feat: Parquet modular encryption (#16351)

* Initial commit to form PR for datafusion encryption support

* Add tests for encryption configuration

* Apply cargo fmt

* Add a roundtrip encryption test to the parquet tests.

* cargo fmt

* Update test to add decryption parameter to called functions.

* Try to get DataFrame.write_parquet to work with encryption. Doesn't quite, column encryption is broken.

* Update datafusion/datasource-parquet/src/opener.rs

Co-authored-by: Adam Reeve <[email protected]>

* Update datafusion/datasource-parquet/src/source.rs

Co-authored-by: Adam Reeve <[email protected]>

* Fix write test in parquet.rs

* Simplify encryption test. Remove unused imports.

* Run cargo fmt.

* Further streamline roundtrip test.

* Change From methods for FileEncryptionProperties and FileDecryptionProperties to use references.

* Change encryption config to directly hold column keys using custom config fields.

* Fix generated field names in visit for encryptor and decryptor to use "." instead of "::"

* 1. Disable parallel writes with enccryption.
2. Fixed unused header warning in config.rs.
3. Fix test case in encryption.rs to call conversion to ConfigFileDecryption properties correctly.

* cargo fmt

* Update datafusion/common/src/file_options/parquet_writer.rs

Co-authored-by: Copilot <[email protected]>

* fix variables shown in information schema test.

* Backout bad suggestion from copilot

* Remove unused serde reference
Add an example to read and write encrypted parquet files.

* cargo fmt

* change file_format.rs to use global encryption options in struct.

* Turn off page_index for encrypted example. Get encrypted example working with filter.

* Tidy up example output.

* Add missing license. Run taplo format

* Update configs.md by running dev/update_config_docs.sh

* Cargo fmt + clippy changes.

* Add filter test for encrypted files.

* Cargo clippy changes.

* Fix link in README.md

* Add issue tag for parallel writes.

* Move file encryption and decryption properties out of global options

* Use config_namespace_with_hashmap for column encryption/decryption props

* Remove outdated docs on crypto settings.

Signed-off-by: Corwin Joy <[email protected]>

* 1. Add docs for using encryption configuration.
2. Add example SQL for using encryption from CLI.
3. Fix removed variables in test for configuration information.
4. Clippy and cargo fmt.

Signed-off-by: Corwin Joy <[email protected]>

* Update code to add missing ParquetOpener parameter due to merge from main

Signed-off-by: Corwin Joy <[email protected]>

* Add CLI documentation for Parquet options and provide an encryption example

Signed-off-by: Corwin Joy <[email protected]>

* Use ConfigFileDecryptionProperties in ParquetReadOptions

Signed-off-by: Adam Reeve <[email protected]>

* Implement default for ConfigFileEncryptionProperties

Signed-off-by: Corwin Joy <[email protected]>

* Add sqllogictest for parquet with encryption

Signed-off-by: Corwin Joy <[email protected]>

* Apply prettier changes from CI

Signed-off-by: Corwin Joy <[email protected]>

* logical conflift

* fix another logical conflict

---------

Signed-off-by: Corwin Joy <[email protected]>
Signed-off-by: Adam Reeve <[email protected]>
Co-authored-by: Adam Reeve <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Adam Reeve <[email protected]>
Co-authored-by: Andrew Lamb <[email protected]>

Author: 4 people

Cargo.lock

@@ -159,6 +159,7 @@ parquet = { version = "55.1.0", default-features = false, features = [
     "arrow",
     "async",
     "object_store",
+    "encryption",
 ] }
 pbjson = { version = "0.7.0" }
 pbjson-types = "0.7"

Cargo.toml

@@ -60,11 +60,11 @@ pub async fn main() -> Result<()> {
         Options::Cancellation(opt) => opt.run().await,
         Options::Clickbench(opt) => opt.run().await,
         Options::H2o(opt) => opt.run().await,
-        Options::Imdb(opt) => opt.run().await,
+        Options::Imdb(opt) => Box::pin(opt.run()).await,
         Options::ParquetFilter(opt) => opt.run().await,
         Options::Sort(opt) => opt.run().await,
         Options::SortTpch(opt) => opt.run().await,
-        Options::Tpch(opt) => opt.run().await,
+        Options::Tpch(opt) => Box::pin(opt.run()).await,
         Options::TpchConvert(opt) => opt.run().await,
     }
 }

benchmarks/src/bin/dfbench.rs

@@ -53,7 +53,7 @@ pub async fn main() -> Result<()> {
     env_logger::init();
     match ImdbOpt::from_args() {
         ImdbOpt::Benchmark(BenchmarkSubCommandOpt::DataFusionBenchmark(opt)) => {
-            opt.run().await
+            Box::pin(opt.run()).await
         }
         ImdbOpt::Convert(opt) => opt.run().await,
     }

benchmarks/src/bin/imdb.rs

@@ -58,7 +58,7 @@ async fn main() -> Result<()> {
     env_logger::init();
     match TpchOpt::from_args() {
         TpchOpt::Benchmark(BenchmarkSubCommandOpt::DataFusionBenchmark(opt)) => {
-            opt.run().await
+            Box::pin(opt.run()).await
         }
         TpchOpt::Convert(opt) => opt.run().await,
     }

