Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Manifest list encryption #7770

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
+807 −72
Open

Manifest list encryption #7770

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e39e740
draft commit
ggershinsky Jun 5, 2023
cc27c3f
compile and ci fixes
ggershinsky Sep 12, 2024
0988f6f
spotless apply
ggershinsky Sep 12, 2024
6e7de37
re-apply unwrapped cache patch
ggershinsky Sep 12, 2024
1c03cd1
caching limit
ggershinsky Sep 12, 2024
e637adc
address review comments
ggershinsky Sep 17, 2024
1fbdaa6
spotless apply
ggershinsky Sep 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .palantir/revapi.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1058,6 +1058,11 @@ acceptedBreaks:
new: "method void org.apache.iceberg.encryption.PlaintextEncryptionManager::<init>()"
justification: "Deprecations for 1.6.0 release"
"1.6.0":
org.apache.iceberg:iceberg-api:
- code: "java.class.defaultSerializationChanged"
old: "class org.apache.iceberg.encryption.EncryptingFileIO"
new: "class org.apache.iceberg.encryption.EncryptingFileIO"
justification: "New method for Manifest List reading"
org.apache.iceberg:iceberg-common:
- code: "java.method.removed"
old: "method <T> org.apache.iceberg.common.DynFields.StaticField<T> org.apache.iceberg.common.DynFields.Builder::buildStaticChecked()\
Expand Down Expand Up @@ -1091,6 +1096,12 @@ acceptedBreaks:
- code: "java.class.removed"
old: "enum org.apache.iceberg.BaseMetastoreTableOperations.CommitStatus"
justification: "Removing deprecated code"
- code: "java.method.addedToInterface"
new: "method java.lang.Long org.apache.iceberg.encryption.NativeEncryptionKeyMetadata::fileLength()"
justification: "New method in interface"
- code: "java.method.addedToInterface"
new: "method org.apache.iceberg.encryption.NativeEncryptionKeyMetadata org.apache.iceberg.encryption.NativeEncryptionKeyMetadata::copyWithLength(long)"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than revapi exceptions, we should add default implementations.

justification: "New method in interface"
- code: "java.method.removed"
old: "method java.lang.String org.apache.iceberg.FileScanTaskParser::toJson(org.apache.iceberg.FileScanTask)"
justification: "Removing deprecated code"
Expand Down
43 changes: 43 additions & 0 deletions api/src/main/java/org/apache/iceberg/ManifestListFile.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.iceberg;

import java.nio.ByteBuffer;
import org.apache.iceberg.encryption.EncryptionManager;

public interface ManifestListFile {
rdblue marked this conversation as resolved.
Show resolved Hide resolved

/** Location of manifest list file. */
String location();

/** Snapshot ID of the manifest list. */
long snapshotId();

/**
* The manifest list key metadata is encrypted with a "key encryption key" (KEK). Returns the KEK
* ID for this manifest file.
*/
String keyMetadataKeyId();

/** Returns the manifest list key metadata, encrypted with its KEK. */
ByteBuffer encryptedKeyMetadata();
rdblue marked this conversation as resolved.
Show resolved Hide resolved

/** Decrypt and return the encrypted key metadata */
ByteBuffer decryptKeyMetadata(EncryptionManager em);
}
10 changes: 10 additions & 0 deletions api/src/main/java/org/apache/iceberg/Snapshot.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,16 @@ default Iterable<DeleteFile> removedDeleteFiles(FileIO io) {
*/
String manifestListLocation();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is String manifestListLocation() same as what is stored in ManifestListFile? If so, do we still need it as a separate field?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rdblue @RussellSpitzer what do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are dozens of calls to this method today (tests etc), so we'll likely need to keep it for a while.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I saw that. We can consolidate in a separate PR.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I agree. We need to keep this because it is part of the public API and used in many cases.


/**
* This snapshot's manifest list file info: size, encryption key metadata and location
*
* @return manifest list file info
*/
default ManifestListFile manifestListFile() {
throw new UnsupportedOperationException(
this.getClass().getName() + " doesn't implement manifestListFile method");
}

/**
* Return the id of the schema used when this snapshot was created, or null if this information is
* not available.
Expand Down
13 changes: 11 additions & 2 deletions api/src/main/java/org/apache/iceberg/encryption/EncryptingFileIO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
import org.apache.iceberg.DataFile;
import org.apache.iceberg.DeleteFile;
import org.apache.iceberg.ManifestFile;
import org.apache.iceberg.ManifestListFile;
import org.apache.iceberg.io.FileIO;
import org.apache.iceberg.io.InputFile;
import org.apache.iceberg.io.OutputFile;
Expand Down Expand Up @@ -109,13 +110,21 @@ public InputFile newInputFile(ManifestFile manifest) {
}
}

