Add index-level-encryption support for snapshots and remote-store (#20095)

Signed-off-by: Uday Bhaskar <[email protected]>

Author: udabhas

CHANGELOG.md

@@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Added public getter method in `SourceFieldMapper` to return included field ([#20290](https://github.com/opensearch-project/OpenSearch/pull/20290))
 - Support for HTTP/3 (server side) ([#20017](https://github.com/opensearch-project/OpenSearch/pull/20017))
 - Add circuit breaker support for gRPC transport to prevent out-of-memory errors ([#20203](https://github.com/opensearch-project/OpenSearch/pull/20203))
+- Add index-level-encryption support for snapshots and remote-store ([#20095](https://github.com/opensearch-project/OpenSearch/pull/20095))
 
 ### Changed
 - Handle custom metadata files in subdirectory-store ([#20157](https://github.com/opensearch-project/OpenSearch/pull/20157))

plugins/repository-azure/src/main/java/org/opensearch/repositories/azure/AzureBlobContainer.java

@@ -40,6 +40,7 @@
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.support.GroupedActionListener;
 import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.cluster.metadata.CryptoMetadata;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.blobstore.BlobContainer;
 import org.opensearch.common.blobstore.BlobMetadata;
@@ -136,6 +137,25 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
         }
     }
 
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) throws IOException {
+        if (cryptoMetadata != null) {
+            throw new UnsupportedOperationException(
+                "Azure Blob Storage repository does not currently support CryptoMetadata. "
+                    + "Consider using repository-level encryption settings instead."
+            );
+        }
+        // Azure does not support custom metadata, so we just delegate to writeBlob
+        writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);
+    }
+
     @Override
     public void writeBlobAtomic(String blobName, InputStream inputStream, long blobSize, boolean failIfAlreadyExists) throws IOException {
         writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);

plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageBlobContainer.java

@@ -32,6 +32,7 @@
 
 package org.opensearch.repositories.gcs;
 
+import org.opensearch.common.Nullable;
 import org.opensearch.common.blobstore.BlobContainer;
 import org.opensearch.common.blobstore.BlobMetadata;
 import org.opensearch.common.blobstore.BlobPath;
@@ -95,6 +96,18 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
         blobStore.writeBlob(buildKey(blobName), inputStream, blobSize, failIfAlreadyExists);
     }
 
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata
+    ) throws IOException {
+        // GCS plugin does not currently store custom metadata, so we delegate to writeBlob
+        writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);
+    }
+
     @Override
     public void writeBlobAtomic(String blobName, InputStream inputStream, long blobSize, boolean failIfAlreadyExists) throws IOException {
         writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);

plugins/repository-hdfs/src/main/java/org/opensearch/repositories/hdfs/HdfsBlobContainer.java

@@ -40,6 +40,7 @@
 import org.apache.hadoop.fs.Options.CreateOpts;
 import org.apache.hadoop.fs.Path;
 import org.opensearch.common.Nullable;
+import org.opensearch.common.annotation.ExperimentalApi;
 import org.opensearch.common.blobstore.BlobContainer;
 import org.opensearch.common.blobstore.BlobMetadata;
 import org.opensearch.common.blobstore.BlobPath;
@@ -163,6 +164,19 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
         });
     }
 
+    @ExperimentalApi
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata
+    ) throws IOException {
+        // HDFS does not support custom metadata, so we just delegate to writeBlob
+        writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);
+    }
+
     @Override
     public void writeBlobAtomic(String blobName, InputStream inputStream, long blobSize, boolean failIfAlreadyExists) throws IOException {
         final String tempBlob = FsBlobContainer.tempBlobName(blobName);

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3BlobContainer.java

@@ -63,6 +63,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.cluster.metadata.CryptoMetadata;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.SetOnce;
 import org.opensearch.common.StreamContext;
@@ -90,6 +91,7 @@
 import org.opensearch.repositories.s3.async.SizeBasedBlockingQ;
 import org.opensearch.repositories.s3.async.UploadRequest;
 import org.opensearch.repositories.s3.utils.HttpRangeUtils;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
 import org.opensearch.secure_sm.AccessController;
 
 import java.io.BufferedInputStream;
@@ -192,7 +194,7 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
     }
 
