HADOOP-19587. SSE-C integration changes

[rajdchak]

Description of PR

This PR is for the integration of S3A with SSE_C support introduced in Analytics Accelerator library.

How was this patch tested?

Ran all the integrations tests in hadoop-aws on EC2 instance.

Setup:
Created personal bucket in us-west-2 region. Ran the integrations tests in hadoop-aws with the configs mainly enabling Analytics stream and SSEC encryption.

<configuration>
    <property>
        <name>test.fs.s3a.name</name>
        <value>s3a://rajdchak-s3a-integration/</value>
    </property>

    <property>
        <name>fs.contract.test.fs.s3a</name>
        <value>${test.fs.s3a.name}</value>
    </property>

    <property>
        <name>fs.s3a.endpoint.region</name>
        <value>us-west-2</value>
    </property>

    <property>
        <name>fs.s3a.access.key</name>
        <description>AWS access key ID. Omit for IAM role-based authentication.</description>
        <value> </value>
    </property>

    <property>
        <name>fs.s3a.secret.key</name>
        <description>AWS secret key. Omit for IAM role-based authentication.</description>
        <value> </value>
    </property>

    <property>
        <name>fs.s3a.session.token</name>
        <value>
           
        </value>
    </property>

    <property>
        <name>fs.s3a.aws.credentials.provider</name>
        <value>
            org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider
        </value>
    </property>

    <property>
        <name>fs.s3a.scale.test.enabled</name>
        <value>true</value>
    </property>

    <property>
        <name>fs.s3a.input.stream.type</name>
        <value>analytics</value>
    </property>

    <property>
        <name>fs.s3a.encryption.algorithm</name>
        <description>Specify a server-side encryption or client-side
            encryption algorithm for s3a: file system. Unset by default. It supports the
            following values: 'AES256' (for SSE-S3), 'SSE-KMS', 'SSE-C', and 'CSE-KMS'
        </description>
        <value>SSE-C</value>
    </property>

    <property>
        <name>fs.s3a.encryption.key</name>
        <description>Specific encryption key to use if fs.s3a.encryption.algorithm
            has been set to 'SSE-KMS', 'SSE-C' or 'CSE-KMS'. In the case of SSE-C
            , the value of this property should be the Base64 encoded key. If you are
            using SSE-KMS and leave this property empty, you'll be using your default's
            S3 KMS key, otherwise you should set this property to the specific KMS key
            id. In case of 'CSE-KMS' this value needs to be the AWS-KMS Key ID
            generated from AWS console.
        </description>
        <value>AO8XKQXJgtIS9G+IrSWZ2eSNW1yJlvqElVoVcNlvDqE=</value>
    </property>


</configuration>

However unrelated to these changes whenever we enabled SSE_C there are multiple tests which fail with Bad Request exception as they are running on public buckets like noaa-cors-pds. We should take an action item to disable those tests if SSE_C is enabled. Created an issue for this error https://issues.apache.org/jira/browse/HADOOP-19590 .

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 37s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 1s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 3 new or modified test files.
			_ trunk Compile Tests _
+1 💚	mvninstall	37m 18s		trunk passed
+1 💚	compile	0m 45s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	compile	0m 37s		trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	checkstyle	0m 35s		trunk passed
+1 💚	mvnsite	0m 44s		trunk passed
+1 💚	javadoc	0m 44s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 35s		trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	spotbugs	1m 10s		trunk passed
+1 💚	shadedclient	35m 33s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
-1 ❌	mvninstall	0m 21s	/patch-mvninstall-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
-1 ❌	compile	0m 24s	/patch-compile-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	javac	0m 24s	/patch-compile-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	compile	0m 19s	/patch-compile-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-aws in the patch failed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.
-1 ❌	javac	0m 19s	/patch-compile-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-aws in the patch failed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	0m 21s	/results-checkstyle-hadoop-tools_hadoop-aws.txt	hadoop-tools/hadoop-aws: The patch generated 4 new + 5 unchanged - 0 fixed = 9 total (was 5)
-1 ❌	mvnsite	0m 21s	/patch-mvnsite-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
-1 ❌	javadoc	0m 23s	/patch-javadoc-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	javadoc	0m 27s	/results-javadoc-javadoc-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
-1 ❌	spotbugs	0m 21s	/patch-spotbugs-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
+1 💚	shadedclient	40m 55s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	0m 26s	/patch-unit-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
+1 💚	asflicense	0m 39s		The patch does not generate ASF License warnings.
		122m 24s

Subsystem	Report/Notes
Docker	ClientAPI=1.50 ServerAPI=1.50 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/1/artifact/out/Dockerfile
GITHUB PR	#7738
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux ea7c8ef7536d 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 73da94a
Default Java	Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/1/testReport/
Max. process+thread count	545 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/1/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[ahmarsuhail]

just created https://issues.apache.org/jira/browse/HADOOP-19587, can you update your PR title to

"HADOOP-19587. SSE-C integration changes". Adding the JIRA issue HADOOP-19587. allow the PR gets attached to JIRA.

