opensearch-project
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎plugins/repository-azure/src/main/java/org/opensearch/repositories/azure/AzureBlobContainer.java‎
Lines changed: 13 additions & 0 deletions b/‎plugins/repository-azure/src/main/java/org/opensearch/repositories/azure/AzureBlobContainer.java‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3BlobContainer.java‎
Lines changed: 55 additions & 19 deletions b/‎plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3BlobContainer.java‎
Lines changed: 55 additions & 19 deletions
diff --git a/‎plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/utils/SseKmsUtil.java‎
Lines changed: 70 additions & 6 deletions b/‎plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/utils/SseKmsUtil.java‎
Lines changed: 70 additions & 6 deletions
diff --git a/‎plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerEncryptionTests.java‎
Lines changed: 44 additions & 0 deletions b/‎plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerEncryptionTests.java‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerMockClientTests.java‎
Lines changed: 2 additions & 2 deletions b/‎plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerMockClientTests.java‎
Lines changed: 2 additions & 2 deletions
@@ -33,6 +33,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Allow the truncate filter in normalizers ([#19778](https://github.com/opensearch-project/OpenSearch/issues/19778))
 - Support pull-based ingestion message mappers and raw payload support ([#19765](https://github.com/opensearch-project/OpenSearch/pull/19765))
 - Support dynamic consumer configuration update in pull-based ingestion ([#19963](https://github.com/opensearch-project/OpenSearch/pull/19963))
+- Add index-level-encryption support for snapshots and remote-store ([#20095](https://github.com/opensearch-project/OpenSearch/pull/20095))
 
 ### Changed
 - Faster `terms` query creation for `keyword` field with index and docValues enabled ([#19350](https://github.com/opensearch-project/OpenSearch/pull/19350))
 
@@ -40,6 +40,7 @@
 import org.opensearch.action.ActionRunnable;
 import org.opensearch.action.support.GroupedActionListener;
 import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.cluster.metadata.CryptoMetadata;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.blobstore.BlobContainer;
 import org.opensearch.common.blobstore.BlobMetadata;
@@ -136,6 +137,18 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
         }
     }
 
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) throws IOException {
+        writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);
+    }
+
     @Override
     public void writeBlobAtomic(String blobName, InputStream inputStream, long blobSize, boolean failIfAlreadyExists) throws IOException {
         writeBlob(blobName, inputStream, blobSize, failIfAlreadyExists);
 
@@ -32,6 +32,9 @@
 
 package org.opensearch.repositories.s3;
 
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.cluster.metadata.KmsCryptoMetadata;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
 import software.amazon.awssdk.core.ResponseInputStream;
 import software.amazon.awssdk.core.async.AsyncResponseTransformer;
 import software.amazon.awssdk.core.exception.SdkException;
@@ -192,7 +195,7 @@ public void writeBlob(String blobName, InputStream inputStream, long blobSize, b
     }
 
     /**
-     * Write blob with its object metadata.
+     * Write blob with its object metadata and optional encryption settings.
      */
     @ExperimentalApi
     @Override
@@ -201,20 +204,51 @@ public void writeBlobWithMetadata(
         InputStream inputStream,
         long blobSize,
         boolean failIfAlreadyExists,
-        @Nullable Map<String, String> metadata
+        @Nullable Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata
     ) throws IOException {
         assert inputStream.markSupported() : "No mark support on inputStream breaks the S3 SDK's ability to retry requests";
         AccessController.doPrivilegedChecked(() -> {
             if (blobSize <= getLargeBlobThresholdInBytes()) {
-                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeSingleUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, cryptoMetadata);
             } else {
-                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata);
+                executeMultipartUpload(blobStore, buildKey(blobName), inputStream, blobSize, metadata, cryptoMetadata);
             }
         });
     }
 