@Override
public InputFile newInputFile(ManifestListFile manifestList) {
if (manifestList.encryptedKeyMetadata() != null) {
ByteBuffer keyMetadata = manifestList.decryptKeyMetadata(em);
return newDecryptingInputFile(manifestList.location(), keyMetadata);
} else {
return newInputFile(manifestList.location());
}
}

public InputFile newDecryptingInputFile(String path, ByteBuffer buffer) {
return em.decrypt(wrap(io.newInputFile(path), buffer));
}

public InputFile newDecryptingInputFile(String path, long length, ByteBuffer buffer) {
// TODO: is the length correct for the encrypted file? It may be the length of the plaintext
// stream
return em.decrypt(wrap(io.newInputFile(path, length), buffer));
}

Expand Down
10 changes: 10 additions & 0 deletions api/src/main/java/org/apache/iceberg/io/FileIO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
import org.apache.iceberg.DataFile;
import org.apache.iceberg.DeleteFile;
import org.apache.iceberg.ManifestFile;
import org.apache.iceberg.ManifestListFile;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;

/**
Expand Down Expand Up @@ -70,6 +71,15 @@ default InputFile newInputFile(ManifestFile manifest) {
return newInputFile(manifest.path(), manifest.length());
}

default InputFile newInputFile(ManifestListFile manifestList) {
Preconditions.checkArgument(
manifestList.encryptedKeyMetadata() == null,
"Cannot decrypt manifest list: %s (use EncryptingFileIO)",
manifestList.location());
// cannot pass length because it is not tracked outside of key metadata
return newInputFile(manifestList.location());
}

/** Get a {@link OutputFile} instance to write bytes to the file at the given path. */
OutputFile newOutputFile(String path);

Expand Down
70 changes: 70 additions & 0 deletions core/src/main/java/org/apache/iceberg/BaseManifestListFile.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.iceberg;

import java.io.Serializable;
import java.nio.ByteBuffer;
import org.apache.iceberg.encryption.EncryptionManager;
import org.apache.iceberg.encryption.EncryptionUtil;
import org.apache.iceberg.util.ByteBuffers;

class BaseManifestListFile implements ManifestListFile, Serializable {
private final String location;
private final long snapshotId;
private final String keyMetadataKeyID;
// stored as a byte array to be Serializable
private final byte[] encryptedKeyMetadata;

BaseManifestListFile(
String location, long snapshotId, String keyMetadataKeyID, ByteBuffer encryptedKeyMetadata) {
this.location = location;
this.snapshotId = snapshotId;
this.encryptedKeyMetadata = ByteBuffers.toByteArray(encryptedKeyMetadata);
this.keyMetadataKeyID = keyMetadataKeyID;
}

@Override
public String location() {
return location;
}

@Override
public long snapshotId() {
return snapshotId;
}

@Override
public String keyMetadataKeyId() {
return keyMetadataKeyID;
}

@Override
public ByteBuffer encryptedKeyMetadata() {
if (encryptedKeyMetadata == null) {
return null;
}

return ByteBuffer.wrap(encryptedKeyMetadata);
}

@Override
public ByteBuffer decryptKeyMetadata(EncryptionManager em) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When was this added? I don't think this should be here because it just calls a method on EncryptionManager.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was added in PR11 (these lines: interface, implementation ). I think the main is reason is, the class EncryptingFileIO is in the api module, so it cannot access StandardEncryptionManager and EncryptionUtil classes.

return EncryptionUtil.decryptSnapshotKeyMetadata(this, em);
}
}
39 changes: 33 additions & 6 deletions core/src/main/java/org/apache/iceberg/BaseSnapshot.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
import org.apache.iceberg.exceptions.RuntimeIOException;
import org.apache.iceberg.io.CloseableIterable;
import org.apache.iceberg.io.FileIO;
import org.apache.iceberg.relocated.com.google.common.annotations.VisibleForTesting;
import org.apache.iceberg.relocated.com.google.common.base.MoreObjects;
import org.apache.iceberg.relocated.com.google.common.base.Objects;
import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
Expand All @@ -38,11 +39,11 @@ class BaseSnapshot implements Snapshot {
private final Long parentId;
private final long sequenceNumber;
private final long timestampMillis;
private final String manifestListLocation;
private final String operation;
private final Map<String, String> summary;
private final Integer schemaId;
private final String[] v1ManifestLocations;
private final ManifestListFile manifestListFile;

