JingsongLi commented on code in PR #8460:
URL: https://github.com/apache/paimon/pull/8460#discussion_r3523227084
##########
paimon-filesystems/paimon-oss-impl/src/main/java/org/apache/paimon/oss/OSSFileIO.java:
##########
@@ -200,7 +203,13 @@ protected AliyunOSSFileSystem
createFileSystem(org.apache.hadoop.fs.Path path) {
+ "': the CMK key id must not be
blank or contain"
+ " whitespace/newlines.");
}
- enableSseKms(fs, trimmed);
+ // Configurable method, defaulting to KMS (what a CMK
requires).
+ String sseAlgorithm =
+ hadoopOptions.getString(OSS_SSE_ALGORITHM,
SSE_KMS_ALGORITHM);
+ if (StringUtils.isNullOrWhitespaceOnly(sseAlgorithm)) {
+ sseAlgorithm = SSE_KMS_ALGORITHM;
+ }
+ enableSseKms(fs, sseAlgorithm.trim(), trimmed);
Review Comment:
The new CMK path passes the user-configured
`fs.oss.server-side-encryption-algorithm` into `x-oss-server-side-encryption`
while also setting `x-oss-server-side-encryption-key-id`. That creates invalid
requests for values such as `AES256` or `SM4`: OSS only accepts the key-id
header when the SSE method is `KMS`; `SM4` is represented by
`x-oss-server-side-data-encryption`, not by replacing
`x-oss-server-side-encryption`.
Please keep the CMK/BYOK path using `KMS` for `serverSideEncryption`, and
either reject non-`KMS` values when a key id is configured or map a separate
data-encryption option to `ObjectMetadata#setServerSideDataEncryption` / the
matching copy header.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]