Skip to content

FEAT: encryption extension integration with kafka#5625

Merged
chenqi0805 merged 117 commits into
opensearch-project:mainfrom
chenqi0805:feat/encryption-extension-integration-with-kafka
May 30, 2025
Merged

FEAT: encryption extension integration with kafka#5625
chenqi0805 merged 117 commits into
opensearch-project:mainfrom
chenqi0805:feat/encryption-extension-integration-with-kafka

Conversation

@chenqi0805
Copy link
Copy Markdown
Collaborator

@chenqi0805 chenqi0805 commented Apr 18, 2025
edited
Loading

Description

This PR integrates the encryption plugin with the kafka buffer by

  • introduce encryption_id which references the encryption config ID in the extension config under topic configuration
  • introduce BufferMessageEncryptionDeserializer and BufferMessageEncryptionSerializer as a wrapper around inner dataSerializer with encryption engine.
  • avoids clash with existing kms config under kafka topic by adding mutual exclusive validation check between encryption_key and encryption_id.

Manually tested with

version: "2"
extension:
  encryption:
    default:
      kms:
        encryption_key_directory: s3://my-encryption-1/key
        key_id: 0f1e4812-b5a3-454a-afc6-fbce9a251263
        encryption_context:
          aws:osis:arn: "arn:aws:osis:us-west-2:253613578708:pipeline/test-persistent-buffer-1"
        region: us-east-1
      #  #sts_role_arn: arn:aws:iam::253613578708:role/FullAccess
waf-access-log-pipeline:
  source:
    http:
      path: "/${pipelineName}/logs"
      ssl: false
      port: 21890
  buffer:
    kafka:
      bootstrap_servers:
        - "localhost:9092"
      encryption:
        type: none
      topics:
        - group_id: "BufferGroup-sbw44hdc2cqybr6ghmbkrdwzue"
          name: "BufferTopic-sbw44hdc2cqybr6ghmbkrdwzue"
          encryption_id: default
          #create_topic: true
          #encryption_key: AQIDAHi4L/vFhsXe6BbZnQC2Y/2j9I9hZG3I4bTZi1rXOep0DQG7bFN0uQMPI/4XP0JOcnQPAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM/IflndDoqKPzeR5vAgEQgDsVdh4c7ghXJg30RdudEXk+e2CB5GAFNqPHwxyl+yLOe5lPWT3oXuKEirJ1AJ1J5yPYIc/qZ1pWfcilUw
          #kms:
          #  key_id: 0f1e4812-b5a3-454a-afc6-fbce9a251263
  sink:
    - stdout:

Note:
The kafka buffer integration test failure is on the existing kafka topic kms config unrelated to encryption extension. There is a separate effort to fix the integ test.

Issues Resolved

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

chenqi0805 and others added 30 commits April 2, 2025 14:19
@chenqi0805
INIT: encryption extension
337f006 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
ADD: rotation http handler and data key supplier
4e7f651 
Signed-off-by: George Chen <qchea@amazon.com>
@RashmiRam @chenqi0805
Fixed kinesis retrieval config argument passing to KCL scheduler (ope…
2d9b978 
…nsearch-project#5272)

Signed-off-by: RashmiRam <ras.xena@gmail.com>
Signed-off-by: George Chen <qchea@amazon.com>
@san81 @chenqi0805
Handling end to end acknowledgement in Jira Source (opensearch-projec…
f5b5f5b 
…t#5344)

* Handling end to end acknowledgement

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

* introduced boolean to control end to end Acknowledgment

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

* acknowledgments on case

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

---------

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@Galactus22625 @chenqi0805
add batch size field for jira source (opensearch-project#5348)
a7d5f5b 
* add batch size field for jira source

Signed-off-by: Maxwell Brown <mxwelwbr@amazon.com>

* remove unused config fields

Signed-off-by: Maxwell Brown <mxwelwbr@amazon.com>

* add interface function to simplify batchSize code

Signed-off-by: Maxwell Brown <mxwelwbr@amazon.com>

* default batch size comments

Signed-off-by: Maxwell Brown <mxwelwbr@amazon.com>

---------

Signed-off-by: Maxwell Brown <mxwelwbr@amazon.com>
Signed-off-by: Maxwell Brown <55033421+Galactus22625@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@graytaylor0 @chenqi0805
Implement delete_s3_objects_on_read for S3-SQS source (opensearch-pro…
01750e3 
…ject#5358)

Signed-off-by: Taylor Gray <tylgry@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@oeyh @chenqi0805
Initial PR for stream support for Postgres in Rds source (opensearch-…
ee992d3 
…project#5310)

* First working version

Signed-off-by: Hai Yan <oeyh@amazon.com>

* More progress and update existing unit tests

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Add unit tests

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Remove and rename classes

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Remove test code

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Address review comments

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Address minor issues

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Group MySQL and Postgres stream states

