JingsongLi commented on code in PR #8460:
URL: https://github.com/apache/paimon/pull/8460#discussion_r3523227084


##########
paimon-filesystems/paimon-oss-impl/src/main/java/org/apache/paimon/oss/OSSFileIO.java:
##########
@@ -200,7 +203,13 @@ protected AliyunOSSFileSystem 
createFileSystem(org.apache.hadoop.fs.Path path) {
                                             + "': the CMK key id must not be 
blank or contain"
                                             + " whitespace/newlines.");
                         }
-                        enableSseKms(fs, trimmed);
+                        // Configurable method, defaulting to KMS (what a CMK 
requires).
+                        String sseAlgorithm =
+                                hadoopOptions.getString(OSS_SSE_ALGORITHM, 
SSE_KMS_ALGORITHM);
+                        if (StringUtils.isNullOrWhitespaceOnly(sseAlgorithm)) {
+                            sseAlgorithm = SSE_KMS_ALGORITHM;
+                        }
+                        enableSseKms(fs, sseAlgorithm.trim(), trimmed);

Review Comment:
   The new CMK path passes the user-configured 
`fs.oss.server-side-encryption-algorithm` into `x-oss-server-side-encryption` 
while also setting `x-oss-server-side-encryption-key-id`. That creates invalid 
requests for values such as `AES256` or `SM4`: OSS only accepts the key-id 
header when the SSE method is `KMS`; `SM4` is represented by 
`x-oss-server-side-data-encryption`, not by replacing 
`x-oss-server-side-encryption`.
   
   Please keep the CMK/BYOK path using `KMS` for `serverSideEncryption`, and 
either reject non-`KMS` values when a key id is configured or map a separate 
data-encryption option to `ObjectMetadata#setServerSideDataEncryption` / the 
matching copy header.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to