Bug #23264
open
Server side encryption support for s3 COPY operation
Added by Casey Bodley about 6 years ago.
Updated 14 days ago.
Description
If the source object of a copy operation is encrypted with SSE-C, we should be requiring the x-amz-copy-source-server-side-encryption-customer-* headers necessary to decrypt it, and then apply the x-amz-server-side-encryption-customer-* headers (if given) to re-encrypt the target object.
For SSE-KMS, we should also respect the x-amz-server-side-encryption* headers when writing the target object.
- Related to Bug #23232: RGWCopyObj silently corrupts the object that was mulitpart-uploaded in SSE-C added
- Assignee set to Casey Bodley
- Priority changed from Normal to High
- Priority changed from High to Normal
- Has duplicate Bug #45942: [rgw] copy object on bucket with SSE-C returns NotImplemented added
Is there any plan to fix this in upcoming releases?
- Assignee changed from Casey Bodley to Marcus Watts
Does this still happen, Marcus?
Matt
It does not silently corrupt objects as far as I can tell, but it does still return a 501 NotImplemented when you try to do a CopyObject with an SSE-C encrypted object -- which is quite frustrating. I'm in the process of adding support for SSE-C to the docker registry project and because of this bug it won't work on my ceph cluster :-(
Does this apply to other SSE modes as well, if it is still a problem? I've run into the same error with SSE-S3 and was curious if there was progress on this or whether to pursue FDE instead.
adam madsen wrote:
Does this apply to other SSE modes as well, if it is still a problem? I've run into the same error with SSE-S3 and was curious if there was progress on this or whether to pursue FDE instead.
this does apply to all flavors of server-side encryption. the low-level copy operation returns this not-implemented error if the source object uses any form of encryption
i believe Marcus does plan to implement this in the near- to medium-term
- Status changed from New to In Progress
- Tags set to sse
- Pull request ID set to 54543
Also available in: Atom
PDF