alopresto commented on a change in pull request #3787: NIFI-6734: 
S3EncryptionService fixes and improvements
URL: https://github.com/apache/nifi/pull/3787#discussion_r331707051
 
 

 ##########
 File path: 
nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/s3/encryption/StandardS3EncryptionService.java
 ##########
 @@ -52,74 +53,80 @@
 import java.util.Map;
 
 
-@Tags({"service", "encryption", "encrypt", "decryption", "decrypt", "key"})
+@Tags({"service", "aws", "s3", "encryption", "encrypt", "decryption", 
"decrypt", "key"})
 @CapabilityDescription("Adds configurable encryption to S3 Put and S3 Fetch 
operations.")
 public class StandardS3EncryptionService extends AbstractControllerService 
implements AmazonS3EncryptionService {
     private static final Logger logger = 
LoggerFactory.getLogger(StandardS3EncryptionService.class);
 
-    public static final String STRATEGY_NAME_NONE = "NONE";
-    public static final String STRATEGY_NAME_SSE_S3 = "SSE_S3";
-    public static final String STRATEGY_NAME_SSE_KMS = "SSE_KMS";
-    public static final String STRATEGY_NAME_SSE_C = "SSE_C";
-    public static final String STRATEGY_NAME_CSE_KMS = "CSE_KMS";
-    public static final String STRATEGY_NAME_CSE_CMK = "CSE_CMK";
-
-    private static final Map<String, S3EncryptionStrategy> namedStrategies = 
new HashMap<String, S3EncryptionStrategy>() {{
+    private static final Map<String, S3EncryptionStrategy> NAMED_STRATEGIES = 
new HashMap<String, S3EncryptionStrategy>() {{
         put(STRATEGY_NAME_NONE, new NoOpEncryptionStrategy());
         put(STRATEGY_NAME_SSE_S3, new ServerSideS3EncryptionStrategy());
         put(STRATEGY_NAME_SSE_KMS, new ServerSideKMSEncryptionStrategy());
-        put(STRATEGY_NAME_SSE_C, new ServerSideCEKEncryptionStrategy());
+        put(STRATEGY_NAME_SSE_C, new ServerSideCEncryptionStrategy());
         put(STRATEGY_NAME_CSE_KMS, new ClientSideKMSEncryptionStrategy());
-        put(STRATEGY_NAME_CSE_CMK, new ClientSideCMKEncryptionStrategy());
+        put(STRATEGY_NAME_CSE_C, new ClientSideCEncryptionStrategy());
     }};
 
     private static final AllowableValue NONE = new 
AllowableValue(STRATEGY_NAME_NONE, "None","No encryption.");
     private static final AllowableValue SSE_S3 = new 
AllowableValue(STRATEGY_NAME_SSE_S3, "Server-side S3","Use server-side, 
S3-managed encryption.");
     private static final AllowableValue SSE_KMS = new 
AllowableValue(STRATEGY_NAME_SSE_KMS, "Server-side KMS","Use server-side, KMS 
key to perform encryption.");
-    private static final AllowableValue SSE_C = new 
AllowableValue(STRATEGY_NAME_SSE_C, "Server-side Customer Key","Use 
server-side, customer-supplied key for encryption.");
+    private static final AllowableValue SSE_C = new 
AllowableValue(STRATEGY_NAME_SSE_C, "Server-side Customer Key","Use 
server-side, customer-supplied key to perform encryption.");
     private static final AllowableValue CSE_KMS = new 
AllowableValue(STRATEGY_NAME_CSE_KMS, "Client-side KMS","Use client-side, KMS 
key to perform encryption.");
-    private static final AllowableValue CSE_CMK = new 
AllowableValue(STRATEGY_NAME_CSE_CMK, "Client-side Customer Master Key","Use 
client-side, customer-supplied master key to perform encryption.");
+    private static final AllowableValue CSE_C = new 
AllowableValue(STRATEGY_NAME_CSE_C, "Client-side Customer Key","Use 
client-side, customer-supplied key to perform encryption.");
+
+    public static final Map<String, AllowableValue> 
ENCRYPTION_STRATEGY_ALLOWABLE_VALUES = new HashMap<String, AllowableValue>() {{
+        put(STRATEGY_NAME_NONE, NONE);
+        put(STRATEGY_NAME_SSE_S3, SSE_S3);
+        put(STRATEGY_NAME_SSE_KMS, SSE_KMS);
+        put(STRATEGY_NAME_SSE_C, SSE_C);
+        put(STRATEGY_NAME_CSE_KMS, CSE_KMS);
+        put(STRATEGY_NAME_CSE_C, CSE_C);
+    }};
 
     public static final PropertyDescriptor ENCRYPTION_STRATEGY = new 
PropertyDescriptor.Builder()
             .name("encryption-strategy")
             .displayName("Encryption Strategy")
             .description("Strategy to use for S3 data encryption and 
decryption.")
-            .allowableValues(NONE, SSE_S3, SSE_KMS, SSE_C, CSE_KMS, CSE_CMK)
+            .allowableValues(NONE, SSE_S3, SSE_KMS, SSE_C, CSE_KMS, CSE_C)
             .required(true)
             .defaultValue(NONE.getValue())
             .build();
 
     public static final PropertyDescriptor ENCRYPTION_VALUE = new 
PropertyDescriptor.Builder()
             .name("key-id-or-key-material")
             .displayName("Key ID or Key Material")
-            .description("For Server-side CEK and Client-side CMK, this is 
base64-encoded Key Material.  For all others (except 'None'), it is the KMS Key 
ID.")
+            .description("For None and Server-side S3: not used. For 
Server-side KMS and Client-side KMS: the KMS Key ID must be configured. " +
+                    "For Server-side Customer Key and Client-side Customer 
Key: the Key Material must be specified in Base64 encoded form. " +
+                    "In case of Server-side Customer Key, the key must be an 
AES-256 key. In case of Client-side Customer Key, it can be an AES-256, AES-192 
or AES-128 key.")
             .required(false)
             .sensitive(true)
-            .addValidator(new StandardValidators.StringLengthValidator(0, 
4096))
+            .addValidator((subject, input, context) -> new 
ValidationResult.Builder().valid(true).build()) // will be validated in 
customValidate()
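Review bot: `ENCRYPTION_STRATEGY_ALLOWABLE_VALUES` is added as a `public static final` field holding a plain `HashMap`, so any class that can see it can add, replace or remove entries at runtime and change which encryption strategies other components treat as allowable. Wrapping it closes that off: `ENCRYPTION_STRATEGY_ALLOWABLE_VALUES = Collections.unmodifiableMap(new HashMap<String, AllowableValue>() {{ … }});` (this needs `java.util.Collections`, whose import is not visible in the hunk). If callers iterate the map to build a value list, a `LinkedHashMap` would also keep the declared order, since `HashMap` iteration order is unspecified. The class body continues past the quoted hunk, so how the map is consumed cannot be seen here.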
 
 Review comment:
   If `customValidate()` validates this value, it does not need a static 
validator here. 
