[jira] [Commented] (HADOOP-18708) AWS SDK V2 - Implement CSE

Sat, 03 Aug 2024 03:38:41 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-18708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17870697#comment-17870697
 ] 

ASF GitHub Bot commented on HADOOP-18708:
-----------------------------------------

shameersss1 commented on code in PR #6884:
URL: https://github.com/apache/hadoop/pull/6884#discussion_r1702684690


##########
hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/encryption/CSEUtils.java:
##########
@@ -0,0 +1,214 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.fs.s3a.impl.encryption;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.s3a.S3AEncryptionMethods;
+import org.apache.hadoop.fs.s3a.api.RequestFactory;
+import org.apache.hadoop.fs.s3a.impl.InternalConstants;
+import org.apache.hadoop.util.Preconditions;
+
+import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.s3.model.GetObjectRequest;
+import software.amazon.awssdk.services.s3.model.HeadObjectRequest;
+import software.amazon.awssdk.services.s3.model.HeadObjectResponse;
+import software.amazon.awssdk.services.s3.model.NoSuchKeyException;
+
+import static 
org.apache.hadoop.fs.s3a.Constants.S3_ENCRYPTION_CSE_CUSTOM_KEYRING_CLASS_NAME;
+import static 
org.apache.hadoop.fs.s3a.Constants.S3_ENCRYPTION_CSE_INSTRUCTION_FILE_SUFFIX;
+import static org.apache.hadoop.fs.s3a.S3AEncryptionMethods.CSE_CUSTOM;
+import static org.apache.hadoop.fs.s3a.S3AEncryptionMethods.CSE_KMS;
+import static org.apache.hadoop.fs.s3a.S3AUtils.formatRange;
+import static org.apache.hadoop.fs.s3a.S3AUtils.getS3EncryptionKey;
+import static org.apache.hadoop.fs.s3a.impl.AWSHeaders.CRYPTO_CEK_ALGORITHM;
+import static 
org.apache.hadoop.fs.s3a.impl.AWSHeaders.UNENCRYPTED_CONTENT_LENGTH;
+import static 
org.apache.hadoop.fs.s3a.impl.InternalConstants.CSE_PADDING_LENGTH;
+
+/**
+ * S3 client side encryption (CSE) utility class.
+ */
+@InterfaceAudience.Public
+@InterfaceStability.Evolving
+public final class CSEUtils {
+
+  private CSEUtils() {
+  }
+
+  /**
+   * Checks if the file suffix ends CSE file suffix.
+   * {@link 
org.apache.hadoop.fs.s3a.Constants#S3_ENCRYPTION_CSE_INSTRUCTION_FILE_SUFFIX}
+   * when the config
+   * @param key file name
+   * @return true if file name ends with CSE instruction file suffix
+   */
+  public static boolean isCSEInstructionFile(String key) {
+    return key.endsWith(S3_ENCRYPTION_CSE_INSTRUCTION_FILE_SUFFIX);
+  }
+
+  /**
+   * Checks if CSE-KMS or CSE-CUSTOM is set.
+   * @param encryptionMethod type of encryption used
+   * @return true if encryption method is CSE-KMS or CSE-CUSTOM
+   */
+  public static boolean isCSEKmsOrCustom(String encryptionMethod) {
+    return CSE_KMS.getMethod().equals(encryptionMethod) ||
+        CSE_CUSTOM.getMethod().equals(encryptionMethod);
+  }
+
+  /**
+   * Checks if a given S3 object is encrypted or not by checking following two 
conditions
+   * 1. if object metadata contains x-amz-cek-alg
+   * 2. if instruction file is present
+   *
+   * @param s3Client S3 client
+   * @param factory   S3 request factory
+   * @param key      key value of the s3 object
+   * @return true if S3 object is encrypted
+   */
+  public static boolean isObjectEncrypted(S3Client s3Client, RequestFactory 
factory, String key) {
+    HeadObjectRequest.Builder requestBuilder = 
factory.newHeadObjectRequestBuilder(key);
+    HeadObjectResponse headObjectResponse = 
s3Client.headObject(requestBuilder.build());
+    if (headObjectResponse.hasMetadata() &&
+        headObjectResponse.metadata().get(CRYPTO_CEK_ALGORITHM) != null) {
+      return true;
+    }
+    HeadObjectRequest.Builder instructionFileRequestBuilder =
+        factory.newHeadObjectRequestBuilder(key + 
S3_ENCRYPTION_CSE_INSTRUCTION_FILE_SUFFIX);
+    try {
+      s3Client.headObject(instructionFileRequestBuilder.build());
+      return true;
+    } catch (NoSuchKeyException e) {
+      // Ignore. This indicates no instruction file is present
+    }
+    return false;
+  }
+
+  /**
+   * Get the unencrypted object length by either subtracting
+   * {@link InternalConstants#CSE_PADDING_LENGTH} from the object size or 
calculating the
+   * actual size by doing S3 ranged GET operation.
+   *
+   * @param s3Client           S3 client
+   * @param bucket             bucket name of the s3 object
+   * @param key                key value of the s3 object
+   * @param factory            S3 request factory
+   * @param contentLength      S3 object length
+   * @param headObjectResponse response from headObject call
+   * @param cseRangedGetEnabled is ranged get enabled
+   * @param cseReadUnencryptedObjects is reading of une
+   * @return unencrypted length of the object
+   * @throws IOException IO failures
+   */
+  public static long getUnencryptedObjectLength(S3Client s3Client,
+      String bucket,
+      String key,
+      RequestFactory factory,
+      long contentLength,
+      HeadObjectResponse headObjectResponse,
+      boolean cseRangedGetEnabled,
+      boolean cseReadUnencryptedObjects) throws IOException {
+
+    if (cseReadUnencryptedObjects) {
+      // if object is unencrypted, return the actual size
+      if (!isObjectEncrypted(s3Client, factory, key)) {
+        return contentLength;
+      }
+    }
+
+    // check if unencrypted content length metadata is present or not.
+    if (headObjectResponse != null) {
+      String plaintextLength = 
headObjectResponse.metadata().get(UNENCRYPTED_CONTENT_LENGTH);
+      if (headObjectResponse.hasMetadata() && plaintextLength !=null &&
+          !plaintextLength.isEmpty()) {
+        return Long.parseLong(plaintextLength);
+      }
+    }
+
+    if (cseRangedGetEnabled) {

Review Comment:
   V2 and V3 always pads 16 bytes so it makes sense to subtract 16 bytes but to 
have compatibility with v1 client which pads bytes in multiple of 16 simply 
subtracting 16 bytes leads to wrong result/exception.





> AWS SDK V2 - Implement CSE
> --------------------------
>
>                 Key: HADOOP-18708
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18708
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.4.0
>            Reporter: Ahmar Suhail
>            Assignee: Syed Shameerur Rahman
>            Priority: Major
>              Labels: pull-request-available
>
> S3 Encryption client for SDK V2 is now available, so add client side 
> encryption back in. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to