     /**
-     * Write blob with its object metadata.
+     * Write blob with its object metadata and optional encryption settings.
      */
     @ExperimentalApi
     @Override
@@ -201,20 +203,51 @@ public void writeBlobWithMetadata(
         InputStream inputStream,
         long blobSize,
         boolean failIfAlreadyExists,
-        @Nullable Map<String, String> metadata
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
         assert inputStream.markSupported() : "No mark support on inputStream breaks the S3 SDK's ability to retry requests";
         AccessController.doPrivilegedChecked(() -> {
             if (blobSize <= getLargeBlobThresholdInBytes()) {
-                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, cryptoMetadata);
             } else {
-                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, cryptoMetadata);
             }
         });
     }
 
+    /**
+     * Write blob with its object metadata.
+     */
+    @ExperimentalApi
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata
+    ) throws IOException {
+        // Delegate to crypto-aware version with null CryptoMetadata
+        writeBlobWithMetadata(blobName, inputStream, blobSize, failIfAlreadyExists, metadata, null);
+    }
+
     @Override
     public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> completionListener) throws IOException {
+        CryptoMetadata crypto = writeContext.getCryptoMetadata();
+
+        String indexKmsKey = null;
+        String indexEncContext = null;
+
+        if (crypto != null) {
+            indexKmsKey = crypto.getKeyArn().orElse(null);
+            indexEncContext = crypto.getEncryptionContext().orElse(null);
+        }
+        String mergeEncContext = SseKmsUtil.mergeAndEncodeEncryptionContexts(
+            indexEncContext,
+            blobStore.serverSideEncryptionEncryptionContext()
+        );
+
         UploadRequest uploadRequest = new UploadRequest(
             blobStore.bucket(),
             buildKey(writeContext.getFileName()),
@@ -226,9 +259,9 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
             blobStore.isUploadRetryEnabled(),
             writeContext.getMetadata(),
             blobStore.serverSideEncryptionType(),
-            blobStore.serverSideEncryptionKmsKey(),
+            indexKmsKey != null ? indexKmsKey : blobStore.serverSideEncryptionKmsKey(),
             blobStore.serverSideEncryptionBucketKey(),
-            blobStore.serverSideEncryptionEncryptionContext(),
+            mergeEncContext,
             blobStore.expectedBucketOwner()
         );
         try {
@@ -250,7 +283,8 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
                         uploadRequest.getKey(),
                         inputStream.getInputStream(),
                         uploadRequest.getContentLength(),
-                        uploadRequest.getMetadata()
+                        uploadRequest.getMetadata(),
+                        crypto
                     );
                     completionListener.onResponse(null);
                 } catch (Exception ex) {
@@ -536,7 +570,8 @@ void executeSingleUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
+        final Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
 
         // Extra safety checks
@@ -559,7 +594,8 @@ void executeSingleUpload(
         if (CollectionUtils.isNotEmpty(metadata)) {
             putObjectRequestBuilder = putObjectRequestBuilder.metadata(metadata);
         }
-        configureEncryptionSettings(putObjectRequestBuilder, blobStore);
+
+        configureEncryptionSettings(putObjectRequestBuilder, blobStore, cryptoMetadata);
 
         PutObjectRequest putObjectRequest = putObjectRequestBuilder.build();
         try (AmazonS3Reference clientReference = blobStore.clientReference()) {
@@ -585,7 +621,8 @@ void executeMultipartUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
+        final Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
 
         ensureMultiPartUploadSize(blobSize);
@@ -616,7 +653,7 @@ void executeMultipartUpload(
             createMultipartUploadRequestBuilder.metadata(metadata);
         }
 
-        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore);
+        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore, cryptoMetadata);
 
         final InputStream requestInputStream;
         if (blobStore.isUploadRetryEnabled()) {

