Package org.apache.parquet.crypto.keytools

Class LocalWrapKmsClient

java.lang.Object

org.apache.parquet.crypto.keytools.LocalWrapKmsClient

All Implemented Interfaces:

KmsClient

public abstract class LocalWrapKmsClient
extends Object
implements KmsClient

Typically, KMS systems support in-server key wrapping. Their clients should implement KmsClient interface directly. An extension of the LocalWrapKmsClient class should used only in rare situations where in-server wrapping is not supported. The wrapping will be done locally then - the MEKs will be fetched from the KMS server via the getMasterKeyFromServer function, and used to encrypt a DEK or KEK inside the LocalWrapKmsClient code. Note: master key rotation is not supported with local wrapping.

Field Summary

Fields

Modifier and Type	Field	Description
protected org.apache.hadoop.conf.Configuration	hadoopConfiguration
protected String	kmsInstanceID
protected String	kmsInstanceURL
protected String	kmsToken
static String	LOCAL_WRAP_NO_KEY_VERSION

Fields inherited from interface org.apache.parquet.crypto.keytools.KmsClient

KEY_ACCESS_TOKEN_DEFAULT, KMS_INSTANCE_ID_DEFAULT, KMS_INSTANCE_URL_DEFAULT

Constructor Summary

Constructors

Constructor	Description
LocalWrapKmsClient()

Method Summary

Modifier and Type	Method	Description
protected abstract byte[]	getMasterKeyFromServer(String masterKeyIdentifier)	Get master key from the remote KMS server.
void	initialize(org.apache.hadoop.conf.Configuration configuration, String kmsInstanceID, String kmsInstanceURL, String accessToken)	Pass configuration with KMS-specific parameters.
protected abstract void	initializeInternal()	Pass configuration with KMS-specific parameters.
byte[]	unwrapKey(String wrappedKey, String masterKeyIdentifier)	Decrypts (unwraps) a key with the master key.
String	wrapKey(byte[] key, String masterKeyIdentifier)	Wraps a key - encrypts it with the master key, encodes the result and potentially adds a KMS-specific metadata.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOCAL_WRAP_NO_KEY_VERSION

public static final String LOCAL_WRAP_NO_KEY_VERSION

See Also:

Constant Field Values

kmsInstanceID

protected String kmsInstanceID

kmsInstanceURL

protected String kmsInstanceURL

kmsToken

protected String kmsToken

hadoopConfiguration

protected org.apache.hadoop.conf.Configuration hadoopConfiguration

Constructor Detail

LocalWrapKmsClient

public LocalWrapKmsClient()

Method Detail

initialize

public void initialize(org.apache.hadoop.conf.Configuration configuration,
                       String kmsInstanceID,
                       String kmsInstanceURL,
                       String accessToken)

Description copied from interface: KmsClient

Pass configuration with KMS-specific parameters.

Specified by:

initialize in interface KmsClient

Parameters:

configuration - Hadoop configuration

kmsInstanceID - ID of the KMS instance handled by this KmsClient. Use the default value, for KMS systems that don't work with multiple instances.

kmsInstanceURL - URL of the KMS instance handled by this KmsClient. Use the default value, for KMS systems that don't work with URLs.

accessToken - KMS access (authorization) token. Use the default value, for KMS systems that don't work with tokens.

wrapKey

public String wrapKey(byte[] key,
                      String masterKeyIdentifier)
               throws KeyAccessDeniedException

Description copied from interface: KmsClient

Wraps a key - encrypts it with the master key, encodes the result and potentially adds a KMS-specific metadata. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Specified by:

wrapKey in interface KmsClient

Parameters:

key - : key bytes to be wrapped

masterKeyIdentifier - : a string that uniquely identifies the master key in a KMS instance

Returns:

wrapped key

Throws:

KeyAccessDeniedException - unauthorized to encrypt with the given master key

unwrapKey

public byte[] unwrapKey(String wrappedKey,
                        String masterKeyIdentifier)
                 throws KeyAccessDeniedException

Description copied from interface: KmsClient

Decrypts (unwraps) a key with the master key. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Specified by:

unwrapKey in interface KmsClient

Parameters:

wrappedKey - String produced by wrapKey operation

masterKeyIdentifier - : a string that uniquely identifies the master key in a KMS instance

Returns:

unwrapped key bytes

Throws:

KeyAccessDeniedException - unauthorized to unwrap with the given master key

getMasterKeyFromServer

protected abstract byte[] getMasterKeyFromServer(String masterKeyIdentifier)
                                          throws KeyAccessDeniedException

Get master key from the remote KMS server. If your KMS client code throws runtime exceptions related to access/permission problems (such as Hadoop AccessControlException), catch them and throw the KeyAccessDeniedException.

Parameters:

masterKeyIdentifier - : a string that uniquely identifies the master key in a KMS instance

Returns:

master key bytes

Throws:

KeyAccessDeniedException - unauthorized to get the master key

initializeInternal

protected abstract void initializeInternal()
                                    throws KeyAccessDeniedException

Pass configuration with KMS-specific parameters.

Throws:

KeyAccessDeniedException