Export/import encryption parameters in YDB SDK (#17798)

Author: UgnineSirdis

include/ydb-cpp-sdk/client/export/export.h

@@ -79,6 +79,12 @@ struct TExportToS3Settings : public TOperationRequestSettings<TExportToS3Setting
         UNKNOWN = std::numeric_limits<int>::max(),
     };
 
+    struct TEncryptionAlgorithm {
+        static const std::string AES_128_GCM;
+        static const std::string AES_256_GCM;
+        static const std::string CHACHA_20_POLY_1305;
+    };
+
     struct TItem {
         std::string Src;
         std::string Dst;
@@ -89,6 +95,17 @@ struct TExportToS3Settings : public TOperationRequestSettings<TExportToS3Setting
     FLUENT_SETTING_OPTIONAL(std::string, Description);
     FLUENT_SETTING_OPTIONAL(uint32_t, NumberOfRetries);
     FLUENT_SETTING_OPTIONAL(std::string, Compression);
+    FLUENT_SETTING_OPTIONAL(std::string, SourcePath);
+    FLUENT_SETTING_OPTIONAL(std::string, DestinationPrefix);
+
+    TSelf& SymmetricEncryption(const std::string& algorithm, const std::string& key) {
+        EncryptionAlgorithm_ = algorithm;
+        SymmetricKey_ = key;
+        return *this;
+    }
+
+    std::string EncryptionAlgorithm_;
+    std::string SymmetricKey_;
 };
 
 class TExportToS3Response : public TOperation {

include/ydb-cpp-sdk/client/import/import.h

@@ -35,15 +35,28 @@ struct TImportFromS3Settings : public TOperationRequestSettings<TImportFromS3Set
     using TSelf = TImportFromS3Settings;
 
     struct TItem {
+        // Source prefix.
+        // S3 prefix for item
         std::string Src;
+
+        // Destination path.
+        // database path where to import data
         std::string Dst;
+
+        // Source path.
+        // if the export contains the database objects list, you may specify the database object name,
+        // and the S3 prefix will be looked up in the database objects list by the import procedure
+        std::string SrcPath = {};
     };
 
     FLUENT_SETTING_VECTOR(TItem, Item);
     FLUENT_SETTING_OPTIONAL(std::string, Description);
     FLUENT_SETTING_OPTIONAL(uint32_t, NumberOfRetries);
     FLUENT_SETTING_OPTIONAL(bool, NoACL);
     FLUENT_SETTING_OPTIONAL(bool, SkipChecksumValidation);
+    FLUENT_SETTING_OPTIONAL(std::string, SourcePrefix);
+    FLUENT_SETTING_OPTIONAL(std::string, DestinationPath);
+    FLUENT_SETTING_OPTIONAL(std::string, SymmetricKey);
 };
 
 class TImportFromS3Response : public TOperation {

src/client/export/export.cpp

@@ -21,6 +21,10 @@ namespace NExport {
 using namespace NThreading;
 using namespace Ydb::Export;
 
+const std::string TExportToS3Settings::TEncryptionAlgorithm::AES_128_GCM = "AES-128-GCM";
+const std::string TExportToS3Settings::TEncryptionAlgorithm::AES_256_GCM = "AES-256-GCM";
+const std::string TExportToS3Settings::TEncryptionAlgorithm::CHACHA_20_POLY_1305 = "ChaCha20-Poly1305";
+
 /// Common
 namespace {
 
@@ -194,8 +198,25 @@ TFuture<TExportToS3Response> TExportClient::ExportToS3(const TExportToS3Settings
         request.mutable_settings()->set_compression(TStringType{settings.Compression_.value()});
     }
 
+    if (settings.SourcePath_) {
+        request.mutable_settings()->set_source_path(settings.SourcePath_.value());
+    }
+
+    if (settings.DestinationPrefix_) {
+        request.mutable_settings()->set_destination_prefix(settings.DestinationPrefix_.value());
+    }
+
     request.mutable_settings()->set_disable_virtual_addressing(!settings.UseVirtualAddressing_);
 
+    if (settings.EncryptionAlgorithm_.empty() != settings.SymmetricKey_.empty()) {
+        throw TContractViolation("Encryption algorithm and symmetric key must be set together");
+    }
+
+    if (!settings.EncryptionAlgorithm_.empty() && !settings.SymmetricKey_.empty()) {
+        request.mutable_settings()->mutable_encryption_settings()->set_encryption_algorithm(settings.EncryptionAlgorithm_);
+        request.mutable_settings()->mutable_encryption_settings()->mutable_symmetric_key()->set_key(settings.SymmetricKey_);
+    }
+
     return Impl_->ExportToS3(std::move(request), settings);
 }
 

src/client/import/import.cpp

@@ -141,9 +141,19 @@ TFuture<TImportFromS3Response> TImportClient::ImportFromS3(const TImportFromS3Se
     request.mutable_settings()->set_secret_key(TStringType{settings.SecretKey_});
 
     for (const auto& item : settings.Item_) {
+        if (!item.Src.empty() && !item.SrcPath.empty()) {
+            throw TContractViolation(
+                TStringBuilder() << "Invalid item: both source prefix and source path are set: \"" << item.Src << "\" and \"" << item.SrcPath << "\"");
+        }
+
         auto& protoItem = *request.mutable_settings()->mutable_items()->Add();
-        protoItem.set_source_prefix(TStringType{item.Src});
-        protoItem.set_destination_path(TStringType{item.Dst});
+        if (!item.Src.empty()) {
+            protoItem.set_source_prefix(item.Src);
+        }
+        if (!item.SrcPath.empty()) {
+            protoItem.set_source_path(item.SrcPath);
+        }
+        protoItem.set_destination_path(item.Dst);
     }
 
     if (settings.Description_) {
@@ -158,6 +168,18 @@ TFuture<TImportFromS3Response> TImportClient::ImportFromS3(const TImportFromS3Se
         request.mutable_settings()->set_no_acl(settings.NoACL_.value());
     }
 
+    if (settings.SourcePrefix_) {
+        request.mutable_settings()->set_source_prefix(settings.SourcePrefix_.value());
+    }
+
+    if (settings.DestinationPath_) {
+        request.mutable_settings()->set_destination_path(settings.DestinationPath_.value());
+    }
+
+    if (settings.SymmetricKey_) {
+        request.mutable_settings()->mutable_encryption_settings()->mutable_symmetric_key()->set_key(*settings.SymmetricKey_);
+    }
+
     request.mutable_settings()->set_disable_virtual_addressing(!settings.UseVirtualAddressing_);
 
     return Impl_->ImportFromS3(std::move(request), settings);