// lazily initialized
private transient List<ManifestFile> allManifests = null;
Expand All @@ -53,6 +54,7 @@ class BaseSnapshot implements Snapshot {
private transient List<DeleteFile> addedDeleteFiles = null;
private transient List<DeleteFile> removedDeleteFiles = null;

@VisibleForTesting
BaseSnapshot(
long sequenceNumber,
long snapshotId,
Expand All @@ -62,14 +64,34 @@ class BaseSnapshot implements Snapshot {
Map<String, String> summary,
Integer schemaId,
String manifestList) {
this(
sequenceNumber,
snapshotId,
parentId,
timestampMillis,
operation,
summary,
schemaId,
new BaseManifestListFile(manifestList, snapshotId, null, null));
}

BaseSnapshot(
long sequenceNumber,
long snapshotId,
Long parentId,
long timestampMillis,
String operation,
Map<String, String> summary,
Integer schemaId,
ManifestListFile manifestListFile) {
this.sequenceNumber = sequenceNumber;
this.snapshotId = snapshotId;
this.parentId = parentId;
this.timestampMillis = timestampMillis;
this.operation = operation;
this.summary = summary;
this.schemaId = schemaId;
this.manifestListLocation = manifestList;
this.manifestListFile = manifestListFile;
this.v1ManifestLocations = null;
}

Expand All @@ -89,7 +111,7 @@ class BaseSnapshot implements Snapshot {
this.operation = operation;
this.summary = summary;
this.schemaId = schemaId;
this.manifestListLocation = null;
this.manifestListFile = new BaseManifestListFile(null, snapshotId, null, null);
this.v1ManifestLocations = v1ManifestLocations;
}

Expand Down Expand Up @@ -128,6 +150,11 @@ public Integer schemaId() {
return schemaId;
}

@Override
public ManifestListFile manifestListFile() {
return manifestListFile;
}

private void cacheManifests(FileIO fileIO) {
if (fileIO == null) {
throw new IllegalArgumentException("Cannot cache changes: FileIO is null");
Expand All @@ -143,7 +170,7 @@ private void cacheManifests(FileIO fileIO) {

if (allManifests == null) {
// if manifests isn't set, then the snapshotFile is set and should be read to get the list
this.allManifests = ManifestLists.read(fileIO.newInputFile(manifestListLocation));
this.allManifests = ManifestLists.read(fileIO.newInputFile(manifestListFile));
}

if (dataManifests == null || deleteManifests == null) {
Expand Down Expand Up @@ -216,7 +243,7 @@ public Iterable<DeleteFile> removedDeleteFiles(FileIO fileIO) {

@Override
public String manifestListLocation() {
return manifestListLocation;
return manifestListFile.location();
}

private void cacheDeleteFileChanges(FileIO fileIO) {
Expand Down Expand Up @@ -317,7 +344,7 @@ public String toString() {
.add("timestamp_ms", timestampMillis)
.add("operation", operation)
.add("summary", summary)
.add("manifest-list", manifestListLocation)
.add("manifest-list", manifestListFile.location())
.add("schema-id", schemaId)
.toString();
}
Expand Down
6 changes: 6 additions & 0 deletions core/src/main/java/org/apache/iceberg/CatalogProperties.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,4 +160,10 @@ private CatalogProperties() {}

public static final String ENCRYPTION_KMS_TYPE = "encryption.kms-type";
public static final String ENCRYPTION_KMS_IMPL = "encryption.kms-impl";
public static final String WRITER_KEK_TIMEOUT_SEC = "encryption.kek-timeout-sec";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid using kek because it is not clear. Is there a good term for the key you're referring to here?

Copy link
Contributor Author

@ggershinsky ggershinsky Sep 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we have a reasonably well defined value of this parameter in the NIST spec, maybe we don't need to make it configurable in an initial version of table encryption. This parameter is also not easy to explain. So I'll remove this from the CatalogProperties for now. If, for some reason, a requirement comes later to make this configurable, we can add this back, with a proper name and documentation.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds great!


/**
* Default time-out of key encryption keys. Per NIST SP 800-57 P1 R5 section 5.3.6, set to 1 week.
*/
public static final long WRITER_KEK_TIMEOUT_SEC_DEFAULT = TimeUnit.DAYS.toSeconds(7);
}
Loading