hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13075) Add support for SSE-KMS and SSE-C in s3a filesystem
Date Thu, 26 Jan 2017 10:35:24 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15839536#comment-15839536
] 

Steve Loughran commented on HADOOP-13075:
-----------------------------------------

re

bq. By this do you mean convert instances of {{request.setSSECustomerKey(new SSECustomerKey(serverSideEncryptionKey));}}
with
{{request.setSSECustomerKey(new SSECustomerKey(S3AUtils.getPassword(getConf(), Constants.SERVER_SIDE_ENCRYPTION_KEY));}}

or just 

{code}
serverSideEncryptionKey = S3AUtils.getPassword(getConf(), Constants.SERVER_SIDE_ENCRYPTION_KEY
{code}

The key thing is that getPassword() will first attempt to look in any jceks files for the
secrets, falling back to inline config. those jceks files let you keep the secrets out the
XML documents and share round a cluster (somehow). It's an extra level of defence against
key leakage, which, given these are encryption keys, matters. cc [~lmccay]

> Add support for SSE-KMS and SSE-C in s3a filesystem
> ---------------------------------------------------
>
>                 Key: HADOOP-13075
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13075
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>            Reporter: Andrew Olson
>            Assignee: Federico Czerwinski
>
> S3 provides 3 types of server-side encryption [1],
> * SSE-S3 (Amazon S3-Managed Keys) [2]
> * SSE-KMS (AWS KMS-Managed Keys) [3]
> * SSE-C (Customer-Provided Keys) [4]
> Of which the S3AFileSystem in hadoop-aws only supports opting into SSE-S3 (HADOOP-10568)
-- the underlying aws-java-sdk makes that very simple [5]. With native support in aws-java-sdk
already available it should be fairly straightforward [6],[7] to support the other two types
of SSE with some additional fs.s3a configuration properties.
> [1] http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
> [2] http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
> [3] http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
> [4] http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
> [5] http://docs.aws.amazon.com/AmazonS3/latest/dev/SSEUsingJavaSDK.html
> [6] http://docs.aws.amazon.com/AmazonS3/latest/dev/kms-using-sdks.html#kms-using-sdks-java
> [7] http://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message