[FLINK-39113][s3] Fix s3.sse.kms.encryption-context config in native s3 connector#28070
Open
gaborgsomogyi wants to merge 5 commits intoapache:masterfrom
Open
[FLINK-39113][s3] Fix s3.sse.kms.encryption-context config in native s3 connector#28070gaborgsomogyi wants to merge 5 commits intoapache:masterfrom
gaborgsomogyi wants to merge 5 commits intoapache:masterfrom
Conversation
Contributor
Author
|
cc @Samrat002 |
Collaborator
gaborgsomogyi
force-pushed
the
FLINK-39579
branch
from
d335870 to
b3f1760
Compare
gaborgsomogyi
changed the title
gaborgsomogyi
force-pushed
the
FLINK-39579
branch
from
b3f1760 to
8e16a10
Compare
Samrat002
reviewed
Apr 30, 2026
Contributor
Samrat002
left a comment
Samrat002
left a comment
There was a problem hiding this comment.
NativeS3OutputStream.uploadToS3() is a separate write path for small files. It builds a PutObjectRequest but currently doesn't call ssekmsEncryptionContext(). The context wired through NativeS3ObjectOperations.applyEncryption() won't apply to writes that go through NativeS3OutputStream. Could you extend that code path as well?
…ryption context - Switch fromConfig() normalization to toLowerCase(Locale.ROOT), removing the SSE_KMS placeholder case - Add sseKms(Map) factory overload so encryption context is preserved when using the default AWS-managed key - Revert Map.copyOf() to null-tolerant unmodifiableMap(new HashMap<>())
…eam write path Move serializeEncryptionContext to S3EncryptionConfig and apply it in NativeS3OutputStream.uploadToS3(), which previously dropped the KMS encryption context for small-file (non-multipart) writes.
gaborgsomogyi
force-pushed
the
FLINK-39579
branch
from
8e16a10 to
69ec88c
Compare
gaborgsomogyi
force-pushed
the
FLINK-39579
branch
from
69ec88c to
cdd8670
Compare
github-actions
Bot
added
the
community-reviewed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is the purpose of the change
s3.sse.kms.encryption-contextwas listed in the README as a supported configuration option for SSE-KMS, but the corresponding ConfigOption never existed in NativeS3FileSystemFactory. As a result, the encryption context was silently ignored regardless of what users configured, and thesseKms(keyId, context)code path inS3EncryptionConfigwas dead code unreachable from production.This PR closes the gap by adding the missing config option and wiring it end-to-end.
Brief change log
SSE_KMS_ENCRYPTION_CONTEXT(s3.sse.kms.encryption-context) ConfigOption toNativeS3FileSystemFactoryand wire it throughS3EncryptionConfig.fromConfig()— the feature was documented but never implementedS3EncryptionConfig,S3ExceptionUtils,S3FileStatus,S3BlockLocationVerifying this change
Existing and new unit tests.
Does this pull request potentially affect one of the following parts:
@Public(Evolving): noDocumentation
Was generative AI tooling used to co-author this PR?
Generated-by: Claude code