feat: add framework for File Format Options

[corwinjoy]

Description

This PR adds encryption support and other advanced file options to delta-rs by implementing a comprehensive framework for file format settings. The changes enable users to configure encryption settings, customize writer properties, and apply file-level formatting options when reading and writing Delta tables.

• Introduces a FileFormatOptions trait and related infrastructure to handle file-specific configurations
• Adds support for both simple property-based encryption and KMS-based encryption through new factory patterns
• Updates all operation builders to accept and propagate file format options throughout the write/read pipeline

In general, we have added a new trait called FileFormatOptions at the root DeltaTable level to unify how files within a delta table are read and written with specific formatting. The idea is that you can apply these settings once, at the top level, and then seamlessly perform any operations with the necessary settings.

This PR leverages the DataFusion TableOptions structure to support format options for multiple underlying file formats. (The idea being that delta-rs may eventually want to support storage formats beyond Parquet, such as Vortex or Lance.) Additionally, it centralizes file format options in a single, consistent location. This avoids the current difficulties where one has to separately set WriterProperties; then reader properties as part of the SessionState. (This is in line with comments from @roeap about how file configuration might be improved: #3300 (comment)). We would also like to eventually extend this upgrade to add notations about these file configurations to the delta table properties. For example, if the files are encrypted, one could add a KMS configuration for where to retrieve encryption keys.

Review Suggestion

This PR turned out to be larger than we hoped, so apologies for that, but I don't know how to split it into smaller pieces.
When reviewing, we suggest starting with the file crates/core/src/table/file_format_options.rs to get an overview of the new file format trait that can be applied to delta tables.

Related Issue(s)

Support Parquet Modular Encryption:
#3300

Documentation

Parquet Modular Encryption: https://docs.google.com/document/d/1MUg1J7u5VdLkgejJ4ybzfZt1OmwhQkq2iGPxsn4gqLI/edit?tab=t.0#heading=h.34wvmhc1zdch

Attribution

This PR was created in collaboration with @adamreeve

[github-actions]

ACTION NEEDED

delta-rs follows the Conventional Commits specification for release automation.

The PR title and description are used as the merge commit message. Please update your PR title and description to match the specification.

[corwinjoy]

Note that fully supporting Parquet encryption requires being able to get write and read properties per-file, which is why the existing ability to set WriterProperties isn't sufficient, and why WriterPropertiesFactory::create_writer_properties is called per file and requires a file path. This allows generating new random data encryption keys per file and performing tasks such as specifying a per-file AAD prefix or supporting the external storage of encryption keys that can be looked up using the file path.

[corwinjoy]

@rtyler @roeap @alamb Tagging you here per our previous discussion on adding encryption support to delta-rs.

[rtyler]

I have marked this pull request as draft. This does not compile as is, I can come back to it once it is able to compile and pass unit tests

[corwinjoy]

I have marked this pull request as draft. This does not compile as is, I can come back to it once it is able to compile and pass unit tests

@rtyler OK. It seems that when I auto-merged the main branch it introduced a build error. I have resolved this and the code is once again building and passing unit tests.

[ion-elgreco]

I can see the benefit but we really need to reduce the surface of change that are being introduced

[ion-elgreco]

Let's not change the function signature here and in the other builders

[corwinjoy]

Could you be more specific about what you are looking for? Checking the code base, I see 25 calls to this constructor, and in 10/25 of the cases, I need to pass file_format_options to maintain the needed settings. I guess I could eliminate the 15 cases where I pass None by splitting this into two named constructors...

[ion-elgreco]

You need to use DeltaTableConfig for this:

delta-rs/crates/core/src/table/builder.rs

Lines 30 to 58 in 18f949e

	/// Configuration options for delta table
	#[derive(Debug, Serialize, Deserialize, Clone, DeltaConfig)]
	#[serde(rename_all = "camelCase")]
	pub struct DeltaTableConfig {
	/// Indicates whether DeltaTable should track files.
	/// This defaults to `true`
	///
	/// Some append-only applications might have no need of tracking any files.
	/// Hence, DeltaTable will be loaded with significant memory reduction.
	pub require_files: bool,
	/// Controls how many files to buffer from the commit log when updating the table.
	/// This defaults to 4 * number of cpus
	///
	/// Setting a value greater than 1 results in concurrent calls to the storage api.
	/// This can decrease latency if there are many files in the log since the
	/// last checkpoint, but will also increase memory usage. Possible rate limits of the storage backend should
	/// also be considered for optimal performance.
	pub log_buffer_size: usize,
	/// Control the number of records to read / process from the commit / checkpoint files
	/// when processing record batches.
	pub log_batch_size: usize,
	#[serde(skip_serializing, skip_deserializing)]
	#[delta(skip)]
	/// When a runtime handler is provided, all IO tasks are spawn in that handle
	pub io_runtime: Option<IORuntime>,
	}

[corwinjoy]

OK. I think you are suggesting that I add file_format_options to the config member of DeltaTable.
In fact, that was the approach I tried initially but I had to back that out and add this as a direct member for the following reasons:

1. The file format options don't really seem to fit properly into DeltaTableConfig since these options seem to be more about managing the logfile.
2. We need to preserve the formatting options when going from DeltaTable to DeltaOps and back. Right now, the config gets lost when new_with_state is called. See below where the config gets reset to default:
   

   delta-rs/crates/core/src/table/mod.rs

   Line 128 in 18f949e

   pub(crate) fn new_with_state(log_store: LogStoreRef, state: DeltaTableState) -> Self {

   
   We need to preserve these settings throughout any chained operations. This means we still need an extra parameter in new_with_state to preserve any existings config. Also, I felt it was cleaner to create a new entry and directly set and pass it. Possibly we could move this into DeltaTableConfig but I think this may be more of a hindrance than a help.

