PARQUET-1373: Encryption key tools

[ggershinsky]

No description provided.

[gszadovszky]

@ggershinsky, is it still in draft state?

[ggershinsky]

the implementation is complete. with the recent addition of a unitest, the draft state can be switched off. I'll rebase it first, to make sure the Travis checks pass.

[ggershinsky]

@ggershinsky, is it still in draft state?

@gszadovszky The pr is completed, ready for a review

[gszadovszky]

Reviewed the most of it but still have some left...

In general I would expect javadoc comments for API public classes/methods. Also, it would be nice to solve the acronyms where used even if they are well known in the crypto world.

There are a couple of concurrent code parts. We shall test somehow that the code is thread-safe. I know, it is not easy but if you execute the related code paths with several parallel threads (e.g. encrypting/decrypting several files in multiple threads) we might find some issues.

Some thoughts that might not tightly related to this PR but to the encryption feature:

I am not familiar with encryption. It would be nice if someone that has crypto experience could also sign this (or the final PR to master) even if she/he is not a committer.

As far as I remember, there were a couple of ongoing PRs related to encryption. Please, update/rebase them if they are required or close them if not.

[ggershinsky]

There are a couple of concurrent code parts. We shall test somehow that the code is thread-safe. I know, it is not easy but if you execute the related code paths with several parallel threads (e.g. encrypting/decrypting several files in multiple threads) we might find some issues.

we'll make the PR test to run multiple threads, writing a number of files in parallel (same for reading).

[gszadovszky]

As for the VaultClient - one option is to move it also to the tests location, commenting out the HTTP calls so the okhttp3 dependency can be removed from the pom. The comments will explain the code and how to build it if needed. The other option is to remove VaultClient altogether from apache/parquet-mr (I can keep it eg in my fork, as a pointer if anybody's interested to see a sample). What do you think?

If you move VaultClient to test, okhttp3 will be a test dependency. I'm fine with that.

---

ConcurrentMap has a segment synchronization for write operations, and allows for synchronization-free read operations; this makes it faster than HasMap with synchronized methods.

Yes, I know how ConcurrentHashMap works. What I wanted to say that you are using synchronization as well. As you already use a ConcurrentMap you might implement these synchronized code parts by using the methods of ConcurrentMap. I've put some examples that might work.

---

Please, check why Travis fails.

---

Another point of view came up about handling sensitive data in memory. Java does not clean memory after garbage collecting objects. It means that sensitive data must be manually cleaned after used otherwise it might get compromised by another java application in the same jvm or even by another process after the jvm exists. Because of the same reason String objects shall never contain sensitive information as the char[] behind the object might not get garbage collected after the String object itself gets dropped.
I did not find any particular bad practice in the code or any examples of the listed situations just wanted to highlight that we shall think about this as well.

[ggershinsky]

ConcurrentMap has a segment synchronization for write operations, and allows for synchronization-free read operations; this makes it faster than HasMap with synchronized methods.

Yes, I know how ConcurrentHashMap works. What I wanted to say that you are using synchronization as well. As you already use a ConcurrentMap you might implement these synchronized code parts by using the methods of ConcurrentMap. I've put some examples that might work.

Sounds good, and thank you for the examples! We've already applied your code (not pushed yet), it indeed allowed to remove the explicit synchronization, making the cache implementation cleaner and faster.

Please, check why Travis fails.

Sorry, should have mentioned that it will take a few more commits to fully address this round of the comments (and fix the unitests). Once all commits are in, I will squash them to simplify the review, and will post a comment here.

Another point of view came up about handling sensitive data in memory. Java does not clean memory after garbage collecting objects. It means that sensitive data must be manually cleaned after used otherwise it might get compromised by another java application in the same jvm or even by another process after the jvm exists. Because of the same reason String objects shall never contain sensitive information as the char[] behind the object might not get garbage collected after the String object itself gets dropped.
I did not find any particular bad practice in the code or any examples of the listed situations just wanted to highlight that we shall think about this as well.

Yep, keeping secret data in Java strings is a notorious problem. I think the general consensus is not to rely on gc or explicit byte wiping - but to remember that these Java processes must run in a trusted environment anyway, simply because they work with confidential information, ranging from the encryption keys to the sensitive data itself. Micro-managing the memory with confidential information is always hard, and is basically impossible with Java. It goes beyond Parquet. One example - the KMS Client implementations send secret tokens and fetch explicit encryption keys, using a custom HTTP library. There is no guarantee this library doesn't use strings (most likely, it does). Another example - the secret tokens are passed as a Hadoop property from Spark or another framework; this is likely to be implemented with strings. Moreover, the tokens are built in an access control system, then sent to a user, then sent to a Spark driver, then sent to Spark workers (or other framework components) - there is no way to control this, except to rely on HTTPS for the transport security, and on running framework drivers/workers in a trusted environment for the memory security.

In other words, our threat model is simple. We don't trust the storage - encrypted Parquet files can be accessed by malicious parties, but they won't be able to read them. We do trust the framework hosts (where the JVM runs) - if these are breached, the secret data can be stolen from any part of host memory / disc pages; not just the Parquet lib memory, but framework memory, HTTP libs, etc. Memory protection is a holy grail in this field, addressed by technologies like VMs, containers, hardware enclaves, etc, etc. Parquet encryption is focused on data-in-storage protection; data-in-memory protection is covered by other technologies.

[gszadovszky]

Thanks a lot for explanation. Agreed on protecting sensitive data in memory cannot be handled by Parquet.

I'll wait for your comment for the next review round.

[ggershinsky]

@gszadovszky the 055bb39 is the squash of all commits that address the latest review round

[ggershinsky]

@gszadovszky the latest review round is addressed by 0355f65

[gszadovszky]

Thanks a lot for the proper documentation. One more thing that I've missed before related to the jsons.

[gszadovszky]

Close/reopen this PR to re-trigger Travis.