opensearch-project
diff --git a/‎plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Repository.java‎
Lines changed: 0 additions & 56 deletions b/‎plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Repository.java‎
Lines changed: 0 additions & 56 deletions
diff --git a/‎plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3RepositoryTests.java‎
Lines changed: 0 additions & 34 deletions b/‎plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3RepositoryTests.java‎
Lines changed: 0 additions & 34 deletions
diff --git a/‎server/src/main/java/org/opensearch/action/admin/cluster/remotestore/metadata/TransportRemoteStoreMetadataAction.java‎
Lines changed: 2 additions & 2 deletions b/‎server/src/main/java/org/opensearch/action/admin/cluster/remotestore/metadata/TransportRemoteStoreMetadataAction.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎server/src/main/java/org/opensearch/cluster/metadata/IndexMetadata.java‎
Lines changed: 2 additions & 34 deletions b/‎server/src/main/java/org/opensearch/cluster/metadata/IndexMetadata.java‎
Lines changed: 2 additions & 34 deletions
diff --git a/‎server/src/main/java/org/opensearch/cluster/metadata/MetadataCreateIndexService.java‎
Lines changed: 51 additions & 15 deletions b/‎server/src/main/java/org/opensearch/cluster/metadata/MetadataCreateIndexService.java‎
Lines changed: 51 additions & 15 deletions
diff --git a/‎server/src/main/java/org/opensearch/common/settings/IndexScopedSettings.java‎
Lines changed: 0 additions & 1 deletion b/‎server/src/main/java/org/opensearch/common/settings/IndexScopedSettings.java‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎server/src/main/java/org/opensearch/index/IndexService.java‎
Lines changed: 3 additions & 2 deletions b/‎server/src/main/java/org/opensearch/index/IndexService.java‎
Lines changed: 3 additions & 2 deletions
@@ -507,62 +507,6 @@ protected S3BlobStore createBlobStore() {
         );
     }
 
-    @Override
-    protected S3BlobStore createClientSideEncryptedBlobStore() {
-        serverSideEncryptionType = ServerSideEncryption.AES256.toString();
-        return new S3BlobStore(
-            service,
-            s3AsyncService,
-            multipartUploadEnabled,
-            bucket,
-            bufferSize,
-            cannedACL,
-            storageClass,
-            bulkDeletesSize,
-            metadata,
-            asyncUploadUtils,
-            urgentExecutorBuilder,
-            priorityExecutorBuilder,
-            normalExecutorBuilder,
-            normalPrioritySizeBasedBlockingQ,
-            lowPrioritySizeBasedBlockingQ,
-            genericStatsMetricPublisher,
-            serverSideEncryptionType,
-            null,
-            false,
-            null,
-            null
-        );
-    }
-
-    @Override
-    protected S3BlobStore createServerSideEncryptedBlobStore() {
-        serverSideEncryptionType = ServerSideEncryption.AWS_KMS.toString();
-        return new S3BlobStore(
-            service,
-            s3AsyncService,
-            multipartUploadEnabled,
-            bucket,
-            bufferSize,
-            cannedACL,
-            storageClass,
-            bulkDeletesSize,
-            metadata,
-            asyncUploadUtils,
-            urgentExecutorBuilder,
-            priorityExecutorBuilder,
-            normalExecutorBuilder,
-            normalPrioritySizeBasedBlockingQ,
-            lowPrioritySizeBasedBlockingQ,
-            genericStatsMetricPublisher,
-            serverSideEncryptionType,
-            serverSideEncryptionKmsKey,
-            serverSideEncryptionBucketKey,
-            serverSideEncryptionEncryptionContext,
-            expectedBucketOwner
-        );
-    }
-
     // only use for testing (S3RepositoryTests)
     @Override
     protected BlobStore getBlobStore() {
 
@@ -33,7 +33,6 @@
 package org.opensearch.repositories.s3;
 
 import software.amazon.awssdk.services.s3.S3Client;
-import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
 
 import org.opensearch.cluster.metadata.RepositoryMetadata;
 import org.opensearch.common.blobstore.BlobStoreException;
@@ -176,39 +175,6 @@ public void testValidateHttpLClientType_Invalid_Values() {
         }
     }
 
