Pierre Villard created NIFI-15359:
-------------------------------------
Summary: Upgrade S3 Encryption Client to 4.0.0
Key: NIFI-15359
URL: https://issues.apache.org/jira/browse/NIFI-15359
Project: Apache NiFi
Issue Type: Improvement
Components: Extensions
Reporter: Pierre Villard
Assignee: Pierre Villard
Upgrade the S3 Encryption Client to latest 4.0.0.
It includes a breaking change as explained here:
[https://github.com/aws/amazon-s3-encryption-client-java/releases/tag/v4.0.0]
{code:java}
builderV4() now defaults to commitmentPolicy (REQUIRE_ENCRYPT_REQUIRE_DECRYPT)
and encryptionAlgorithm (ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY) {code}
It means that we may be in a situation where we could not decrypt existing data
with FetchS3 because of the new default.
Proposition is to expose a new property for the user to select the commitment
policy but to still apply the new default of the client given the security
posture that it implies.
The recommendation for the user, would be to set the property with:
||Scenario||Recommended Policy||
|New deployment (no legacy data)|Require Encrypt Require Decrypt (default)|
|Migration period (need to read legacy + write new)|Require Encrypt Allow
Decrypt|
|Read-only access to legacy data|Forbid Encrypt Allow Decrypt|
This breaking change would be documented in the migration guide with guidance
on what value to select for this new property if needed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
