Move exchange encryption for FTE to the engine

core/trino-main/src/main/java/io/trino/FeaturesConfig.java

@@ -105,6 +105,8 @@ public class FeaturesConfig
     private boolean hideInaccessibleColumns;
     private boolean forceSpillingJoin;
 
+    private boolean faultTolerantExecutionExchangeEncryptionEnabled = true;
+
     public enum DataIntegrityVerification
     {
         NONE,
@@ -483,6 +485,18 @@ public FeaturesConfig setForceSpillingJoin(boolean forceSpillingJoin)
         return this;
     }
 
+    public boolean isFaultTolerantExecutionExchangeEncryptionEnabled()
+    {
+        return faultTolerantExecutionExchangeEncryptionEnabled;
+    }
+
+    @Config("fault-tolerant-execution.exchange-encryption-enabled")
+    public FeaturesConfig setFaultTolerantExecutionExchangeEncryptionEnabled(boolean faultTolerantExecutionExchangeEncryptionEnabled)
+    {
+        this.faultTolerantExecutionExchangeEncryptionEnabled = faultTolerantExecutionExchangeEncryptionEnabled;
+        return this;
+    }
+
     public void applyFaultTolerantExecutionDefaults()
     {
         exchangeCompressionEnabled = true;

core/trino-main/src/main/java/io/trino/Session.java

@@ -18,6 +18,7 @@
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Maps;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
+import io.airlift.slice.Slice;
 import io.airlift.units.DataSize;
 import io.airlift.units.Duration;
 import io.trino.client.ProtocolHeaders;
@@ -82,6 +83,7 @@ public final class Session
     private final SessionPropertyManager sessionPropertyManager;
     private final Map<String, String> preparedStatements;
     private final ProtocolHeaders protocolHeaders;
+    private final Optional<Slice> exchangeEncryptionKey;
 
     public Session(
             QueryId queryId,
@@ -106,7 +108,8 @@ public Session(
             Map<String, Map<String, String>> catalogProperties,
             SessionPropertyManager sessionPropertyManager,
             Map<String, String> preparedStatements,
-            ProtocolHeaders protocolHeaders)
+            ProtocolHeaders protocolHeaders,
+            Optional<Slice> exchangeEncryptionKey)
     {
         this.queryId = requireNonNull(queryId, "queryId is null");
         this.transactionId = requireNonNull(transactionId, "transactionId is null");
@@ -130,6 +133,7 @@ public Session(
         this.sessionPropertyManager = requireNonNull(sessionPropertyManager, "sessionPropertyManager is null");
         this.preparedStatements = requireNonNull(preparedStatements, "preparedStatements is null");
         this.protocolHeaders = requireNonNull(protocolHeaders, "protocolHeaders is null");
+        this.exchangeEncryptionKey = requireNonNull(exchangeEncryptionKey, "exchangeEncryptionKey is null");
 
         requireNonNull(catalogProperties, "catalogProperties is null");
         ImmutableMap.Builder<String, Map<String, String>> catalogPropertiesBuilder = ImmutableMap.builder();
@@ -284,6 +288,11 @@ public ProtocolHeaders getProtocolHeaders()
         return protocolHeaders;
     }
 
+    public Optional<Slice> getExchangeEncryptionKey()
+    {
+        return exchangeEncryptionKey;
+    }
+
     public Session beginTransactionId(TransactionId transactionId, TransactionManager transactionManager, AccessControl accessControl)
     {
         requireNonNull(transactionId, "transactionId is null");
@@ -346,7 +355,8 @@ public Session beginTransactionId(TransactionId transactionId, TransactionManage
                 connectorProperties.buildOrThrow(),
                 sessionPropertyManager,
                 preparedStatements,
-                protocolHeaders);
+                protocolHeaders,
+                exchangeEncryptionKey);
     }
 