-    public void testCreateClientSideEncryptedBlobStore() {
-        final RepositoryMetadata metadata = new RepositoryMetadata("dummy-repo", "mock", Settings.EMPTY);
-        try (S3Repository s3Repo = createS3Repo(metadata)) {
-            // Don't expect any Exception
-            S3BlobStore blobStore = s3Repo.createClientSideEncryptedBlobStore();
-            assertNotNull(blobStore);
-            assertNull(blobStore.serverSideEncryptionKmsKey());
-            assertEquals(blobStore.serverSideEncryptionType(), ServerSideEncryption.AES256.toString());
-            assertNull(blobStore.expectedBucketOwner());
-            assertFalse(blobStore.serverSideEncryptionBucketKey());
-        }
-    }
-
-    public void testCreateServerSideEncryptedBlobStore() {
-        Settings settings = Settings.builder()
-            .put("server_side_encryption_type", ServerSideEncryption.AWS_KMS.toString())
-            .put("server_side_encryption_kms_key_id", "kms-key-id")
-            .put("server_side_encryption_bucket_key_enabled", true)
-            .put("server_side_encryption_encryption_context", "enc-ctx")
-            .put("expected_bucket_owner", "123456789012")
-            .build();
-
-        final RepositoryMetadata metadata = new RepositoryMetadata("dummy-repo", "mock", settings);
-        try (S3Repository s3Repo = createS3Repo(metadata)) {
-            // Don't expect any Exception
-            S3BlobStore blobStore = s3Repo.createServerSideEncryptedBlobStore();
-            assertNotNull(blobStore);
-            assertEquals("kms-key-id", blobStore.serverSideEncryptionKmsKey());
-            assertEquals("123456789012", blobStore.expectedBucketOwner());
-            assertTrue(blobStore.serverSideEncryptionBucketKey());
-        }
-    }
-
     private S3Repository createS3Repo(RepositoryMetadata metadata) {
         return new S3Repository(
             metadata,
 
@@ -200,7 +200,7 @@ private Map<String, Map<String, Object>> getSegmentMetadata(
             shardId,
             indexSettings.getRemoteStorePathStrategy(),
             null,
-            indexSettings.isServerSideEncryptionEnabled()
+            RemoteStoreUtils.isServerSideEncryptionEnabledIndex(indexSettings.getIndexMetadata())
         );
 
         Map<String, RemoteSegmentMetadata> segmentMetadataMapWithFilenames = remoteDirectory.readLatestNMetadataFiles(5);
@@ -260,7 +260,7 @@ private Map<String, Map<String, Object>> getTranslogMetadataFiles(
             indexSettings.getRemoteStorePathStrategy(),
             new RemoteStoreSettings(clusterService.getSettings(), clusterService.getClusterSettings()),
             RemoteStoreUtils.determineTranslogMetadataEnabled(indexMetadata),
-            indexSettings.isServerSideEncryptionEnabled()
+            RemoteStoreUtils.isServerSideEncryptionEnabledIndex(indexSettings.getIndexMetadata())
         );
 
         Map<String, TranslogTransferMetadata> metadataMap = manager.readLatestNMetadataFiles(5);
 
@@ -371,7 +371,7 @@ public Iterator<Setting<?>> settings() {
     );
 
     public static final String SETTING_REMOTE_STORE_ENABLED = "index.remote_store.enabled";
-    public static final String SETTING_REMOTE_STORE_SSE_ENABLED = "index.remote_store.sse.enabled";
+    // public static final String SETTING_REMOTE_STORE_SSE_ENABLED = "index.remote_store.sse.enabled";
     public static final String SETTING_INDEX_APPEND_ONLY_ENABLED = "index.append_only.enabled";
 
     public static final String SETTING_REMOTE_SEGMENT_STORE_REPOSITORY = "index.remote_store.segment.repository";
@@ -415,38 +415,6 @@ public Iterator<Setting<?>> settings() {
         Property.Dynamic
     );
 