+    /**
+     * Write blob with its object metadata.
+     */
+    @ExperimentalApi
+    @Override
+    public void writeBlobWithMetadata(
+        String blobName,
+        InputStream inputStream,
+        long blobSize,
+        boolean failIfAlreadyExists,
+        @Nullable Map<String, String> metadata
+    ) throws IOException {
+        // Delegate to crypto-aware version with null CryptoMetadata
+        writeBlobWithMetadata(blobName, inputStream, blobSize, failIfAlreadyExists, metadata, null);
+    }
+
     @Override
     public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> completionListener) throws IOException {
+        CryptoMetadata crypto = writeContext.getCryptoMetadata();
+        
+        String indexKmsKey = null;
+        String mergeEncContext = null;
+
+        if (crypto instanceof KmsCryptoMetadata) {
+            KmsCryptoMetadata kmsMetadata = (KmsCryptoMetadata) crypto;
+            indexKmsKey = kmsMetadata.getKmsKeyArn().orElse(null);
+            mergeEncContext = SseKmsUtil.mergeAndEncodeEncryptionContexts(
+                kmsMetadata.getKmsEncryptionContext().orElse(null),
+                blobStore.serverSideEncryptionEncryptionContext()
+            );
+        }
+
         UploadRequest uploadRequest = new UploadRequest(
             blobStore.bucket(),
             buildKey(writeContext.getFileName()),
@@ -226,9 +260,9 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
             blobStore.isUploadRetryEnabled(),
             writeContext.getMetadata(),
             blobStore.serverSideEncryptionType(),
-            blobStore.serverSideEncryptionKmsKey(),
+            indexKmsKey != null ? indexKmsKey : blobStore.serverSideEncryptionKmsKey(),
             blobStore.serverSideEncryptionBucketKey(),
-            blobStore.serverSideEncryptionEncryptionContext(),
+            mergeEncContext,
             blobStore.expectedBucketOwner()
         );
         try {
@@ -245,13 +279,14 @@ public void asyncBlobUpload(WriteContext writeContext, ActionListener<Void> comp
                 );
                 InputStreamContainer inputStream = streamContext.provideStream(0);
                 try {
-                    executeMultipartUpload(
-                        blobStore,
-                        uploadRequest.getKey(),
-                        inputStream.getInputStream(),
-                        uploadRequest.getContentLength(),
-                        uploadRequest.getMetadata()
-                    );
+                        executeMultipartUpload(
+                            blobStore,
+                            uploadRequest.getKey(),
+                            inputStream.getInputStream(),
+                            uploadRequest.getContentLength(),
+                            uploadRequest.getMetadata(),
+                            crypto
+                        );
                     completionListener.onResponse(null);
                 } catch (Exception ex) {
                     logger.error(
@@ -536,8 +571,8 @@ void executeSingleUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
-    ) throws IOException {
+        final Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata) throws IOException {
 
         // Extra safety checks
         if (blobSize > MAX_FILE_SIZE.getBytes()) {
@@ -559,7 +594,8 @@ void executeSingleUpload(
         if (CollectionUtils.isNotEmpty(metadata)) {
             putObjectRequestBuilder = putObjectRequestBuilder.metadata(metadata);
         }
-        configureEncryptionSettings(putObjectRequestBuilder, blobStore);
+
+        configureEncryptionSettings(putObjectRequestBuilder, blobStore, cryptoMetadata);
 
         PutObjectRequest putObjectRequest = putObjectRequestBuilder.build();
         try (AmazonS3Reference clientReference = blobStore.clientReference()) {
@@ -585,8 +621,8 @@ void executeMultipartUpload(
         final String blobName,
         final InputStream input,
         final long blobSize,
-        final Map<String, String> metadata
-    ) throws IOException {
+        final Map<String, String> metadata,
+        @Nullable CryptoMetadata cryptoMetadata) throws IOException {
 
         ensureMultiPartUploadSize(blobSize);
         final long partSize = blobStore.bufferSizeInBytes();
@@ -616,7 +652,7 @@ void executeMultipartUpload(
             createMultipartUploadRequestBuilder.metadata(metadata);
         }
 
-        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore);
+        configureEncryptionSettings(createMultipartUploadRequestBuilder, blobStore, cryptoMetadata);
 
         final InputStream requestInputStream;
         if (blobStore.isUploadRetryEnabled()) {
 
@@ -8,6 +8,9 @@
 
 package org.opensearch.repositories.s3.utils;
 
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.cluster.metadata.KmsCryptoMetadata;
+import org.opensearch.common.Nullable;
 import software.amazon.awssdk.services.s3.model.CreateMultipartUploadRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
@@ -16,29 +19,90 @@
 import org.opensearch.repositories.s3.async.UploadRequest;
 
 public class SseKmsUtil {
+    /**
+     * Merges index-level and repository-level encryption contexts, converts to JSON format if needed,
+     * and Base64 encodes for S3.
+     * <p>
+     * Delegates to centralized EncryptionContextUtils for consistent behavior.
+     *
+     * @param indexEncContext Index-level encryption context - can be cryptofs or JSON format
+     * @param repoEncContext  Repository-level encryption context - already Base64 encoded JSON
+     * @return Base64 encoded merged JSON encryption context, or null if both are null
+     */
+    public static String mergeAndEncodeEncryptionContexts(
+        @Nullable String indexEncContext,
+        @Nullable String repoEncContext
+    ) {
+        return org.opensearch.repositories.blobstore.EncryptionContextUtils.mergeAndEncodeEncryptionContexts(
+            indexEncContext,
+            repoEncContext
+        );
+    }
 