     public Session withDefaultProperties(Map<String, String> systemPropertyDefaults, Map<String, Map<String, String>> catalogPropertyDefaults, AccessControl accessControl)
@@ -392,7 +402,38 @@ public Session withDefaultProperties(Map<String, String> systemPropertyDefaults,
                 catalogProperties,
                 sessionPropertyManager,
                 preparedStatements,
-                protocolHeaders);
+                protocolHeaders,
+                exchangeEncryptionKey);
+    }
+
+    public Session withExchangeEncryption(Slice encryptionKey)
+    {
+        checkState(exchangeEncryptionKey.isEmpty(), "exchangeEncryptionKey is already present");
+        return new Session(
+                queryId,
+                transactionId,
+                clientTransactionSupport,
+                identity,
+                source,
+                catalog,
+                schema,
+                path,
+                traceToken,
+                timeZoneKey,
+                locale,
+                remoteUserAddress,
+                userAgent,
+                clientInfo,
+                clientTags,
+                clientCapabilities,
+                resourceEstimates,
+                start,
+                systemProperties,
+                catalogProperties,
+                sessionPropertyManager,
+                preparedStatements,
+                protocolHeaders,
+                Optional.of(encryptionKey));
     }
 
     public ConnectorSession toConnectorSession()
@@ -832,7 +873,8 @@ public Session build()
                     catalogSessionProperties,
                     sessionPropertyManager,
                     preparedStatements,
-                    protocolHeaders);
+                    protocolHeaders,
+                    Optional.empty());
         }
     }
 

core/trino-main/src/main/java/io/trino/SessionRepresentation.java

@@ -17,6 +17,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import io.airlift.slice.Slice;
 import io.trino.metadata.SessionPropertyManager;
 import io.trino.spi.QueryId;
 import io.trino.spi.security.BasicPrincipal;
@@ -309,10 +310,10 @@ public Identity toIdentity(Map<String, String> extraCredentials)
 
     public Session toSession(SessionPropertyManager sessionPropertyManager)
     {
-        return toSession(sessionPropertyManager, emptyMap());
+        return toSession(sessionPropertyManager, emptyMap(), Optional.empty());
     }
 
-    public Session toSession(SessionPropertyManager sessionPropertyManager, Map<String, String> extraCredentials)
+    public Session toSession(SessionPropertyManager sessionPropertyManager, Map<String, String> extraCredentials, Optional<Slice> exchangeEncryptionKey)
     {
         return new Session(
                 new QueryId(queryId),
@@ -337,6 +338,7 @@ public Session toSession(SessionPropertyManager sessionPropertyManager, Map<Stri
                 catalogProperties,
                 sessionPropertyManager,
                 preparedStatements,
-                createProtocolHeaders(protocolName));
+                createProtocolHeaders(protocolName),
+                exchangeEncryptionKey);
     }
 }

core/trino-main/src/main/java/io/trino/dispatcher/LocalDispatchQueryFactory.java

@@ -16,6 +16,7 @@
 import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.ListeningExecutorService;
 import io.airlift.log.Logger;
+import io.trino.FeaturesConfig;
 import io.trino.Session;
 import io.trino.event.QueryMonitor;
 import io.trino.execution.ClusterSizeMonitor;
@@ -63,6 +64,7 @@ public class LocalDispatchQueryFactory
     private final Map<Class<? extends Statement>, QueryExecutionFactory<?>> executionFactories;
     private final WarningCollectorFactory warningCollectorFactory;
     private final ListeningExecutorService executor;
+    private final boolean faultTolerantExecutionExchangeEncryptionEnabled;
 
