org.apache.parquet.crypto.keytools

Interface KmsClient

All Known Implementing Classes:

LocalWrapKmsClient

public interface KmsClient

Field Summary

Fields

Modifier and Type	Field and Description
static String	KEY_ACCESS_TOKEN_DEFAULT
static String	KMS_INSTANCE_ID_DEFAULT
static String	KMS_INSTANCE_URL_DEFAULT

Method Summary

Modifier and Type	Method and Description
void	initialize(org.apache.hadoop.conf.Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken) Pass configuration with KMS-specific parameters.
byte[]	unwrapKey(String wrappedKey, String masterKeyIdentifier) Decrypts (unwraps) a key with the master key.
String	wrapKey(byte[] keyBytes, String masterKeyIdentifier) Wraps a key - encrypts it with the master key, encodes the result and potentially adds a KMS-specific metadata.

Field Detail

KMS_INSTANCE_ID_DEFAULT

static final String KMS_INSTANCE_ID_DEFAULT

See Also:

Constant Field Values

KMS_INSTANCE_URL_DEFAULT

static final String KMS_INSTANCE_URL_DEFAULT

See Also:

Constant Field Values

KEY_ACCESS_TOKEN_DEFAULT

static final String KEY_ACCESS_TOKEN_DEFAULT

See Also:

Constant Field Values

Method Detail

initialize

void initialize(org.apache.hadoop.conf.Configuration configuration,
                String kmsInstanceID,
                String kmsInstanceURL,
                String accessToken)
         throws KeyAccessDeniedException

Pass configuration with KMS-specific parameters.

Parameters:

configuration - Hadoop configuration

kmsInstanceID - ID of the KMS instance handled by this KmsClient. Use the default value, for KMS systems that don't work with multiple instances.

kmsInstanceURL - URL of the KMS instance handled by this KmsClient. Use the default value, for KMS systems that don't work with URLs.

accessToken - KMS access (authorization) token. Use the default value, for KMS systems that don't work with tokens.

Throws:

KeyAccessDeniedException - unauthorized to initialize the KMS client

wrapKey

String wrapKey(byte[] keyBytes,
               String masterKeyIdentifier)
        throws KeyAccessDeniedException

Wraps a key - encrypts it with the master key, encodes the result and potentially adds a KMS-specific metadata.

If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Parameters:

keyBytes: - key bytes to be wrapped

masterKeyIdentifier: - a string that uniquely identifies the master key in a KMS instance

Returns:

wrapped key

Throws:

KeyAccessDeniedException - unauthorized to encrypt with the given master key

unwrapKey

byte[] unwrapKey(String wrappedKey,
                 String masterKeyIdentifier)
          throws KeyAccessDeniedException

Decrypts (unwraps) a key with the master key.

If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Parameters:

wrappedKey - String produced by wrapKey operation

masterKeyIdentifier: - a string that uniquely identifies the master key in a KMS instance

Returns:

unwrapped key bytes

Throws:

KeyAccessDeniedException - unauthorized to unwrap with the given master key