mrendi29 commented on code in PR #16075: URL: https://github.com/apache/iceberg/pull/16075#discussion_r3182941198
########## hashicorp/src/main/java/org/apache/iceberg/hashicorp/VaultKeyManagementClient.java: ########## 
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.hashicorp;
+
+import java.io.Closeable;
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Map;
+import org.apache.iceberg.encryption.KeyManagementClient;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+import org.apache.iceberg.relocated.com.google.common.base.Strings;
+import org.apache.iceberg.util.SerializableMap;
+
+/**
+ * KMS client implementation using HashiCorp Vault Transit secrets engine with AppRole
+ * authentication.
+ */
+public class VaultKeyManagementClient implements KeyManagementClient, Closeable {
+ @SuppressWarnings("unused")
+ private SerializableMap<String, String> properties;
+
+ private String vaultAddress;
+ private String transitMount;
+ private String appRolePath;
+ private String appRoleId;
+ private String appSecretId;
+ private boolean rotateToken;
+
+ private transient volatile String vaultToken;
+ private transient volatile long tokenExpiry;
+ private transient volatile VaultClient client;
+
+ @Override
+ public void initialize(Map<String, String> newProperties) {
+ this.properties = SerializableMap.copyOf(newProperties);
+
+ vaultAddress = newProperties.get(VaultProperties.VAULT_ADDRESS_PROP);
+ Preconditions.checkArgument(
+ !Strings.isNullOrEmpty(vaultAddress),
+ "%s must be set in newProperties",
+ VaultProperties.VAULT_ADDRESS_PROP);
+
+ transitMount = newProperties.getOrDefault(VaultProperties.VAULT_TRANSIT_MOUNT_PROP, "transit");
+ appRolePath = newProperties.getOrDefault(VaultProperties.VAULT_APPROLE_PATH_PROP, "approle");
+ rotateToken =
+ Boolean.parseBoolean(
+ newProperties.getOrDefault(VaultProperties.VAULT_ROTATE_TOKEN_PROP, "false"));
+
+ String configuredVaultToken = newProperties.get(VaultProperties.VAULT_TOKEN_PROP);
+ appRoleId = newProperties.get(VaultProperties.VAULT_ROLE_ID_PROP);
+ appSecretId = newProperties.get(VaultProperties.VAULT_SECRET_ID_PROP);
Review Comment: What are your thoughts about using an env var instead of explicitly specifying secretID in the config? I believe this would be beneficial for folks who use [ spark-operator in k8s ](https://www.kubeflow.org/docs/components/spark-operator/user-guide/writing-sparkapplication/#specifying-spark-configuration) and would not like sensitive credentials to live in the spark config. Internally we also grab the secretID from an environment variable to avoid this.
########## hashicorp/src/main/java/org/apache/iceberg/hashicorp/VaultClient.java: ##########
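Review bot: `properties` keeps a `SerializableMap` copy of the entire configuration, including `VAULT_SECRET_ID_PROP` and `VAULT_TOKEN_PROP`, in a non-transient field that is annotated `@SuppressWarnings("unused")`, so every serialized copy of this client carries the raw credentials even though nothing reads them; the `transient` on `vaultToken` and `client` suggests Java serialization of this object is expected. If the map really is unused, drop the field and the `this.properties = SerializableMap.copyOf(newProperties);` line; if it has to stay, make it `private transient` so the credentials do not travel with the object. `appRoleId` and `appSecretId` are likewise non-transient, which may be deliberate so that a deserialized copy can log in on its own, but that choice is invisible here and deserves a comment such as `// RoleID/SecretID are serialized on purpose: remote copies must be able to re-authenticate`. The `initialize` method continues past the end of this hunk, so whether a missing token/AppRole pair is rejected cannot be judged from here.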
@@ -0,0 +1,221 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.iceberg.hashicorp;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.util.OptionalLong;
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.protocol.HttpClientContext;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.ParseException;
+import org.apache.hc.core5.http.io.HttpClientResponseHandler;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.apache.hc.core5.http.io.entity.StringEntity;
+import org.apache.iceberg.relocated.com.google.common.base.Preconditions;
+
+/**
+ * HTTP client for interacting with HashiCorp Vault REST API.
+ *
+ * @see <a href=https://developer.hashicorp.com/vault/api-docs>HashiCorp Vault HTTP API</a>
+ */
+class VaultClient implements Closeable {
+ private static final ObjectMapper MAPPER = new ObjectMapper();
+ private static final String VAULT_TOKEN_HEADER = "X-Vault-Token";
+
+ private final String address;
+ private final String transitMount;
+ private final String appRolePath;
+
+ private transient volatile CloseableHttpClient httpClient;
+
+ VaultClient(String address, String transitMount, String appRolePath) {
+ this.address = address;
+ this.transitMount = transitMount;
+ this.appRolePath = appRolePath;
+ }
+
+ AuthResult authenticate(String roleId, String secretId) {
+ ObjectNode requestBody = MAPPER.createObjectNode();
+ requestBody.put("role_id", roleId);
+ requestBody.put("secret_id", secretId);
+
+ JsonNode response = post("/v1/auth/" + appRolePath + "/login", null, requestBody);
+ JsonNode authNode = response.get("auth");
+ if (authNode == null) {
+ throw new RuntimeException("Failed to authenticate: no auth section in response");
+ }
+
+ String clientToken = authNode.get("client_token").asText();
+ OptionalLong leaseDuration =
+ authNode.has("lease_duration")
+ ?
OptionalLong.of(authNode.get("lease_duration").asLong())
+ : OptionalLong.empty();
+ return new AuthResult(clientToken, leaseDuration);
+ }
+
+ String encrypt(String vaultToken, String wrappingKeyId, String plaintext) {
+ ObjectNode requestBody = MAPPER.createObjectNode();
+ requestBody.put("plaintext", plaintext);
+
+ JsonNode response =
+ post("/v1/" + transitMount + "/encrypt/" + wrappingKeyId, vaultToken, requestBody);
+
+ JsonNode dataNode = response.get("data");
+ if (dataNode == null || !dataNode.has("ciphertext")) {
+ throw new RuntimeException("Failed to wrap key: no ciphertext returned");
+ }
+
+ return dataNode.get("ciphertext").asText();
+ }
+
+ String decrypt(String vaultToken, String wrappingKeyId, String ciphertext) {
+ ObjectNode requestBody = MAPPER.createObjectNode();
+ requestBody.put("ciphertext", ciphertext);
+
+ JsonNode response =
+ post("/v1/" + transitMount + "/decrypt/" + wrappingKeyId, vaultToken, requestBody);
+
+ JsonNode dataNode = response.get("data");
+ if (dataNode == null || !dataNode.has("plaintext")) {
+ throw new RuntimeException("Failed to unwrap key: no plaintext returned");
+ }
+
+ return dataNode.get("plaintext").asText();
+ }
+
+ DataKey generateKey(String vaultToken, String wrappingKeyId) {
+ ObjectNode requestBody = MAPPER.createObjectNode();
+
+ JsonNode response =
+ post(
+ "/v1/" + transitMount + "/datakey/plaintext/" + wrappingKeyId, vaultToken, requestBody);
+
+ JsonNode dataNode = response.get("data");
+ if (dataNode == null || !dataNode.has("plaintext") || !dataNode.has("ciphertext")) {
+ throw new RuntimeException("Failed to generate key: missing plaintext or ciphertext");
+ }
+
+ String plaintext = dataNode.get("plaintext").asText();
+ String ciphertext = dataNode.get("ciphertext").asText();
+ return new DataKey(plaintext, ciphertext);
+ }
+
+ private JsonNode post(String path, String token, ObjectNode requestBody) {
+ HttpPost request = new HttpPost(address + path);
+ if (token != null) {
+ 
request.setHeader(VAULT_TOKEN_HEADER, token);
+ }
+
+ try {
+ request.setEntity(
+ new StringEntity(MAPPER.writeValueAsString(requestBody), ContentType.APPLICATION_JSON));
+ } catch (IOException e) {
+ throw new UncheckedIOException("Failed to serialize request body", e);
+ }
+
+ try {
+ return httpClient().execute(request, HttpClientContext.create(), new VaultResponseHandler());
+ } catch (IOException e) {
+ throw new UncheckedIOException("Failed to execute Vault request to " + path, e);
+ }
+ }
+
+ private static class VaultResponseHandler implements HttpClientResponseHandler<JsonNode> {
+ @Override
+ public JsonNode handleResponse(ClassicHttpResponse response) {
+ int statusCode = response.getCode();
+ Preconditions.checkState(statusCode == 200, "Status must be 200: %d", statusCode);
+
+ try {
+ String responseBody = EntityUtils.toString(response.getEntity());
+ return MAPPER.readTree(responseBody);
+ } catch (ParseException e) {
+ throw new RuntimeException("Failed to parse Vault error response", e);
+ } catch (IOException e) {
+ throw new UncheckedIOException("Failed to read response", e);
+ }
+ }
+ }
+
+ private CloseableHttpClient httpClient() {
+ if (httpClient == null) {
+ synchronized (this) {
+ if (httpClient == null) {
+ httpClient = HttpClients.createDefault();
Review Comment: WDYT about also allowing clients to configure SSL config in the http client? There may be folks who do a mTLS vault deployment or who need to trust their vault deployment's CA. I believe the bettercloud vault had a similar solution: https://github.com/BetterCloud/vault-java-driver/blob/master/src/main/java/com/bettercloud/vault/SslConfig.java#L44 I am trying to find if such a thing is also possible with the apache http client
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
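Review bot: In `VaultResponseHandler.handleResponse`, `Preconditions.checkState(statusCode == 200, "Status must be 200: %d", statusCode)` uses a `%d` placeholder, but Guava's `Preconditions` substitutes only `%s`, so a failure reads `Status must be 200: %d [403]` instead of a formatted code. The check also fires before the entity is read, so Vault's `{"errors":[...]}` body — the only thing that tells `permission denied` apart from a wrong transit mount or a missing key name — is thrown away, even though the `ParseException` branch below is labelled as handling an error response. Read the body first and put both the status and the body in the failure; the token is only ever sent in the request header and is not echoed back by Vault, so surfacing the body does not leak it.
```java
public JsonNode handleResponse(ClassicHttpResponse response) {
  int statusCode = response.getCode();
  try {
    // Read before checking the status: on failure Vault answers with {"errors":[...]},
    // which is the actionable detail; the client token is never part of the response.
    String responseBody = EntityUtils.toString(response.getEntity());
    Preconditions.checkState(
        statusCode == 200, "Vault request failed with status %s: %s", statusCode, responseBody);
    return MAPPER.readTree(responseBody);
  } catch (ParseException e) {
    // … unchanged: ParseException / IOException handling …
```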
