Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#946: Implement SSE-KMS and SSE-C for AWS S3 #2170

Closed
wants to merge 4 commits into from
Closed

#946: Implement SSE-KMS and SSE-C for AWS S3 #2170

wants to merge 4 commits into from

Conversation

alex-laties
Copy link
Contributor

@alex-laties alex-laties commented Feb 22, 2020
edited
Loading

Implements #946

  • [] I added CHANGELOG entry for this change.
  • [] Change is not relevant to the end user.

Changes

Added support for parsing and passing along AWS S3 SSE-KMS and SSE-C mode configuration details. Seemed pretty easy.

Adds the following config vars:

  • sse_s3 - essentially the new encrypt_sse, enables SSE-S3 mode.
  • sse_kms_id - enables SSE-KMS mode when set.
  • sse_kms_context - optional map of string keys and values for the KMS Context.
  • sse_c_key - enables SSE-C mode when set. expects a filepath.

encrypt_sse is kept as an alias for sse_s3, as that's what encrypt_sse currently does, and it seems silly to break valid configuration files from prior to this change for little reason.

Note that KMS and C mode both supersede and override SSE-S3 mode currently. This allows for syntax like:

encrypt_sse: true
sse_c_key: "/path/to/my/key"

to work as expected.

KMS and C mode are mutually exclusive, and trying to enable both currently throws an error.
E.G.

# this is invalid and will throw an error during validation
sse_c_key: "/path/to/my/key"
sse_kms_id: "myid"

Verification

Haven't yet really... would like some help from @jujugrrr to validate the code does what I think it does before going any further really.

Alexander Laties added 3 commits February 22, 2020 15:14
move sse validation to validate func and test properly
cd988c0 
Signed-off-by: Alexander Laties <[email protected]>
update docs
04c4d65 
Signed-off-by: Alexander Laties <[email protected]>
don't get cute with docs
deb7178 
Signed-off-by: Alexander Laties <[email protected]>
bwplotka
bwplotka reviewed Feb 25, 2020
View reviewed changes
Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! One suggestion really.

pkg/objstore/s3/s3.go
// NOTE: If both sse_c_key and sse_kms_id are set, we throw an error, as it's unclear what the operator wants.
// See https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
// for more details on the SSE-S3, SSE-KMS, and SSE-C options.
SSEEncryptionLegacy bool `yaml:"encrypt_sse"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want something like this, but what about, since we are in struct make it more generic? The problem with this approach is that the relation if user will see ALL three of them is not really sure.

It should be clear that you can either set sse_s3, see_c or see_kms if possible... (:

Or at least let's create SSE SSEConfig field and put all of those in such struct. I think that would work. Also let's remove legacy field and add CHANGELOG item for removal of this. What do you think?

@stale
Copy link

stale bot commented Mar 26, 2020

This issue/PR has been automatically marked as stale because it has not had recent activity. Please comment on status otherwise the issue will be closed in a week. Thank you for your contributions.

@stale stale bot added the stale label Mar 26, 2020
@stale stale bot closed this Apr 2, 2020
@arshvin
Copy link

arshvin commented Apr 7, 2020

It seems like this feature should work but probably not in my environment. During attempts to upload the new block into AWS S3 store or to read meta.json file of already uploaded block with help by AWS CLI, I only get 403 http-error. Unfortunately I have no access to AWS Console to touch the knobs but from the other side I've tried to put files to and get files from this bucket with SSE-KMS with help by peace of code which uses the same version of the minio-go labrary (6.0.49). What's a miserable week (

@jalev jalev mentioned this pull request Aug 23, 2020
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwplotka bwplotka bwplotka left review comments

@povilasv povilasv Awaiting requested review from povilasv

Assignees
No one assigned
Labels
stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alex-laties @arshvin @bwplotka