Class LocalWrapKmsClient
java.lang.Object
  org.apache.parquet.crypto.keytools.LocalWrapKmsClient
- All Implemented Interfaces:
KmsClient
public abstract class LocalWrapKmsClient extends Object implements KmsClient
Typically, KMS systems support in-server key wrapping, and their clients should implement the KmsClient interface directly. An extension of the LocalWrapKmsClient class should be used only in the rare situations where in-server wrapping is not supported. The wrapping is then done locally: the master encryption keys (MEKs) are fetched from the KMS server via the getMasterKeyFromServer function and used inside the LocalWrapKmsClient code to encrypt a data encryption key (DEK) or key encryption key (KEK). This widens the trust boundary compared with in-server wrapping, because the MEK bytes leave the KMS and are held in the client process; anyone who can read that process's memory obtains the master key itself rather than only a wrapped DEK. Note: master key rotation is not supported with local wrapping.
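A minimal subclass, added here as an illustration and not code from parquet-mr: it keeps the master keys in the Hadoop configuration (standing in for the remote fetch), implements the two abstract hooks, validates key length before handing a key to the wrapper, and converts an access failure into KeyAccessDeniedException as the contract above requires. The package, class name and the property example.kms.master.keys are assumptions; the parquet-mr names used are LocalWrapKmsClient, the KmsClient default constants, KeyAccessDeniedException and the parquet.encryption.kms.client.class property, and it assumes org.apache.parquet:parquet-hadoop on the classpath.

```java
package example.kms; // hypothetical package for this added example

import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
import org.apache.parquet.crypto.KeyAccessDeniedException;
import org.apache.parquet.crypto.keytools.LocalWrapKmsClient;

/**
 * Example local-wrap client (not part of parquet-mr). Master keys are read from
 * the hypothetical property "example.kms.master.keys" in the form
 * "id1:base64key1,id2:base64key2". A real client would fetch them over the wire.
 */
public class ConfigBackedLocalWrapKmsClient extends LocalWrapKmsClient {
  static final String MASTER_KEYS_PROPERTY = "example.kms.master.keys"; // hypothetical name

  private Map<String, byte[]> masterKeys;

  @Override
  protected void initializeInternal() throws KeyAccessDeniedException {
    // hadoopConfiguration, kmsInstanceID, kmsInstanceURL and kmsToken are already set here.
    String list = hadoopConfiguration.getTrimmed(MASTER_KEYS_PROPERTY);
    if (list == null || list.isEmpty()) {
      throw new IllegalArgumentException("missing " + MASTER_KEYS_PROPERTY);
    }
    Map<String, byte[]> keys = new HashMap<>();
    for (String entry : list.split(",")) {
      String[] parts = entry.trim().split(":", 2);
      if (parts.length != 2) {
        throw new IllegalArgumentException("bad master key entry: " + entry);
      }
      byte[] key = Base64.getDecoder().decode(parts[1]);
      if (key.length != 16 && key.length != 24 && key.length != 32) {
        // Only AES key sizes are acceptable for a wrapping key.
        throw new IllegalArgumentException("master key " + parts[0] + " must be 128/192/256-bit");
      }
      keys.put(parts[0], key);
    }
    masterKeys = keys;
  }

  @Override
  protected byte[] getMasterKeyFromServer(String masterKeyIdentifier) throws KeyAccessDeniedException {
    try {
      // Return a copy so nothing outside this class can mutate our stored key bytes.
      return lookup(masterKeyIdentifier).clone();
    } catch (AccessControlException e) {
      // Contract: access/permission failures must surface as KeyAccessDeniedException.
      throw new KeyAccessDeniedException(e.getMessage());
    }
  }

  // Stand-in for the remote fetch; an unknown id plays the role of "not authorized".
  private byte[] lookup(String id) throws AccessControlException {
    byte[] key = masterKeys.get(id);
    if (key == null) {
      throw new AccessControlException("no access to master key " + id);
    }
    return key;
  }

  // Round trip with constructed keys: wrap a DEK, unwrap it, then hit the denial path.
  public static void main(String[] args) throws Exception {
    SecureRandom rng = new SecureRandom();
    byte[] mek = new byte[32];
    rng.nextBytes(mek);

    Configuration conf = new Configuration();
    conf.set(MASTER_KEYS_PROPERTY, "kf:" + Base64.getEncoder().encodeToString(mek));
    // Property Parquet reads to choose the KmsClient implementation.
    conf.set("parquet.encryption.kms.client.class", ConfigBackedLocalWrapKmsClient.class.getName());

    ConfigBackedLocalWrapKmsClient kms = new ConfigBackedLocalWrapKmsClient();
    kms.initialize(conf, KMS_INSTANCE_ID_DEFAULT, KMS_INSTANCE_URL_DEFAULT, KEY_ACCESS_TOKEN_DEFAULT);

    byte[] dek = new byte[16];
    rng.nextBytes(dek);
    String wrapped = kms.wrapKey(dek, "kf");
    byte[] unwrapped = kms.unwrapKey(wrapped, "kf");
    if (!Arrays.equals(dek, unwrapped)) {
      throw new AssertionError("round trip failed");
    }

    try {
      kms.unwrapKey(wrapped, "other"); // unknown id: fetch fails before any decryption
      throw new AssertionError("expected denial");
    } catch (KeyAccessDeniedException expected) {
      System.out.println("denied as expected: " + expected.getMessage());
    }
  }
}
```

Running main prints the denial message; the wrapped string is opaque to the caller and must be unwrapped with the same masterKeyIdentifier it was wrapped with. The key-length check lives in initializeInternal so a misconfigured key fails at startup rather than on the first write.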
Field Summary
Fields
protected org.apache.hadoop.conf.Configuration hadoopConfiguration
protected String kmsInstanceID
protected String kmsInstanceURL
protected String kmsToken
static String LOCAL_WRAP_NO_KEY_VERSION
Fields inherited from interface org.apache.parquet.crypto.keytools.KmsClient
KEY_ACCESS_TOKEN_DEFAULT, KMS_INSTANCE_ID_DEFAULT, KMS_INSTANCE_URL_DEFAULT
Constructor Summary
Constructors
LocalWrapKmsClient()
Method Summary
protected abstract byte[] getMasterKeyFromServer(String masterKeyIdentifier)
  Get master key from the remote KMS server.
void initialize(org.apache.hadoop.conf.Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken)
  Pass configuration with KMS-specific parameters.
protected abstract void initializeInternal()
  Hook for KMS-specific setup, called after initialize() has stored its parameters in the protected fields.
byte[] unwrapKey(String wrappedKey, String masterKeyIdentifier)
  Decrypts (unwraps) a key with the master key.
String wrapKey(byte[] key, String masterKeyIdentifier)
  Wraps a key: encrypts it with the master key, encodes the result and potentially adds KMS-specific metadata.
Field Detail
LOCAL_WRAP_NO_KEY_VERSION
public static final String LOCAL_WRAP_NO_KEY_VERSION
- See Also: Constant Field Values
kmsInstanceID
protected String kmsInstanceID
ID of the KMS instance handled by this client, as passed to initialize().
kmsInstanceURL
protected String kmsInstanceURL
URL of the KMS instance handled by this client, as passed to initialize().
kmsToken
protected String kmsToken
KMS access (authorization) token, as passed to initialize().
hadoopConfiguration
protected org.apache.hadoop.conf.Configuration hadoopConfiguration
Hadoop configuration passed to initialize().
Method Detail
initialize
public void initialize(org.apache.hadoop.conf.Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken)
Description copied from interface: KmsClient
Pass configuration with KMS-specific parameters.
- Specified by: initialize in interface KmsClient
- Parameters:
configuration - Hadoop configuration
kmsInstanceID - ID of the KMS instance handled by this KmsClient. Use the default value for KMS systems that don't work with multiple instances.
kmsInstanceURL - URL of the KMS instance handled by this KmsClient. Use the default value for KMS systems that don't work with URLs.
accessToken - KMS access (authorization) token. Use the default value for KMS systems that don't work with tokens.
wrapKey
public String wrapKey(byte[] key, String masterKeyIdentifier) throws KeyAccessDeniedException
Description copied from interface: KmsClient
Wraps a key: encrypts it with the master key, encodes the result and potentially adds KMS-specific metadata. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw KeyAccessDeniedException instead.
- Specified by: wrapKey in interface KmsClient
- Parameters:
key - key bytes to be wrapped
masterKeyIdentifier - a string that uniquely identifies the master key in a KMS instance
- Returns: wrapped key
- Throws:
KeyAccessDeniedException - unauthorized to encrypt with the given master key
unwrapKey
public byte[] unwrapKey(String wrappedKey, String masterKeyIdentifier) throws KeyAccessDeniedException
Description copied from interface: KmsClient
Decrypts (unwraps) a key with the master key. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw KeyAccessDeniedException instead.
- Specified by: unwrapKey in interface KmsClient
- Parameters:
wrappedKey - string produced by the wrapKey operation
masterKeyIdentifier - a string that uniquely identifies the master key in a KMS instance
- Returns: unwrapped key bytes
- Throws:
KeyAccessDeniedException - unauthorized to unwrap with the given master key
getMasterKeyFromServer
protected abstract byte[] getMasterKeyFromServer(String masterKeyIdentifier) throws KeyAccessDeniedException
Get master key from the remote KMS server. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw KeyAccessDeniedException instead.
- Parameters:
masterKeyIdentifier - a string that uniquely identifies the master key in a KMS instance
- Returns: master key bytes
- Throws:
KeyAccessDeniedException - unauthorized to get the master key
initializeInternal
protected abstract void initializeInternal() throws KeyAccessDeniedException
Hook for KMS-specific setup. It is invoked by initialize() after the kmsInstanceID, kmsInstanceURL, kmsToken and hadoopConfiguration fields have been set, so a subclass can read its own parameters from them here.
- Throws:
KeyAccessDeniedException - unauthorized to complete KMS-specific initialization