-    /**
-     * Used to specify if the index data should be persisted in the remote store.
-     */
-    public static final Setting<Boolean> INDEX_REMOTE_STORE_SSE_ENABLED_SETTING = Setting.boolSetting(
-        SETTING_REMOTE_STORE_SSE_ENABLED,
-        false,
-        new Setting.Validator<>() {
-
-            @Override
-            public void validate(final Boolean value) {}
-
-            @Override
-            public void validate(final Boolean value, final Map<Setting<?>, Object> settings) {
-                final Boolean isRemoteStoreEnabled = (Boolean) settings.get(INDEX_REMOTE_STORE_ENABLED_SETTING);
-                if (!isRemoteStoreEnabled && value) {
-                    throw new IllegalArgumentException(
-                        "Server Side Encryption can be enabled when " + INDEX_REMOTE_STORE_ENABLED_SETTING.getKey() + " is enabled. "
-                    );
-                }
-            }
-
-            @Override
-            public Iterator<Setting<?>> settings() {
-                final List<Setting<?>> settings = List.of(INDEX_REMOTE_STORE_ENABLED_SETTING);
-                return settings.iterator();
-            }
-        },
-        Property.IndexScope,
-        Property.PrivateIndex,
-        Property.Dynamic
-    );
-
     /**
      * Used to specify if the index data should be persisted in the remote store.
      */
@@ -1025,7 +993,7 @@ public Iterator<Setting<?>> settings() {
     public static final String KEY_PRIMARY_TERMS = "primary_terms";
     public static final String REMOTE_STORE_CUSTOM_KEY = "remote_store";
     public static final String TRANSLOG_METADATA_KEY = "translog_metadata";
-    public static final String SERVER_SIDE_ENCRYPTION_ENABLED = "server_side_encryption_enabled";
+    public static final String REMOTE_STORE_SSE_ENABLED_INDEX_KEY = "sse_enabled_index";
     public static final String CONTEXT_KEY = "context";
     public static final String INGESTION_SOURCE_KEY = "ingestion_source";
     public static final String INGESTION_STATUS_KEY = "ingestion_status";
 
@@ -632,7 +632,8 @@ static Optional<String> validateOverlap(Set<String> requestSettings, Settings co
     IndexMetadata buildAndValidateTemporaryIndexMetadata(
         final Settings aggregatedIndexSettings,
         final CreateIndexClusterStateUpdateRequest request,
-        final int routingNumShards
+        final int routingNumShards,
+        final ClusterState clusterState
     ) {
 
         final boolean isHiddenAfterTemplates = IndexMetadata.INDEX_HIDDEN_SETTING.get(aggregatedIndexSettings);
@@ -642,7 +643,7 @@ IndexMetadata buildAndValidateTemporaryIndexMetadata(
         tmpImdBuilder.setRoutingNumShards(routingNumShards);
         tmpImdBuilder.settings(aggregatedIndexSettings);
         tmpImdBuilder.system(isSystem);
-        addRemoteStoreCustomMetadata(tmpImdBuilder, true);
+        addRemoteStoreCustomMetadata(tmpImdBuilder, true, clusterState);
 
         if (request.context() != null) {
             tmpImdBuilder.context(request.context());
@@ -661,7 +662,9 @@ IndexMetadata buildAndValidateTemporaryIndexMetadata(
      * @param tmpImdBuilder     index metadata builder.
      * @param assertNullOldType flag to verify that the old remote store path type is null
      */
-    public void addRemoteStoreCustomMetadata(IndexMetadata.Builder tmpImdBuilder, boolean assertNullOldType) {
+    public void addRemoteStoreCustomMetadata(IndexMetadata.Builder tmpImdBuilder, boolean assertNullOldType, ClusterState clusterState) {
+
+        boolean isRestoreFromSnapshot = !assertNullOldType;
         if (remoteStoreCustomMetadataResolver == null) {
             return;
         }
@@ -676,6 +679,27 @@ public void addRemoteStoreCustomMetadata(IndexMetadata.Builder tmpImdBuilder, bo
         boolean isTranslogMetadataEnabled = remoteStoreCustomMetadataResolver.isTranslogMetadataEnabled();
         remoteCustomData.put(IndexMetadata.TRANSLOG_METADATA_KEY, Boolean.toString(isTranslogMetadataEnabled));
 
