support rotating root keys in key manager

Author: Hastyshell

fe/fe-core/src/test/java/org/apache/doris/nereids/parser/NereidsParserTest.java

@@ -844,4 +844,21 @@ public void testLambdaJoin() {
                 .assertThrowsExactly(ParseException.class)
                 .assertMessageContains("mismatched input '->' expecting {<EOF>, ';'}");
     }
+
+    @Test
+    public void testAdminRotateTdeRootKey() {
+        NereidsParser nereidsParser = new NereidsParser();
+        String sql = "admin rotate tde root key";
+        nereidsParser.parseSingle(sql);
+
+        sql = "admin rotate tde root key properties(\"k\" = \"v\")";
+        nereidsParser.parseSingle(sql);
+
+        sql = "admin rotate tde root key properties(\"k0\" = \"v0\", \"k1\" = \"v1\")";
+        nereidsParser.parseSingle(sql);
+
+        parsePlan("admin rotate tde root key properties()")
+                .assertThrowsExactly(ParseException.class)
+                .assertMessageContains("mismatched input ')' expecting");
+    }
 }

fe/fe-enterprise/pom.xml

@@ -30,9 +30,24 @@
         </dependency>
     </dependencies>
 
-    <properties>
-        <maven.compiler.source>8</maven.compiler.source>
-        <maven.compiler.target>8</maven.compiler.target>
-    </properties>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <!-->set larger, eg, 3, to reduce the time or running FE unit tests<-->
+                    <forkCount>3</forkCount>
+                    <!-->not reuse forked jvm, so that each unit test will run in separate jvm. to avoid singleton conflict<-->
+                    <reuseForks>false</reuseForks>
+                    <useFile>false</useFile>
+                    <argLine>
+                        -Xmx512m -javaagent:${settings.localRepository}/org/jmockit/jmockit/${jmockit.version}/jmockit-${jmockit.version}.jar @{argLine}
+                    </argLine>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
 
 </project>

fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/AwsKmsRootKeyProvider.java

@@ -35,6 +35,8 @@
 import software.amazon.awssdk.services.kms.model.DecryptResponse;
 import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
 import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
+import software.amazon.awssdk.services.kms.model.EncryptRequest;
+import software.amazon.awssdk.services.kms.model.EncryptResponse;
 import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
 import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;
 import software.amazon.awssdk.services.kms.model.KeyMetadata;
@@ -49,6 +51,9 @@ public class AwsKmsRootKeyProvider extends KmsRootKeyProvider {
 
     @Override
     public void init(RootKeyInfo info) {
+        if (kms != null) {
+            kms.close();
+        }
         AwsCredentialsProvider credProvider;
         String ak = System.getenv("DORIS_TDE_AK");
         String sk = System.getenv("DORIS_TDE_SK");
@@ -75,6 +80,24 @@ public void init(RootKeyInfo info) {
         this.rootKeyInfo = info;
     }
 
+    public byte[] encrypt(byte[] plaintext) {
+        try {
+            EncryptRequest request = EncryptRequest.builder()
+                    .keyId(rootKeyInfo.cmkId)
+                    .plaintext(SdkBytes.fromByteArray(plaintext))
+                    .build();
+            EncryptResponse response = kms.encrypt(request);
+            SdkBytes sdkBytes = response.ciphertextBlob();
+            return sdkBytes.asByteArray();
+        } catch (KmsException kmsEx) {
+            LOG.error("KMS exception in describeKey: {}", kmsEx.getMessage(), kmsEx);
+            throw new RuntimeException("describeKey failed", kmsEx);
+        } catch (Exception e) {
+            LOG.error("Unexpected error in describeKey: {}", e.getMessage(), e);
+            throw new RuntimeException("describeKey failed", e);
+        }
+    }
+
     public void describeKey() {
         try {
             DescribeKeyRequest req = DescribeKeyRequest.builder()

fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/KeyManager.java

@@ -18,12 +18,15 @@
 package org.apache.doris.enterprise;
 
 import org.apache.doris.catalog.Env;
+import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.Config;
 import org.apache.doris.encryption.DataKeyMaterial;
 import org.apache.doris.encryption.EncryptionKey;
 import org.apache.doris.encryption.KeyManagerInterface;
 import org.apache.doris.encryption.KeyManagerStore;
 import org.apache.doris.encryption.RootKeyInfo;
+import org.apache.doris.encryption.RootKeyInfo.RootKeyType;
+import org.apache.doris.nereids.trees.plans.commands.AdminRotateTdeRootKeyCommand;
 import org.apache.doris.persist.KeyOperationInfo;
 
 import com.google.common.base.Preconditions;
@@ -32,7 +35,10 @@
 
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+import java.util.Objects;
 import java.util.zip.CRC32;
 
