Raphael Azzolini created HADOOP-19197:
-----------------------------------------

             Summary: S3A: Support AWS KMS Encryption Context
                 Key: HADOOP-19197
                 URL: https://issues.apache.org/jira/browse/HADOOP-19197
             Project: Hadoop Common
          Issue Type: New Feature
          Components: fs/s3
    Affects Versions: 3.4.0
            Reporter: Raphael Azzolini


S3A properties allow users to choose the AWS KMS key (_fs.s3a.encryption.key_) and S3 encryption algorithm to be used (_fs.s3a.encryption.algorithm_). In addition to the AWS KMS Key, an encryption context can be used as non-secret data that adds additional integrity and authenticity to check the encrypted data. However, there is no option to specify the [AWS KMS Encryption Context|https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context] in S3A.

In AWS SDK v2 the encryption context in S3 requests is set by the parameter [ssekmsEncryptionContext|https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/s3/model/CreateMultipartUploadRequest.Builder.html#ssekmsEncryptionContext(java.lang.String)]. It receives a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. The value of this parameter could be set by the user in a new property _*fs.s3a.encryption.context*_, and be stored in the [EncryptionSecrets|https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/EncryptionSecrets.java] to later be used when setting the encryption parameters in [RequestFactoryImpl|https://github.com/apache/hadoop/blob/f92a8ab8ae54f11946412904973eb60404dee7ff/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/RequestFactoryImpl.java].
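
The encoding that ssekmsEncryptionContext expects (base64 over UTF-8 JSON of the key-value pairs), shown as an added example that is not part of the original issue or of Hadoop's code. The class and method names are hypothetical, and the comma-separated key=value property format is an assumption, since the issue does not define one.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class EncryptionContextExample {

  // Assumed property format (not defined in the issue): "key1=value1,key2=value2".
  static Map<String, String> parsePairs(String property) {
    Map<String, String> pairs = new LinkedHashMap<>();
    for (String raw : property.split(",")) {
      String item = raw.trim();
      if (item.isEmpty()) continue;
      int eq = item.indexOf('=');
      if (eq <= 0) { // reject entries with no '=' or an empty key
        throw new IllegalArgumentException("Expected key=value, got: " + item);
      }
      pairs.put(item.substring(0, eq).trim(), item.substring(eq + 1).trim());
    }
    return pairs;
  }

  // Minimal JSON string escaping: quotes, backslashes and control characters.
  static String quote(String s) {
    StringBuilder sb = new StringBuilder("\"");
    for (char c : s.toCharArray()) {
      if (c == '"' || c == '\\') sb.append('\\').append(c);
      else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
      else sb.append(c);
    }
    return sb.append('"').toString();
  }

  // Builds the base64-encoded UTF-8 JSON string the SDK parameter receives.
  static String toSsekmsEncryptionContext(Map<String, String> pairs) {
    StringBuilder json = new StringBuilder("{");
    for (Map.Entry<String, String> e : pairs.entrySet()) {
      if (json.length() > 1) json.append(',');
      json.append(quote(e.getKey())).append(':').append(quote(e.getValue()));
    }
    byte[] utf8 = json.append('}').toString().getBytes(StandardCharsets.UTF_8);
    return Base64.getEncoder().encodeToString(utf8);
  }

  public static void main(String[] args) {
    String property = "project=analytics, tenant=team-a"; // constructed sample value
    String encoded = toSsekmsEncryptionContext(parsePairs(property));
    System.out.println(encoded);
    // Decode again to confirm the JSON that would travel with the request.
    System.out.println(new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8));
  }
}
```

Because the encryption context is non-secret data, the key-value pairs placed in it should not contain sensitive values.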