     @Inject
     public LocalDispatchQueryFactory(
@@ -75,7 +77,8 @@ public LocalDispatchQueryFactory(
             Map<Class<? extends Statement>, QueryExecutionFactory<?>> executionFactories,
             WarningCollectorFactory warningCollectorFactory,
             ClusterSizeMonitor clusterSizeMonitor,
-            DispatchExecutor dispatchExecutor)
+            DispatchExecutor dispatchExecutor,
+            FeaturesConfig featuresConfig)
     {
         this.queryManager = requireNonNull(queryManager, "queryManager is null");
         this.transactionManager = requireNonNull(transactionManager, "transactionManager is null");
@@ -87,6 +90,7 @@ public LocalDispatchQueryFactory(
         this.warningCollectorFactory = requireNonNull(warningCollectorFactory, "warningCollectorFactory is null");
         this.clusterSizeMonitor = requireNonNull(clusterSizeMonitor, "clusterSizeMonitor is null");
         this.executor = dispatchExecutor.getExecutor();
+        this.faultTolerantExecutionExchangeEncryptionEnabled = requireNonNull(featuresConfig, "featuresConfig is null").isFaultTolerantExecutionExchangeEncryptionEnabled();
     }
 
     @Override
@@ -112,7 +116,8 @@ public DispatchQuery createDispatchQuery(
                 executor,
                 metadata,
                 warningCollector,
-                getQueryType(preparedQuery.getStatement()));
+                getQueryType(preparedQuery.getStatement()),
+                faultTolerantExecutionExchangeEncryptionEnabled);
 
         // It is important that `queryCreatedEvent` is called here. Moving it past the `executor.submit` below
         // can result in delivering query-created event after query analysis has already started.

core/trino-main/src/main/java/io/trino/execution/QueryStateMachine.java

@@ -92,9 +92,12 @@
 import static io.trino.execution.QueryState.TERMINAL_QUERY_STATES;
 import static io.trino.execution.QueryState.WAITING_FOR_RESOURCES;
 import static io.trino.execution.StageInfo.getAllStages;
+import static io.trino.operator.RetryPolicy.TASK;
 import static io.trino.server.DynamicFilterService.DynamicFiltersStats;
 import static io.trino.spi.StandardErrorCode.NOT_FOUND;
 import static io.trino.spi.StandardErrorCode.USER_CANCELED;
+import static io.trino.util.Ciphers.createRandomAesEncryptionKey;
+import static io.trino.util.Ciphers.serializeAesEncryptionKey;
 import static io.trino.util.Failures.toFailure;
 import static java.util.Objects.requireNonNull;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
@@ -216,7 +219,8 @@ public static QueryStateMachine begin(
             Executor executor,
             Metadata metadata,
             WarningCollector warningCollector,
-            Optional<QueryType> queryType)
+            Optional<QueryType> queryType,
+            boolean faultTolerantExecutionExchangeEncryptionEnabled)
     {
         return beginWithTicker(
                 existingTransactionId,
@@ -232,7 +236,8 @@ public static QueryStateMachine begin(
                 Ticker.systemTicker(),
                 metadata,
                 warningCollector,
-                queryType);
+                queryType,
+                faultTolerantExecutionExchangeEncryptionEnabled);
     }
 
     static QueryStateMachine beginWithTicker(
@@ -249,7 +254,8 @@ static QueryStateMachine beginWithTicker(
             Ticker ticker,
             Metadata metadata,
             WarningCollector warningCollector,
-            Optional<QueryType> queryType)
+            Optional<QueryType> queryType,
+            boolean faultTolerantExecutionExchangeEncryptionEnabled)
     {
         // if there is an existing transaction, activate it
         existingTransactionId.ifPresent(transactionId -> {
@@ -270,6 +276,11 @@ static QueryStateMachine beginWithTicker(
             session = session.beginTransactionId(transactionId, transactionManager, accessControl);
         }
 
+        if (getRetryPolicy(session) == TASK && faultTolerantExecutionExchangeEncryptionEnabled) {
+            // encryption is mandatory for fault tolerant execution as it relies on an external storage to store intermediate data generated during an exchange
+            session = session.withExchangeEncryption(serializeAesEncryptionKey(createRandomAesEncryptionKey()));
+        }
+
         QueryStateMachine queryStateMachine = new QueryStateMachine(
                 query,
                 preparedQuery,