nifi-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Peter Turcsanyi (Jira)" <j...@apache.org>
Subject [jira] [Created] (NIFI-6734) S3EncryptionService fixes and improvements
Date Tue, 01 Oct 2019 19:24:00 GMT
Peter Turcsanyi created NIFI-6734:
-------------------------------------

             Summary: S3EncryptionService fixes and improvements
                 Key: NIFI-6734
                 URL: https://issues.apache.org/jira/browse/NIFI-6734
             Project: Apache NiFi
          Issue Type: Bug
          Components: Extensions
            Reporter: Peter Turcsanyi
            Assignee: Peter Turcsanyi


I found some issues while I was setting up S3 encryption controller service.
 I think these should be addressed before the initial release of the CS.

Bugs:
 - multipart upload not works in case of SSE S3 encryption
 - multipart upload not works in case of CSE* encryptions

Code cleanup:
 - CSE CMK encryption strategy sets the KMS region, but it will not be used (as the key does
not come from KMS, but will be specified by the client) => setting the KMS region is not
necessary / misleading in the code
 - CSE* encryption strategies set the KMS region on the client, but the client needs the bucket
region (which can be different than the KMS region) and it will be set later in the code flow
=> setting the KMS region on the client is not necessary / misleading in the code

Documentation enhancements:
 - 'Key ID or Key Material' property: document in the property description that it is not
used (should be empty) in case of SSE S3, for other encryption types use the same names as
in the Encryption Strategy combo (eg. 'Server-side Customer Key' instead of 'Server-side CEK')
 - 'region' property: add display name + description, document in the property description
that it is the KMS region and is only used in case of Client-side KMS
 - documentation of PutS3Object and FetchS3Object should be separated: eg. FetchS3Object does
not have 'Server Side Encryption' property referred in the docs and the controller service
is not needed for fetching SSE S3 and SSE KMS encrypted objects
 - add 'aws' and 's3' tags to the CS
 - additionalDetails not linked properly (not accessible)

Renaming:
 - 'Client-side Customer Master Key' property value: CMK (Customer Master Key) is generally
used for the client side encryption keys in the [AWS docs|https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html],
regardless that the key provided by the client or stored in KMS. For this reason, 'Client-side
KMS' vs 'Client-side Customer Master Key' is a bit confusing for me, I would use 'Client-side
Customer Key' for the latter (similar to 'Server-side KMS' and 'Server-side Customer Key')
 - 'region' property: should be renamed to kms-region (to avoid confusion with the bucket
region in the code)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message