apache
diff --git a/‎parquet-hadoop/README.md‎
Lines changed: 119 additions & 0 deletions b/‎parquet-hadoop/README.md‎
Lines changed: 119 additions & 0 deletions
diff --git a/‎parquet-hadoop/pom.xml‎
Lines changed: 1 addition & 0 deletions b/‎parquet-hadoop/pom.xml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/InternalFileDecryptor.java‎
Lines changed: 20 additions & 8 deletions b/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/InternalFileDecryptor.java‎
Lines changed: 20 additions & 8 deletions
diff --git a/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/InternalFileEncryptor.java‎
Lines changed: 22 additions & 0 deletions b/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/InternalFileEncryptor.java‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/ExpiringCacheEntry.java‎
Lines changed: 0 additions & 46 deletions b/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/ExpiringCacheEntry.java‎
Lines changed: 0 additions & 46 deletions
diff --git a/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/FileKeyMaterialStore.java‎
Lines changed: 32 additions & 2 deletions b/‎parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/FileKeyMaterialStore.java‎
Lines changed: 32 additions & 2 deletions
@@ -0,0 +1,119 @@
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+
+
+## Class: ParquetOutputFormat
+
+**Property:** `parquet.crypto.factory.class`  
+**Description:** Class implementing EncryptionPropertiesFactory.
+**Default value:** None. If not set, the file won't be encrypted by a crypto factory.
+
+
+## Class: HadoopReadOptions
+
+**Property:** `parquet.crypto.factory.class`  
+**Description:** Class implementing DecryptionPropertiesFactory.
+**Default value:** None. If not set, the file won't be decrypted by a crypto factory.
+
+
+## Class: PropertiesDrivenCryptoFactory
+
+**Property:** `parquet.encryption.column.keys`  
+**Description:** List of columns to encrypt, with master key IDs (see HIVE-21848).Format: “<masterKeyID>:<colName>,<colName>;<masterKeyID>:<colName>...”
+**Default value:** None. If neither `column.keys` nor `footer.key` are set, the file won't be encrypted by the PropertiesDrivenCryptoFactory. If one of the two properties is set, an exception will be thrown.
+
+---
+
+**Property:** `parquet.encryption.footer.key`  
+**Description:** Master key ID for footer encryption/signing.
+**Default value:** None. If neither `column.keys` nor `footer.key` are set, the file won't be encrypted by the PropertiesDrivenCryptoFactory. If one of the two properties is set, an exception will be thrown.
+
+---
+
+**Property:** `parquet.encryption.algorithm`  
+**Description:** Parquet encryption algorithm. Can be `AES_GCM_V1` or `AES_GCM_CTR_V1`.
+**Default value:** `AES_GCM_V1`
+
+---
+
+**Property:** `parquet.encryption.plaintext.footer`  
+**Description:** Write files in plaintext footer mode, that makes many footer fields visible (e.g. schema) but allows legacy readers to access unencrypted columns. The plaintext footer is signed with the footer key. 
+If `false`, write files in encrypted footer mode, that fully encrypts the footer, and signs it with the footer key.
+**Default value:** `false`
+
+---
+
+**Property:** `parquet.encryption.kms.client.class`  
+**Description:** Class implementing the KmsClient interface. "KMS" stands for “key management service”. The Client will interact with a KMS Server to wrap/unrwap encryption keys.
+**Default value:** None
+
+---
+
+**Property:** `parquet.encryption.kms.instance.id`  
+**Description:** ID of the KMS instance that will be used for encryption (if multiple KMS instances are available).
+**Default value:** `DEFAULT`
+
+---
+
+**Property:** `parquet.encryption.kms.instance.url`  
+**Description:** URL of the KMS instance.
+**Default value:** `DEFAULT`
+
+---
+
+**Property:** `parquet.encryption.key.access.token`  
+**Description:** Authorization token that will be passed to KMS.
+**Default value:** None
+
+---
+
+**Property:** `parquet.encryption.double.wrapping`  
+**Description:** Use double wrapping - where data encryption keys (DEKs) are encrypted with key encryption keys (KEKs), which in turn are encrypted with master keys. 
+If `false`, DEKs are directly encrypted with master keys, KEKs are not used.
+**Default value:** `true`
+
+---
+
+**Property:** `parquet.encryption.cache.lifetime.seconds`  
+**Description:** Lifetime of cached entities (key encryption keys, local wrapping keys, KMS client objects).
+**Default value:** `600` (10 minutes)
+
+---
+
+**Property:** `parquet.encryption.wrap.locally`  
+**Description:** Wrap keys locally - master keys are fetched from the KMS server and used to encrypt other keys (DEKs or KEKs).
+If `false` - key wrapping will be performed by a KMS server. 
+**Default value:** `false`
+
+---
+
+**Property:** `parquet.encryption.key.material.store.internally`  
+**Description:** Store key material inside Parquet file footers; this mode doesn’t produce additional files. 
+If `false`, key material is stored in separate new files, created in the same folder - this mode enables key rotation for immutable Parquet files.
+**Default value:** `true`
+
+---
+
+**Property:** `parquet.encryption.data.key.length.bits`  
+**Description:** Length of data encryption keys (DEKs), randomly generated by parquet key management tools. Can be 128, 192 or 256 bits.
+**Default value:** `128`
+
+---
+
@@ -126,6 +126,7 @@
       <groupId>com.squareup.okhttp3</groupId>
       <artifactId>okhttp</artifactId>
       <version>4.6.0</version>
+      <scope>test</scope>
     </dependency>
   </dependencies>
 
