GH-47435: [Python][Parquet] Add direct key encryption/decryption API

[smaheshwar-pltr]

Rationale for this change

See #47435.

What changes are included in this PR?

Adds direct encryption / decryption Python API

Are these changes tested?

Yes, see PR.

Are there any user-facing changes?

Yes, new Python bindings.

• GitHub Issue: [Parquet][Python] API to decrypt parquet file using one DEK and no metadata #47435

[github-actions]

Thanks for opening a pull request!

If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose

Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename the pull request title in the following format?

GH-${GITHUB_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

See also:

• Other pull requests
• Contribution Guidelines - Contributing Overview

[smaheshwar-pltr]

cc @ggershinsky, this is a requirement for PyIceberg encryption support, see apache/iceberg-python#3221

[ggershinsky]

sgtm, #47435 (comment)

[github-actions]

⚠️ GitHub issue #47435 has been automatically assigned in GitHub to PR creator.

[github-actions]

⚠️ GitHub issue #47435 has been automatically assigned in GitHub to PR creator.

[smaheshwar-pltr]

Per #47435 (comment), adding this documentation

[adamreeve]

I don't think it's true that the CryptoFactory handles key rotation automatically, that part of the comment should probably be removed. It does allow key rotation if you use external key material though.

[smaheshwar-pltr]

Not sure who to ping here for review, @AlenkaF @raulcd @rok maybe could I please have some eyes on this?

[adamreeve]

Thanks for implementing this @smaheshwar-pltr! I've left a few suggestions

[adamreeve]

I don't think it's true that the CryptoFactory handles key rotation automatically, that part of the comment should probably be removed. It does allow key rotation if you use external key material though.

[smaheshwar-pltr]

@adamreeve, thank you for the great review here 🙌 . I've reworked the docs now - they are consistent with my (inexperienced) understanding.

Would appreciate your eyes on this again, please let me know what you think!

[github-actions]

Revision: 3e529d5

Submitted crossbow builds: ursacomputing/crossbow @ actions-4b28d0a71b

Task	Status
preview-docs

[adamreeve]

Thanks for the changes @smaheshwar-pltr, I just noticed one more minor issue that I missed first time around sorry.

[adamreeve]

@smaheshwar-pltr, can you please comment on #47435 so I can assign it to you? Eg. just a "take" comment.

Then I'll merge this, the CI failures are unrelated and also failing on main.

[adamreeve]

I've created #49821 as a follow-up issue to add support for per-column keys.

[pitrou]

If all these APIs can raise C++ exceptions, which kind of exceptions will be raised on the Python side?

[smaheshwar-pltr]

(I don't think these specific calls actually reach a (C++) throw on the paths we hit, so this is being defensive. We do validations python-side that throw TypeError and ValueError on e.g. invalid length / algorithm.)

If an exception was raised somehow though, I think we'd be fine and are consistent with elsewhere in this file - from https://cython.readthedocs.io/en/latest/src/userguide/wrapping_CPlusPlus.html#exceptions, the except + here would surface it as a RuntimeError.

For example, FileMetaData::AppendRowGroups is also exposed as except +

arrow/python/pyarrow/includes/libparquet.pxd

Line 403 in 640b66c

void AppendRowGroups(const CFileMetaData& other) except +

and reachably throws ParquetException

arrow/cpp/src/parquet/metadata.cc

Line 933 in 640b66c

throw ParquetException(msg);

which would Cython surfaces as RuntimeError - we even have a test for this:

arrow/python/pyarrow/tests/parquet/test_metadata.py

Line 751 in 640b66c

with pytest.raises(RuntimeError, match=prefix + expected_error):

[pitrou]

Nit: reuse the KEY_ constants above?

[smaheshwar-pltr]

Thank you, addressed in 640b66c (I also lifted to module scope to match the other constants)

[pitrou]

Can we also test something about the exception message?

Suggested change

	with pytest.raises(IOError):
	with pytest.raises(IOError, match='XXX...'):

[smaheshwar-pltr]

Thank you, addressed in 640b66c.

[pitrou]

Same here.

[smaheshwar-pltr]

Thank you, addressed in 640b66c.

[pitrou]

We shouldn't call tobytes as it will utf8-encode a str object.

[smaheshwar-pltr]

Thank you, addressed in 640b66c I think with a isinstance(footer_key, bytes) check.

[pitrou]

Same here.

[smaheshwar-pltr]

Thanks - #49667 (comment)

[pitrou]

Why are we using new? We can create a plain value, I think.

[smaheshwar-pltr]

Thanks, switched to CFileDecryptionPropertiesBuilder in 640b66c as described

[pitrou]

Same here and other instances below.

[smaheshwar-pltr]

Done, thanks

[smaheshwar-pltr]

Actually, I had to revert this specifically in 72029b6 due to https://github.com/apache/arrow/actions/runs/25529723022/job/76124851585 - CI failed with "C++ class must have a nullary constructor to be stack allocated". parquet::FileEncryptionProperties::Builder only declares explicit Builder(SecureString footer_key) (no default ctor), so Cython can't stack-allocate it.

[smaheshwar-pltr]

Thank you for the review @pitrou 🙏 I believe all comments are now addressed, PTAL!

[smaheshwar-pltr]

Friendly ping @adamreeve @pitrou 🙏

[smaheshwar-pltr]

Friendly ping here @adamreeve @pitrou / others! Would love to get this in / reviewed!

[adamreeve]

The latest changes look good to me thanks @smaheshwar-pltr.

The build timing out is a problem on other branches too so looks unrelated to this change.

[smaheshwar-pltr]

Thanks @adamreeve I've pushed an empty commit in 5dd54ca to retrigger 🙏

[adamreeve]

The timeout is happening consistently but doesn't need to pass for this PR to be merged. I've raised #49998 for this.

I'll leave this PR open a while longer in case @pitrou wants to take another look.

[conbench-apache-arrow]

After merging your PR, Conbench analyzed the 4 benchmarking runs that have been run so far on merge-commit 336fdb3.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 9 possible false positives for unstable benchmarks that are known to sometimes produce them.