ARROW-9318: [C++] Parquet encryption key management

[thamht4190]

This PR is C++ implementation for parquet key tool, based on the Java implementation and the design doc.

The major parts of this PR are:

• higher level of encryption/decryption configuration, including key management configuration.
• KMS connection configuration
• Abstract class KmsClient, KmsClientFactory
• PropertiesDrivenCryptoFactory class to convert these above configurations to the lower level FileEncryptionProperties, FileDecryptionProperties
• unit test using InMemoryKms (an sample of KmsClient).

Comparing to Java version, this C++ pull doesn't contain externally storing key material using hadoop file system (only storing key material internally in parquet file is supported for now). The reason is lack of understanding about Hadoop file system, can be implemented it later in another pull.

Thanks!

[github-actions]

Thanks for opening a pull request!

Could you open an issue for this pull request on JIRA?
https://issues.apache.org/jira/browse/ARROW

Then could you also rename pull request title in the following format?

ARROW-${JIRA_ID}: [${COMPONENT}] ${SUMMARY}

See also:

• Other pull requests
• Contribution Guidelines - How to contribute patches

[github-actions]

https://issues.apache.org/jira/browse/ARROW-9318

[emkornfield]

I made some style comments but didn't flag every place that they were an issue. Please self review to fix (it also looks like you might need to run clang-format as the lint is failing).

I would expect additional tests around individual files and not just end-to-end tests (any place with non trivial implementations should probably have at least one or two tests. excercising of error conditions on json parsing I think would also be useful.

Another issue is thread-safey. It would be good to clarify which classes are expected/not-expected to be thread safe. For instance, I would at lease expect client caches to be thread safe but it doesn't look like they were implemented to be.

Also this PR is quite large is there any way that it could possibly be broken up into smaller units?

[pitrou]

Just a drive-by comment for now, but given the number of files added I think we should create a src/parquet/encryption subdirectory.

[thamht4190]

I fixed all the comments in this pull, can you please take a look? @emkornfield @pitrou @bkietz cc @ggershinsky

[pitrou]

Ok, I've pushed some updates to try and conform with coding conventions a bit more.

Some high-level comments:

• In general, I'm not particularly happy with the API (for example, why is the configuration mutated while in use?)
• There are some roundtrip tests but no tests with reference data; so there's no guarantee that this actually implements the spec faithfully
• I'm concerned that the crypto code isn't very mindful of safety (see https://issues.apache.org/jira/browse/PARQUET-1997); this PR builds on that and also seems to keep sensitive data around (decryption keys) in various places

I also don't have a personal interest in this currently and I recognize that the PR implements a useful functionality.
@ggershinsky @thamht4190 Do you plan to address some of these concerns in this PR? Otherwise, I may merge this and users of this code will have to be mindful of potential issues.

[ggershinsky]

@pitrou My personal preference is the latter - merging this pr and letting the users of this code to be mindful of potential issues. This is safer than proceeding with the current low-level interface work, which has many more security and other issues. When this pr is merged, it will unblock the users who'd create the high-level interface in Python and address the API point (I'll add a link to this thread in the Python design doc; the Python API is to be reviewed; the C++ API could be synced accordingly).

Regarding the second point - we'll be testing the interop with the Java counterpart, to make sure the spec is implemented properly. Regarding the third point, I think the code is safe, as per our discussion in that jira.

[pitrou]

As for testing, I'd still welcome unit tests with actual pieces of JSON as per the spec, but I won't insist on it here :-)

Last question: do we want to mark those APIs experimental so that we feel free to change them in the future?

[ggershinsky]

Thanks! Yep, I think it's a good idea to mark them as experimental, there is a chance they'll be updated in the course of the Python API work.

[emkornfield]

I also don't have a personal interest in this currently and I recognize that the PR implements a useful functionality.
@ggershinsky @thamht4190 Do you plan to address some of these concerns in this PR? Otherwise, I may merge this and users of this code will have to be mindful of potential issues.

I'll try to look tonight but this makes it sound like there are general concerns around quality here, and that doesn't seem like something we want to merge (especially if it is security related). If I get distracted and don't give feedback by monday, it is OK not to block on me.

[ggershinsky]

Thanks. To clarify - the security concerns I've mentioned above, relate to low level encryption, not to this pull request.

[pitrou]

@emkornfield Feel free to take a last look.

[emkornfield]

It looks like there are JSON changes in here? does this need a rebase?

[pitrou]

@emkornfield The JSON changes are expected, the encryption layer needs to parse and generate some JSON.

[emkornfield]

@emkornfield The JSON changes are expected, the encryption layer needs to parse and generate some JSON.

Ah right, I forgot, will start looking again.

[emkornfield]

Sorry didn't get a chance to look. @pitrou if you are comfortable with changes please go ahead and merge

[pitrou]

I'll merge then. Thank you @thamht4190 and @ggershinsky for contributing this!