parquet/encryption/crypto_factory.h

0001 // Licensed to the Apache Software Foundation (ASF) under one
0002 // or more contributor license agreements.  See the NOTICE file
0003 // distributed with this work for additional information
0004 // regarding copyright ownership.  The ASF licenses this file
0005 // to you under the Apache License, Version 2.0 (the
0006 // "License"); you may not use this file except in compliance
0007 // with the License.  You may obtain a copy of the License at
0008 //
0009 //   http://www.apache.org/licenses/LICENSE-2.0
0010 //
0011 // Unless required by applicable law or agreed to in writing,
0012 // software distributed under the License is distributed on an
0013 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
0014 // KIND, either express or implied.  See the License for the
0015 // specific language governing permissions and limitations
0016 // under the License.
0017
0018 #pragma once
0019
0020 #include <memory>
0021
0022 #include "parquet/encryption/encryption.h"
0023 #include "parquet/encryption/file_key_wrapper.h"
0024 #include "parquet/encryption/key_toolkit.h"
0025 #include "parquet/encryption/kms_client_factory.h"
0026 #include "parquet/platform.h"
0027
0028 namespace parquet::encryption {
0029
0030 static constexpr ParquetCipher::type kDefaultEncryptionAlgorithm =
0031     ParquetCipher::AES_GCM_V1;
0032 static constexpr bool kDefaultPlaintextFooter = false;
0033 static constexpr bool kDefaultDoubleWrapping = true;
0034 static constexpr double kDefaultCacheLifetimeSeconds = 600;  // 10 minutes
0035 static constexpr bool kDefaultInternalKeyMaterial = true;
0036 static constexpr bool kDefaultUniformEncryption = false;
0037 static constexpr int32_t kDefaultDataKeyLengthBits = 128;
0038
0039 struct PARQUET_EXPORT EncryptionConfiguration {
0040   explicit EncryptionConfiguration(const std::string& footer_key)
0041       : footer_key(footer_key) {}
0042
0043   /// ID of the master key for footer encryption/signing
0044   std::string footer_key;
0045
0046   /// List of columns to encrypt, with column master key IDs (see HIVE-21848).
0047   /// Format: "columnKeyID:colName,colName;columnKeyID:colName..."
0048   /// Either
0049   /// (1) column_keys must be set
0050   /// or
0051   /// (2) uniform_encryption must be set to true
0052   /// If none of (1) and (2) are true, or if both are true, an exception will be
0053   /// thrown.
0054   std::string column_keys;
0055
0056   /// Encrypt footer and all columns with the same encryption key.
0057   bool uniform_encryption = kDefaultUniformEncryption;
0058
0059   /// Parquet encryption algorithm. Can be "AES_GCM_V1" (default), or "AES_GCM_CTR_V1".
0060   ParquetCipher::type encryption_algorithm = kDefaultEncryptionAlgorithm;
0061
0062   /// Write files with plaintext footer.
0063   /// The default is false - files are written with encrypted footer.
0064   bool plaintext_footer = kDefaultPlaintextFooter;
0065
0066   /// Use double wrapping - where data encryption keys (DEKs) are encrypted with key
0067   /// encryption keys (KEKs), which in turn are encrypted with master keys.
0068   /// The default is true. If set to false, use single wrapping - where DEKs are
0069   /// encrypted directly with master keys.
0070   bool double_wrapping = kDefaultDoubleWrapping;
0071
0072   /// Lifetime of cached entities (key encryption keys, local wrapping keys, KMS client
0073   /// objects).
0074   /// The default is 600 (10 minutes).
0075   double cache_lifetime_seconds = kDefaultCacheLifetimeSeconds;
0076
0077   /// Store key material inside Parquet file footers; this mode doesn’t produce
0078   /// additional files. By default, true. If set to false, key material is stored in
0079   /// separate files in the same folder, which enables key rotation for immutable
0080   /// Parquet files.
