Revert "HADOOP-19197. S3A: Support AWS KMS Encryption Context (#7193)"

This reverts commit eb656c0.

This was done because the writable/serializable class
    org.apache.hadoop.fs.s3a.auth.delegation.EncryptionSecrets
is no longer wire-compatible once context attributes
are included.

Author: steveloughran

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeysPublic.java

@@ -1022,7 +1022,6 @@ public class CommonConfigurationKeysPublic {
           "fs.s3a.*.server-side-encryption.key",
           "fs.s3a.encryption.algorithm",
           "fs.s3a.encryption.key",
-          "fs.s3a.encryption.context",
           "fs.azure\\.account.key.*",
           "credential$",
           "oauth.*secret",

hadoop-common-project/hadoop-common/src/main/resources/core-default.xml

@@ -742,7 +742,6 @@
       fs.s3a.*.server-side-encryption.key
       fs.s3a.encryption.algorithm
       fs.s3a.encryption.key
-      fs.s3a.encryption.context
       fs.s3a.secret.key
       fs.s3a.*.secret.key
       fs.s3a.session.key
@@ -1780,15 +1779,6 @@
   </description>
 </property>
 
-<property>
-  <name>fs.s3a.encryption.context</name>
-  <description>Specific encryption context to use if fs.s3a.encryption.algorithm
-    has been set to 'SSE-KMS' or 'DSSE-KMS'. The value of this property is a set
-    of non-secret comma-separated key-value pairs of additional contextual
-    information about the data that are separated by equal operator (=).
-  </description>
-</property>
-
 <property>
   <name>fs.s3a.signing-algorithm</name>
   <description>Override the default signing algorithm so legacy

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java

@@ -774,16 +774,6 @@ private Constants() {
   public static final String S3_ENCRYPTION_KEY =
       "fs.s3a.encryption.key";
 
-  /**
-   * Set S3-SSE encryption context.
-   * The value of this property is a set of non-secret comma-separated key-value pairs
-   * of additional contextual information about the data that are separated by equal
-   * operator (=).
-   * value:{@value}
-   */
-  public static final String S3_ENCRYPTION_CONTEXT =
-      "fs.s3a.encryption.context";
-
   /**
    * Client side encryption (CSE-CUSTOM) with custom cryptographic material manager class name.
    * Custom keyring class name for CSE-KMS.

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/S3AUtils.java

@@ -38,7 +38,6 @@
 import org.apache.hadoop.fs.PathFilter;
 import org.apache.hadoop.fs.PathIOException;
 import org.apache.hadoop.fs.RemoteIterator;
-import org.apache.hadoop.fs.s3a.impl.S3AEncryption;
 import org.apache.hadoop.util.functional.RemoteIterators;
 import org.apache.hadoop.fs.s3a.auth.delegation.EncryptionSecrets;
 import org.apache.hadoop.fs.s3a.impl.MultiObjectDeleteException;
@@ -1325,7 +1324,7 @@ static void patchSecurityCredentialProviders(Configuration conf) {
    * @throws IOException on any IO problem
    * @throws IllegalArgumentException bad arguments
    */
-  public static String lookupBucketSecret(
+  private static String lookupBucketSecret(
       String bucket,
       Configuration conf,
       String baseKey)
@@ -1471,8 +1470,6 @@ public static EncryptionSecrets buildEncryptionSecrets(String bucket,
     int encryptionKeyLen =
         StringUtils.isBlank(encryptionKey) ? 0 : encryptionKey.length();
     String diagnostics = passwordDiagnostics(encryptionKey, "key");
-    String encryptionContext = S3AEncryption.getS3EncryptionContextBase64Encoded(bucket, conf,
-        encryptionMethod.requiresSecret());
     switch (encryptionMethod) {
     case SSE_C:
       LOG.debug("Using SSE-C with {}", diagnostics);
@@ -1508,7 +1505,7 @@ public static EncryptionSecrets buildEncryptionSecrets(String bucket,
       LOG.debug("Data is unencrypted");
       break;
     }
-    return new EncryptionSecrets(encryptionMethod, encryptionKey, encryptionContext);
+    return new EncryptionSecrets(encryptionMethod, encryptionKey);
   }
 
