[
https://issues.apache.org/jira/browse/HADOOP-13887?focusedWorklogId=622465&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-622465
]
ASF GitHub Bot logged work on HADOOP-13887:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 14/Jul/21 11:24
Start Date: 14/Jul/21 11:24
Worklog Time Spent: 10m
Work Description: steveloughran commented on pull request #2706:
URL: https://github.com/apache/hadoop/pull/2706#issuecomment-879811892
Bad news I'm afraid: I've got an extra bit of work for this patch.
The encryption option and key must be included in delegation tokens, so that
encryption setting I have on my client is picked up and propagated to all
workers in a launched job.
We already do this for all the service side encryption options, by creating
and serializing a EncryptionSecrets instance in the token.
This class already supports passing S3-CSE information, so what is needed is
to hook this up with CSE as well as SSE call
- [ ] setEncryptionSecrets in FileSystem.initialize needs to build the
secrets from the client side options, if active
- [ ] bindAWSClient needs to set client side encryption options from any DT.
you may want to add code in EncryptionSecretOperations to help -
EncryptionSecrets MUST NOT use any AWS SDK call to avoid classloading issues.
There's makes me think that the CSE binding/setup code needs to be merged
with the SSE stuff a bit more
# The encryption secrets built up in S3AFS.initialize() MUST use the client
side
secrets if set, so they are picked up by DTs
# FileSystem.setEncryptionSecrets() should set the isCSEEnabled flag.
# CSE-only ITest to call S3AFS.getEncryptionSecrets() & verify that all is
good
# See if ITestSessionDelegationInFileystem can pick up and propagate CSE
options.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 622465)
Time Spent: 7h 40m (was: 7.5h)
> Encrypt S3A data client-side with AWS SDK (S3-CSE)
> --------------------------------------------------
>
> Key: HADOOP-13887
> URL: https://issues.apache.org/jira/browse/HADOOP-13887
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.8.0
> Reporter: Jeeyoung Kim
> Assignee: Igor Mazur
> Priority: Minor
> Labels: pull-request-available
> Attachments: HADOOP-13887-002.patch, HADOOP-13887-007.patch,
> HADOOP-13887-branch-2-003.patch, HADOOP-13897-branch-2-004.patch,
> HADOOP-13897-branch-2-005.patch, HADOOP-13897-branch-2-006.patch,
> HADOOP-13897-branch-2-008.patch, HADOOP-13897-branch-2-009.patch,
> HADOOP-13897-branch-2-010.patch, HADOOP-13897-branch-2-012.patch,
> HADOOP-13897-branch-2-014.patch, HADOOP-13897-trunk-011.patch,
> HADOOP-13897-trunk-013.patch, HADOOP-14171-001.patch, S3-CSE Proposal.pdf
>
> Time Spent: 7h 40m
> Remaining Estimate: 0h
>
> Expose the client-side encryption option documented in Amazon S3
> documentation -
> http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
> Currently this is not exposed in Hadoop but it is exposed as an option in AWS
> Java SDK, which Hadoop currently includes. It should be trivial to propagate
> this as a parameter passed to the S3client used in S3AFileSystem.java
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
