Skip to content

[FLINK-39113][s3] Fix s3.sse.kms.encryption-context config in native s3 connector#28070

Merged
gaborgsomogyi merged 10 commits into
apache:masterfrom
gaborgsomogyi:FLINK-39579
May 5, 2026
Merged

[FLINK-39113][s3] Fix s3.sse.kms.encryption-context config in native s3 connector#28070
gaborgsomogyi merged 10 commits into
apache:masterfrom
gaborgsomogyi:FLINK-39579

Conversation

@gaborgsomogyi
Copy link
Copy Markdown
Contributor

@gaborgsomogyi gaborgsomogyi commented Apr 29, 2026

What is the purpose of the change

s3.sse.kms.encryption-context was listed in the README as a supported configuration option for SSE-KMS, but the corresponding ConfigOption never existed in NativeS3FileSystemFactory. As a result, the encryption context was silently ignored regardless of what users configured, and the sseKms(keyId, context) code path in S3EncryptionConfig was dead code unreachable from production.

This PR closes the gap by adding the missing config option and wiring it end-to-end.

Brief change log

  • Fix: Add SSE_KMS_ENCRYPTION_CONTEXT (s3.sse.kms.encryption-context) ConfigOption to NativeS3FileSystemFactory and wire it through S3EncryptionConfig.fromConfig() — the feature was documented but never implemented
  • Fix: Update docs (README, s3.md EN/ZH) with correct aws:s3:arn encryption context example reflecting real AWS usage
  • Tests: Add unit tests for S3EncryptionConfig, S3ExceptionUtils, S3FileStatus, S3BlockLocation

Verifying this change

Existing and new unit tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: yes

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? docs
Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

Generated-by: Claude code

@gaborgsomogyi
Copy link
Copy Markdown
Contributor Author

gaborgsomogyi commented Apr 29, 2026

cc @Samrat002

@flinkbot
Copy link
Copy Markdown
Collaborator

flinkbot commented Apr 29, 2026
edited
Loading

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

@gaborgsomogyi gaborgsomogyi changed the title [FLINK-39579][s3] Fix s3.sse.kms.encryption-context config in native s3 connector [FLINK-39113][s3] Fix s3.sse.kms.encryption-context config in native s3 connector Apr 29, 2026
Samrat002
Samrat002 reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Samrat002 Samrat002 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NativeS3OutputStream.uploadToS3() is a separate write path for small files. It builds a PutObjectRequest but currently doesn't call ssekmsEncryptionContext(). The context wired through NativeS3ObjectOperations.applyEncryption() won't apply to writes that go through NativeS3OutputStream. Could you extend that code path as well?

Comment thread ...ystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3EncryptionConfig.java
Comment thread ...tems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3ExceptionUtilsTest.java
Comment thread ...ystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3EncryptionConfig.java
Comment thread ...ms/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3EncryptionConfigTest.java Outdated
Comment thread docs/content.zh/docs/deployment/filesystems/s3.md Outdated
Comment thread ...stems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3BlockLocationTest.java
Comment thread ...ystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3EncryptionConfig.java Outdated
Comment thread ...esystems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3FileStatusTest.java
@gaborgsomogyi gaborgsomogyi force-pushed the FLINK-39579 branch 2 times, most recently from 69ec88c to cdd8670 Compare April 30, 2026 16:02
@github-actions github-actions Bot added the community-reviewed PR has been reviewed by the community. label Apr 30, 2026
@gaborgsomogyi gaborgsomogyi requested a review from Samrat002 April 30, 2026 16:44
Samrat002
Samrat002 reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Samrat002 Samrat002 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left few comments.

Cheers,
Samrat

Comment thread ...esystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3ClientProvider.java Outdated
Comment thread ...ystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3EncryptionConfig.java Outdated
Comment thread ...ystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3EncryptionConfig.java Outdated
Comment thread ...ms/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3EncryptionConfigTest.java Outdated
Comment thread ...ms/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3EncryptionConfigTest.java Outdated
Comment thread ...ms/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3EncryptionConfigTest.java Outdated
Comment thread ...tems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3ExceptionUtilsTest.java Outdated
Comment thread ...tems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3ExceptionUtilsTest.java Outdated
Comment thread ...tems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3ExceptionUtilsTest.java Outdated
Comment thread ...tems/flink-s3-fs-native/src/test/java/org/apache/flink/fs/s3native/S3ExceptionUtilsTest.java Outdated
Samrat002
Samrat002 approved these changes May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Samrat002 Samrat002 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, Changes looks good. I have validated e2e working 🚀

1 small comment .

Cheers,
Samrat

Comment thread ...ystems/flink-s3-fs-native/src/main/java/org/apache/flink/fs/s3native/S3EncryptionConfig.java Outdated
@gaborgsomogyi
[FLINK-39113][s3] Fix s3.sse.kms.encryption-context config in native …
fd5f65a 
…s3 connector
@gaborgsomogyi
[FLINK-39113][s3] Address review feedback for native s3 connector enc…
69d4381 
…ryption context

- Switch fromConfig() normalization to toLowerCase(Locale.ROOT), removing
  the SSE_KMS placeholder case
- Add sseKms(Map) factory overload so encryption context is preserved when
  using the default AWS-managed key
- Revert Map.copyOf() to null-tolerant unmodifiableMap(new HashMap<>())
@gaborgsomogyi
[FLINK-39113][s3] Fix missing encryption context in NativeS3OutputStr…
6ecf80a 
…eam write path

Move serializeEncryptionContext to S3EncryptionConfig and apply it in
NativeS3OutputStream.uploadToS3(), which previously dropped the KMS
encryption context for small-file (non-multipart) writes.
@gaborgsomogyi
[FLINK-39113][s3] Fix stale Javadoc on fromConfig after normalization…
675c6ad 
… change
@gaborgsomogyi
Test simplification and restructuring
98dd5a7
@gaborgsomogyi
Test fixes
5872ce8
@gaborgsomogyi
Single sseKms function
b9957e0
@gaborgsomogyi
Make nullables explicit
99ba7e6
@gaborgsomogyi
Use realistic encryption context examples in tests
dbd4474
@gaborgsomogyi
Copy link
Copy Markdown
Contributor Author

gaborgsomogyi commented May 4, 2026

Rebased to master, maybe tests are more stable there

@gaborgsomogyi
Copy link
Copy Markdown
Contributor Author

gaborgsomogyi commented May 5, 2026

@flinkbot run azure

@gaborgsomogyi gaborgsomogyi force-pushed the FLINK-39579 branch 2 times, most recently from 99b1142 to aaa6942 Compare May 5, 2026 14:13
@gaborgsomogyi gaborgsomogyi merged commit 1aa9c85 into apache:master May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Samrat002 Samrat002 Samrat002 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

community-reviewed PR has been reviewed by the community.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gaborgsomogyi @flinkbot @Samrat002