0081   bool internal_key_material = kDefaultInternalKeyMaterial;
0082
0083   /// Length of data encryption keys (DEKs), randomly generated by parquet key
0084   /// management tools. Can be 128, 192 or 256 bits.
0085   /// The default is 128 bits.
0086   int32_t data_key_length_bits = kDefaultDataKeyLengthBits;
0087 };
0088
0089 struct PARQUET_EXPORT DecryptionConfiguration {
0090   /// Lifetime of cached entities (key encryption keys, local wrapping keys, KMS client
0091   /// objects).
0092   /// The default is 600 (10 minutes).
0093   double cache_lifetime_seconds = kDefaultCacheLifetimeSeconds;
0094 };
0095
0096 /// This is a core class, that translates the parameters of high level encryption (like
0097 /// the names of encrypted columns, names of master keys, etc), into parameters of low
0098 /// level encryption (like the key metadata, DEK, etc). A factory that produces the low
0099 /// level FileEncryptionProperties and FileDecryptionProperties objects, from the high
0100 /// level parameters.
0101 class PARQUET_EXPORT CryptoFactory {
0102  public:
0103   /// a KmsClientFactory object must be registered via this method before calling any of
0104   /// GetFileEncryptionProperties()/GetFileDecryptionProperties() methods.
0105   void RegisterKmsClientFactory(std::shared_ptr<KmsClientFactory> kms_client_factory);
0106
0107   /// Get the encryption properties for a Parquet file.
0108   /// If external key material is used then a file system and path to the
0109   /// parquet file must be provided.
0110   std::shared_ptr<FileEncryptionProperties> GetFileEncryptionProperties(
0111       const KmsConnectionConfig& kms_connection_config,
0112       const EncryptionConfiguration& encryption_config, const std::string& file_path = "",
0113       const std::shared_ptr<::arrow::fs::FileSystem>& file_system = NULLPTR);
0114
0115   /// Get decryption properties for a Parquet file.
0116   /// If external key material is used then a file system and path to the
0117   /// parquet file must be provided.
0118   std::shared_ptr<FileDecryptionProperties> GetFileDecryptionProperties(
0119       const KmsConnectionConfig& kms_connection_config,
0120       const DecryptionConfiguration& decryption_config, const std::string& file_path = "",
0121       const std::shared_ptr<::arrow::fs::FileSystem>& file_system = NULLPTR);
0122
0123   void RemoveCacheEntriesForToken(const std::string& access_token) {
0124     key_toolkit_->RemoveCacheEntriesForToken(access_token);
0125   }
0126
0127   void RemoveCacheEntriesForAllTokens() {
0128     key_toolkit_->RemoveCacheEntriesForAllTokens();
0129   }
0130
0131   /// Rotates master encryption keys for a Parquet file that uses external key material.
0132   /// In single wrapping mode, data encryption keys are decrypted with the old master keys
0133   /// and then re-encrypted with new master keys.
0134   /// In double wrapping mode, key encryption keys are decrypted with the old master keys
0135   /// and then re-encrypted with new master keys.
0136   /// This relies on the KMS supporting versioning, such that the old master key is
0137   /// used when unwrapping a key, and the latest version is used when wrapping a key.
0138   void RotateMasterKeys(const KmsConnectionConfig& kms_connection_config,
0139                         const std::string& parquet_file_path,
0140                         const std::shared_ptr<::arrow::fs::FileSystem>& file_system,
0141                         bool double_wrapping = kDefaultDoubleWrapping,
0142                         double cache_lifetime_seconds = kDefaultCacheLifetimeSeconds);
0143
0144  private:
0145   ColumnPathToEncryptionPropertiesMap GetColumnEncryptionProperties(
0146       int dek_length, const std::string& column_keys, FileKeyWrapper* key_wrapper);
0147
0148   /// Key utilities object for kms client initialization and cache control
0149   std::shared_ptr<KeyToolkit> key_toolkit_ = std::make_shared<KeyToolkit>();
0150 };
0151
0152 }  // namespace parquet::encryption