org.apache.parquet.crypto.keytools

Class RemoteKmsClient

java.lang.Object

org.apache.parquet.crypto.keytools.RemoteKmsClient

All Implemented Interfaces:

KmsClient

public abstract class RemoteKmsClient
extends Object
implements KmsClient

Field Summary

Fields

Modifier and Type	Field and Description
protected org.apache.hadoop.conf.Configuration	hadoopConfiguration
protected boolean	isDefaultToken
protected Boolean	isWrapLocally
protected String	kmsInstanceID
protected String	kmsInstanceURL
protected String	kmsToken
static String	LOCAL_WRAP_NO_KEY_VERSION

Fields inherited from interface org.apache.parquet.crypto.keytools.KmsClient

KEY_ACCESS_TOKEN_DEFAULT, KMS_INSTANCE_ID_DEFAULT, KMS_INSTANCE_URL_DEFAULT

Constructor Summary

Constructors

Constructor and Description
RemoteKmsClient()

Method Summary

Modifier and Type	Method and Description
protected abstract byte[]	getMasterKeyFromServer(String masterKeyIdentifier) Get master key from the remote KMS server.
void	initialize(org.apache.hadoop.conf.Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken) Pass configuration with KMS-specific parameters.
protected abstract void	initializeInternal() Pass configuration with KMS-specific parameters.
byte[]	unwrapKey(String wrappedKey, String masterKeyIdentifier) Decrypts (unwraps) a key with the master key.
protected abstract byte[]	unwrapKeyInServer(String wrappedKey, String masterKeyIdentifier) Unwrap a key with the master key in the remote KMS server.
String	wrapKey(byte[] key, String masterKeyIdentifier) Wraps a key - encrypts it with the master key, encodes the result and potentially adds a KMS-specific metadata.
protected abstract String	wrapKeyInServer(byte[] keyBytes, String masterKeyIdentifier) Wrap a key with the master key in the remote KMS server.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOCAL_WRAP_NO_KEY_VERSION

public static final String LOCAL_WRAP_NO_KEY_VERSION

See Also:

Constant Field Values

kmsInstanceID

protected String kmsInstanceID

kmsInstanceURL

protected String kmsInstanceURL

kmsToken

protected String kmsToken

isWrapLocally

protected Boolean isWrapLocally

hadoopConfiguration

protected org.apache.hadoop.conf.Configuration hadoopConfiguration

isDefaultToken

protected boolean isDefaultToken

Constructor Detail

RemoteKmsClient

public RemoteKmsClient()

Method Detail

initialize

public void initialize(org.apache.hadoop.conf.Configuration configuration,
                       String kmsInstanceID,
                       String kmsInstanceURL,
                       String accessToken)

Description copied from interface: KmsClient

Pass configuration with KMS-specific parameters.

Specified by:

initialize in interface KmsClient

Parameters:

configuration - Hadoop configuration

kmsInstanceID - ID of the KMS instance handled by this KmsClient. Use the default value, for KMS systems that don't work with multiple instances.

kmsInstanceURL - URL of the KMS instance handled by this KmsClient. Use the default value, for KMS systems that don't work with URLs.

accessToken - KMS access (authorization) token. Use the default value, for KMS systems that don't work with tokens.

wrapKey

public String wrapKey(byte[] key,
                      String masterKeyIdentifier)
               throws KeyAccessDeniedException

Description copied from interface: KmsClient

Wraps a key - encrypts it with the master key, encodes the result and potentially adds a KMS-specific metadata. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Specified by:

wrapKey in interface KmsClient

Returns:

wrapped key

Throws:

KeyAccessDeniedException - unauthorized to encrypt with the given master key

unwrapKey

public byte[] unwrapKey(String wrappedKey,
                        String masterKeyIdentifier)
                 throws KeyAccessDeniedException

Description copied from interface: KmsClient

Decrypts (unwraps) a key with the master key. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Specified by:

unwrapKey in interface KmsClient

Parameters:

wrappedKey - String produced by wrapKey operation

Returns:

unwrapped key bytes

Throws:

KeyAccessDeniedException - unauthorized to unwrap with the given master key

wrapKeyInServer

protected abstract String wrapKeyInServer(byte[] keyBytes,
                                          String masterKeyIdentifier)
                                   throws KeyAccessDeniedException,
                                          UnsupportedOperationException

Wrap a key with the master key in the remote KMS server. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Parameters:

keyBytes: - key bytes to be wrapped

masterKeyIdentifier: - a string that uniquely identifies the master key in a KMS instance

Returns:

wrappedKey: Encrypts key bytes with the master key, encodes the result and potentially adds a KMS-specific metadata.

Throws:

KeyAccessDeniedException - unauthorized to encrypt with the given master key

UnsupportedOperationException - KMS does not support in-server wrapping

unwrapKeyInServer

protected abstract byte[] unwrapKeyInServer(String wrappedKey,
                                            String masterKeyIdentifier)
                                     throws KeyAccessDeniedException,
                                            UnsupportedOperationException

Unwrap a key with the master key in the remote KMS server. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Parameters:

wrappedKey - String produced by wrapKey operation

masterKeyIdentifier: - a string that uniquely identifies the master key in a KMS instance

Returns:

key bytes

Throws:

KeyAccessDeniedException - unauthorized to unwrap with the given master key

UnsupportedOperationException - KMS does not support in-server unwrapping

getMasterKeyFromServer

protected abstract byte[] getMasterKeyFromServer(String masterKeyIdentifier)
                                          throws KeyAccessDeniedException,
                                                 UnsupportedOperationException

Get master key from the remote KMS server. Required only for local wrapping. No need to implement if KMS supports in-server wrapping/unwrapping. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Parameters:

masterKeyIdentifier: - a string that uniquely identifies the master key in a KMS instance

Returns:

master key bytes

Throws:

KeyAccessDeniedException - unauthorized to get the master key

UnsupportedOperationException - If not implemented, or KMS does not support key fetching

initializeInternal

protected abstract void initializeInternal()
                                    throws KeyAccessDeniedException

Pass configuration with KMS-specific parameters.

Throws:

KeyAccessDeniedException