shameersss1 commented on code in PR #6884: URL: https://github.com/apache/hadoop/pull/6884#discussion_r1674103126
########## hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/encryption.md: ########## @@ -674,10 +674,18 @@ clients where S3-CSE has not been enabled. ### Features -- Supports client side encryption with keys managed in AWS KMS. +- Supports client side encryption with keys managed in AWS KMS (CSE-KMS) +- Supports client side encryption with custom keys by implementing custom [Keyring](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html) (CSE-CUSTOM) +- Backward compatible with older encryption clients like `AmazonS3EncryptionClient.java`(V1) and `AmazonS3EncryptionClientV2.java`(V2) - encryption settings propagated into jobs through any issued delegation tokens. - encryption information stored as headers in the uploaded object. +### Compatibility + +- V1 and V2 client suppports reading unencrypted s3 object where as V3 client does not support. Inorder to read s3 objects in a directory with mix of encrypted and unencrypted objects when CSE is enabled set `fs.s3a.encryption.cse.read.unencrypted.objects=true` +- Unlike V2 and V3 client which always pads 16 bytes, V1 client pads extra bytes to the next multiple of 16. For example if unencrypted object size is 12bytes, V1 client pads extra 4bytes to make it multiple of 16. So inorder to read objects encrypted by V1 client, set `fs.s3a.encryption.cse.object.size.ranged.get.enabled=true` Review Comment: ack
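Review bot: The new Compatibility section documents `fs.s3a.encryption.cse.read.unencrypted.objects=true` without stating its default or its consequence: with it set, a CSE-enabled client reads plaintext objects alongside encrypted ones, so a successful read no longer implies the object was encrypted. Suggest adding the default value and that trade-off to the first bullet, and the default plus the reason a ranged GET is needed to the `fs.s3a.encryption.cse.object.size.ranged.get.enabled` bullet. The padding bullet would also be clearer if it said what "always pads 16 bytes" means for the same 12-byte example used for V1. Smaller points in the added lines: "suppports", "where as", "Inorder"/"inorder", "12bytes" and "4bytes" need fixing, "does not support" is missing its object, and the three new Features bullets drop the trailing period that the replaced bullet had.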
