[ 
https://issues.apache.org/jira/browse/HADOOP-19197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17866072#comment-17866072
 ] 

ASF GitHub Bot commented on HADOOP-19197:
-----------------------------------------

steveloughran commented on code in PR #6874:
URL: https://github.com/apache/hadoop/pull/6874#discussion_r1677840394


##########
hadoop-tools/hadoop-aws/src/test/java/org/apache/hadoop/fs/s3a/auth/delegation/TestS3ADelegationTokenSupport.java:
##########
@@ -76,7 +76,7 @@ public void testSessionTokenDecode() throws Throwable {
         renewer,
         new URI("s3a://anything/"),
         new MarshalledCredentials("a", "b", ""),
-        new EncryptionSecrets(S3AEncryptionMethods.SSE_S3, ""),
+        new EncryptionSecrets(S3AEncryptionMethods.SSE_S3, "", ""),
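Review bot: The argument added to the EncryptionSecrets constructor on the changed line is passed as "", so testSessionTokenDecode cannot tell a value that survives marshalling from one that is lost along the way. Pass a non-empty string as the third argument here and assert that the decoded secrets return the same string.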

Review Comment:
   extend test to verify the secrets are round tripped correctly



##########
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AUtils.java:
##########
@@ -1402,6 +1406,79 @@ public static String getS3EncryptionKey(
     }
   }
 
+  /**
+   *  Get any SSE context, without propagating exceptions from
+   * JCEKs files.
+   * @param bucket bucket to query for
+   * @param conf configuration to examine
+   * @return the encryption context value or ""
+   * @throws IllegalArgumentException bad arguments.
+   */
+  public static String getS3EncryptionContext(
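Review bot: The Javadoc on getS3EncryptionContext says exceptions from JCEKS files are not propagated and that the method returns the context value or "", but it does not say what is returned when the JCEKS lookup fails. If that case also yields "", a caller cannot tell an unreadable credential store from an unset context, so state the behaviour in the @return text and consider logging the swallowed exception. Minor: "JCEKs" should read "JCEKS", and the first line of the comment has a double space after the asterisk.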

Review Comment:
   1. `FunctionalIO.uncheckIOExceptions()` can do the wrapping now. Though if 
it is for tests, why bother?
   
   2. If new methods in production code are needed, let's start a new 
S3AEncryption class in fs.s3a.impl for this stuff, S3AUtils is too big and 
while leaving it alone helps backports, there's no need to make things worse





> S3A: Support AWS KMS Encryption Context
> ---------------------------------------
>
>                 Key: HADOOP-19197
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19197
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs/s3
>    Affects Versions: 3.4.0
>            Reporter: Raphael Azzolini
>            Priority: Major
>              Labels: pull-request-available
>
> S3A properties allow users to choose the AWS KMS key 
> (fs.s3a.encryption.key) and S3 encryption algorithm to be used 
> (fs.s3a.encryption.algorithm). In addition to the AWS KMS Key, an 
> encryption context can be used as non-secret data that adds additional 
> integrity and authenticity to check the encrypted data. However, there is no 
> option to specify the [AWS KMS Encryption 
> Context|https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context]
>  in S3A.
> In AWS SDK v2 the encryption context in S3 requests is set by the parameter 
> [ssekmsEncryptionContext.|https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/s3/model/CreateMultipartUploadRequest.Builder.html#ssekmsEncryptionContext(java.lang.String)]
>  It receives a base64-encoded UTF-8 string holding JSON with the encryption 
> context key-value pairs. The value of this parameter could be set by the user 
> in a new property fs.s3a.encryption.context, and be stored in the 
> [EncryptionSecrets|https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/EncryptionSecrets.java]
>  to later be used when setting the encryption parameters in 
> [RequestFactoryImpl|https://github.com/apache/hadoop/blob/f92a8ab8ae54f11946412904973eb60404dee7ff/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/RequestFactoryImpl.java].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
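
The issue description above says the S3 request parameter takes a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. The following is an added example of building and checking that value; it is not code from the PR or from Hadoop, and the class name, method names and sample pairs are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

/** Added illustration; class and method names are hypothetical, not Hadoop code. */
public class EncryptionContextExample {

  /** Escape a string for use inside a JSON string literal. */
  static String jsonEscape(String s) {
    StringBuilder sb = new StringBuilder();
    for (char c : s.toCharArray()) {
      switch (c) {
        case '"':  sb.append("\\\""); break;
        case '\\': sb.append("\\\\"); break;
        default:
          if (c < 0x20) {
            // Control characters must be written as \\uXXXX escapes in JSON.
            sb.append(String.format("\\u%04x", (int) c));
          } else {
            sb.append(c);
          }
      }
    }
    return sb.toString();
  }

  /** Build the base64-encoded UTF-8 JSON form of the context pairs. */
  static String encode(Map<String, String> context) {
    StringJoiner json = new StringJoiner(",", "{", "}");
    for (Map.Entry<String, String> e : context.entrySet()) {
      json.add("\"" + jsonEscape(e.getKey()) + "\":\"" + jsonEscape(e.getValue()) + "\"");
    }
    return Base64.getEncoder()
        .encodeToString(json.toString().getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) {
    // Constructed sample pairs; the context is non-secret data, so no credentials go here.
    Map<String, String> context = new LinkedHashMap<>();
    context.put("project", "hadoop");
    context.put("environment", "test");
    String encoded = encode(context);
    // Decode again to confirm the JSON survives the base64 round trip unchanged.
    String decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
    System.out.println(encoded);
    System.out.println(decoded);
  }
}
```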