[ahmarsuhail]

this test needs work, you shouldn't need to depend on anything from the contract package

[ahmarsuhail]

ahh my bad, ITestS3AEncryptionSSEC also does this, ignore my comment

[ahmarsuhail]

this test is messy, I think because a lot of boiler plate that's needed here already exists in ITestS3AEncryptionSSEC.

How about instead of adding the SSE-C test here, add it in ITestS3AEncryptionSSEC?

All you have to do there is set AAL to enabled.

[ahmarsuhail]

We're also not testing completely. You're basically checking if the SSE-C key was set in openStreamInformation, which is fine, but not really necessary. What you want to test is the end behaviour.

Can you write and then read a file using SSE-C with AAL? So all you need to do is call writeThenReadFile() with AAL enabled.

If that read succeeds then things worked, and the SSE-C was passed correctly.

Then you also want to check what happens if you pass in an empty key to AAL, or an invalid key? it's similar to the test we wrote in AAL, but we should also add it here.

[rajdchak]

There are tests similar to what you are suggesting in ITestS3AEncryptionSSEC, may be we can run those with AAL enabled always

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 34s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 2 new or modified test files.
			_ trunk Compile Tests _
+1 💚	mvninstall	37m 30s		trunk passed
+1 💚	compile	0m 45s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	compile	0m 36s		trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	checkstyle	0m 33s		trunk passed
+1 💚	mvnsite	0m 43s		trunk passed
+1 💚	javadoc	0m 40s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 33s		trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	spotbugs	1m 16s		trunk passed
+1 💚	shadedclient	41m 52s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
-1 ❌	mvninstall	0m 20s	/patch-mvninstall-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
-1 ❌	compile	0m 23s	/patch-compile-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	javac	0m 23s	/patch-compile-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	compile	0m 19s	/patch-compile-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-aws in the patch failed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.
-1 ❌	javac	0m 19s	/patch-compile-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-aws in the patch failed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	0m 21s	/results-checkstyle-hadoop-tools_hadoop-aws.txt	hadoop-tools/hadoop-aws: The patch generated 5 new + 5 unchanged - 0 fixed = 10 total (was 5)
-1 ❌	mvnsite	0m 21s	/patch-mvnsite-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
-1 ❌	javadoc	0m 20s	/patch-javadoc-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	javadoc	0m 28s	/results-javadoc-javadoc-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
-1 ❌	spotbugs	0m 20s	/patch-spotbugs-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
+1 💚	shadedclient	43m 57s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	0m 24s	/patch-unit-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
+1 💚	asflicense	0m 37s		The patch does not generate ASF License warnings.
		131m 45s

Subsystem	Report/Notes
Docker	ClientAPI=1.50 ServerAPI=1.50 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/2/artifact/out/Dockerfile
GITHUB PR	#7738
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux 4d35ada06b92 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / eba60c0
Default Java	Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/2/testReport/
Max. process+thread count	700 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/2/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 50s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 2 new or modified test files.
			_ trunk Compile Tests _
+1 💚	mvninstall	42m 31s		trunk passed
+1 💚	compile	0m 46s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	compile	0m 35s		trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	checkstyle	0m 33s		trunk passed
+1 💚	mvnsite	0m 42s		trunk passed
+1 💚	javadoc	0m 43s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 34s		trunk passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	spotbugs	1m 10s		trunk passed
+1 💚	shadedclient	40m 49s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
-1 ❌	mvninstall	0m 21s	/patch-mvninstall-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
-1 ❌	compile	0m 23s	/patch-compile-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	javac	0m 23s	/patch-compile-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	compile	0m 20s	/patch-compile-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-aws in the patch failed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.
-1 ❌	javac	0m 20s	/patch-compile-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-aws in the patch failed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	0m 21s	/results-checkstyle-hadoop-tools_hadoop-aws.txt	hadoop-tools/hadoop-aws: The patch generated 5 new + 5 unchanged - 0 fixed = 10 total (was 5)
-1 ❌	mvnsite	0m 21s	/patch-mvnsite-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
-1 ❌	javadoc	0m 21s	/patch-javadoc-hadoop-tools_hadoop-aws-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	hadoop-aws in the patch failed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.
-1 ❌	javadoc	0m 26s	/results-javadoc-javadoc-hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	hadoop-tools_hadoop-aws-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
-1 ❌	spotbugs	0m 21s	/patch-spotbugs-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
+1 💚	shadedclient	44m 5s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	0m 25s	/patch-unit-hadoop-tools_hadoop-aws.txt	hadoop-aws in the patch failed.
+1 💚	asflicense	0m 36s		The patch does not generate ASF License warnings.
		136m 14s

Subsystem	Report/Notes
Docker	ClientAPI=1.50 ServerAPI=1.50 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/3/artifact/out/Dockerfile
GITHUB PR	#7738
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux 56128bf431a3 5.15.0-138-generic #148-Ubuntu SMP Fri Mar 14 19:05:48 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / eba60c0
Default Java	Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/3/testReport/
Max. process+thread count	524 (vs. ulimit of 5500)
modules	C: hadoop-tools/hadoop-aws U: hadoop-tools/hadoop-aws
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7738/3/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.