 
@@ -22,10 +22,14 @@
 import org.apache.parquet.format.BlockCipher;
 import org.apache.parquet.format.EncryptionAlgorithm;
 import org.apache.parquet.hadoop.metadata.ColumnPath;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import java.util.Arrays;
 import java.util.HashMap;
 
 public class InternalFileDecryptor {
+  private static final Logger LOG = LoggerFactory.getLogger(InternalFileDecryptor.class);
 
   private final FileDecryptionProperties fileDecryptionProperties;
   private final DecryptionKeyRetriever keyRetriever;
@@ -206,6 +210,10 @@ public void setFileCryptoMetaData(EncryptionAlgorithm algorithm,
         throw new ParquetCryptoRuntimeException("Decryptor re-use: Different footer key metadata");
       }
     }
+
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("File Decryptor. Algo: {}. Encrypted footer: {}", algorithm, encryptedFooter);
+    }
   }
 
   public InternalColumnDecryptionSetup setColumnCryptoMetadata(ColumnPath path, boolean encrypted, 
@@ -240,8 +248,11 @@ public InternalColumnDecryptionSetup setColumnCryptoMetadata(ColumnPath path, bo
         }
         columnDecryptionSetup = new InternalColumnDecryptionSetup(path, true, true, 
             getDataModuleDecryptor(null), getThriftModuleDecryptor(null), columnOrdinal, null);
-      } else {
-        // Column is encrypted with column-specific key
+
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("Column decryption (footer key): {}", path);
+        }
+      } else { // Column is encrypted with column-specific key
         byte[] columnKeyBytes = fileDecryptionProperties.getColumnKey(path);
         if ((null == columnKeyBytes) && (null != keyMetadata) && (null != keyRetriever)) {
           // No explicit column key given via API. Retrieve via key metadata.
@@ -251,12 +262,14 @@ public InternalColumnDecryptionSetup setColumnCryptoMetadata(ColumnPath path, bo
             throw new KeyAccessDeniedException("Column " + path + ": key access denied", e);
           }
         }
-
-        if (null == columnKeyBytes) { // Hidden column: encrypted, but key unavailable
-          throw new ParquetCryptoRuntimeException("Column " + path + ": key unavailable");
-        } else { // Key is available
-          columnDecryptionSetup = new InternalColumnDecryptionSetup(path, true, false, 
+        if (null == columnKeyBytes) {
+          throw new ParquetCryptoRuntimeException("Column " + path + "is encrypted with NULL column key");
+        }
+        columnDecryptionSetup = new InternalColumnDecryptionSetup(path, true, false, 
               getDataModuleDecryptor(columnKeyBytes), getThriftModuleDecryptor(columnKeyBytes), columnOrdinal, keyMetadata);
+
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("Column decryption (column key): {}", path);
         }
       }
     }
@@ -300,4 +313,3 @@ public FileDecryptionProperties getDecryptionProperties() {
     return fileDecryptionProperties;
   }
 }
-
 
