[
https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16258770#comment-16258770
]
ASF GitHub Bot commented on NIFI-4256:
--------------------------------------
Github user jvwing commented on the issue:
https://github.com/apache/nifi/pull/2248
@baank, thanks for putting in all the work on this PR so far, it is looking
pretty good. The full build with contrib-check passed. I have been able to
run through the encryption functionality without problems so far. I have a few
comments and questions:
* I see warnings like "The service APIs should not be bundled with the
implementations" when starting NiFi:
```
2017-11-19 03:01:29,148 WARN [main] org.apache.nifi.nar.ExtensionManager
Controller Service
org.apache.nifi.processors.aws.s3.encryption.EncryptedS3ClientService is
bundled with its supporting APIs
org.apache.nifi.processors.aws.s3.S3ClientService. The service APIs should not
be bundled with the implementations.
2017-11-19 03:01:29,158 WARN [main] org.apache.nifi.nar.ExtensionManager
Controller Service
org.apache.nifi.processors.aws.s3.encryption.EncryptedS3PutEnrichmentService is
bundled with its supporting APIs
org.apache.nifi.processors.aws.s3.service.S3PutEnrichmentService. The service
APIs should not be bundled with the implementations.
```
As part of the recent restructuring of the nifi-aws-bundle, service
interfaces are now defined in the nifi-aws-service-api project, with
implementations in one of the other projects. I think we should move the
interface definitions for S3ClientService and S3PutEnrichmentService into the
nifi-aws-service-api project.
* In PutS3Object, I recommend that calling the S3PutEnrichmentService be
the very last thing before making the request to S3, to provide the maximum
range of modification options. At the moment, there are some ACL settings that
follow enrichment. Does that make sense?
* Why does the EncryptedS3PutEnrichmentService offer to capture and use the
MD5 hash of the key? I vaguely understood that the AWS SDK would handle the
MD5 hash when necessary, which I also understood to be for get requests, and
I'm not sure when I would fill it in. The documentation is not very clear, but
[ObjectMetadata.setSSECustomerKeyMd5](http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/model/ObjectMetadata.html#setSSECustomerKeyMd5-java.lang.String-)
says "for internal use only". The service seemed to work just fine for me
without providing it, and it is not described as required. From line 163:
```
if (StringUtils.isNotBlank(customerKeyMD5)) {
putObjectRequest.getMetadata().setSSECustomerKeyMd5(customerKeyMD5);
}
```
When would we need this?
> Add support for all AWS S3 Encryption Options
> ---------------------------------------------
>
> Key: NIFI-4256
> URL: https://issues.apache.org/jira/browse/NIFI-4256
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.2.0
> Reporter: Franco
> Labels: aws, aws-s3, security
>
> NiFi currently only supportsĀ SSE-S3 encryption (AES256).
> Support needs to be added for:
> * SSE-S3
> * SSE-KMS
> * SSE-C
> * CSE-KMS CMK
> * CSE-Master Key
> With all of the appropriate configuration options and such that SSE is
> available only for PutS3Object whilst CSE is available also for FetchS3Object.
> Given that this will add another 20 or so UI properties the intention is to
> split it into a Client Side Encryption Service and Server Side Encryption
> Service. This will allow users to reuse "encryption" across different
> workflows.
> Existing flows using the Server Side Encryption option will still work as is
> but will be overridden if a service is added.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