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/utils/SseKmsUtil.java

@@ -12,33 +12,83 @@
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
 
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.common.Nullable;
+import org.opensearch.repositories.blobstore.EncryptionContextUtils;
 import org.opensearch.repositories.s3.S3BlobStore;
 import org.opensearch.repositories.s3.async.UploadRequest;
 
 public class SseKmsUtil {
+    /**
+     * Merges index-level and repository-level encryption contexts, converts to JSON format if needed,
+     * and Base64 encodes for S3.
+     * <p>
+     * Delegates to centralized EncryptionContextUtils for consistent behavior.
+     *
+     * @param indexEncContext Index-level encryption context - can be cryptofs or JSON format
+     * @param repoEncContext  Repository-level encryption context - already Base64 encoded JSON
+     * @return Base64 encoded merged JSON encryption context, or null if both are null
+     */
+    public static String mergeAndEncodeEncryptionContexts(@Nullable String indexEncContext, @Nullable String repoEncContext) {
+        return EncryptionContextUtils.mergeAndEncodeEncryptionContexts(indexEncContext, repoEncContext);
+    }
 
-    public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, S3BlobStore blobStore) {
+    public static void configureEncryptionSettings(
+        CreateMultipartUploadRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            String indexKmsKey = null;
+            String indexEncContext = null;
+
+            if (cryptoMetadata != null) {
+                indexKmsKey = cryptoMetadata.getKeyArn().orElse(null);
+                indexEncContext = cryptoMetadata.getEncryptionContext().orElse(null);
+            }
+
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+            String encContext = mergeAndEncodeEncryptionContexts(indexEncContext, blobStore.serverSideEncryptionEncryptionContext());
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
-    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+    public static void configureEncryptionSettings(
+        PutObjectRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            String indexKmsKey = null;
+            String indexEncContext = null;
+
+            if (cryptoMetadata != null) {
+                indexKmsKey = cryptoMetadata.getKeyArn().orElse(null);
+                indexEncContext = cryptoMetadata.getEncryptionContext().orElse(null);
+            }
+
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+            String encContext = mergeAndEncodeEncryptionContexts(indexEncContext, blobStore.serverSideEncryptionEncryptionContext());
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
+    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+        configureEncryptionSettings(builder, blobStore, null);
+    }
+
     public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, UploadRequest uploadRequest) {
         if (uploadRequest.getServerSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerEncryptionTests.java

@@ -0,0 +1,45 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.s3;
+
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
+import org.opensearch.test.OpenSearchTestCase;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+public class S3BlobContainerEncryptionTests extends OpenSearchTestCase {
+
+    public void testEncryptionContextMerging() {
+        String indexContext = "tenant=acme,classification=confidential";
+        String repoContext = Base64.getEncoder().encodeToString("{\"repo\":\"test\",\"env\":\"prod\"}".getBytes(StandardCharsets.UTF_8));
+
+        String merged = SseKmsUtil.mergeAndEncodeEncryptionContexts(indexContext, repoContext);
+        assertNotNull(merged);
+
+        String decoded = new String(Base64.getDecoder().decode(merged), StandardCharsets.UTF_8);
+        assertTrue(decoded.contains("\"tenant\":\"acme\""));
+        assertTrue(decoded.contains("\"classification\":\"confidential\""));
+        assertTrue(decoded.contains("\"repo\":\"test\""));
+        assertTrue(decoded.contains("\"env\":\"prod\""));
+    }
+
+    public void testCryptoMetadataExtraction() {
+        Settings cryptoSettings = Settings.builder()
+            .put("kms.key_arn", "arn:aws:kms:us-east-1:123456789:key/index-key")
+            .put("kms.encryption_context", "tenant=acme,env=staging")
+            .build();
+        CryptoMetadata cryptoMetadata = new CryptoMetadata("index-provider", "aws-kms", cryptoSettings);
+
+        assertEquals("arn:aws:kms:us-east-1:123456789:key/index-key", cryptoMetadata.settings().get("kms.key_arn"));
+        assertEquals("tenant=acme,env=staging", cryptoMetadata.settings().get("kms.encryption_context"));
+    }
+}

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerMockClientTests.java

@@ -88,6 +88,7 @@
 import static org.mockito.ArgumentMatchers.anyLong;
 import static org.mockito.ArgumentMatchers.anyMap;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doNothing;
@@ -757,7 +758,8 @@ private void testLargeFilesRedirectedToSlowSyncClient(boolean expectException, W
             anyString(),
             any(InputStream.class),
             anyLong(),
-            anyMap()
+            anyMap(),
+            isNull()
         );
 
         if (expectException) {