feat: Parquet Modular Encryption with Spark KMS for native readers

[mbutrovich]

Which issue does this PR close?

Closes #.

Rationale for this change

We want to add Parquet Module Encryption support for the native readers when using a Spark KMS. We use the encryption factory features added in DataFusion 50 to register an encryption factory that uses JNI to get decryption keys from Spark.

What changes are included in this PR?

How are these changes tested?

• Existing PME tests with new readers added.
• New tests that exercise PME options like plaintext footer, etc.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 36.78161% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.28%. Comparing base (f09f8af) to head (e9fcca7).
⚠️ Report is 562 commits behind head on main.

Files with missing lines	Patch %	Lines
...rg/apache/comet/parquet/CometFileKeyUnwrapper.java	0.00%	18 Missing ⚠️
...a/org/apache/comet/parquet/CometParquetUtils.scala	0.00%	15 Missing ⚠️
...ain/scala/org/apache/comet/CometExecIterator.scala	33.33%	7 Missing and 1 partial ⚠️
...va/org/apache/comet/parquet/NativeBatchReader.java	0.00%	5 Missing ⚠️
...n/scala/org/apache/spark/sql/comet/operators.scala	80.76%	3 Missing and 2 partials ⚠️
...n/scala/org/apache/comet/rules/CometScanRule.scala	42.85%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #2447      +/-   ##
============================================
+ Coverage     56.12%   58.28%   +2.16%     
- Complexity      976     1436     +460     
============================================
  Files           119      147      +28     
  Lines         11743    13567    +1824     
  Branches       2251     2360     +109     
============================================
+ Hits           6591     7908    +1317     
- Misses         4012     4428     +416     
- Partials       1140     1231      +91     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[parthchandra]

Also look at https://github.com/apache/parquet-java/blob/master/parquet-hadoop/src/test/java/org/apache/parquet/crypto/TestPropertiesDrivenEncryption.java to see if there are any tests that might be relevant here.

[parthchandra]

There is only one hadoop conf in a spark session so this may be overkill.

[mbutrovich]

Session hadoopConf is not what the scans use though. They add all the relation options (Parquet options like encryption keys) to the hadoopConf, so each scan can have a unique hadoopConf. Whether we could have a Comet plan with multiple Parquet scans is the real question.

[parthchandra]

Whether we could have a Comet plan with multiple Parquet scans is the real question.

I don't know what you mean by this. What exactly are you calling a Parquet scan?

[mbutrovich]

A scan node in a plan tree, specifically a stage that gets converted to a Comet native plan.

[mbutrovich]

I'll simplify this with a couple of assertions that a Comet plan should only have one scan node in it.

[parthchandra]

I see what you mean now. What about a plan with a union ?

[parthchandra]

@mbutrovich I had this one open question about a plan with a union that may have more than one scan. Can you verify this will not be an issue.

[mbutrovich]

Results attached from the benchmark I added to CometReadBenchmark, and a small chart with highlights to see what the overhead of encryption is for the various readers.

benchmark_decryption.txt

[parthchandra]

Whether we could have a Comet plan with multiple Parquet scans is the real question.

I don't know what you mean by this. What exactly are you calling a Parquet scan?