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Address more comments

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Fix Java21 build

Signed-off-by: Hai Yan <oeyh@amazon.com>

---------

Signed-off-by: Hai Yan <oeyh@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@san81 @chenqi0805
Check pointing Leader Scheduler State (opensearch-project#5352)
1d17343 
* Handling end to end acknowledgement

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

* checking pointing leader state for every one minute

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

* corresponding test cases fix

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

---------

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@san81 @chenqi0805
Fixing a flaky test (opensearch-project#5365)
0a8b62e 
Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@san81 @chenqi0805
disabling caffine cache instead of setting the max to 1 (opensearch-p…
bb6dcec 
…roject#5362)

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@oeyh @chenqi0805
Disable flaky tests fow now (opensearch-project#5366)
33d4462 
Signed-off-by: Hai Yan <oeyh@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@graytaylor0 @chenqi0805
Add debug logs for Kafka consumer (opensearch-project#5369)
7861cd6 
Signed-off-by: Taylor Gray <tylgry@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@srikanthjg @chenqi0805
lambda processor should retry for certain class of exceptions (opense…
7b83593 
…arch-project#5320)

* lambda processor should retry for certain class of exceptions

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Address Comment on complete codec

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Add retryCondidition to lambda Client

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Address comments

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Address comments and add UT and IT

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Address comment on completeCodec

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

---------

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@oeyh @chenqi0805
Fix postgres stream (opensearch-project#5367)
3734197 
Signed-off-by: Hai Yan <oeyh@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@graytaylor0 @chenqi0805
Change Kafka Buffer defaults for fetch.max.wait.ms, fetch.min.bytes, …
df07aee 
…partition.assignment.strategy, close consumer on shutdown (opensearch-project#5373)

Signed-off-by: Taylor Gray <tylgry@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@Galactus22625 @chenqi0805
Improve Jira logging (opensearch-project#5351)
ea2f770 
Improve Jira logging

Signed-off-by: Maxwell Brown <mxwelwbr@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@san81 @chenqi0805
Plugin metrics injection (opensearch-project#5372)
6853466 
* injectable plugin metrics

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

* removed an unused parameter

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

* fixing a flaky test

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>

---------

Signed-off-by: Santhosh Gandhe <1909520+san81@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@kkondaka @chenqi0805
Fixed javadoc errors (opensearch-project#5379)
dec63be 
Signed-off-by: Krishna Kondaka <krishkdk@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@jmsusanto @chenqi0805
Implementation of sqs-common plugin and refactored sqs and s3 source (o…
f17c815 
…pensearch-project#5361)

* initial refactoring

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

* refactored sqs-source to use sqs-common

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

* refactored SqsWorker to use the common library

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

* minor changes

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

* another small fix

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

* added unit tests for sqs-common

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

* updated tests

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>

---------

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>
Co-authored-by: Jeremy Michael <jsusanto@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@shenkw1 @chenqi0805
schema revisions, add json aliases (opensearch-project#5349)
993dc23 
* schema revisions, add json aliases

Signed-off-by: Katherine Shen <katshen@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@oeyh @chenqi0805
Add e2e ack, checkpointing and metrics to Postgres stream processing (o…
b266ca2 
…pensearch-project#5375)

* Initial commit

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Update unit tests

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Add more metrics

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Add more tests

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Address review comments

Signed-off-by: Hai Yan <oeyh@amazon.com>

* Address review comments

Signed-off-by: Hai Yan <oeyh@amazon.com>

---------

Signed-off-by: Hai Yan <oeyh@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@kkondaka @chenqi0805
Add cloudwatch logs sink (opensearch-project#5406)
e434b3e 
* Add cloudwatch logs sink

Signed-off-by: Krishna Kondaka <krishkdk@amazon.com>

* Addressed review comments

Signed-off-by: Krishna Kondaka <krishkdk@amazon.com>

---------

Signed-off-by: Krishna Kondaka <krishkdk@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@dlvenable @chenqi0805
Updates the Dockerfile to use non-legacy syntax for environment varia…
6e86afb 
…bles. (opensearch-project#5417)

Signed-off-by: David Venable <dlv@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@dlvenable @chenqi0805
Moves asifsmohammed to the Emeritus section. We previously removed hi…
023fd5e 
…m from the CODEOWNERS, so this keeps these in sync. (opensearch-project#5419)

Signed-off-by: David Venable <dlv@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@jmsusanto @chenqi0805
SQS Source: Add on_error Config, Multi-Region Support, and sqsMessage…
6030f63 
…DelayTimer Metric for Auto-Scaling (opensearch-project#5409)