+        Optional<DiscoveryNode> remoteNode = clusterState.nodes()
+            .getNodes()
+            .values()
+            .stream()
+            .filter(DiscoveryNode::isRemoteStoreNode)
+            .findFirst();
+
+        String sseEnabledIndex = existingCustomData == null
+            ? null
+            : existingCustomData.get(IndexMetadata.REMOTE_STORE_SSE_ENABLED_INDEX_KEY);
+        if (isRestoreFromSnapshot && sseEnabledIndex != null) {
+            remoteCustomData.put(IndexMetadata.REMOTE_STORE_SSE_ENABLED_INDEX_KEY, sseEnabledIndex);
+        }
+
+        if (remoteNode.isPresent()
+            && !isRestoreFromSnapshot
+            && RemoteStoreSettings.isServerSideEncryptionRepoEnabled(clusterState.nodes().getMinNodeVersion())
+            && RemoteStoreNodeAttribute.isRemoteStoreServerSideEncryptionEnabled(remoteNode.get().getAttributes())) {
+            remoteCustomData.put(IndexMetadata.REMOTE_STORE_SSE_ENABLED_INDEX_KEY, Boolean.toString(true));
+        }
+
         // Determine the path type for use using the remoteStorePathResolver.
         RemoteStorePathStrategy newPathStrategy = remoteStoreCustomMetadataResolver.getPathStrategy();
         remoteCustomData.put(PathType.NAME, newPathStrategy.getType().name());
@@ -730,7 +754,9 @@ private ClusterState applyCreateIndexRequestWithV1Templates(
             clusterService.getClusterSettings()
         );
         int routingNumShards = getIndexNumberOfRoutingShards(aggregatedIndexSettings, null);
-        IndexMetadata tmpImd = buildAndValidateTemporaryIndexMetadata(aggregatedIndexSettings, request, routingNumShards);
+        IndexMetadata tmpImd = buildAndValidateTemporaryIndexMetadata(aggregatedIndexSettings, request, routingNumShards, currentState);
+
+        // buildServerSideEncryptionSetting(tmpImd, clusterService.getClusterSettings(), false);
 
         return applyCreateIndexWithTemporaryService(
             currentState,
@@ -755,6 +781,23 @@ private ClusterState applyCreateIndexRequestWithV1Templates(
         );
     }
 
+    // private void buildServerSideEncryptionSetting(IndexMetadata tmpImd, ClusterSettings clusterSettings, boolean isRestore) {
+    //
+    // if (isRestore)
+    // if (remoteStoreCustomMetadataResolver == null) {
+    // return;
+    // }
+    //
+    // Map<String, String> remoteCustomMetadata = tmpImd.getCustomData(IndexMetadata.REMOTE_STORE_CUSTOM_KEY);
+    //
+    // String sseEnabledIndex = existingCustomData == null ? null : existingCustomData.get(IndexMetadata.SETTING_REMOTE_STORE_SSE_ENABLED);
+    // if (assertNullOldType || sseEnabledIndex != null) {
+    //
+    // }
+    // remoteCustomData.put(IndexMetadata.SETTING_REMOTE_STORE_SSE_ENABLED, Boolean.toString(true));
+    //
+    // }
+
     private ClusterState applyCreateIndexRequestWithV2Template(
         final ClusterState currentState,
         final CreateIndexClusterStateUpdateRequest request,
@@ -795,7 +838,7 @@ private ClusterState applyCreateIndexRequestWithV2Template(
             clusterService.getClusterSettings()
         );
         int routingNumShards = getIndexNumberOfRoutingShards(aggregatedIndexSettings, null);
-        IndexMetadata tmpImd = buildAndValidateTemporaryIndexMetadata(aggregatedIndexSettings, request, routingNumShards);
+        IndexMetadata tmpImd = buildAndValidateTemporaryIndexMetadata(aggregatedIndexSettings, request, routingNumShards, currentState);
 
         return applyCreateIndexWithTemporaryService(
             currentState,
@@ -879,7 +922,7 @@ private ClusterState applyCreateIndexRequestWithExistingMetadata(
             clusterService.getClusterSettings()
         );
         final int routingNumShards = getIndexNumberOfRoutingShards(aggregatedIndexSettings, sourceMetadata);
-        IndexMetadata tmpImd = buildAndValidateTemporaryIndexMetadata(aggregatedIndexSettings, request, routingNumShards);
+        IndexMetadata tmpImd = buildAndValidateTemporaryIndexMetadata(aggregatedIndexSettings, request, routingNumShards, currentState);
 
