Re: [PR] HADOOP-18708: Support S3 Client Side Encryption(CSE) With AWS SDK V2 [hadoop]

Thu, 11 Jul 2024 07:22:41 -0700 


shameersss1 commented on code in PR #6884:
URL: https://github.com/apache/hadoop/pull/6884#discussion_r1674104148


##########
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AFileSystem.java:
##########
@@ -1109,6 +1136,44 @@ private ClientManager createClientManager(URI fsURI, 
boolean dtEnabled) throws I
         S3_CLIENT_FACTORY_IMPL, DEFAULT_S3_CLIENT_FACTORY_IMPL,
         S3ClientFactory.class);
 
+    S3ClientFactory clientFactory;
+    S3ClientFactory unecnryptedClientFactory = null;
+    CSEMaterials cseMaterials = null;
+
+    if (isCSEEnabled) {
+      S3AEncryptionMethods algorithm = getS3EncryptionAlgorithm();
+      switch (algorithm) {
+      case CSE_KMS:
+        String kmsKeyId = getS3EncryptionKey(bucket, conf, true);
+        Preconditions.checkArgument(kmsKeyId != null && !kmsKeyId.isEmpty(),
+            "KMS keyId cannot be null or empty");
+        cseMaterials  = new CSEMaterials()
+            .withCSEKeyType(CSEMaterials.CSEKeyType.KMS)
+            .withConf(conf)
+            .withKmsKeyId(kmsKeyId);
+        break;
+      case CSE_CUSTOM:
+        String customCryptoClassName = 
conf.get(S3_ENCRYPTION_CSE_CUSTOM_KEYRING_CLASS_NAME);
+        Preconditions.checkArgument(customCryptoClassName != null &&
+                !customCryptoClassName.isEmpty(),
+            "CSE custom cryptographic class name cannot be null or empty");
+        cseMaterials  = new CSEMaterials()
+            .withCSEKeyType(CSEMaterials.CSEKeyType.CUSTOM)
+            .withConf(conf)
+            .withCustomCryptographicClassName(customCryptoClassName);
+        break;
+      default:
+        throw new IllegalArgumentException("Invalid client side encryption 
algorithm."
+            + " Only CSE-KMS and CSE-CUSTOM is supported");
+      }
+      clientFactory = 
ReflectionUtils.newInstance(EncryptionS3ClientFactory.class, conf);
+      // This just creates a factory class. Unencrypted client will only be 
created when the
+      // config is enabled and when it is actually required.
+      unecnryptedClientFactory = 
ReflectionUtils.newInstance(s3ClientFactoryClass, conf);

Review Comment:
   ack



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to