[HADOOP-13075] Add support for SSE-KMS and SSE-C in s3a filesystem - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.8.0
Fix Version/s: 2.9.0, 3.0.0-alpha4
Component/s: fs/s3
Labels:
None

Target Version/s:

2.9.0
Release Note:

Hide
The new encryption options SSE-KMS and especially SSE-C must be considered experimental at present. If you are using SSE-C, problems may arise if the bucket mixes encrypted and unencrypted files. For SSE-KMS, there may be extra throttling of IO, especially with the fadvise=random option. You may wish to request an increase in your KMS IOPs limits.

Show
The new encryption options SSE-KMS and especially SSE-C must be considered experimental at present. If you are using SSE-C, problems may arise if the bucket mixes encrypted and unencrypted files. For SSE-KMS, there may be extra throttling of IO, especially with the fadvise=random option. You may wish to request an increase in your KMS IOPs limits.

Description

S3 provides 3 types of server-side encryption [1],

SSE-S3 (Amazon S3-Managed Keys) [2]
SSE-KMS (AWS KMS-Managed Keys) [3]
SSE-C (Customer-Provided Keys) [4]

Of which the S3AFileSystem in hadoop-aws only supports opting into SSE-S3 (~~HADOOP-10568~~) – the underlying aws-java-sdk makes that very simple [5]. With native support in aws-java-sdk already available it should be fairly straightforward [6],[7] to support the other two types of SSE with some additional fs.s3a configuration properties.

[1] http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
[2] http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
[3] http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
[4] http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
[5] http://docs.aws.amazon.com/AmazonS3/latest/dev/SSEUsingJavaSDK.html
[6] http://docs.aws.amazon.com/AmazonS3/latest/dev/kms-using-sdks.html#kms-using-sdks-java
[7] http://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-13075-001.patch
04/Feb/17 01:09
55 kB
Steve Moist
HADOOP-13075-002.patch
06/Feb/17 17:01
55 kB
Steve Moist
HADOOP-13075-003.patch
09/Feb/17 18:57
59 kB
Steve Moist
HADOOP-13075-branch2.002.patch
09/Feb/17 18:57
59 kB
Steve Moist

Issue Links

breaks

HADOOP-14102 Relax error message assertion in S3A test ITestS3AEncryptionSSEC

Resolved

HADOOP-14120 needless S3AFileSystem.setOptionalPutRequestParameters in S3ABlockOutputStream putObject()

Resolved

is depended upon by

HADOOP-14324 Refine S3 server-side-encryption key as encryption secret; improve error reporting and diagnostics

Resolved

DRILL-5536 Support AWS S3 SSE-KMS encrypted objects querying

Open

relates to

HADOOP-14305 S3A SSE tests won't run in parallel: Bad request in directory GetFileStatus

Resolved

links to

GitHub Pull Request #110

GitHub Pull Request #113

GitHub Pull Request #183

(5 links to)

Activity

People

Assignee:: Steve Moist

Reporter:: Andrew Olson

Votes:: 4 Vote for this issue

Watchers:: 22 Start watching this issue

Dates

Created:: 29/Apr/16 19:54

Updated:: 01/Mar/19 18:04

Resolved:: 11/Feb/17 23:08