benchmarks/src/bin/tpch.rs

@@ -65,6 +65,7 @@ cargo run --example dataframe
 - [`flight_sql_server.rs`](examples/flight/flight_sql_server.rs): Run DataFusion as a standalone process and execute SQL queries from JDBC clients
 - [`function_factory.rs`](examples/function_factory.rs): Register `CREATE FUNCTION` handler to implement SQL macros
 - [`optimizer_rule.rs`](examples/optimizer_rule.rs): Use a custom OptimizerRule to replace certain predicates
+- [`parquet_encrypted.rs`](examples/parquet_encrypted.rs): Read and write encrypted Parquet files using DataFusion
 - [`parquet_index.rs`](examples/parquet_index.rs): Create an secondary index over several parquet files and use it to speed up queries
 - [`parquet_exec_visitor.rs`](examples/parquet_exec_visitor.rs): Extract statistics by visiting an ExecutionPlan after execution
 - [`parse_sql_expr.rs`](examples/parse_sql_expr.rs): Parse SQL text into DataFusion `Expr`.

datafusion-examples/README.md

@@ -0,0 +1,119 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+use datafusion::common::DataFusionError;
+use datafusion::config::TableParquetOptions;
+use datafusion::dataframe::{DataFrame, DataFrameWriteOptions};
+use datafusion::logical_expr::{col, lit};
+use datafusion::parquet::encryption::decrypt::FileDecryptionProperties;
+use datafusion::parquet::encryption::encrypt::FileEncryptionProperties;
+use datafusion::prelude::{ParquetReadOptions, SessionContext};
+use tempfile::TempDir;
+
+#[tokio::main]
+async fn main() -> datafusion::common::Result<()> {
+    // The SessionContext is the main high level API for interacting with DataFusion
+    let ctx = SessionContext::new();
+
+    // Find the local path of "alltypes_plain.parquet"
+    let testdata = datafusion::test_util::parquet_test_data();
+    let filename = &format!("{testdata}/alltypes_plain.parquet");
+
+    // Read the sample parquet file
+    let parquet_df = ctx
+        .read_parquet(filename, ParquetReadOptions::default())
+        .await?;
+
+    // Show information from the dataframe
+    println!(
+        "==============================================================================="
+    );
+    println!("Original Parquet DataFrame:");
+    query_dataframe(&parquet_df).await?;
+
+    // Setup encryption and decryption properties
+    let (encrypt, decrypt) = setup_encryption(&parquet_df)?;
+
+    // Create a temporary file location for the encrypted parquet file
+    let tmp_dir = TempDir::new()?;
+    let tempfile = tmp_dir.path().join("alltypes_plain-encrypted.parquet");
+    let tempfile_str = tempfile.into_os_string().into_string().unwrap();
+
+    // Write encrypted parquet
+    let mut options = TableParquetOptions::default();
+    options.crypto.file_encryption = Some((&encrypt).into());
+    parquet_df
+        .write_parquet(
+            tempfile_str.as_str(),
+            DataFrameWriteOptions::new().with_single_file_output(true),
+            Some(options),
+        )
+        .await?;
+
+    // Read encrypted parquet
+    let ctx: SessionContext = SessionContext::new();
+    let read_options =
+        ParquetReadOptions::default().file_decryption_properties((&decrypt).into());
+
+    let encrypted_parquet_df = ctx.read_parquet(tempfile_str, read_options).await?;
+
+    // Show information from the dataframe
+    println!("\n\n===============================================================================");
+    println!("Encrypted Parquet DataFrame:");
+    query_dataframe(&encrypted_parquet_df).await?;
+
+    Ok(())
+}
+
+// Show information from the dataframe
+async fn query_dataframe(df: &DataFrame) -> Result<(), DataFusionError> {
+    // show its schema using 'describe'
+    println!("Schema:");
+    df.clone().describe().await?.show().await?;
+
+    // Select three columns and filter the results
+    // so that only rows where id > 1 are returned
+    println!("\nSelected rows and columns:");
+    df.clone()
+        .select_columns(&["id", "bool_col", "timestamp_col"])?
+        .filter(col("id").gt(lit(5)))?
+        .show()
+        .await?;
+
+    Ok(())
+}
+
+// Setup encryption and decryption properties
+fn setup_encryption(
+    parquet_df: &DataFrame,
+) -> Result<(FileEncryptionProperties, FileDecryptionProperties), DataFusionError> {
+    let schema = parquet_df.schema();
+    let footer_key = b"0123456789012345".to_vec(); // 128bit/16
+    let column_key = b"1234567890123450".to_vec(); // 128bit/16
+
+    let mut encrypt = FileEncryptionProperties::builder(footer_key.clone());
+    let mut decrypt = FileDecryptionProperties::builder(footer_key.clone());
+
+    for field in schema.fields().iter() {
+        encrypt = encrypt.with_column_key(field.name().as_str(), column_key.clone());
+        decrypt = decrypt.with_column_key(field.name().as_str(), column_key.clone());
+    }
+
+    let encrypt = encrypt.build()?;
+    let decrypt = decrypt.build()?;
+    Ok((encrypt, decrypt))
+}

datafusion-examples/examples/parquet_encrypted.rs

@@ -58,6 +58,7 @@ base64 = "0.22.1"
 chrono = { workspace = true }
 half = { workspace = true }
 hashbrown = { workspace = true }
+hex = "0.4.3"
 indexmap = { workspace = true }
 libc = "0.2.174"
 log = { workspace = true }