Add support for S3 EncryptionMaterialsProvider to PrestoS3FileSystem

pom.xml

@@ -59,6 +59,8 @@
         <air.test.jvmsize>2g</air.test.jvmsize>
 
         <air.javadoc.lint>-missing</air.javadoc.lint>
+
+        <aws.sdk.version>1.9.31</aws.sdk.version>
     </properties>
 
     <modules>
@@ -577,8 +579,20 @@
 
             <dependency>
                 <groupId>com.amazonaws</groupId>
-                <artifactId>aws-java-sdk</artifactId>
-                <version>1.8.9.1</version>
+                <artifactId>aws-java-sdk-core</artifactId>
+                <version>${aws.sdk.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>commons-logging</groupId>
+                        <artifactId>commons-logging</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+
+            <dependency>
+                <groupId>com.amazonaws</groupId>
+                <artifactId>aws-java-sdk-s3</artifactId>
+                <version>${aws.sdk.version}</version>
                 <exclusions>
                     <exclusion>
                         <groupId>commons-logging</groupId>

presto-hive/pom.xml

@@ -130,7 +130,18 @@
 
         <dependency>
             <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk</artifactId>
+            <artifactId>aws-java-sdk-core</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>joda-time</groupId>
+                    <artifactId>joda-time</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>com.amazonaws</groupId>
+            <artifactId>aws-java-sdk-s3</artifactId>
             <exclusions>
                 <exclusion>
                     <groupId>joda-time</groupId>

presto-hive/src/main/java/com/facebook/presto/hive/PrestoS3FileSystem.java

@@ -29,7 +29,10 @@
 import com.amazonaws.regions.Regions;
 import com.amazonaws.services.s3.AmazonS3;
 import com.amazonaws.services.s3.AmazonS3Client;
+import com.amazonaws.services.s3.AmazonS3EncryptionClient;
 import com.amazonaws.services.s3.model.AmazonS3Exception;
+import com.amazonaws.services.s3.model.CryptoConfiguration;
+import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
 import com.amazonaws.services.s3.model.GetObjectRequest;
 import com.amazonaws.services.s3.model.ListObjectsRequest;
 import com.amazonaws.services.s3.model.ObjectListing;
@@ -49,6 +52,7 @@
 import io.airlift.log.Logger;
 import io.airlift.units.DataSize;
 import io.airlift.units.Duration;
+import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.BlockLocation;
 import org.apache.hadoop.fs.BufferedFSInputStream;
@@ -121,6 +125,7 @@ public static PrestoS3FileSystemStats getFileSystemStats()
     public static final String S3_MULTIPART_MIN_FILE_SIZE = "presto.s3.multipart.min-file-size";
     public static final String S3_MULTIPART_MIN_PART_SIZE = "presto.s3.multipart.min-part-size";
     public static final String S3_USE_INSTANCE_CREDENTIALS = "presto.s3.use-instance-credentials";
+    public static final String S3_ENCRYPTION_MATERIALS_PROVIDER = "presto.s3.encryption-materials-provider";
 
     private static final DataSize BLOCK_SIZE = new DataSize(32, MEGABYTE);
     private static final DataSize MAX_SKIP_SIZE = new DataSize(1, MEGABYTE);
@@ -264,14 +269,20 @@ public FileStatus getFileStatus(Path path)
         }
 
         return new FileStatus(
-                metadata.getContentLength(),
+                getObjectSize(metadata),
                 false,
                 1,
                 BLOCK_SIZE.toBytes(),
                 lastModifiedTime(metadata),
                 qualifiedPath(path));
     }
 
+    private static long getObjectSize(ObjectMetadata metadata)
+    {
+        String unencryptedContentLength = metadata.getUserMetadata().get("x-amz-unencrypted-content-length");
+        return unencryptedContentLength != null ? Long.parseLong(unencryptedContentLength) : metadata.getContentLength();
+    }
+
     @Override
     public FSDataInputStream open(Path path, int bufferSize)
             throws IOException
@@ -444,6 +455,9 @@ private Iterator<LocatedFileStatus> statusFromPrefixes(List<String> prefixes)
 
