[jira] [Commented] (NIFI-4256) Add support for all AWS S3 Encryption Options

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-4256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16268153#comment-16268153
 ] 

ASF GitHub Bot commented on NIFI-4256:
--------------------------------------

Github user jvwing commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2291#discussion_r153398470
  
    --- Diff: 
nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/EncryptedS3PutEnrichmentService.java
 ---
    @@ -0,0 +1,181 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.nifi.processors.aws.s3.encryption;
    +
    +import java.util.ArrayList;
    +import java.util.Collections;
    +import java.util.List;
    +
    +import com.amazonaws.services.s3.model.InitiateMultipartUploadRequest;
    +import com.amazonaws.services.s3.model.ObjectMetadata;
    +import com.amazonaws.services.s3.model.PutObjectRequest;
    +import com.amazonaws.services.s3.model.SSEAwsKeyManagementParams;
    +import com.amazonaws.services.s3.model.SSECustomerKey;
    +import org.apache.commons.lang3.StringUtils;
    +import org.apache.nifi.annotation.documentation.CapabilityDescription;
    +import org.apache.nifi.annotation.documentation.Tags;
    +import org.apache.nifi.annotation.lifecycle.OnEnabled;
    +import org.apache.nifi.components.PropertyDescriptor;
    +import org.apache.nifi.controller.AbstractControllerService;
    +import org.apache.nifi.controller.ConfigurationContext;
    +import org.apache.nifi.processor.util.StandardValidators;
    +import org.apache.nifi.processors.aws.s3.service.S3PutEnrichmentService;
    +import org.apache.nifi.reporting.InitializationException;
    +
    +@Tags({"aws", "s3", "encryption", "server", "kms", "key"})
    +@CapabilityDescription("Provides the ability to configure S3 Server Side 
Encryption once and reuse " +
    +        "that configuration throughout the application")
    +public class EncryptedS3PutEnrichmentService extends 
AbstractControllerService implements S3PutEnrichmentService {
    +
    +    public static final String METHOD_SSE_S3 = "SSE-S3";
    +    public static final String METHOD_SSE_KMS = "SSE-KMS";
    +    public static final String METHOD_SSE_C = "SSE-C";
    +
    +    public static final String ALGORITHM_AES256 = "AES256";
    +    public static final String CUSTOMER_ALGORITHM_AES256 = "AES256";
    +
    +
    +    public static final PropertyDescriptor ENCRYPTION_METHOD = new 
PropertyDescriptor.Builder()
    +            .name("encryption-method")
    +            .displayName("Encryption Method")
    +            .required(true)
    +            .allowableValues(METHOD_SSE_S3, METHOD_SSE_KMS, METHOD_SSE_C)
    +            .defaultValue(METHOD_SSE_S3)
    +            .description("Method by which the S3 object will be encrypted 
server-side.")
    +            .build();
    +
    +    public static final PropertyDescriptor ALGORITHM = new 
PropertyDescriptor.Builder()
    +            .name("sse-algorithm")
    +            .displayName("Algorithm")
    +            .allowableValues(ALGORITHM_AES256)
    +            .defaultValue(ALGORITHM_AES256)
    +            .description("Encryption algorithm to use (only AES256 
currently supported)")
    +            .build();
    +
    +    public static final PropertyDescriptor KMS_KEY_ID = new 
PropertyDescriptor.Builder()
    +            .name("sse-kme-key-id")
    +            .displayName("KMS Key Id")
    +            .required(false)
    +            .expressionLanguageSupported(true)
    +            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
    +            .description("Custom KMS key identifier. Supports key or alias 
ARN.")
    +            .build();
    +
    +    public static final PropertyDescriptor CUSTOMER_KEY = new 
PropertyDescriptor.Builder()
    +            .name("sse-customer-key")
    +            .displayName("Customer Key")
    +            .required(false)
    +            .expressionLanguageSupported(true)
    +            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
    +            .description("Customer provided 256-bit, base64-encoded 
encryption key.")
    +            .build();
    +
    +    public static final PropertyDescriptor CUSTOMER_ALGORITHM = new 
PropertyDescriptor.Builder()
    +            .name("sse-customer-algorithm")
    +            .displayName("Customer Algorithm")
    +            .allowableValues(CUSTOMER_ALGORITHM_AES256)
    +            .defaultValue(CUSTOMER_ALGORITHM_AES256)
    +            .description("Customer encryption algorithm to use (only 
AES256 currently supported)")
    +            .build();
    +
    +    private static final List<PropertyDescriptor> properties;
    +    private String encryptionMethod;
    +    private String algorithm;
    +    private String kmsKeyId;
    +    private String customerKey;
    +    private String customerAlgorithm;
    +
    +
    +    static {
    +        final List<PropertyDescriptor> props = new ArrayList<>();
    +        props.add(ENCRYPTION_METHOD);
    +        props.add(ALGORITHM);
    +        props.add(KMS_KEY_ID);
    +        props.add(CUSTOMER_KEY);
    +        props.add(CUSTOMER_ALGORITHM);
    +        properties = Collections.unmodifiableList(props);
    +    }
    +
    +    @Override
    +    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
    +        return properties;
    +    }
    +
    +    @OnEnabled
    +    public void onConfigured(final ConfigurationContext context) throws 
InitializationException {
    +        encryptionMethod = 
context.getProperty(ENCRYPTION_METHOD).getValue();
    +        algorithm = context.getProperty(ALGORITHM).getValue();
    +        kmsKeyId = context.getProperty(KMS_KEY_ID).getValue();
    --- End diff --
    
    Should this evaluate expression language like 
`context.getProperty(KMS_KEY_ID).evaluateAttributeExpressions().getValue()`?


> Add support for all AWS S3 Encryption Options
> ---------------------------------------------
>
>                 Key: NIFI-4256
>                 URL: https://issues.apache.org/jira/browse/NIFI-4256
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.2.0
>            Reporter: Franco
>              Labels: aws, aws-s3, security
>
> NiFi currently only supports SSE-S3 encryption (AES256).
> Support needs to be added for:
> * SSE-S3
> * SSE-KMS
> * SSE-C
> * CSE-KMS CMK
> * CSE-Master Key
> With all of the appropriate configuration options and such that SSE is 
> available only for PutS3Object whilst CSE is available also for FetchS3Object.
> Given that this will add another 20 or so UI properties the intention is to 
> split it into a Client Side Encryption Service and Server Side Encryption 
> Service. This will allow users to reuse "encryption" across different 
> workflows.
> Existing flows using the Server Side Encryption option will still work as is 
> but will be overridden if a service is added.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)