Set default bucket encryption during bucket creation #8478
All S3 buckets have encryption configured by default, and objects are automatically encrypted by using server side encryption. When we do get-bucket-encryption on any bucket we get the default encryption configuration.

With this patch we set default encryption on bucket while creating the bucket and follow the behavior of S3 bucket

Signed-off-by: Vinayakswami Hariharmath <[email protected]>
|
||
// Set default server side bucket encryption | ||
// More details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html | ||
await req.object_sdk.put_bucket_encryption({ |
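Review bot: the `await req.object_sdk.put_bucket_encryption({` call has no error handling in the lines shown, so if it rejects, the create-bucket request fails at this step even though the bucket may already have been created. Consider catching the failure and either rolling back the bucket or logging and continuing, and extend the comment above the call to name the algorithm that is being set as the default.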
Should this be set for any bucket, even namespace buckets (S3, blob)? It's worth checking the current support for bucket encryption in NS buckets and mapping the gaps. I think that if there are any gaps, we should at least make sure we are not setting a configuration that might conflict with the target configuration (e.g. S3 bucket)
Tested it on aws-s3 namespace bucket. The bucket created out of aws-s3 namespace is not applied with default server side encryption. Only the parent bucket is encrypted.
The bucket created here is through obc. Do we need to apply the encryption here as well and check?
For NS S3, since we don't create the bucket on AWS itself, we should rely on the default of AWS, which should be exactly this unless someone else has set it.
When receiving putBucketEncryption for NS S3 we should simply pass it through to the target bucket and return the result, same for getBucketEncryption, simply return it from the target.
Azure, we might want to skip if it's not the same for now.
For NS FS, I would also not touch for now. Especially not as a default.
That leaves our data buckets, for them, we encrypt all the objects anyway, it's part of the pipeline. So we simply want to set this config so we can return it on a get operation.
@dannyzaken @vh05 wdyt?
Okay. For NS S3 we will show the underlying bucket's encryption configuration.
All S3 buckets have encryption configured by default, and objects are automatically encrypted by using server side encryption. When we do get-bucket-encryption on any bucket we get the default encryption configuration.
With this patch we set default encryption on bucket while creating the bucket and follow the behavior of S3 bucket
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2318715