plusplusjiajia commented on code in PR #8460:
URL: https://github.com/apache/paimon/pull/8460#discussion_r3523311567
##########
paimon-filesystems/paimon-oss-impl/src/main/java/org/apache/paimon/oss/OSSFileIO.java:
##########
@@ -200,7 +203,13 @@ protected AliyunOSSFileSystem
createFileSystem(org.apache.hadoop.fs.Path path) {
+ "': the CMK key id must not be
blank or contain"
+ " whitespace/newlines.");
}
- enableSseKms(fs, trimmed);
+ // Configurable method, defaulting to KMS (what a CMK
requires).
+ String sseAlgorithm =
+ hadoopOptions.getString(OSS_SSE_ALGORITHM,
SSE_KMS_ALGORITHM);
+ if (StringUtils.isNullOrWhitespaceOnly(sseAlgorithm)) {
+ sseAlgorithm = SSE_KMS_ALGORITHM;
+ }
+ enableSseKms(fs, sseAlgorithm.trim(), trimmed);
Review Comment:
@JingsongLi Good catch, thanks. The original code reused hadoop-aliyun's
native fs.oss.server-side-encryption-algorithm for config compatibility, but
you're right it doesn't work on the CMK path — it conflates the encryption
method with the data-encryption algorithm, which OSS models as separate headers
(key-id is KMS-only; SM4 goes in x-oss-server-side-data-encryption).
I'll rework it along your option (2): three keys mapping 1:1 to the OSS
headers instead of overloading -algorithm:
- fs.oss.server-side-encryption → x-oss-server-side-encryption
- fs.oss.server-side-encryption-key-id →
x-oss-server-side-encryption-key-id
- fs.oss.server-side-data-encryption → x-oss-server-side-data-encryption
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]