   /**
@@ -1701,21 +1698,6 @@ public static Map<String, String> getTrimmedStringCollectionSplitByEquals(
       final Configuration configuration,
       final String name) {
     String valueString = configuration.get(name);
-    return getTrimmedStringCollectionSplitByEquals(valueString);
-  }
-
-  /**
-   * Get the equal op (=) delimited key-value pairs of the <code>name</code> property as
-   * a collection of pair of <code>String</code>s, trimmed of the leading and trailing whitespace
-   * after delimiting the <code>name</code> by comma and new line separator.
-   * If no such property is specified then empty <code>Map</code> is returned.
-   *
-   * @param valueString the string containing the key-value pairs.
-   * @return property value as a <code>Map</code> of <code>String</code>s, or empty
-   * <code>Map</code>.
-   */
-  public static Map<String, String> getTrimmedStringCollectionSplitByEquals(
-      final String valueString) {
     if (null == valueString) {
       return new HashMap<>();
     }

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/EncryptionSecretOperations.java

@@ -61,20 +61,4 @@ public static Optional<String> getSSEAwsKMSKey(final EncryptionSecrets secrets)
       return Optional.empty();
     }
   }
-
-  /**
-   * Gets the SSE-KMS context if present, else don't set it in the S3 request.
-   *
-   * @param secrets source of the encryption secrets.
-   * @return an optional AWS KMS encryption context to attach to a request.
-   */
-  public static Optional<String> getSSEAwsKMSEncryptionContext(final EncryptionSecrets secrets) {
-    if ((secrets.getEncryptionMethod() == S3AEncryptionMethods.SSE_KMS
-        || secrets.getEncryptionMethod() == S3AEncryptionMethods.DSSE_KMS)
-        && secrets.hasEncryptionContext()) {
-      return Optional.of(secrets.getEncryptionContext());
-    } else {
-      return Optional.empty();
-    }
-  }
 }

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/EncryptionSecrets.java

@@ -67,11 +67,6 @@ public class EncryptionSecrets implements Writable, Serializable {
    */
   private String encryptionKey = "";
 
-  /**
-   * Encryption context: base64-encoded UTF-8 string.
-   */
-  private String encryptionContext = "";
-
   /**
    * This field isn't serialized/marshalled; it is rebuilt from the
    * encryptionAlgorithm field.
@@ -89,28 +84,23 @@ public EncryptionSecrets() {
    * Create a pair of secrets.
    * @param encryptionAlgorithm algorithm enumeration.
    * @param encryptionKey key/key reference.
-   * @param encryptionContext  base64-encoded string with the encryption context key-value pairs.
    * @throws IOException failure to initialize.
    */
   public EncryptionSecrets(final S3AEncryptionMethods encryptionAlgorithm,
-      final String encryptionKey,
-      final String encryptionContext) throws IOException {
-    this(encryptionAlgorithm.getMethod(), encryptionKey, encryptionContext);
+      final String encryptionKey) throws IOException {
+    this(encryptionAlgorithm.getMethod(), encryptionKey);
   }
 
   /**
    * Create a pair of secrets.
    * @param encryptionAlgorithm algorithm name
    * @param encryptionKey key/key reference.
-   * @param encryptionContext  base64-encoded string with the encryption context key-value pairs.
    * @throws IOException failure to initialize.
    */
   public EncryptionSecrets(final String encryptionAlgorithm,
-      final String encryptionKey,
-      final String encryptionContext) throws IOException {
+      final String encryptionKey) throws IOException {
     this.encryptionAlgorithm = encryptionAlgorithm;
     this.encryptionKey = encryptionKey;
-    this.encryptionContext = encryptionContext;
     init();
   }
 
@@ -124,7 +114,6 @@ public void write(final DataOutput out) throws IOException {
     new LongWritable(serialVersionUID).write(out);
     Text.writeString(out, encryptionAlgorithm);
     Text.writeString(out, encryptionKey);
-    Text.writeString(out, encryptionContext);
   }
 
   /**
@@ -143,7 +132,6 @@ public void readFields(final DataInput in) throws IOException {
     }
     encryptionAlgorithm = Text.readString(in, MAX_SECRET_LENGTH);
     encryptionKey = Text.readString(in, MAX_SECRET_LENGTH);
-    encryptionContext = Text.readString(in);
     init();
   }
 
@@ -176,10 +164,6 @@ public String getEncryptionKey() {
     return encryptionKey;
   }
 
-  public String getEncryptionContext() {
-    return encryptionContext;
-  }
-
   /**
    * Does this instance have encryption options?
    * That is: is the algorithm non-null.
@@ -197,14 +181,6 @@ public boolean hasEncryptionKey() {
     return StringUtils.isNotEmpty(encryptionKey);
   }
 