@adamreeve It was a couple of months ago that we moved this, do you remember anything else from our discussion? See commit below:
666f0ba

[ion-elgreco]

1. Correct but they are related to loading the table, which file formats (encryption) should belong as well
2. DeltaTableConfig tags along with the snapshot:

   delta-rs/crates/core/src/table/state.rs

   Lines 73 to 76 in a61ac16

   	/// Get the table config which is loaded with of the snapshot
   	pub fn load_config(&self) -> &DeltaTableConfig {
   	self.snapshot.load_config()
   	}

so that shouldn't be an issue to allow it to stay there when you do new_with_state

[corwinjoy]

OK. I think it makes sense to move this here. I will investigate this week. The main issue is whether I have to support serialization out of the gate to make this work / at what points config gets reconstructed from serialized properties. The reason why is that serialization of the FileFormatOptions will be a bit tricky because:

1. I'm not sure if TableOptions fully supports serialization.
2. For direct encryption and decryption properties, we will need to modify the serialization to make sure that passwords don't get serialized.

[ion-elgreco]

I think it would be better if this pushed into the LoadConfig and not passed through each function

[corwinjoy]

Can you elaborate a bit here? There are a lot of these different execute functions (one for every option) and I agree that it would be nice if they had a common configuration structure rather than the somewhat long list of arguments they take. That would probably be independent of this PR. For now, we have just added an additional argument to pass the needed settings through to execution.

[ion-elgreco]

See ping above, it needs to be DeltaTableConfig

[roeap]

@corwinjoy - awesome to see this come to fruition! Will find some time to give this a review hopefully tomorrow.

At first glance one quick question. Do we see a way to "bundle" the datafusion specific stuff a bit more? It's a bit hard to keep track of all the individual flags while reviewing :)

[corwinjoy]

@roeap

At first glance one quick question. Do we see a way to "bundle" the datafusion specific stuff a bit more? It's a bit hard to keep track of all the individual flags while reviewing :)

What we did to minimize this dependency is define an abstract FileFormatOptions trait. Everything just passes around a FileFormatRef defined as Arc<dyn FileFormatOptions>. Then, only when needed, do we grab final table options or writer properties. Furthermore, we've gated these instances of getting final details behind three function calls in file_format_options.rs:

pub fn build_writer_properties_factory_ffo(
    file_format_options: Option<FileFormatRef>,
) -> Option<Arc<dyn WriterPropertiesFactory>> {...}

pub fn to_table_parquet_options_from_ffo(
    file_format_options: Option<&FileFormatRef>,
) -> Option<TableParquetOptions> {...}

pub fn state_with_file_format_options(
    state: SessionState,
    file_format_options: Option<&FileFormatRef>,
) -> DeltaResult<SessionState> {...}

There might be some ways to refine this further, but in general we've tried to isolate and abstract these file properties where possible and not require datafusion.

[corwinjoy]

@roeap From a user point of view, we've tried hard to make the settings as easy as possible. This can be seen in crates/deltalake/examples/basic_operations_encryption.rs. Here, we demonstrate different kinds of operations on tables. (We have a more formal unit test at crates/core/tests/commands_with_encryption.rs). Thes code examples all look like ordinary operations; all we needed was a common function call when creating DeltaOps:

async fn ops_with_crypto(
    uri: &str,
    file_format_options: &FileFormatRef,
) -> Result<DeltaOps, DeltaTableError> {
    let prefix_uri = format!("file://{}", uri);
    let url = Url::parse(&*prefix_uri).unwrap();
    let ops = DeltaOps::try_from_uri(url).await?;
    Ok(ops.with_file_format_options(file_format_options.clone()))
}

Calling with_file_format_options is sufficient to apply the needed encryption settings for all operations.

[corwinjoy]

Still working on this to move the file config to DeltaTableConfig, but doing this in a separate branch to keep things clean. It's fairly tricky, so it will take a bit. I also plan to improve the unit tests to confirm that files are really being encrypted.

