[
https://issues.apache.org/jira/browse/HADOOP-13887?focusedWorklogId=626065&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-626065
]
ASF GitHub Bot logged work on HADOOP-13887:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 21/Jul/21 10:58
Start Date: 21/Jul/21 10:58
Worklog Time Spent: 10m
Work Description: steveloughran commented on a change in pull request #2706:
URL: https://github.com/apache/hadoop/pull/2706#discussion_r673869794
##########
File path:
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/encryption.md
##########
@@ -619,6 +620,19 @@ clients where S3-CSE has not been enabled.
- Set `fs.s3a.server-side-encryption-algorithm=CSE-KMS`.
- Set `fs.s3a.server-side-encryption.key=<KMS_KEY_ID>`.
+KMS_KEY_ID:
+
+Identifies the symmetric CMK that encrypts the data key.
+To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
+using an alias name, prefix it with "alias/". To specify a CMK in a
+different AWSaccount, you must use the key ARN or alias ARN.
+
+For example:
+- Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
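Review bot: the two context bullets above `KMS_KEY_ID:` configure client-side encryption through properties named `fs.s3a.server-side-encryption-algorithm` and `fs.s3a.server-side-encryption.key`, and the new text does not explain that mismatch. A sentence stating that these server-side property names also carry the CSE-KMS settings would stop readers from hunting for a separate client-side key property. The values listed under `For example:` would also be safer labeled as placeholders so they are not pasted into a configuration as-is.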
Review comment:
can you wrap these IDs & things with backticks so they stay in a fixed
font?
##########
File path:
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/encryption.md
##########
@@ -619,6 +620,19 @@ clients where S3-CSE has not been enabled.
- Set `fs.s3a.server-side-encryption-algorithm=CSE-KMS`.
- Set `fs.s3a.server-side-encryption.key=<KMS_KEY_ID>`.
+KMS_KEY_ID:
+
+Identifies the symmetric CMK that encrypts the data key.
+To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
+using an alias name, prefix it with "alias/". To specify a CMK in a
+different AWSaccount, you must use the key ARN or alias ARN.
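Review bot: the cross-account sentence that closes the `KMS_KEY_ID:` paragraph covers only how to name the key. Using a CMK owned by another account also depends on that key's policy allowing the caller, and when it does not, the failure is the `is not authorized to perform ... GenerateDataKey` error that this PR documents in troubleshooting_s3a.md. A one-line pointer to that entry would connect the two.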
Review comment:
add a space between AWS and account
##########
File path:
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/troubleshooting_s3a.md
##########
@@ -1309,6 +1309,129 @@ enhance security. See
https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryp
```
We can ignore this, since this CryptoMode
setting(CryptoMode.AuthenticatedEncryption)
is required for range gets to work.
+
+### com.amazonaws.services.kms.model.InvalidKeyUsageException: You cannot
generate a data key with an asymmetric CMK
+
+If you generated an Asymmetric CMK from AWS console then CSE-KMS won't be
+able to generate unique data key for encryption.
+
+```
+Caused by: com.amazonaws.services.kms.model.InvalidKeyUsageException: You
cannot generate a data key with an asymmetric CMK (Service: AWSKMS; Status
Code: 400; Error Code: InvalidKeyUsageException; Request ID:
93609c15-e490-4035-8390-f4396f0d90bf; Proxy: null)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
+ at
com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:7223)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7190)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7179)
+ at
com.amazonaws.services.kms.AWSKMSClient.executeGenerateDataKey(AWSKMSClient.java:3482)
+ at
com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:3451)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.buildContentCryptoMaterial(S3CryptoModuleBase.java:533)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.newContentCryptoMaterial(S3CryptoModuleBase.java:481)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.createContentCryptoMaterial(S3CryptoModuleBase.java:447)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectUsingMetadata(S3CryptoModuleBase.java:160)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectSecurely(S3CryptoModuleBase.java:156)
+ at
com.amazonaws.services.s3.AmazonS3EncryptionClientV2.putObject(AmazonS3EncryptionClientV2.java:236)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$putObjectDirect$17(S3AFileSystem.java:2792)
+ at
org.apache.hadoop.fs.statistics.impl.IOStatisticsBinding.trackDurationOfSupplier(IOStatisticsBinding.java:604)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.putObjectDirect(S3AFileSystem.java:2789)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$createEmptyObject$33(S3AFileSystem.java:4440)
+ at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:117)
+ ... 49 more
+```
+
+Generate a Symmetric Key in the same region as your S3 storage for CSE-KMS to
+work.
+
+### com.amazonaws.services.kms.model.NotFoundException: Invalid keyId
+
+If the value in `fs.s3a.server-side-encryption.key` property, does not exist
+/valid in AWS KMS CMK(Customer managed keys), then this error would be seen.
+
+```
+Caused by: com.amazonaws.services.kms.model.NotFoundException: Invalid keyId
abc (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request
ID: 9d53552a-3d1b-47c8-984c-9a599d5c2391; Proxy: null)
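Review bot: the `InvalidKeyUsageException` trace in this hunk carries eleven `AmazonHttpClient` frames that say nothing about the cause. Keeping the `Caused by:` line plus the frames from `AWSKMSClient.generateDataKey` down to `S3AFileSystem.putObjectDirect` would show the same call path in far less space. The fix line `Generate a Symmetric Key in the same region as your S3 storage` also introduces a region requirement that the cause paragraph never mentions; state it there as well, or drop it from the fix.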
Review comment:
again: split line
##########
File path:
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/troubleshooting_s3a.md
##########
@@ -1309,6 +1309,129 @@ enhance security. See
https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryp
```
We can ignore this, since this CryptoMode
setting(CryptoMode.AuthenticatedEncryption)
is required for range gets to work.
+
+### com.amazonaws.services.kms.model.InvalidKeyUsageException: You cannot
generate a data key with an asymmetric CMK
+
+If you generated an Asymmetric CMK from AWS console then CSE-KMS won't be
+able to generate unique data key for encryption.
+
+```
+Caused by: com.amazonaws.services.kms.model.InvalidKeyUsageException: You
cannot generate a data key with an asymmetric CMK (Service: AWSKMS; Status
Code: 400; Error Code: InvalidKeyUsageException; Request ID:
93609c15-e490-4035-8390-f4396f0d90bf; Proxy: null)
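Review bot: the cause sentence `If you generated an Asymmetric CMK from AWS console` ties the error to how the key was created, but the exception text depends only on the key being asymmetric. Wording such as "If the key named in `fs.s3a.server-side-encryption.key` is an asymmetric CMK" covers keys created by any route, and "generate unique data key" in the same sentence needs an article.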
Review comment:
can you break this line down, but do it so that key search strings don't
get split, e.g
```
Caused by: com.amazonaws.services.kms.model.InvalidKeyUsageException:
You cannot generate a data key with an asymmetric CMK
(Service: AWSKMS; Status Code: 400; Error Code: InvalidKeyUsageException;
Request ID: 93609c15-e490-4035-8390-f4396f0d90bf; Proxy: null)
```
##########
File path:
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/troubleshooting_s3a.md
##########
@@ -1309,6 +1309,129 @@ enhance security. See
https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryp
```
We can ignore this, since this CryptoMode
setting(CryptoMode.AuthenticatedEncryption)
is required for range gets to work.
+
+### com.amazonaws.services.kms.model.InvalidKeyUsageException: You cannot
generate a data key with an asymmetric CMK
+
+If you generated an Asymmetric CMK from AWS console then CSE-KMS won't be
+able to generate unique data key for encryption.
+
+```
+Caused by: com.amazonaws.services.kms.model.InvalidKeyUsageException: You
cannot generate a data key with an asymmetric CMK (Service: AWSKMS; Status
Code: 400; Error Code: InvalidKeyUsageException; Request ID:
93609c15-e490-4035-8390-f4396f0d90bf; Proxy: null)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
+ at
com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:7223)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7190)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7179)
+ at
com.amazonaws.services.kms.AWSKMSClient.executeGenerateDataKey(AWSKMSClient.java:3482)
+ at
com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:3451)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.buildContentCryptoMaterial(S3CryptoModuleBase.java:533)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.newContentCryptoMaterial(S3CryptoModuleBase.java:481)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.createContentCryptoMaterial(S3CryptoModuleBase.java:447)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectUsingMetadata(S3CryptoModuleBase.java:160)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectSecurely(S3CryptoModuleBase.java:156)
+ at
com.amazonaws.services.s3.AmazonS3EncryptionClientV2.putObject(AmazonS3EncryptionClientV2.java:236)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$putObjectDirect$17(S3AFileSystem.java:2792)
+ at
org.apache.hadoop.fs.statistics.impl.IOStatisticsBinding.trackDurationOfSupplier(IOStatisticsBinding.java:604)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.putObjectDirect(S3AFileSystem.java:2789)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$createEmptyObject$33(S3AFileSystem.java:4440)
+ at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:117)
+ ... 49 more
+```
+
+Generate a Symmetric Key in the same region as your S3 storage for CSE-KMS to
+work.
+
+### com.amazonaws.services.kms.model.NotFoundException: Invalid keyId
+
+If the value in `fs.s3a.server-side-encryption.key` property, does not exist
+/valid in AWS KMS CMK(Customer managed keys), then this error would be seen.
+
+```
+Caused by: com.amazonaws.services.kms.model.NotFoundException: Invalid keyId
abc (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request
ID: 9d53552a-3d1b-47c8-984c-9a599d5c2391; Proxy: null)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
+ at
com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:7223)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7190)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7179)
+ at
com.amazonaws.services.kms.AWSKMSClient.executeGenerateDataKey(AWSKMSClient.java:3482)
+ at
com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:3451)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.buildContentCryptoMaterial(S3CryptoModuleBase.java:533)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.newContentCryptoMaterial(S3CryptoModuleBase.java:481)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.createContentCryptoMaterial(S3CryptoModuleBase.java:447)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectUsingMetadata(S3CryptoModuleBase.java:160)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectSecurely(S3CryptoModuleBase.java:156)
+ at
com.amazonaws.services.s3.AmazonS3EncryptionClientV2.putObject(AmazonS3EncryptionClientV2.java:236)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$putObjectDirect$17(S3AFileSystem.java:2792)
+ at
org.apache.hadoop.fs.statistics.impl.IOStatisticsBinding.trackDurationOfSupplier(IOStatisticsBinding.java:604)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.putObjectDirect(S3AFileSystem.java:2789)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$createEmptyObject$33(S3AFileSystem.java:4440)
+ at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:117)
+ ... 49 more
+```
+
+Check if `fs.s3a.server-side-encryption.key` is set correctly and matches the
+same on AWS console.
+
+### com.amazonaws.services.kms.model.AWSKMSException: User: <User_ARN> is not
authorized to perform : kms :GenerateDataKey on resource: <KEY_ID>
+
+User doesn't have authorisation to the specific AWS KMS Key ID.
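Review bot: the remedy under `NotFoundException: Invalid keyId` only says to compare the property with the AWS console, while encryption.md in this same PR lists four accepted key forms and requires the `alias/` prefix for alias names. Listing the likely causes here (an alias name without the `alias/` prefix, a bare key ID or alias name for a key in a different account where an ARN is required) would make the entry actionable. The cause sentence `does not exist /valid in AWS KMS CMK(Customer managed keys)` also needs rewording and spacing.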
Review comment:
best to use US_EN spelling to avoid creating complaints about spelling.
So "authorization"
##########
File path:
hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/troubleshooting_s3a.md
##########
@@ -1309,6 +1309,129 @@ enhance security. See
https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryp
```
We can ignore this, since this CryptoMode
setting(CryptoMode.AuthenticatedEncryption)
is required for range gets to work.
+
+### com.amazonaws.services.kms.model.InvalidKeyUsageException: You cannot
generate a data key with an asymmetric CMK
+
+If you generated an Asymmetric CMK from AWS console then CSE-KMS won't be
+able to generate unique data key for encryption.
+
+```
+Caused by: com.amazonaws.services.kms.model.InvalidKeyUsageException: You
cannot generate a data key with an asymmetric CMK (Service: AWSKMS; Status
Code: 400; Error Code: InvalidKeyUsageException; Request ID:
93609c15-e490-4035-8390-f4396f0d90bf; Proxy: null)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
+ at
com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:7223)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7190)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7179)
+ at
com.amazonaws.services.kms.AWSKMSClient.executeGenerateDataKey(AWSKMSClient.java:3482)
+ at
com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:3451)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.buildContentCryptoMaterial(S3CryptoModuleBase.java:533)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.newContentCryptoMaterial(S3CryptoModuleBase.java:481)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.createContentCryptoMaterial(S3CryptoModuleBase.java:447)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectUsingMetadata(S3CryptoModuleBase.java:160)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectSecurely(S3CryptoModuleBase.java:156)
+ at
com.amazonaws.services.s3.AmazonS3EncryptionClientV2.putObject(AmazonS3EncryptionClientV2.java:236)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$putObjectDirect$17(S3AFileSystem.java:2792)
+ at
org.apache.hadoop.fs.statistics.impl.IOStatisticsBinding.trackDurationOfSupplier(IOStatisticsBinding.java:604)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.putObjectDirect(S3AFileSystem.java:2789)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$createEmptyObject$33(S3AFileSystem.java:4440)
+ at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:117)
+ ... 49 more
+```
+
+Generate a Symmetric Key in the same region as your S3 storage for CSE-KMS to
+work.
+
+### com.amazonaws.services.kms.model.NotFoundException: Invalid keyId
+
+If the value in `fs.s3a.server-side-encryption.key` property, does not exist
+/valid in AWS KMS CMK(Customer managed keys), then this error would be seen.
+
+```
+Caused by: com.amazonaws.services.kms.model.NotFoundException: Invalid keyId
abc (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request
ID: 9d53552a-3d1b-47c8-984c-9a599d5c2391; Proxy: null)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1819)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1403)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1372)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)
+ at
com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)
+ at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)
+ at
com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:7223)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7190)
+ at
com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:7179)
+ at
com.amazonaws.services.kms.AWSKMSClient.executeGenerateDataKey(AWSKMSClient.java:3482)
+ at
com.amazonaws.services.kms.AWSKMSClient.generateDataKey(AWSKMSClient.java:3451)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.buildContentCryptoMaterial(S3CryptoModuleBase.java:533)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.newContentCryptoMaterial(S3CryptoModuleBase.java:481)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.createContentCryptoMaterial(S3CryptoModuleBase.java:447)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectUsingMetadata(S3CryptoModuleBase.java:160)
+ at
com.amazonaws.services.s3.internal.crypto.v2.S3CryptoModuleBase.putObjectSecurely(S3CryptoModuleBase.java:156)
+ at
com.amazonaws.services.s3.AmazonS3EncryptionClientV2.putObject(AmazonS3EncryptionClientV2.java:236)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$putObjectDirect$17(S3AFileSystem.java:2792)
+ at
org.apache.hadoop.fs.statistics.impl.IOStatisticsBinding.trackDurationOfSupplier(IOStatisticsBinding.java:604)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.putObjectDirect(S3AFileSystem.java:2789)
+ at
org.apache.hadoop.fs.s3a.S3AFileSystem.lambda$createEmptyObject$33(S3AFileSystem.java:4440)
+ at org.apache.hadoop.fs.s3a.Invoker.once(Invoker.java:117)
+ ... 49 more
+```
+
+Check if `fs.s3a.server-side-encryption.key` is set correctly and matches the
+same on AWS console.
+
+### com.amazonaws.services.kms.model.AWSKMSException: User: <User_ARN> is not
authorized to perform : kms :GenerateDataKey on resource: <KEY_ID>
+
+User doesn't have authorisation to the specific AWS KMS Key ID.
+```
+Caused by: com.amazonaws.services.kms.model.AWSKMSException: User: arn:aws
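Review bot: the `AWSKMSException` heading is written `is not authorized to perform : kms :GenerateDataKey`, with spaces around the colons, so a reader searching for the action name `kms:GenerateDataKey` from their own log will not land on this entry. Copy the heading text verbatim from the exception message, and keep `<User_ARN>` and `<KEY_ID>` style placeholders in the trace under it instead of a real account ARN.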
Review comment:
split line again
Issue Time Tracking
-------------------
Worklog Id: (was: 626065)
Time Spent: 10h 50m (was: 10h 40m)
> Encrypt S3A data client-side with AWS SDK (S3-CSE)
> --------------------------------------------------
>
> Key: HADOOP-13887
> URL: https://issues.apache.org/jira/browse/HADOOP-13887
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.8.0
> Reporter: Jeeyoung Kim
> Assignee: Igor Mazur
> Priority: Minor
> Labels: pull-request-available
> Attachments: HADOOP-13887-002.patch, HADOOP-13887-007.patch,
> HADOOP-13887-branch-2-003.patch, HADOOP-13897-branch-2-004.patch,
> HADOOP-13897-branch-2-005.patch, HADOOP-13897-branch-2-006.patch,
> HADOOP-13897-branch-2-008.patch, HADOOP-13897-branch-2-009.patch,
> HADOOP-13897-branch-2-010.patch, HADOOP-13897-branch-2-012.patch,
> HADOOP-13897-branch-2-014.patch, HADOOP-13897-trunk-011.patch,
> HADOOP-13897-trunk-013.patch, HADOOP-14171-001.patch, S3-CSE Proposal.pdf
>
> Time Spent: 10h 50m
> Remaining Estimate: 0h
>
> Expose the client-side encryption option documented in Amazon S3
> documentation -
> http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
> Currently this is not exposed in Hadoop but it is exposed as an option in AWS
> Java SDK, which Hadoop currently includes. It should be trivial to propagate
> this as a parameter passed to the S3client used in S3AFileSystem.java