[ 
https://issues.apache.org/jira/browse/HADOOP-15267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095611#comment-18095611
 ] 

Michael Johnson commented on HADOOP-15267:
------------------------------------------

Hi,

MultiPartUploads to S3 are in 3 parts:
 * CreateMultipartUpload:  
[https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html]
 * UploadPart: 
[https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html] 
 * CompleteMultipartUpload:  
[https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html]
 

When using SSE-C, I believe this Bug was corrected for only the first 2 
parts...but not the 3rd!

Meaning, when calling the CompleteMultipartUpload function, it does not pass 
the required Encryption Headers!

If you look at the S3 Docs for CompleteMultipartUpload:  
[https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html#API_CompleteMultipartUpload_RequestParameters]
 

These Headers are still required when SSE-C is used:
 * 
*[x-amz-server-side-encryption-customer-algorithm|https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html#API_CompleteMultipartUpload_RequestSyntax]*
 * 
{*}[x-amz-server-side-encryption-customer-key|https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html#API_CompleteMultipartUpload_RequestSyntax]{*}{*}{*}
 * 
{*}[x-amz-server-side-encryption-customer-key-MD5|https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html#API_CompleteMultipartUpload_RequestSyntax]{*}{*}{*}

This library is used internally by Apache Flink 2.2.0 for Snapshotting when 
SSE-C is required...as such, it will cause Snapshotting to fail on the 3rd 
stage!

Considering that the official S3 Docs confirm that the headers are required for 
CompleteMultipartUpload, I think this should be classified as a bug in the 
library and thus this Jira should be reopened OR a new Jira made to address 
this bug.

> S3A multipart upload fails when SSE-C encryption is enabled
> -----------------------------------------------------------
>
>                 Key: HADOOP-15267
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15267
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.9.0, 3.0.0, 3.1.0
>         Environment: Hadoop 3.1 Snapshot
>            Reporter: Anis Elleuch
>            Assignee: Anis Elleuch
>            Priority: Critical
>             Fix For: 3.1.0, 2.10.0, 3.0.3
>
>         Attachments: HADOOP-15267-001.patch, HADOOP-15267-002.patch, 
> HADOOP-15267-003.patch
>
>
> When I enable SSE-C encryption in Hadoop 3.1 and set  fs.s3a.multipart.size 
> to 5 Mb, storing data in AWS doesn't work anymore. For example, running the 
> following code:
> {code}
> >>> df1 = spark.read.json('/home/user/people.json')
> >>> df1.write.mode("overwrite").json("s3a://testbucket/people.json")
> {code}
> shows the following exception:
> {code:java}
> com.amazonaws.services.s3.model.AmazonS3Exception: The multipart upload 
> initiate requested encryption. Subsequent part requests must include the 
> appropriate encryption parameters.
> {code}
> After some investigation, I discovered that hadoop-aws doesn't send SSE-C 
> headers in Put Object Part as stated in AWS specification: 
> [https://docs.aws.amazon.com/AmazonS3/latest/API/mpUploadUploadPart.html]
> {code:java}
> If you requested server-side encryption using a customer-provided encryption 
> key in your initiate multipart upload request, you must provide identical 
> encryption information in each part upload using the following headers.
> {code}
>  
> You can find a patch attached to this issue for a better clarification of the 
> problem.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to