@@ -22,11 +22,15 @@
 import org.apache.parquet.format.BlockCipher;
 import org.apache.parquet.format.FileCryptoMetaData;
 import org.apache.parquet.hadoop.metadata.ColumnPath;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.apache.parquet.format.EncryptionAlgorithm;
 
 import java.util.HashMap;
+import java.util.Map;
 
 public class InternalFileEncryptor {
+  private static final Logger LOG = LoggerFactory.getLogger(InternalFileEncryptor.class);
 
   private final EncryptionAlgorithm algorithm;
   private final FileEncryptionProperties fileEncryptionProperties;
@@ -42,6 +46,9 @@ public class InternalFileEncryptor {
 
   public InternalFileEncryptor(FileEncryptionProperties fileEncryptionProperties) {
     this.fileEncryptionProperties = fileEncryptionProperties;
+    if (LOG.isDebugEnabled()) {
+      fileEncryptorLog();
+    }
     algorithm = fileEncryptionProperties.getAlgorithm();
     footerKey = fileEncryptionProperties.getFooterKey();
     encryptFooter =  fileEncryptionProperties.encryptedFooter();
@@ -171,4 +178,19 @@ public AesGcmEncryptor getSignedFooterEncryptor() {
     }
     return (AesGcmEncryptor) ModuleCipherFactory.getEncryptor(AesMode.GCM, footerKey);
   }
+
+  private void fileEncryptorLog() {
+    String encryptedColumnList;
+    Map<ColumnPath, ColumnEncryptionProperties> columnPropertyMap = fileEncryptionProperties.getEncryptedColumns();
+    if (null != columnPropertyMap) {
+      encryptedColumnList = "";
+      for (Map.Entry<ColumnPath, ColumnEncryptionProperties> entry : columnPropertyMap.entrySet()) {
+        encryptedColumnList += entry.getKey() + "; ";
+      }
+    } else {
+      encryptedColumnList = "Every column will be encrypted with footer key.";
+    }
+    LOG.debug("File Encryptor. Algo: {}. Encrypted footer: {}.  Encrypted columns: {}", 
+        fileEncryptionProperties.getAlgorithm(), fileEncryptionProperties.encryptedFooter(), encryptedColumnList);
+  }
 }
@@ -26,17 +26,47 @@
 
 public interface FileKeyMaterialStore {
 
+  /**
+   * Initializes key material store for a parquet file.
+   * @param parquetFilePath Parquet file path
+   * @param hadoopConfig Hadoop configuration
+   * @param tempStore set true if this is a temporary store, used in key rotation
+   */
   public void initialize(Path parquetFilePath, Configuration hadoopConfig, boolean tempStore);
 
+  /**
+   * Add key material for one encryption key.
+   * @param keyIDInFile ID of the key in Parquet file
+   * @param keyMaterial key material
+   */
   public void addKeyMaterial(String keyIDInFile, String keyMaterial);
+  
+  /**
+   * After key material was added for all keys in the given Parquet file, 
+   * save material in persistent store.
+   */
+  public void saveMaterial();
 
+  /**
+   * Get key material
+   * @param keyIDInFile ID of a key in Parquet file
+   * @return key material
+   */
   public String getKeyMaterial(String keyIDInFile);
 
-  public void saveMaterial();
-
+  /**
+   * @return Set of all key IDs in this store (for the given Parquet file) 
+   */
   public Set<String> getKeyIDSet();
 
+  /**
+   * Remove key material from persistent store. Used in key rotation.
+   */
   public void removeMaterial();
 