-  /**
-   * Does this instance have an encryption context?
-   * @return true if there's an encryption context.
-   */
-  public boolean hasEncryptionContext() {
-    return StringUtils.isNotEmpty(encryptionContext);
-  }
-
   @Override
   public boolean equals(final Object o) {
     if (this == o) {
@@ -215,13 +191,12 @@ public boolean equals(final Object o) {
     }
     final EncryptionSecrets that = (EncryptionSecrets) o;
     return Objects.equals(encryptionAlgorithm, that.encryptionAlgorithm)
-        && Objects.equals(encryptionKey, that.encryptionKey)
-        && Objects.equals(encryptionContext, that.encryptionContext);
+        && Objects.equals(encryptionKey, that.encryptionKey);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(encryptionAlgorithm, encryptionKey, encryptionContext);
+    return Objects.hash(encryptionAlgorithm, encryptionKey);
   }
 
   /**

hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/impl/RequestFactoryImpl.java

@@ -298,8 +298,6 @@ protected void copyEncryptionParameters(HeadObjectResponse srcom,
       LOG.debug("Propagating SSE-KMS settings from source {}",
           sourceKMSId);
       copyObjectRequestBuilder.ssekmsKeyId(sourceKMSId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-          .ifPresent(copyObjectRequestBuilder::ssekmsEncryptionContext);
       return;
     }
 
@@ -312,15 +310,11 @@ protected void copyEncryptionParameters(HeadObjectResponse srcom,
       // Set the KMS key if present, else S3 uses AWS managed key.
       EncryptionSecretOperations.getSSEAwsKMSKey(encryptionSecrets)
           .ifPresent(copyObjectRequestBuilder::ssekmsKeyId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-              .ifPresent(copyObjectRequestBuilder::ssekmsEncryptionContext);
       break;
     case DSSE_KMS:
       copyObjectRequestBuilder.serverSideEncryption(ServerSideEncryption.AWS_KMS_DSSE);
       EncryptionSecretOperations.getSSEAwsKMSKey(encryptionSecrets)
           .ifPresent(copyObjectRequestBuilder::ssekmsKeyId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-              .ifPresent(copyObjectRequestBuilder::ssekmsEncryptionContext);
       break;
     case SSE_C:
       EncryptionSecretOperations.getSSECustomerKey(encryptionSecrets)
@@ -427,15 +421,11 @@ private void putEncryptionParameters(PutObjectRequest.Builder putObjectRequestBu
       // Set the KMS key if present, else S3 uses AWS managed key.
       EncryptionSecretOperations.getSSEAwsKMSKey(encryptionSecrets)
           .ifPresent(putObjectRequestBuilder::ssekmsKeyId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-              .ifPresent(putObjectRequestBuilder::ssekmsEncryptionContext);
       break;
     case DSSE_KMS:
       putObjectRequestBuilder.serverSideEncryption(ServerSideEncryption.AWS_KMS_DSSE);
       EncryptionSecretOperations.getSSEAwsKMSKey(encryptionSecrets)
           .ifPresent(putObjectRequestBuilder::ssekmsKeyId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-              .ifPresent(putObjectRequestBuilder::ssekmsEncryptionContext);
       break;
     case SSE_C:
       EncryptionSecretOperations.getSSECustomerKey(encryptionSecrets)
@@ -507,15 +497,11 @@ private void multipartUploadEncryptionParameters(
       // Set the KMS key if present, else S3 uses AWS managed key.
       EncryptionSecretOperations.getSSEAwsKMSKey(encryptionSecrets)
           .ifPresent(mpuRequestBuilder::ssekmsKeyId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-              .ifPresent(mpuRequestBuilder::ssekmsEncryptionContext);
       break;
     case DSSE_KMS:
       mpuRequestBuilder.serverSideEncryption(ServerSideEncryption.AWS_KMS_DSSE);
       EncryptionSecretOperations.getSSEAwsKMSKey(encryptionSecrets)
           .ifPresent(mpuRequestBuilder::ssekmsKeyId);
-      EncryptionSecretOperations.getSSEAwsKMSEncryptionContext(encryptionSecrets)
-              .ifPresent(mpuRequestBuilder::ssekmsEncryptionContext);
       break;
     case SSE_C:
       EncryptionSecretOperations.getSSECustomerKey(encryptionSecrets)