Bug #23264
openServer side encryption support for s3 COPY operation
0%
Description
If the source object of a copy operation is encrypted with SSE-C, we should be requiring the x-amz-copy-source-server-side-encryption-customer-* headers necessary to decrypt it, and then apply the x-amz-server-side-encryption-customer-* headers (if given) to re-encrypt the target object.
For SSE-KMS, we should also respect the x-amz-server-side-encryption* headers when writing the target object.
Updated by Casey Bodley about 6 years ago
- Related to Bug #23232: RGWCopyObj silently corrupts the object that was mulitpart-uploaded in SSE-C added
Updated by Casey Bodley almost 4 years ago
- Has duplicate Bug #45942: [rgw] copy object on bucket with SSE-C returns NotImplemented added
Updated by David Piper about 3 years ago
Is there any plan to fix this in upcoming releases?
Updated by Matt Benjamin almost 2 years ago
- Assignee changed from Casey Bodley to Marcus Watts
Does this still happen, Marcus?
Matt
Updated by Richard Bateman over 1 year ago
It does not silently corrupt objects as far as I can tell, but it does still return a 501 NotImplemented when you try to do a CopyObject with an SSE-C encrypted object -- which is quite frustrating. I'm in the process of adding support for SSE-C to the docker registry project and because of this bug it won't work on my ceph cluster :-(
Updated by adam madsen about 1 year ago
Does this apply to other SSE modes as well, if it is still a problem? I've run into the same error with SSE-S3 and was curious if there was progress on this or whether to pursue FDE instead.
Updated by Casey Bodley 10 months ago
adam madsen wrote:
Does this apply to other SSE modes as well, if it is still a problem? I've run into the same error with SSE-S3 and was curious if there was progress on this or whether to pursue FDE instead.
this does apply to all flavors of server-side encryption. the low-level copy operation returns this not-implemented error if the source object uses any form of encryption
i believe Marcus does plan to implement this in the near- to medium-term
Updated by Casey Bodley about 12 hours ago
- Status changed from New to In Progress
- Tags set to sse
- Pull request ID set to 54543