-    public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, S3BlobStore blobStore) {
+    public static void configureEncryptionSettings(
+        CreateMultipartUploadRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            String indexKmsKey = null;
+            String indexEncContext = null;
+            
+            if (cryptoMetadata instanceof KmsCryptoMetadata) {
+                KmsCryptoMetadata kmsMetadata = (KmsCryptoMetadata) cryptoMetadata;
+                indexKmsKey = kmsMetadata.getKmsKeyArn().orElse(null);
+                indexEncContext = kmsMetadata.getKmsEncryptionContext().orElse(null);
+            }
+            
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+            String encContext = mergeAndEncodeEncryptionContexts(
+                indexEncContext,
+                blobStore.serverSideEncryptionEncryptionContext()
+            );
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
-    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+    public static void configureEncryptionSettings(
+        PutObjectRequest.Builder builder,
+        S3BlobStore blobStore,
+        @Nullable CryptoMetadata cryptoMetadata
+    ) {
         if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
         } else if (blobStore.serverSideEncryptionType().equals(ServerSideEncryption.AWS_KMS.toString())) {
+            String indexKmsKey = null;
+            String indexEncContext = null;
+            
+            if (cryptoMetadata instanceof KmsCryptoMetadata) {
+                KmsCryptoMetadata kmsMetadata = (KmsCryptoMetadata) cryptoMetadata;
+                indexKmsKey = kmsMetadata.getKmsKeyArn().orElse(null);
+                indexEncContext = kmsMetadata.getKmsEncryptionContext().orElse(null);
+            }
+            
+            String kmsKey = (indexKmsKey != null) ? indexKmsKey : blobStore.serverSideEncryptionKmsKey();
+            String encContext = mergeAndEncodeEncryptionContexts(
+                indexEncContext,
+                blobStore.serverSideEncryptionEncryptionContext()
+            );
+
             builder.serverSideEncryption(ServerSideEncryption.AWS_KMS);
-            builder.ssekmsKeyId(blobStore.serverSideEncryptionKmsKey());
+            builder.ssekmsKeyId(kmsKey);
             builder.bucketKeyEnabled(blobStore.serverSideEncryptionBucketKey());
-            builder.ssekmsEncryptionContext(blobStore.serverSideEncryptionEncryptionContext());
+            builder.ssekmsEncryptionContext(encContext);
         }
     }
 
+    public static void configureEncryptionSettings(PutObjectRequest.Builder builder, S3BlobStore blobStore) {
+        configureEncryptionSettings(builder, blobStore, null);
+    }
+
     public static void configureEncryptionSettings(CreateMultipartUploadRequest.Builder builder, UploadRequest uploadRequest) {
         if (uploadRequest.getServerSideEncryptionType().equals(ServerSideEncryption.AES256.toString())) {
             builder.serverSideEncryption(ServerSideEncryption.AES256);
 
@@ -0,0 +1,44 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.repositories.s3;
+
+import org.opensearch.cluster.metadata.CryptoMetadata;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.repositories.s3.utils.SseKmsUtil;
+import org.opensearch.test.OpenSearchTestCase;
+
+import java.util.Base64;
+
+public class S3BlobContainerEncryptionTests extends OpenSearchTestCase {
+
+    public void testEncryptionContextMerging() {
+        String indexContext = "tenant=acme,classification=confidential";
+        String repoContext = Base64.getEncoder().encodeToString("{\"repo\":\"test\",\"env\":\"prod\"}".getBytes());
+
+        String merged = SseKmsUtil.mergeAndEncodeEncryptionContexts(indexContext, repoContext);
+        assertNotNull(merged);
+
+        String decoded = new String(Base64.getDecoder().decode(merged));
+        assertTrue(decoded.contains("\"tenant\":\"acme\""));
+        assertTrue(decoded.contains("\"classification\":\"confidential\""));
+        assertTrue(decoded.contains("\"repo\":\"test\""));
+        assertTrue(decoded.contains("\"env\":\"prod\""));
+    }
+
+    public void testCryptoMetadataExtraction() {
+        Settings cryptoSettings = Settings.builder()
+            .put("kms.key_arn", "arn:aws:kms:us-east-1:123456789:key/index-key")
+            .put("kms.encryption_context", "tenant=acme,env=staging")
+            .build();
+        CryptoMetadata cryptoMetadata = new CryptoMetadata("index-provider", "aws-kms", cryptoSettings);
+
+        assertEquals("arn:aws:kms:us-east-1:123456789:key/index-key", cryptoMetadata.settings().get("kms.key_arn"));
+        assertEquals("tenant=acme,env=staging", cryptoMetadata.settings().get("kms.encryption_context"));
+    }
+}
@@ -757,8 +757,8 @@ private void testLargeFilesRedirectedToSlowSyncClient(boolean expectException, W
             anyString(),
             any(InputStream.class),
             anyLong(),
-            anyMap()
-        );
+            anyMap(),
+            null, null);
 
         if (expectException) {
             verify(client, times(1)).abortMultipartUpload(any(AbortMultipartUploadRequest.class));