add index-level-encryption support for snapshots and remote-store

Signed-off-by: Uday Bhaskar <[email protected]>

Author: Uday Bhaskar

CHANGELOG.md

@@ -33,6 +33,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Allow the truncate filter in normalizers ([#19778](https://github.com/opensearch-project/OpenSearch/issues/19778))
 - Support pull-based ingestion message mappers and raw payload support ([#19765](https://github.com/opensearch-project/OpenSearch/pull/19765))
 - Support dynamic consumer configuration update in pull-based ingestion ([#19963](https://github.com/opensearch-project/OpenSearch/pull/19963))
+- Add index-level-encryption support for snapshots and remote-store ([#20095](https://github.com/opensearch-project/OpenSearch/pull/20095))
 
 ### Changed
 - Faster `terms` query creation for `keyword` field with index and docValues enabled ([#19350](https://github.com/opensearch-project/OpenSearch/pull/19350))

plugins/repository-azure/src/main/java/org/opensearch/repositories/azure/AzureBlobContainer.java

@@ -40,6 +40,7 @@
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.support.GroupedActionListener;
 import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.cluster.metadata.CryptoMetadata;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.blobstore.BlobContainer;
 import org.opensearch.common.blobstore.BlobMetadata;
@@ -136,6 +137,18 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
         }
     }
 
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) throws IOException {
+        writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);
+    }
+
     @Override
     public void writeBlobAtomic(String blobName, InputStream inputStream, long blobSize, boolean failIfAlreadyExists) throws IOException {
         writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3BlobContainer.java

@@ -63,6 +63,8 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.cluster.metadata.KmsCryptoMetadata;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.SetOnce;
 import org.opensearch.common.StreamContext;
@@ -90,6 +92,7 @@
 import org.opensearch.repositories.s3.async.SizeBasedBlockingQ;
 import org.opensearch.repositories.s3.async.UploadRequest;
 import org.opensearch.repositories.s3.utils.HttpRangeUtils;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
 import org.opensearch.secure_sm.AccessController;
 
 import java.io.BufferedInputStream;
@@ -192,7 +195,7 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
     }
 
     /**
-     * Write blob with its object metadata.
+     * Write blob with its object metadata and optional encryption settings.
      */
     @ExperimentalApi
     @Override
@@ -201,20 +204,52 @@ public void writeBlobWithMetadata(
         InputStream inputStream,
         long blobSize,
         boolean failIfAlreadyExists,
-        @Nullable Map<String, String> metadata
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
         assert inputStream.markSupported() : "No mark support on inputStream breaks the S3 SDK's ability to retry requests";
         AccessController.doPrivilegedChecked(() -> {
             if (blobSize <= getLargeBlobThresholdInBytes()) {
-                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, cryptoMetadata);
             } else {
-                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, cryptoMetadata);
             }
         });
     }
 
+    /**
+     * Write blob with its object metadata.
+     */
+    @ExperimentalApi
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata
+    ) throws IOException {
+        // Delegate to crypto-aware version with null CryptoMetadata
+        writeBlobWithMetadata(blobName, inputStream, blobSize, failIfAlreadyExists, metadata, null);
+    }
+
     @Override
     public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> completionListener) throws IOException {
+        CryptoMetadata crypto = writeContext.getCryptoMetadata();
+
+        String indexKmsKey = null;
+        String indexEncContext = null;
+
+        if (crypto instanceof KmsCryptoMetadata) {
+            KmsCryptoMetadata kmsMetadata = (KmsCryptoMetadata) crypto;
+            indexKmsKey = kmsMetadata.getKmsKeyArn().orElse(null);
+            indexEncContext = kmsMetadata.getKmsEncryptionContext().orElse(null);
+        }
+        String mergeEncContext = SseKmsUtil.mergeAndEncodeEncryptionContexts(
+            indexEncContext,
+            blobStore.serverSideEncryptionEncryptionContext()
+        );
+
         UploadRequest uploadRequest = new UploadRequest(
             blobStore.bucket(),
             buildKey(writeContext.getFileName()),
@@ -226,9 +261,9 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
             blobStore.isUploadRetryEnabled(),
             writeContext.getMetadata(),
             blobStore.serverSideEncryptionType(),
-            blobStore.serverSideEncryptionKmsKey(),
+            indexKmsKey != null ? indexKmsKey : blobStore.serverSideEncryptionKmsKey(),
             blobStore.serverSideEncryptionBucketKey(),
-            blobStore.serverSideEncryptionEncryptionContext(),
+            mergeEncContext,
             blobStore.expectedBucketOwner()
         );
         try {
@@ -250,7 +285,8 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
                         uploadRequest.getKey(),
                         inputStream.getInputStream(),
                         uploadRequest.getContentLength(),
-                        uploadRequest.getMetadata()
+                        uploadRequest.getMetadata(),
+                        crypto
                     );
                     completionListener.onResponse(null);
                 } catch (Exception ex) {
@@ -536,7 +572,8 @@ void executeSingleUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
+        final Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
 