         return applyCreateIndexWithTemporaryService(
             currentState,
@@ -1056,7 +1099,7 @@ static Settings aggregateIndexSettings(
         indexSettingsBuilder.put(SETTING_INDEX_UUID, UUIDs.randomBase64UUID());
 
         updateReplicationStrategy(indexSettingsBuilder, request.settings(), settings, combinedTemplateSettings, clusterSettings);
-        updateRemoteStoreSettings(indexSettingsBuilder, currentState, clusterSettings, settings, request.index(), false);
+        updateRemoteStoreSettings(indexSettingsBuilder, currentState, clusterSettings, settings, request.index());
 
         if (sourceMetadata != null) {
             assert request.resizeType() != null;
@@ -1162,8 +1205,7 @@ public static void updateRemoteStoreSettings(
         ClusterState clusterState,
         ClusterSettings clusterSettings,
         Settings nodeSettings,
-        String indexName,
-        boolean isRestoreFromSnapshot
+        String indexName
     ) {
         if ((isRemoteDataAttributePresent(nodeSettings)
             && clusterSettings.get(REMOTE_STORE_COMPATIBILITY_MODE_SETTING).equals(RemoteStoreNodeService.CompatibilityMode.STRICT))
@@ -1179,12 +1221,6 @@ public static void updateRemoteStoreSettings(
 
             if (remoteNode.isPresent()) {
                 segmentRepo = RemoteStoreNodeAttribute.getSegmentRepoName(remoteNode.get().getAttributes());
-                if (!isRestoreFromSnapshot
-                    && RemoteStoreSettings.isServerSideEncryptionRepoEnabled(clusterState.nodes().getMinNodeVersion())
-                    && RemoteStoreNodeAttribute.isRemoteStoreServerSideEncryptionEnabled(remoteNode.get().getAttributes(), segmentRepo)) {
-                    settingsBuilder.put(IndexMetadata.SETTING_REMOTE_STORE_SSE_ENABLED, true);
-                }
-
                 translogRepo = RemoteStoreNodeAttribute.getTranslogRepoName(remoteNode.get().getAttributes());
                 if (segmentRepo != null) {
                     settingsBuilder.put(SETTING_REMOTE_STORE_ENABLED, true).put(SETTING_REMOTE_SEGMENT_STORE_REPOSITORY, segmentRepo);
 
@@ -242,7 +242,6 @@ public final class IndexScopedSettings extends AbstractScopedSettings {
 
                 // Settings for remote store enablement
                 IndexMetadata.INDEX_REMOTE_STORE_ENABLED_SETTING,
-                IndexMetadata.INDEX_REMOTE_STORE_SSE_ENABLED_SETTING,
                 IndexMetadata.INDEX_REMOTE_SEGMENT_STORE_REPOSITORY_SETTING,
                 IndexMetadata.INDEX_REMOTE_TRANSLOG_REPOSITORY_SETTING,
 
 
@@ -84,6 +84,7 @@
 import org.opensearch.index.query.QueryShardContext;
 import org.opensearch.index.query.SearchIndexNameMatcher;
 import org.opensearch.index.remote.RemoteStoreStatsTrackerFactory;
+import org.opensearch.index.remote.RemoteStoreUtils;
 import org.opensearch.index.seqno.RetentionLeaseSyncer;
 import org.opensearch.index.shard.IndexEventListener;
 import org.opensearch.index.shard.IndexShard;
@@ -697,12 +698,12 @@ public synchronized IndexShard createShard(
                     }
 
                     remoteDirectory = ((RemoteSegmentStoreDirectoryFactory) remoteDirectoryFactory).newDirectory(
-                        RemoteStoreNodeAttribute.getRemoteStoreSegmentRepo(this.indexSettings.getSettings()),
+                        RemoteStoreNodeAttribute.getRemoteStoreSegmentRepo(this.indexSettings.getNodeSettings()),
                         this.indexSettings.getUUID(),
                         shardId,
                         this.indexSettings.getRemoteStorePathStrategy(),
                         this.indexSettings.getRemoteStoreSegmentPathPrefix(),
-                        this.indexSettings.isServerSideEncryptionEnabled()
+                        RemoteStoreUtils.isServerSideEncryptionEnabledIndex(this.indexSettings.getIndexMetadata())
                     );
                 }
                 // When an instance of Store is created, a shardlock is created which is released on closing the instance of store.