     private Iterator<LocatedFileStatus> statusFromObjects(List<S3ObjectSummary> objects)
     {
+        // NOTE: for encrypted objects, S3ObjectSummary.size() used below is NOT correct,
+        // however, to get the correct size we'd need to make an additional request to get
+        // user metadata, and in this case it doesn't matter.
         return objects.stream()
                 .filter(object -> !object.getKey().endsWith("/"))
                 .map(object -> new FileStatus(
@@ -552,7 +566,14 @@ private static String keyFromPath(Path path)
     private AmazonS3Client createAmazonS3Client(URI uri, Configuration hadoopConfig, ClientConfiguration clientConfig)
     {
         AWSCredentialsProvider credentials = getAwsCredentialsProvider(uri, hadoopConfig);
-        AmazonS3Client client = new AmazonS3Client(credentials, clientConfig, METRIC_COLLECTOR);
+        EncryptionMaterialsProvider emp = createEncryptionMaterialsProvider(hadoopConfig);
+        AmazonS3Client client;
+        if (emp != null) {
+            client = new AmazonS3EncryptionClient(credentials, emp, clientConfig, new CryptoConfiguration(), METRIC_COLLECTOR);
+        }
+        else {
+            client = new AmazonS3Client(credentials, clientConfig, METRIC_COLLECTOR);
+        }
 
         // use local region when running inside of EC2
         Region region = Regions.getCurrentRegion();
@@ -562,6 +583,26 @@ private AmazonS3Client createAmazonS3Client(URI uri, Configuration hadoopConfig,
         return client;
     }
 
+    private EncryptionMaterialsProvider createEncryptionMaterialsProvider(Configuration hadoopConfig)
+    {
+        EncryptionMaterialsProvider emp = null;
+        String empClassName = hadoopConfig.get(S3_ENCRYPTION_MATERIALS_PROVIDER);
+        if (empClassName != null) {
+            try {
+                Class empClass = Class.forName(empClassName);
+                emp = (EncryptionMaterialsProvider) empClass.newInstance();
+                if (emp instanceof Configurable) {
+                    ((Configurable) emp).setConf(hadoopConfig);
+                }
+            }
+            catch (Exception x) {
+                throw new RuntimeException("Unable to load or create S3 encryption materials provider " + empClassName + ": " + x, x);
+            }
+        }
+
+        return emp;
+    }
+
     private AWSCredentialsProvider getAwsCredentialsProvider(URI uri, Configuration conf)
     {
         // first try credentials from URI or static properties

presto-hive/src/test/java/com/facebook/presto/hive/MockAmazonS3.java

@@ -30,6 +30,7 @@
 import com.amazonaws.services.s3.model.BucketLoggingConfiguration;
 import com.amazonaws.services.s3.model.BucketNotificationConfiguration;
 import com.amazonaws.services.s3.model.BucketPolicy;
+import com.amazonaws.services.s3.model.BucketReplicationConfiguration;
 import com.amazonaws.services.s3.model.BucketTaggingConfiguration;
 import com.amazonaws.services.s3.model.BucketVersioningConfiguration;
 import com.amazonaws.services.s3.model.BucketWebsiteConfiguration;
@@ -80,9 +81,11 @@
 import com.amazonaws.services.s3.model.SetBucketLoggingConfigurationRequest;
 import com.amazonaws.services.s3.model.SetBucketNotificationConfigurationRequest;
 import com.amazonaws.services.s3.model.SetBucketPolicyRequest;
+import com.amazonaws.services.s3.model.SetBucketReplicationConfigurationRequest;
 import com.amazonaws.services.s3.model.SetBucketTaggingConfigurationRequest;
 import com.amazonaws.services.s3.model.SetBucketVersioningConfigurationRequest;
 import com.amazonaws.services.s3.model.SetBucketWebsiteConfigurationRequest;
+import com.amazonaws.services.s3.model.SetObjectAclRequest;
 import com.amazonaws.services.s3.model.StorageClass;
 import com.amazonaws.services.s3.model.UploadPartRequest;
 import com.amazonaws.services.s3.model.UploadPartResult;
@@ -763,4 +766,35 @@ public boolean isRequesterPaysEnabled(String bucketName)
     {
         return false;
     }
+
+    @Override
+    public void setObjectAcl(SetObjectAclRequest setObjectAclRequest)
+            throws AmazonClientException, AmazonServiceException
+    {
+    }
+
+    @Override
+    public void setBucketReplicationConfiguration(String s, BucketReplicationConfiguration bucketReplicationConfiguration)
+            throws AmazonServiceException, AmazonClientException
+    {
+    }
+
+    @Override
+    public void setBucketReplicationConfiguration(SetBucketReplicationConfigurationRequest setBucketReplicationConfigurationRequest)
+            throws AmazonServiceException, AmazonClientException
+    {
+    }
+
+    @Override
+    public BucketReplicationConfiguration getBucketReplicationConfiguration(String s)
+            throws AmazonServiceException, AmazonClientException
+    {
+        return null;
+    }
+
+    @Override
+    public void deleteBucketReplicationConfiguration(String s)
+            throws AmazonServiceException, AmazonClientException
+    {
+    }
 }