Configuring Iceberg settings in Control Panel
:::callout{theme="neutral"}
Iceberg table support is in the beta phase of development and may not be available on your environment. Contact Palantir Support to request access. Iceberg must be enabled on your environment before you can configure these settings.
:::
Overview
Iceberg table settings are configured per-enrollment in Control Panel. From this interface, relevant administrators can enable Iceberg, configure encryption settings, manage storage locations, and set defaults for how Iceberg tables are written across projects.
To access Iceberg settings, open Control Panel from the Applications portal and search for the Iceberg table settings page.
Required permissions
Only users with the Enrollment Administrator or Information Security Officer role can modify Iceberg settings in Control Panel.
Verifying Iceberg is enabled
After contacting Palantir Support and receiving approval, Palantir will enable Iceberg for your enrollment. You can verify that Iceberg is enabled by checking that Enable Foundry Iceberg is toggled on at the top of the Iceberg table settings page.
Configuring Iceberg encryption settings
Foundry offers two layers of encryption for Iceberg tables:
- Server-side encryption (SSE) [required]: Encrypts data at rest in the storage bucket. SSE is enabled by default for Foundry-managed storage. For customer-managed buckets, you must enable SSE on your bucket to ensure your data is encrypted at rest.
- Client-side encryption (CSE) [optional]: Applies Iceberg table encryption to metadata and data files before they are written to the storage location, providing an additional layer of encryption on top of standard server-side encryption.
:::callout{theme="neutral"}
Client-side Iceberg table encryption is a new and evolving capability that is not yet supported by all Foundry features, external compute engines, or tools that connect to Iceberg tables. Enabling it may limit functionality until broader compatibility is available. Within Foundry, use of Iceberg tables with CSE in single-node transforms and "faster" Pipeline Builder pipelines is not yet supported.
:::
Configuring storage locations
Foundry supports the following storage options for Iceberg tables:
- Foundry-managed storage: Managed storage provided by Palantir.
- Bring-your-own-bucket (BYOB): Customer-managed storage buckets.
If available in your environment, Foundry-managed storage will appear by default.
To add a customer-managed storage bucket, first follow the instructions to set up your BYOB source. Once you have your source created, you can select it in the Control Panel interface via Configure buckets in the Iceberg storage buckets section. You can configure multiple storage locations and use them for different projects to organize where Iceberg table data is written.
You can also set advanced storage settings on your BYOB buckets on this page, such as Access delegation details and Custom FileIO configuration properties.
Configuring Iceberg storage and encryption defaults
You can configure default settings for how Iceberg tables are written across your enrollment, and optionally override these defaults for specific projects or namespaces.
Enrollment-wide defaults
In the Configure global Iceberg storage section:
- Allow writing Iceberg tables by default to all projects: When enabled, Iceberg tables can be written to any project by default. When disabled, Iceberg is only available in projects with explicit overrides.
- Default storage for newly created Iceberg tables: Select which storage location to use by default for new Iceberg tables.
- Iceberg table encryption (client-side encryption): Select whether to enable or disable client-side Iceberg table encryption.
Project-level or namespace-level overrides
To override enrollment-level defaults for specific projects or namespaces, select Add project or namespace in the Customize storage section. For each project or namespace, you can override:
- The storage location for Iceberg tables in that project
- The client-side encryption setting for Iceberg tables
Project-level or namespace-level overrides only apply to newly written tables in the project. Existing tables retain their current storage locations and encryption settings.
Modifying existing settings
When you modify storage settings, such as storage location or encryption configuration, the new settings apply only to newly created tables. Existing tables will not be migrated or have their encryption settings altered.
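Because changed defaults and overrides apply only to newly created tables, tables written earlier can keep a storage location or encryption state that no longer matches current policy. The following is an added example (not Palantir code and not a Foundry API) that models the precedence described above and flags such tables in a constructed inventory. All names, the inventory tuple format, and the assumption that an override may set only one of the two values and inherit the other are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Settings:
    storage: str   # name of a configured storage location
    cse: bool      # client-side Iceberg table encryption on/off

@dataclass(frozen=True)
class Override:
    storage: Optional[str] = None   # None = inherit the enrollment default (assumption)
    cse: Optional[bool] = None

def effective(project, allow_all, default, overrides):
    """Settings a NEW table in `project` would get, or None if writes are not allowed."""
    ov = overrides.get(project)
    if ov is None:
        return default if allow_all else None
    return Settings(ov.storage if ov.storage is not None else default.storage,
                    ov.cse if ov.cse is not None else default.cse)

def audit(tables, allow_all, default, overrides):
    """Return (table, finding) pairs for existing tables that differ from current policy."""
    findings = []
    for name, project, storage, cse in tables:
        want = effective(project, allow_all, default, overrides)
        if want is None:
            findings.append((name, "no override and default writes are disabled"))
            continue
        if want.cse and not cse:
            findings.append((name, "written without CSE; new tables here use CSE"))
        if storage != want.storage:
            findings.append((name, f"stored in {storage}; new tables go to {want.storage}"))
    return findings

# Constructed sample data (hypothetical names, not exported from Foundry).
DEFAULT = Settings(storage="foundry-managed", cse=False)
OVERRIDES = {"finance": Override(storage="byob-finance", cse=True),
             "research": Override(cse=True)}
TABLES = [  # (table, project, storage at creation, CSE at creation)
    ("ledger_2023", "finance", "foundry-managed", False),  # predates the override
    ("ledger_2024", "finance", "byob-finance", True),
    ("trials", "research", "foundry-managed", True),
    ("scratch", "sandbox", "foundry-managed", False),
]

if __name__ == "__main__":
    for table, finding in audit(TABLES, True, DEFAULT, OVERRIDES):
        print(f"{table}: {finding}")
```

Tables flagged this way are not changed by editing the settings; the findings only identify which existing tables still carry their original storage location or encryption state.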