tests: assert direct parquet read fails, polish PME error message

smaheshwar-pltr · smaheshwar-pltr · commit a511f4c6efba · 2026-05-29T02:24:32.000+01:00
diff --git a/pyiceberg/io/pyarrow.py b/pyiceberg/io/pyarrow.py
@@ -1120,14 +1120,20 @@ def _get_file_format(file_format: FileFormat, **kwargs: dict[str, Any]) -> ds.Fi
 def _get_decryption_properties(key_metadata_bytes: bytes) -> Any:
     """Build FileDecryptionProperties from Iceberg key metadata.
 
-    Requires a custom PyArrow build with pyarrow.parquet.encryption support.
+    Requires PyArrow >= 25 (currently nightly-only) for the direct-key
+    `create_decryption_properties` API added by apache/arrow#49667.
     """
     try:
         import pyarrow.parquet.encryption as pe
+
+        if not hasattr(pe, "create_decryption_properties"):
+            raise ImportError("create_decryption_properties not available")
     except ImportError as e:
         raise ImportError(
-            "Parquet Modular Encryption requires a PyArrow build with encryption support. "
-            "See PYARROW_ENCRYPTION_HANDOFF.md for build instructions."
+            "Parquet Modular Encryption requires PyArrow >= 25 with the direct-key API "
+            "(apache/arrow#49667). Until it releases, install the nightly: "
+            "`make install-pyarrow-nightly` (or `uv pip install -i "
+            "https://pypi.anaconda.org/scientific-python-nightly-wheels/simple pyarrow`)."
         ) from e
 
     from pyiceberg.encryption.key_metadata import StandardKeyMetadata
diff --git a/tests/integration/test_encryption.py b/tests/integration/test_encryption.py
@@ -110,3 +110,24 @@ def test_encrypted_table_to_polars(hive_catalog_with_kms) -> None:  # type: igno
     assert df["id"].to_list() == [1, 2, 3]
     assert df["data"].to_list() == ["alice", "bob", "charlie"]
     assert df["value"].to_list() == [1.0, 2.0, 3.0]
+
+
+@pytest.mark.integration
+def test_encrypted_table_direct_parquet_read_fails(hive_catalog_with_kms) -> None:  # type: ignore[no-untyped-def]
+    """Canary: a raw PyArrow read of a data file without decryption properties must fail.
+
+    Mirrors iceberg-java's TestTableEncryption#testDirectDataFileRead, which proves the data
+    files are genuinely PME-encrypted by asserting that reading them without the keys raises
+    ParquetCryptoRuntimeException. Without this check, the read tests above could silently pass
+    on plaintext Parquet and the POC would be meaningless.
+    """
+    import pyarrow.parquet as pq
+
+    tbl = hive_catalog_with_kms.load_table("default.test_encrypted")
+
+    data_files = [task.file.file_path for task in tbl.scan().plan_files()]
+    assert data_files, "expected at least one data file in the encrypted table"
+
+    for file_path in data_files:
+        with pytest.raises(OSError, match="encrypted"), tbl.io.new_input(file_path).open() as fi:
+            pq.read_table(fi)
