thamht4190 commented on a change in pull request #8023: URL: https://github.com/apache/arrow/pull/8023#discussion_r498685819
########## File path: cpp/src/parquet/encryption/remote_kms_client.cc ########## @@ -0,0 +1,127 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +#include "arrow/json/object_parser.h" +#include "arrow/json/object_writer.h" + +#include "parquet/encryption/key_toolkit_internal.h" +#include "parquet/encryption/remote_kms_client.h" +#include "parquet/exception.h" + +using arrow::json::ObjectParser; +using arrow::json::ObjectWriter; + +namespace parquet { +namespace encryption { + +constexpr const char RemoteKmsClient::kLocalWrapNoKeyVersion[]; + +constexpr const char RemoteKmsClient::LocalKeyWrap::kLocalWrapKeyVersionField[]; +constexpr const char RemoteKmsClient::LocalKeyWrap::kLocalWrapEncryptedKeyField[]; + +RemoteKmsClient::LocalKeyWrap::LocalKeyWrap(const std::string& master_key_version, + const std::string& encrypted_encoded_key) + : encrypted_encoded_key_(encrypted_encoded_key), + master_key_version_(master_key_version) {} + +std::string RemoteKmsClient::LocalKeyWrap::CreateSerialized( + const std::string& encrypted_encoded_key) { + ObjectWriter json_writer; + + json_writer.SetString(kLocalWrapKeyVersionField, kLocalWrapNoKeyVersion); + json_writer.SetString(kLocalWrapEncryptedKeyField, encrypted_encoded_key); + + return json_writer.Serialize(); +} + +RemoteKmsClient::LocalKeyWrap RemoteKmsClient::LocalKeyWrap::Parse( + const std::string& wrapped_key) { + ObjectParser json_parser; + if (!json_parser.Parse(wrapped_key)) { + throw ParquetException("Failed to parse local key wrap json " + wrapped_key); + } + std::string master_key_version; + PARQUET_ASSIGN_OR_THROW(master_key_version, + json_parser.GetString(kLocalWrapKeyVersionField)); + + std::string encrypted_encoded_key; + PARQUET_ASSIGN_OR_THROW(encrypted_encoded_key, + json_parser.GetString(kLocalWrapEncryptedKeyField)); + + return RemoteKmsClient::LocalKeyWrap(master_key_version, encrypted_encoded_key); +} + +void RemoteKmsClient::Initialize(const KmsConnectionConfig& kms_connection_config, + bool is_wrap_locally) { + kms_connection_config_ = kms_connection_config; + is_wrap_locally_ = is_wrap_locally; + if (is_wrap_locally_) { + master_key_cache_.Clear(); + } + + is_default_token_ = + kms_connection_config_.key_access_token() == KmsClient::kKeyAccessTokenDefault; + + InitializeInternal(); +} + +std::string RemoteKmsClient::WrapKey(const std::string& key_bytes, + const std::string& master_key_identifier) { + if (is_wrap_locally_) { Review comment: Right @pitrou. I was over-thought. @ggershinsky Actually, as a C++ developer, when looking at `RemoteKmsClient` class implementation: * If I'm going to write in-server wrapping kms client, I can see that `RemoteKmsClient` doesn't help much (and also has a lot of local wrapping stuff), I may choose to write `MyRemoteKmsClient` which inherits from `KmsClient`, not `RemoteKmsClient`. There are 2 advantages I can see: reducing one level of inheritance and a lighter-weight class. * If I'm going to write local wrapping kms client, I still need to implement `WrapKeyInServer` and `UnwrapKeyInServer` (even I can let them empty methods). As you said to me, users are going to use either local wrapping or in-server wrapping in their system, not both at the same time. So current implementation of `RemoteKmsClient` doesn't really make sense to me. Will you reconsider at this point? ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