         // Extra safety checks
@@ -559,7 +596,8 @@ void executeSingleUpload(
         if (CollectionUtils.isNotEmpty(metadata)) {
             putObjectRequestBuilder = putObjectRequestBuilder.metadata(metadata);
         }
-        configureEncryptionSettings(putObjectRequestBuilder, blobStore);
+
+        configureEncryptionSettings(putObjectRequestBuilder, blobStore, cryptoMetadata);
 
         PutObjectRequest putObjectRequest = putObjectRequestBuilder.build();
         try (AmazonS3Reference clientReference = blobStore.clientReference()) {
@@ -585,7 +623,8 @@ void executeMultipartUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
+        final Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
 
         ensureMultiPartUploadSize(blobSize);
@@ -616,7 +655,7 @@ void executeMultipartUpload(
             createMultipartUploadRequestBuilder.metadata(metadata);
         }
 
-        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore);
+        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore, cryptoMetadata);
 
         final InputStream requestInputStream;
         if (blobStore.isUploadRetryEnabled()) {

plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/utils/SseKmsUtil.java

@@ -12,33 +12,88 @@
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
 
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.cluster.metadata.KmsCryptoMetadata;
+import org.opensearch.common.Nullable;
 import org.opensearch.repositories.s3.S3BlobStore;
 import org.opensearch.repositories.s3.async.UploadRequest;
 
 public class SseKmsUtil {
+    /**
+     * Merges index-level and repository-level encryption contexts, converts to JSON format if needed,
+     * and Base64 encodes for S3.
+     * <p>
+     * Delegates to centralized EncryptionContextUtils for consistent behavior.
+     *
+     * @param indexEncContext Index-level encryption context - can be cryptofs or JSON format
+     * @param repoEncContext  Repository-level encryption context - already Base64 encoded JSON
+     * @return Base64 encoded merged JSON encryption context, or null if both are null
+     */
+    public static String mergeAndEncodeEncryptionContexts(@Nullable String indexEncContext, @Nullable String repoEncContext) {
+        return org.opensearch.repositories.blobstore.EncryptionContextUtils.mergeAndEncodeEncryptionContexts(
+            indexEncContext,
+            repoEncContext
+        );
+    }
 
-    public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, S3BlobStore blobStore) {
+    public static void configureEncryptionSettings(
+        CreateMultipartUploadRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            String indexKmsKey = null;
+            String indexEncContext = null;
+
+            if (cryptoMetadata instanceof KmsCryptoMetadata) {
+                KmsCryptoMetadata kmsMetadata = (KmsCryptoMetadata) cryptoMetadata;
+                indexKmsKey = kmsMetadata.getKmsKeyArn().orElse(null);
+                indexEncContext = kmsMetadata.getKmsEncryptionContext().orElse(null);
+            }
+
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+            String encContext = mergeAndEncodeEncryptionContexts(indexEncContext, blobStore.serverSideEncryptionEncryptionContext());
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
-    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+    public static void configureEncryptionSettings(
+        PutObjectRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            String indexKmsKey = null;
+            String indexEncContext = null;
+
+            if (cryptoMetadata instanceof KmsCryptoMetadata) {
+                KmsCryptoMetadata kmsMetadata = (KmsCryptoMetadata) cryptoMetadata;
+                indexKmsKey = kmsMetadata.getKmsKeyArn().orElse(null);
+                indexEncContext = kmsMetadata.getKmsEncryptionContext().orElse(null);
+            }
+
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+            String encContext = mergeAndEncodeEncryptionContexts(indexEncContext, blobStore.serverSideEncryptionEncryptionContext());
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
+    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+        configureEncryptionSettings(builder, blobStore, null);
+    }
+
     public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, UploadRequest uploadRequest) {
         if (uploadRequest.getServerSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerEncryptionTests.java

