[no-untyped-def]
+    tbl = hive_catalog_with_kms.load_table("default.test_encrypted")
+
+    assert tbl.metadata.format_version == 3
+    assert tbl.metadata.properties.get("encryption.key-id") == "keyA"
+    assert tbl.metadata.encryption_keys, "expected encryption keys on table metadata"
+
+    snapshot = tbl.current_snapshot()
+    assert snapshot is not None
+    assert snapshot.key_id is not None, "expected key_id on current snapshot"
+
+
+@pytest.mark.integration
+def test_encrypted_table_to_arrow(hive_catalog_with_kms) -> None:  # type: ignore[no-untyped-def]
+    tbl = hive_catalog_with_kms.load_table("default.test_encrypted")
+
+    result = tbl.scan().to_arrow().sort_by("id")
+
+    assert result.num_rows == 3
+    assert result.column("id").to_pylist() == [1, 2, 3]
+    assert result.column("data").to_pylist() == ["alice", "bob", "charlie"]
+    assert result.column("value").to_pylist() == [1.0, 2.0, 3.0]
+
+
+@pytest.mark.integration
+def test_encrypted_table_to_pandas(hive_catalog_with_kms) -> None:  # type: ignore[no-untyped-def]
+    tbl = hive_catalog_with_kms.load_table("default.test_encrypted")
+
+    df = tbl.scan().to_pandas().sort_values("id").reset_index(drop=True)
+
+    assert list(df["id"]) == [1, 2, 3]
+    assert list(df["data"]) == ["alice", "bob", "charlie"]
+    assert list(df["value"]) == [1.0, 2.0, 3.0]
+
+
+@pytest.mark.integration
+def test_encrypted_table_to_duckdb(hive_catalog_with_kms) -> None:  # type: ignore[no-untyped-def]
+    tbl = hive_catalog_with_kms.load_table("default.test_encrypted")
+
+    con = tbl.scan().to_duckdb("encrypted")
+    rows = con.execute("SELECT id, data, value FROM encrypted ORDER BY id").fetchall()
+
+    assert rows == [(1, "alice", 1.0), (2, "bob", 2.0), (3, "charlie", 3.0)]
+
+
+@pytest.mark.integration
+def test_encrypted_table_to_polars(hive_catalog_with_kms) -> None:  # type: ignore[no-untyped-def]
+    tbl = hive_catalog_with_kms.load_table("default.test_encrypted")
+
+    df = tbl.scan().to_polars().sort("id")
+
+    assert df["id"].to_list() == [1, 2, 3]
+    assert df["data"].to_list() == ["alice", "bob", "charlie"]
+    assert df["value"].to_list() == [1.0, 2.0, 3.0]