[corwinjoy]

@ion-elgreco OK. I have migrated these file options to the config property in DeltaTable. This definitely reduced the changes quite a bit so thanks for the suggestion! I think it looks pretty solid and look forward to your feedback when you are ready.
@adamreeve

[corwinjoy]

@ion-elgreco We could use some feedback on the best way to set the config for an existing table. In this design, we wanted to:

1. Be able to set the config at runtime, not just at table construction. This is important for fields like passwords, where we will not want them to be serialized, or other options that we may want to change at runtime.
2. Make the user interface easy to use.
   With this design, setting the config for any operation looks like: (from crates/deltalake/examples/basic_operations_encryption.rs)

    let ops = DeltaOps::try_from_uri(url).await?;
    let ops = ops
        .with_file_format_options(file_format_options.clone())
        .await?;

We also considered a design where you could only set this via DeltaTableBuilder but I wanted to make this feature easy to use. See e.g. the following diff where this function is removed.

adamreeve@ec40881

@adamreeve

[adamreeve]

I've just pushed a fixed commit that handles when the load fails if the table isn't created yet: adamreeve@0d551a5

This matches the behaviour of DeltaOps::try_from_uri. Maybe there could be a DeltaOps::try_from_table or TryFrom<DeltaTable> for DeltaOps implementation to handle that scenario.

[ion-elgreco]

I am having hard time understanding this usecase. Why wouldn't it be enough to update the DeltaTableConfig, I would assume without setting the encryption you couldn't load the table at all

[ion-elgreco]

@ion-elgreco OK. I have migrated these file options to the config property in DeltaTable. This definitely reduced the changes quite a bit so thanks for the suggestion! I think it looks pretty solid and look forward to your feedback when you are ready. @adamreeve

I'll do another review over the weekend

[codecov]

Codecov Report

❌ Patch coverage is 85.25253% with 73 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.85%. Comparing base (9f67f9f) to head (c7281de).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
crates/core/src/table/file_format_options.rs	89.09%	10 Missing and 8 partials ⚠️
crates/core/src/operations/encryption.rs	70.45%	10 Missing and 3 partials ⚠️
crates/core/src/operations/optimize.rs	85.07%	5 Missing and 5 partials ⚠️
crates/core/src/writer/record_batch.rs	65.38%	6 Missing and 3 partials ⚠️
crates/core/src/operations/write/writer.rs	91.07%	2 Missing and 3 partials ⚠️
crates/core/src/table/builder.rs	55.55%	4 Missing ⚠️
crates/core/src/operations/delete.rs	80.00%	2 Missing and 1 partial ⚠️
crates/core/src/operations/merge/mod.rs	71.42%	2 Missing ⚠️
crates/core/src/operations/update.rs	75.00%	2 Missing ⚠️
crates/core/src/operations/write/mod.rs	81.81%	2 Missing ⚠️
... and 4 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3794      +/-   ##
==========================================
- Coverage   73.99%   73.85%   -0.15%     
==========================================
  Files         148      153       +5     
  Lines       38904    39490     +586     
  Branches    38904    39490     +586     
==========================================
+ Hits        28788    29165     +377     
- Misses       8850     9028     +178     
- Partials     1266     1297      +31     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ion-elgreco]

This is not needed anymore, since you can access the snapshot.load_config() to access the file_format_options

[ion-elgreco]

Same here it's already available in the snapshot. so we can defer at latest stage to grab these from the load_config

[ion-elgreco]

I prefer we Impl Into here between these two structs.

[ion-elgreco]

I suggest we remove this here. We can move all this logic into:

DeltaScanConfigBuilder.build(), there we can introspect the TableLoadConfig and set the parquetOptions on the DeltaScanConfig

[ion-elgreco]

This can be removed since this will happen inside the DeltaScanBuilder with my suggestion above

[ion-elgreco]

Same here, not needed anymore, since we can pass it through the DeltaScanConfig

[ion-elgreco]

Why can this return None as well?

[ion-elgreco]

56.2.0 has landed so this can be removed

[ion-elgreco]

Do we really need a function for this 🤷

[ion-elgreco]

unwrap_or_default is more idiomatic

[ion-elgreco]

same applies here, I dont think we need a function for just a map()

[ion-elgreco]

@corwinjoy looks already better but I think we can reduce the amount of line changes even more!

I still have to take a better look at why we need a WriterPropertiesFactory :s but maybe you can explain it shortly for me?

[adamreeve]

I still have to take a better look at why we need a WriterPropertiesFactory :s but maybe you can explain it shortly for me?

Corwin is busy travelling this week so might be slow to reply, but I can help answer this part. For some use cases it might be fine to have a single WriterProperties instance for all files, but there are a few reasons why you could want to generate new encryption properties per-file so need a factory:

• To generate new random data encryption keys per file, as it's good security practice to limit how widely one key is used
• To set a different AAD prefix per-file, which prevents attackers from being able to swap out encrypted modules between files and tamper with data
• Be able to handle schema changes like adding columns while specifying per-column encryption keys
• Enables use of external key material, which is when you write a JSON file alongside each Parquet file containing the key metadata. This allows rotation of master keys without having to re-write Parquet files, only the JSON files need to be rewritten. We don't implement this in the Rust parquet-key-management crate but it's supported by the Java and C++/Python Parquet implementations.

This also aligns with the DataFusion EncryptionFactory trait that takes the file path as a parameter when creating encryption and decryption properties.