mukund-thakur commented on a change in pull request #1823: HADOOP-16794 S3
Encryption keys not propagating correctly during copy operation
URL: https://github.com/apache/hadoop/pull/1823#discussion_r385857403
##########
File path:
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java
##########
@@ -3394,6 +3396,42 @@ private CopyResult copyFile(String srcKey, String
dstKey, long size,
});
}
+ /**
+ * Propagate encryption parameters from source file if set else use the
+ * current file system encryption settings.
+ * @param srcom
+ * @param copyObjectRequest
+ */
+ private void propagateEncryptionParams(ObjectMetadata srcom,
+ CopyObjectRequest copyObjectRequest) {
+ Optional<SSEAwsKeyManagementParams> kmsParams = Optional.empty();
+ String sourceKMSId = srcom.getSSEAwsKmsKeyId();
+ if (isNotEmpty(sourceKMSId)) {
+ // source KMS ID is propagated
+ LOG.debug("Propagating SSE-KMS settings from source {}",
+ sourceKMSId);
+ kmsParams = Optional.of(new SSEAwsKeyManagementParams(sourceKMSId));
+ }
+ kmsParams.ifPresent(
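Review bot: The Javadoc tags "@param srcom" and "@param copyObjectRequest" carry no descriptions; state that srcom is the metadata of the source object and that copyObjectRequest is the copy request the encryption parameters are applied to. In the body, kmsParams is initialised to Optional.empty() and only assigned inside the if (isNotEmpty(sourceKMSId)) block, so the Optional and the trailing kmsParams.ifPresent( call add nothing: apply the SSEAwsKeyManagementParams to copyObjectRequest directly inside that block.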
Review comment:
> pull that up into the if() clause and you can avoid doing the optional
> work, just setSSE...(new SS3AwsKMP(sourceKMSId)).
Done
> now, troublespot, and it's one I'm curious about. What if there's SSE-C
> set, as it is also being set on the request? FWIW, I think things will break
> trying to read the file by setting the SSE-C key will inevitably break too.
If SSE-C is used, sseKmsKey won't be present in the sourceObjectMeta. So
that shouldn't be a problem. I debugged this test
ITestS3AEncryptionSSEC#testRenameFile and it works fine. Please let me know if
I am missing something.