]>
Commit | Line | Data |
---|---|---|
1d09f67e TL |
1 | // Licensed to the Apache Software Foundation (ASF) under one |
2 | // or more contributor license agreements. See the NOTICE file | |
3 | // distributed with this work for additional information | |
4 | // regarding copyright ownership. The ASF licenses this file | |
5 | // to you under the Apache License, Version 2.0 (the | |
6 | // "License"); you may not use this file except in compliance | |
7 | // with the License. You may obtain a copy of the License at | |
8 | // | |
9 | // http://www.apache.org/licenses/LICENSE-2.0 | |
10 | // | |
11 | // Unless required by applicable law or agreed to in writing, | |
12 | // software distributed under the License is distributed on an | |
13 | // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
14 | // KIND, either express or implied. See the License for the | |
15 | // specific language governing permissions and limitations | |
16 | // under the License. | |
17 | ||
18 | #pragma once | |
19 | ||
20 | #include <string> | |
21 | ||
22 | #include "parquet/platform.h" | |
23 | ||
24 | namespace arrow { | |
25 | namespace json { | |
26 | namespace internal { | |
27 | class ObjectParser; | |
28 | } // namespace internal | |
29 | } // namespace json | |
30 | } // namespace arrow | |
31 | ||
32 | namespace parquet { | |
33 | namespace encryption { | |
34 | ||
35 | // KeyMaterial class represents the "key material", keeping the information that allows | |
36 | // readers to recover an encryption key (see description of the KeyMetadata class). The | |
37 | // keytools package (PARQUET-1373) implements the "envelope encryption" pattern, in a | |
38 | // "single wrapping" or "double wrapping" mode. In the single wrapping mode, the key | |
39 | // material is generated by encrypting the "data encryption key" (DEK) by a "master key". | |
40 | // In the double wrapping mode, the key material is generated by encrypting the DEK by a | |
41 | // "key encryption key" (KEK), that in turn is encrypted by a "master key". | |
42 | // | |
43 | // Key material is kept in a flat json object, with the following fields: | |
44 | // 1. "keyMaterialType" - a String, with the type of key material. In the current | |
45 | // version, only one value is allowed - "PKMT1" (stands | |
46 | // for "parquet key management tools, version 1"). For external key material storage, | |
47 | // this field is written in both "key metadata" and "key material" jsons. For internal | |
48 | // key material storage, this field is written only once in the common json. | |
49 | // 2. "isFooterKey" - a boolean. If true, means that the material belongs to a file footer | |
50 | // key, and keeps additional information (such as | |
51 | // KMS instance ID and URL). If false, means that the material belongs to a column | |
52 | // key. | |
53 | // 3. "kmsInstanceID" - a String, with the KMS Instance ID. Written only in footer key | |
54 | // material. | |
55 | // 4. "kmsInstanceURL" - a String, with the KMS Instance URL. Written only in footer key | |
56 | // material. | |
57 | // 5. "masterKeyID" - a String, with the ID of the master key used to generate the | |
58 | // material. | |
59 | // 6. "wrappedDEK" - a String, with the wrapped DEK (base64 encoding). | |
60 | // 7. "doubleWrapping" - a boolean. If true, means that the material was generated in | |
61 | // double wrapping mode. | |
62 | // If false - in single wrapping mode. | |
63 | // 8. "keyEncryptionKeyID" - a String, with the ID of the KEK used to generate the | |
64 | // material. Written only in double wrapping mode. | |
65 | // 9. "wrappedKEK" - a String, with the wrapped KEK (base64 encoding). Written only in | |
66 | // double wrapping mode. | |
67 | class PARQUET_EXPORT KeyMaterial { | |
68 | public: | |
69 | // these fields are defined in a specification and should never be changed | |
70 | static constexpr const char kKeyMaterialTypeField[] = "keyMaterialType"; | |
71 | static constexpr const char kKeyMaterialType1[] = "PKMT1"; | |
72 | ||
73 | static constexpr const char kFooterKeyIdInFile[] = "footerKey"; | |
74 | static constexpr const char kColumnKeyIdInFilePrefix[] = "columnKey"; | |
75 | ||
76 | static constexpr const char kIsFooterKeyField[] = "isFooterKey"; | |
77 | static constexpr const char kDoubleWrappingField[] = "doubleWrapping"; | |
78 | static constexpr const char kKmsInstanceIdField[] = "kmsInstanceID"; | |
79 | static constexpr const char kKmsInstanceUrlField[] = "kmsInstanceURL"; | |
80 | static constexpr const char kMasterKeyIdField[] = "masterKeyID"; | |
81 | static constexpr const char kWrappedDataEncryptionKeyField[] = "wrappedDEK"; | |
82 | static constexpr const char kKeyEncryptionKeyIdField[] = "keyEncryptionKeyID"; | |
83 | static constexpr const char kWrappedKeyEncryptionKeyField[] = "wrappedKEK"; | |
84 | ||
85 | public: | |
86 | KeyMaterial() = default; | |
87 | ||
88 | static KeyMaterial Parse(const std::string& key_material_string); | |
89 | ||
90 | static KeyMaterial Parse( | |
91 | const ::arrow::json::internal::ObjectParser* key_material_json); | |
92 | ||
93 | /// This method returns a json string that will be stored either inside a parquet file | |
94 | /// or in a key material store outside the parquet file. | |
95 | static std::string SerializeToJson(bool is_footer_key, | |
96 | const std::string& kms_instance_id, | |
97 | const std::string& kms_instance_url, | |
98 | const std::string& master_key_id, | |
99 | bool is_double_wrapped, const std::string& kek_id, | |
100 | const std::string& encoded_wrapped_kek, | |
101 | const std::string& encoded_wrapped_dek, | |
102 | bool is_internal_storage); | |
103 | ||
104 | bool is_footer_key() const { return is_footer_key_; } | |
105 | bool is_double_wrapped() const { return is_double_wrapped_; } | |
106 | const std::string& master_key_id() const { return master_key_id_; } | |
107 | const std::string& wrapped_dek() const { return encoded_wrapped_dek_; } | |
108 | const std::string& kek_id() const { return kek_id_; } | |
109 | const std::string& wrapped_kek() const { return encoded_wrapped_kek_; } | |
110 | const std::string& kms_instance_id() const { return kms_instance_id_; } | |
111 | const std::string& kms_instance_url() const { return kms_instance_url_; } | |
112 | ||
113 | private: | |
114 | KeyMaterial(bool is_footer_key, const std::string& kms_instance_id, | |
115 | const std::string& kms_instance_url, const std::string& master_key_id, | |
116 | bool is_double_wrapped, const std::string& kek_id, | |
117 | const std::string& encoded_wrapped_kek, | |
118 | const std::string& encoded_wrapped_dek); | |
119 | ||
120 | bool is_footer_key_; | |
121 | std::string kms_instance_id_; | |
122 | std::string kms_instance_url_; | |
123 | std::string master_key_id_; | |
124 | bool is_double_wrapped_; | |
125 | std::string kek_id_; | |
126 | std::string encoded_wrapped_kek_; | |
127 | std::string encoded_wrapped_dek_; | |
128 | }; | |
129 | ||
130 | } // namespace encryption | |
131 | } // namespace parquet |