Signed-off-by: Jeremy Michael <jsusanto@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@oeyh @chenqi0805
Support export from postgres (opensearch-project#5414)
8b11fc4 
Signed-off-by: Hai Yan <oeyh@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@graytaylor0 @chenqi0805
Add max_receive_count configuration option in S3-SQS source to delete…
c98792f 
… messages that have been received many times (opensearch-project#5408)

Signed-off-by: Taylor Gray <tylgry@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@dlvenable @chenqi0805
Set the JVM file encoding to UTF-8. Resolves opensearch-project#5238. (
b6f140d 
…opensearch-project#5420)

Signed-off-by: David Venable <dlv@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
@MohammedAghil @chenqi0805
Zero Buffer Implementation and Tests (opensearch-project#5416)
87f0915 
* Zero Buffer Implementation and Tests

Signed-off-by: Mohammed Aghil Puthiyottil <57040494+MohammedAghil@users.noreply.github.com>

* Moved ZeroBuffer Implementation into data-prepper-core and addressed comments

Signed-off-by: Mohammed Aghil Puthiyottil <57040494+MohammedAghil@users.noreply.github.com>

* Modified ZeroBufferTests to use MockitoExtension and addressed comments

Signed-off-by: Mohammed Aghil Puthiyottil <57040494+MohammedAghil@users.noreply.github.com>

---------

Signed-off-by: Mohammed Aghil Puthiyottil <57040494+MohammedAghil@users.noreply.github.com>
Signed-off-by: George Chen <qchea@amazon.com>
@srikanthjg @chenqi0805
Add stateful buffer for lambda sink (opensearch-project#5354)
9496212 
* Fix merge conflict

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Address concurrency/synchronization comment

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Fix InMemoryBufferSynchronized and Add IT

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Address timeout threshold comment

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Add IT for timeout threshold

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

* Fix checkstyle

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>

---------

Signed-off-by: Srikanth Govindarajan <srigovs@amazon.com>
Signed-off-by: George Chen <qchea@amazon.com>
chenqi0805 added 14 commits May 19, 2025 11:47
@chenqi0805
REF: AwsContext
ce1a485 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
Merge branch 'tmp/encryption-extension-3' into enh/encryption-extensi…
94b06e5 
…on-3

Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
MAINT: renaming
e9c1775 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
MAINT: refactoring some classes and interfaces
f1018a1 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
MAINT: missing interface
710222a 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
Merge branch 'enh/encryption-extension-3' into feat/encryption-extens…
b377a58 
…ion-integration-with-kafka

Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
MAINT: public class
0daa645 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
Merge branch 'enh/encryption-extension-3' into feat/encryption-extens…
6cdc359 
…ion-integration-with-kafka

Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
STY: doc
6e76b21 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
REF: AwsContext and AwsContextImpl
283ced9 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
MAINT: documentation
f1d2752 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
Merge branch 'enh/encryption-extension-3' into feat/encryption-extens…
ebf99a0 
…ion-integration-with-kafka

Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
Merge branch 'main' into feat/encryption-extension-integration-with-k…
68828cf 
…afka

Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805
MAINT: allow encryption plugin in pipeline config
a76b06d 
Signed-off-by: George Chen <qchea@amazon.com>
@chenqi0805 chenqi0805 marked this pull request as ready for review May 29, 2025 21:46
@chenqi0805 chenqi0805 merged commit 540f3a1 into opensearch-project:main May 30, 2025
41 of 50 checks passed
@chenqi0805 chenqi0805 deleted the feat/encryption-extension-integration-with-kafka branch May 30, 2025 21:21
jeffreyAaron pushed a commit to jeffreyAaron/data-prepper that referenced this pull request Jun 13, 2025
@chenqi0805 @jeffreyAaron
FEAT: encryption extension integration with kafka (opensearch-project…
32a99e7 
…#5625)

* FEAT: encryption extension integration with kafka buffer

Signed-off-by: George Chen <qchea@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oeyh oeyh oeyh approved these changes

@sb2k16 sb2k16 Awaiting requested review from sb2k16 sb2k16 is a code owner

@engechas engechas Awaiting requested review from engechas

@san81 san81 Awaiting requested review from san81 san81 is a code owner

@srikanthjg srikanthjg Awaiting requested review from srikanthjg srikanthjg is a code owner

@graytaylor0 graytaylor0 Awaiting requested review from graytaylor0 graytaylor0 is a code owner

@dinujoh dinujoh Awaiting requested review from dinujoh dinujoh is a code owner

@kkondaka kkondaka Awaiting requested review from kkondaka kkondaka is a code owner

@KarstenSchnitter KarstenSchnitter Awaiting requested review from KarstenSchnitter KarstenSchnitter is a code owner

@dlvenable dlvenable Awaiting requested review from dlvenable dlvenable is a code owner

+1 more reviewer

@shenkw1 shenkw1 shenkw1 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.