steveloughran commented on a change in pull request #3466:
URL: https://github.com/apache/hadoop/pull/3466#discussion_r718337960
##########
File path:
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AUtils.java
##########
@@ -1597,14 +1678,50 @@ public static String getS3EncryptionKey(String bucket,
* @param conf configuration to scan
* @return the encryption mechanism (which will be {@code NONE} unless
* one is set.
- * @throws IOException on any validation problem.
+ * @throws IOException on JCKES lookup or invalid method/key configuration.
*/
public static S3AEncryptionMethods getEncryptionAlgorithm(String bucket,
Configuration conf) throws IOException {
- S3AEncryptionMethods encryptionMethod = S3AEncryptionMethods.getMethod(
- lookupPassword(bucket, conf,
- Constants.S3_ENCRYPTION_ALGORITHM));
- String encryptionKey = getS3EncryptionKey(bucket, conf);
+ return buildEncryptionSecrets(bucket, conf).getEncryptionMethod();
+ }
+
+ /**
+ * Get the server-side encryption or client side encryption algorithm.
+ * This includes validation of the configuration, checking the state of
+ * the encryption key given the chosen algorithm.
+ *
+ * @param bucket bucket to query for
+ * @param conf configuration to scan
+ * @return the encryption mechanism (which will be {@code NONE} unless
+ * one is set and secrets.
+ * @throws IOException on JCKES lookup or invalid method/key configuration.
+ */
+ @SuppressWarnings("deprecation")
+ public static EncryptionSecrets buildEncryptionSecrets(String bucket,
+ Configuration conf) throws IOException {
+
+ // new key, per-bucket
+ // this will include fixup of the old key in config XML entries
+ String algorithm = lookupBucketSecret(bucket, conf,
S3_ENCRYPTION_ALGORITHM);
+ if (algorithm == null) {
+ // try the old key, per-bucket setting, which will find JCEKS values
+ algorithm = lookupBucketSecret(bucket, conf,
SERVER_SIDE_ENCRYPTION_ALGORITHM);
+ }
+ if (algorithm == null) {
+ // new key, global setting
+ // this will include fixup of the old key in config XML entries
+ algorithm = lookupPassword(null, conf, S3_ENCRYPTION_ALGORITHM);
+ }
+ if (algorithm == null) {
+ // old key, global setting, for JCEKS entries.
+ algorithm = lookupPassword(null, conf, SERVER_SIDE_ENCRYPTION_ALGORITHM);
+ }
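Review bot: The javadoc on the new buildEncryptionSecrets() does not match its signature: the @return text still reads "the encryption mechanism (which will be NONE unless one is set and secrets", while the method returns EncryptionSecrets. Reword it to say that the method and the key are returned together. Both @throws lines also spell the keystore type "JCKES", where the inline comments use "JCEKS". The lookup order is per-bucket new key, per-bucket old key, global new key, global old key, so a per-bucket value under the deprecated SERVER_SIDE_ENCRYPTION_ALGORITHM name takes precedence over a global value under S3_ENCRYPTION_ALGORITHM. State that precedence in the javadoc so it reads as deliberate and can be covered by a test. Each step falls through only on `algorithm == null`, so it is also worth documenting what an empty value does. Finally, @SuppressWarnings("deprecation") covers the whole method; a short comment naming the deprecated constant it is there for would keep it from hiding later deprecations.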
Review comment:
no
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.