@@ -0,0 +1,45 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.s3;
+
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
+import org.opensearch.test.OpenSearchTestCase;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+public class S3BlobContainerEncryptionTests extends OpenSearchTestCase {
+
+    public void testEncryptionContextMerging() {
+        String indexContext = "tenant=acme,classification=confidential";
+        String repoContext = Base64.getEncoder().encodeToString("{\"repo\":\"test\",\"env\":\"prod\"}".getBytes(StandardCharsets.UTF_8));
+
+        String merged = SseKmsUtil.mergeAndEncodeEncryptionContexts(indexContext, repoContext);
+        assertNotNull(merged);
+
+        String decoded = new String(Base64.getDecoder().decode(merged), StandardCharsets.UTF_8);
+        assertTrue(decoded.contains("\"tenant\":\"acme\""));
+        assertTrue(decoded.contains("\"classification\":\"confidential\""));
+        assertTrue(decoded.contains("\"repo\":\"test\""));
+        assertTrue(decoded.contains("\"env\":\"prod\""));
+    }
+
+    public void testCryptoMetadataExtraction() {
+        Settings cryptoSettings = Settings.builder()
+            .put("kms.key_arn", "arn:aws:kms:us-east-1:123456789:key/index-key")
+            .put("kms.encryption_context", "tenant=acme,env=staging")
+            .build();
+        CryptoMetadata cryptoMetadata = new CryptoMetadata("index-provider", "aws-kms", cryptoSettings);
+
+        assertEquals("arn:aws:kms:us-east-1:123456789:key/index-key", cryptoMetadata.settings().get("kms.key_arn"));
+        assertEquals("tenant=acme,env=staging", cryptoMetadata.settings().get("kms.encryption_context"));
+    }
+}

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerMockClientTests.java

@@ -757,7 +757,8 @@ private void testLargeFilesRedirectedToSlowSyncClient(boolean expectException, W
             anyString(),
             any(InputStream.class),
             anyLong(),
-            anyMap()
+            anyMap(),
+            null
         );
 
         if (expectException) {

plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobStoreContainerTests.java

@@ -134,7 +134,7 @@ public void testExecuteSingleUploadBlobSizeTooLarge() {
 
         final IllegalArgumentException e = expectThrows(
             IllegalArgumentException.class,
-            () -> blobContainer.executeSingleUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null)
+            () -> blobContainer.executeSingleUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null, null)
         );
         assertEquals("Upload request size [" + blobSize + "] can't be larger than 5gb", e.getMessage());
     }
@@ -153,6 +153,7 @@ public void testExecuteSingleUploadBlobSizeLargerThanBufferSize() {
                 blobName,
                 new ByteArrayInputStream(new byte[0]),
                 ByteSizeUnit.MB.toBytes(2),
+                null,
                 null
             )
         );
@@ -665,7 +666,7 @@ public void testExecuteSingleUpload() throws IOException {
         when(client.putObject(putReqCaptor.capture(), bodyCaptor.capture())).thenReturn(PutObjectResponse.builder().build());
 
         // Pass the known-length stream + tell the code the exact size
-        blobContainer.executeSingleUpload(blobStore, blobName, inputStream, blobSize, metadata);
+        blobContainer.executeSingleUpload(blobStore, blobName, inputStream, blobSize, metadata, null);
 
         final PutObjectRequest request = putReqCaptor.getValue();
         final RequestBody requestBody = bodyCaptor.getValue();
@@ -703,7 +704,7 @@ public void testExecuteMultipartUploadBlobSizeTooLarge() {
 
         final IllegalArgumentException e = expectThrows(
             IllegalArgumentException.class,
-            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null)
+            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null, null)
         );
         assertEquals("Multipart upload request size [" + blobSize + "] can't be larger than 5tb", e.getMessage());
     }
@@ -715,7 +716,7 @@ public void testExecuteMultipartUploadBlobSizeTooSmall() {
 
         final IllegalArgumentException e = expectThrows(
             IllegalArgumentException.class,
-            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null)
+            () -> blobContainer.executeMultipartUpload(blobStore, randomAlphaOfLengthBetween(1, 10), null, blobSize, null, null)
         );
         assertEquals("Multipart upload request size [" + blobSize + "] can't be smaller than 5mb", e.getMessage());
     }
@@ -803,7 +804,7 @@ public void testExecuteMultipartUpload() throws IOException {
 
         final ByteArrayInputStream inputStream = new ByteArrayInputStream(new byte[0]);
         final S3BlobContainer blobContainer = new S3BlobContainer(blobPath, blobStore);
-        blobContainer.executeMultipartUpload(blobStore, blobName, inputStream, blobSize, metadata);
+        blobContainer.executeMultipartUpload(blobStore, blobName, inputStream, blobSize, metadata, null);
 
         final CreateMultipartUploadRequest initRequest = createMultipartUploadRequestArgumentCaptor.getValue();
         assertEquals(bucketName, initRequest.bucket());
@@ -933,7 +934,7 @@ public void testExecuteMultipartUploadAborted() {
 
         final IOException e = expectThrows(IOException.class, () -> {
             final S3BlobContainer blobContainer = new S3BlobContainer(blobPath, blobStore);
-            blobContainer.executeMultipartUpload(blobStore, blobName, new ByteArrayInputStream(new byte[0]), blobSize, null);
+            blobContainer.executeMultipartUpload(blobStore, blobName, new ByteArrayInputStream(new byte[0]), blobSize, null, null);
         });
 
         assertEquals("Unable to upload object [" + blobName + "] using multipart upload", e.getMessage());