 public class KeyManager implements KeyManagerInterface {
@@ -157,6 +163,7 @@ public void init() {
     public void replayKeyOperation(KeyOperationInfo keyOpInfo) {
         store = Env.getCurrentEnv().getKeyManagerStore();
         store.setRootKeyInfo(keyOpInfo.getRootKeyInfo());
+        store.clearMasterKeys();
         for (EncryptionKey key : keyOpInfo.getMasterKeys()) {
             store.addMasterKey(key);
         }
@@ -219,4 +226,86 @@ private void decryptMasterKey() {
             LOG.info("Successfully decrypted the plaintext of {}, version {}", versionKey.id, versionKey.version);
         }
     }
+
+    @Override
+    public void rotateRootKey(Map<String, String> properties) throws Exception {
+        if (properties == null) {
+            properties = new HashMap<>();
+        }
+
+        store.writeLock();
+        try {
+            RootKeyInfo rootKeyInfo = store.getRootKeyInfo();
+            RootKeyInfo newRootKeyInfo = new RootKeyInfo(rootKeyInfo);
+
+            String keyProviderType = properties.get(AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_PROVIDER);
+            if (keyProviderType != null) {
+                newRootKeyInfo.type = RootKeyType.tryFrom(keyProviderType);
+                // TODO(tsy): remove this branch after local key provider is supported
+                if (newRootKeyInfo.type == RootKeyType.LOCAL) {
+                    throw new IllegalArgumentException("Local key provider is currently unsupported");
+                }
+            }
+
+            String kmsMasterKeyId = properties.get(AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_ID);
+            if (kmsMasterKeyId != null) {
+                newRootKeyInfo.cmkId = kmsMasterKeyId;
+            }
+
+            String kmsEndpoint = properties.get(AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_ENDPOINT);
+            if (kmsEndpoint != null) {
+                newRootKeyInfo.endpoint = kmsEndpoint;
+            }
+
+            String kmsRegion = properties.get(AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_REGION);
+            if (kmsRegion != null) {
+                newRootKeyInfo.region = kmsRegion;
+            }
+
+            String password = properties.get(AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_PASSWORD);
+            if (newRootKeyInfo.type.equals(RootKeyType.LOCAL) && !Objects.equals(password, rootKeyInfo.password)) {
+                if (password == null) {
+                    throw new IllegalArgumentException("Missing required `"
+                            + AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_PASSWORD + "` for local key provider");
+                }
+                String originalPasswd = properties.get(AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_ORIGINAL_PASSWORD);
+                if (rootKeyInfo.type.equals(RootKeyType.LOCAL)) {
+                    if (originalPasswd == null) {
+                        throw new IllegalArgumentException("Missing required ` + "
+                                + AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_ORIGINAL_PASSWORD
+                                + "` for local key provider");
+                    }
+                    if (!Objects.equals(originalPasswd, rootKeyInfo.password)) {
+                        throw new IllegalArgumentException("Password in `"
+                                + AdminRotateTdeRootKeyCommand.DORIS_TDE_KEY_ORIGINAL_PASSWORD + "` is incorrect");
+                    }
+                }
+            }
+            if (password != null) {
+                if (!newRootKeyInfo.type.equals(RootKeyType.LOCAL)) {
+                    throw new IllegalArgumentException("Password is only required for local key provider");
+                }
+                newRootKeyInfo.password = password;
+            }
+
+            store.setRootKeyInfo(newRootKeyInfo);
+            rootKeyProvider.init(newRootKeyInfo);
+
+            KeyOperationInfo opInfo = new KeyOperationInfo();
+            opInfo.setRootKeyInfo(newRootKeyInfo);
+            List<EncryptionKey> masterKeys = store.getMasterKeys();
+            for (EncryptionKey masterKey : masterKeys) {
+                byte[] newCiphertext = rootKeyProvider.encrypt(masterKey.plaintext);
+                masterKey.ciphertext = Base64.getEncoder().encodeToString(newCiphertext);
+                long now = System.currentTimeMillis();
+                masterKey.mtime = now;
+                masterKey.ctime = now;
+                opInfo.addMasterKey(masterKey);
+            }
+            opInfo.setOpType(KeyOperationInfo.KeyOPType.SET_ROOT_KEY);
+            Env.getCurrentEnv().getEditLog().logOperateKey(opInfo);
+        } finally {
+            store.writeUnlock();
+        }
+    }
 }

fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/KmsRootKeyProvider.java

@@ -20,6 +20,8 @@
 import org.apache.doris.encryption.DataKeyMaterial;
 import org.apache.doris.encryption.RootKeyInfo;
 
+import java.util.Map;
+
 class KmsRootKeyProvider implements RootKeyProvider {
     @Override
     public void init(RootKeyInfo info) {
@@ -30,6 +32,11 @@ public void describeKey() {
 
     }
 
+    @Override
+    public byte[] encrypt(byte[] plaintext) {
+        return new byte[0];
+    }
+
     public byte[] decrypt(byte[] ciphertext) {
         return null;
     }

fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/LocalRootKeyProvider.java

@@ -22,6 +22,7 @@
 
 import java.nio.charset.StandardCharsets;
 import java.security.spec.KeySpec;
+import java.util.Map;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
@@ -56,6 +57,11 @@ public void describeKey() {
         System.out.println("LocalRootKeyProvider using password-derived AES-256 root key (CTR mode).");
     }
 
+    @Override
+    public byte[] encrypt(byte[] plaintext) {
+        return new byte[0];
+    }
+
     @Override
     public byte[] decrypt(byte[] ciphertext) {
         try {

fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/RootKeyProvider.java

@@ -20,13 +20,17 @@
 import org.apache.doris.encryption.DataKeyMaterial;
 import org.apache.doris.encryption.RootKeyInfo;
 
+import java.util.Map;
+
 public interface RootKeyProvider {
 
-    public void init(RootKeyInfo info);
+    void init(RootKeyInfo info);
+
+    void describeKey();
 
-    public void describeKey();
+    byte[] encrypt(byte[] plaintext);
 
-    public byte[] decrypt(byte[] ciphertext);
+    byte[] decrypt(byte[] ciphertext);
 
-    public DataKeyMaterial generateSymmetricDataKey(int length);
+    DataKeyMaterial generateSymmetricDataKey(int length);
 }