My idea was the setting, which disables encryption on rgw, so rgw anounces, it doesn't support it (I don't know how client and server are comunicating this now, so maybe I am oversimplyfing it). Anyway, workaround with rgw_crypt_s3_kms_encryption_keys looks great. Thank you!
[cid:adform_logo_1884183f-e12d-4814-94e9-345e0c828435.png]<https://site.adform.com/> Arvydas Opulskis IT Systems Engineer Email: arvydas.opuls...@adform.com<mailto:arvydas.opuls...@adform.com> Mobile: +370 614 19604 Rotušės a. 17, LT-44279 Kaunas, Lithuania Adform Insider News<http://blog.adform.com/> [cid:MRC_b412ba15-8053-4742-aeae-8c9f04d24ef1.png]<http://blog.adform.com/press-releases/adform-receives-accreditation-from-media-rating-council/> Disclaimer: The information contained in this message and attachments is intended solely for the attention and use of the named addressee and may be confidential. If you are not the intended recipient, you are reminded that the information remains the property of the sender. You must not use, disclose, distribute, copy, print or rely on this e-mail. If you have received this message in error, please contact the sender immediately and irrevocably delete this message and any copies. On Tue, 2018-10-16 at 09:10 -0400, Casey Bodley wrote: That's not currently possible, no. And I don't think it's a good idea to add such a feature; if the client requests that something be encrypted, the server should either encrypt it or reject the request. There is a config called rgw_crypt_s3_kms_encryption_keys that we use for testing, though, which allows you to specify a mapping of kms keyids to actual keys. If your client is using a limited number of kms keyids, you can provide keys for them and get limited sse-kms support without setting up an actual kms. For example, this is our test configuration for use with s3tests: rgw crypt s3 kms encryption keys = testkey-1=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= testkey-2=aWIKTWFrZWZpbGUKbWFuCm91dApzcmMKVGVzdGluZwo= Where s3tests is sending requests with header x-amz-server-side-encryption-aws-kms-key-id: testkey1 or testkey2. I hope that helps! Casey On 10/16/18 8:43 AM, Arvydas Opulskis wrote: Hi, got no success on IRC, maybe someone will help me here. After RGW upgrade from Jewel to Luminous, one S3 user started to receive errors from his postgre wal-e solution. Error is like this: "Server Side Encryption with KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms". After some reading, seems, like this client is forcing Server side encryption (SSE) on RGW and it is not configured. Because user can't disable encryption in his solution for now (it will be possible in future release), can I somehow disable Encryption support on Luminous RGW? Thank you for your insights. _______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com<mailto:ceph-users@lists.ceph.com> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com _______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com<mailto:ceph-users@lists.ceph.com> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