+  /**
+   * Move key material to another store. Used in key rotation.
+   * @param targetKeyMaterialStore target store
+   */
   public void moveMaterialTo(FileKeyMaterialStore targetKeyMaterialStore);
 }
Original file line number	Diff line number	Diff line change
`@@ -22,10 +22,14 @@`
`22`	`22`	`import org.apache.parquet.format.BlockCipher;`
`23`	`23`	`import org.apache.parquet.format.EncryptionAlgorithm;`
`24`	`24`	`import org.apache.parquet.hadoop.metadata.ColumnPath;`
	`25`	`+import org.slf4j.Logger;`
	`26`	`+import org.slf4j.LoggerFactory;`
	`27`	`+`
`25`	`28`	`import java.util.Arrays;`
`26`	`29`	`import java.util.HashMap;`
`27`	`30`
`28`	`31`	`public class InternalFileDecryptor {`
	`32`	`+ private static final Logger LOG = LoggerFactory.getLogger(InternalFileDecryptor.class);`
`29`	`33`
`30`	`34`	`private final FileDecryptionProperties fileDecryptionProperties;`
`31`	`35`	`private final DecryptionKeyRetriever keyRetriever;`
`@@ -206,6 +210,10 @@ public void setFileCryptoMetaData(EncryptionAlgorithm algorithm,`
`206`	`210`	`throw new ParquetCryptoRuntimeException("Decryptor re-use: Different footer key metadata");`
`207`	`211`	`}`
`208`	`212`	`}`
	`213`	`+`
	`214`	`+ if (LOG.isDebugEnabled()) {`
	`215`	`+ LOG.debug("File Decryptor. Algo: {}. Encrypted footer: {}", algorithm, encryptedFooter);`
	`216`	`+ }`
`209`	`217`	`}`
`210`	`218`
`211`	`219`	`public InternalColumnDecryptionSetup setColumnCryptoMetadata(ColumnPath path, boolean encrypted,`
`@@ -240,8 +248,11 @@ public InternalColumnDecryptionSetup setColumnCryptoMetadata(ColumnPath path, bo`
`240`	`248`	`}`
`241`	`249`	`columnDecryptionSetup = new InternalColumnDecryptionSetup(path, true, true,`
`242`	`250`	`getDataModuleDecryptor(null), getThriftModuleDecryptor(null), columnOrdinal, null);`
`243`		`- } else {`
`244`		`- // Column is encrypted with column-specific key`
	`251`	`+`
	`252`	`+ if (LOG.isDebugEnabled()) {`
	`253`	`+ LOG.debug("Column decryption (footer key): {}", path);`
	`254`	`+ }`
	`255`	`+ } else { // Column is encrypted with column-specific key`
`245`	`256`	`byte[] columnKeyBytes = fileDecryptionProperties.getColumnKey(path);`
`246`	`257`	`if ((null == columnKeyBytes) && (null != keyMetadata) && (null != keyRetriever)) {`
`247`	`258`	`// No explicit column key given via API. Retrieve via key metadata.`
`@@ -251,12 +262,14 @@ public InternalColumnDecryptionSetup setColumnCryptoMetadata(ColumnPath path, bo`
`251`	`262`	`throw new KeyAccessDeniedException("Column " + path + ": key access denied", e);`
`252`	`263`	`}`
`253`	`264`	`}`
`254`		`-`
`255`		`- if (null == columnKeyBytes) { // Hidden column: encrypted, but key unavailable`
`256`		`- throw new ParquetCryptoRuntimeException("Column " + path + ": key unavailable");`
`257`		`- } else { // Key is available`
`258`		`- columnDecryptionSetup = new InternalColumnDecryptionSetup(path, true, false,`
	`265`	`+ if (null == columnKeyBytes) {`
	`266`	`+ throw new ParquetCryptoRuntimeException("Column " + path + "is encrypted with NULL column key");`
	`267`	`+ }`
	`268`	`+ columnDecryptionSetup = new InternalColumnDecryptionSetup(path, true, false,`
`259`	`269`	`getDataModuleDecryptor(columnKeyBytes), getThriftModuleDecryptor(columnKeyBytes), columnOrdinal, keyMetadata);`
	`270`	`+`
	`271`	`+ if (LOG.isDebugEnabled()) {`
	`272`	`+ LOG.debug("Column decryption (column key): {}", path);`
`260`	`273`	`}`
`261`	`274`	`}`
`262`	`275`	`}`
`@@ -300,4 +313,3 @@ public FileDecryptionProperties getDecryptionProperties() {`
`300`	`313`	`return fileDecryptionProperties;`
`301`	`314`	`}`
`302`	`315`	`}`
`303`		`-`