CSEUtils (Apache Hadoop Amazon Web Services support 3.4.2 API)

java.lang.Object
- org.apache.hadoop.fs.s3a.impl.CSEUtils

@InterfaceAudience.Private
 @InterfaceStability.Evolving
public final class CSEUtils
extends Object

S3 client side encryption (CSE) utility class.

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static CSEMaterials`	`getClientSideEncryptionMaterials(org.apache.hadoop.conf.Configuration conf, String bucket, S3AEncryptionMethods algorithm)` Creates encryption materials for client-side encryption based on the specified algorithm.
`static long`	`getUnencryptedObjectLength(S3AStore store, String key, long contentLength, software.amazon.awssdk.services.s3.model.HeadObjectResponse headObjectResponse)` Determines the actual unencrypted length of an S3 object.
`static boolean`	`isCSEEnabled(String encryptionMethod)` Checks if Client-Side Encryption (CSE) is enabled based on the encryption method.
`static boolean`	`isObjectEncrypted(S3AStore store, String key)` Checks if an S3 object is encrypted by examining its metadata.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Method Detail
  - isCSEEnabled
```
public static boolean isCSEEnabled(String encryptionMethod)
```
    Checks if Client-Side Encryption (CSE) is enabled based on the encryption method. Validates if the provided encryption method matches either CSE-KMS or CSE-Custom encryption methods. These are the two supported client-side encryption methods.
    
    Parameters:
    
    encryptionMethod - The encryption method to check (case-sensitive)
    
    Returns:
    
    true if the encryption method is either CSE-KMS or CSE-Custom, false otherwise
    
    See Also:
    
    S3AEncryptionMethods.CSE_KMS, S3AEncryptionMethods.CSE_CUSTOM
  - isObjectEncrypted
```
public static boolean isObjectEncrypted(S3AStore store,
                                        String key)
                                 throws IOException
```
    Checks if an S3 object is encrypted by examining its metadata. This method performs a HEAD request on the object and checks for the presence of encryption metadata (specifically the CEK algorithm indicator).
    
    Parameters:
    
    store - The S3AStore instance used to access the S3 object
    
    key - The key (path) of the S3 object to check
    
    Returns:
    
    true if the object is encrypted (has CEK algorithm metadata), false otherwise
    
    Throws:
    
    IOException - If there's an error accessing the object metadata or communicating with S3
  - getUnencryptedObjectLength
```
public static long getUnencryptedObjectLength(S3AStore store,
                                              String key,
                                              long contentLength,
                                              software.amazon.awssdk.services.s3.model.HeadObjectResponse headObjectResponse)
                                       throws IOException
```
    Determines the actual unencrypted length of an S3 object. This method uses a three-step process to determine the object's unencrypted length: 1. If the object is not encrypted, returns the original content length 2. If encrypted, attempts to read the unencrypted length from object metadata 3. If metadata is unavailable, calculates length by performing a ranged GET operation
    
    Parameters:
    
    store - The S3AStore instance used to access the S3 object
    
    key - The key (path) of the S3 object
    
    contentLength - The encrypted object's content length
    
    headObjectResponse - The object's metadata from a HEAD request, may be null
    
    Returns:
    
    The length of the object's unencrypted content
    
    Throws:
    
    IOException - If there's an error: - accessing the object or its metadata - parsing the unencrypted length from metadata - performing the ranged GET operation - computing the unencrypted length
  - getClientSideEncryptionMaterials
```
public static CSEMaterials getClientSideEncryptionMaterials(org.apache.hadoop.conf.Configuration conf,
                                                            String bucket,
                                                            S3AEncryptionMethods algorithm)
                                                     throws IOException
```
    Creates encryption materials for client-side encryption based on the specified algorithm. Supports two types of client-side encryption:
    - CSE_KMS: Uses AWS KMS for key management
    - CSE_CUSTOM: Uses a custom cryptographic implementation
    Parameters:
    
    conf - The configuration containing encryption settings
    
    bucket - The S3 bucket name for which encryption materials are being created
    
    algorithm - The encryption algorithm to use (CSE_KMS or CSE_CUSTOM)
    
    Returns:
    
    CSEMaterials configured with the appropriate encryption settings
    
    Throws:
    
    IOException - If there's an error retrieving encryption configuration
    
    IllegalArgumentException - If: - KMS key ID is null or empty (for CSE_KMS) - Custom crypto class name is null or empty (for CSE_CUSTOM) - Unsupported encryption algorithm is specified

Class CSEUtils

Method Summary

Methods inherited from class java.lang.Object

Method Detail

isCSEEnabled

isObjectEncrypted

getUnencryptedObjectLength

getClientSideEncryptionMaterials