[
https://issues.apache.org/jira/browse/BEAM-5959?focusedWorklogId=194766&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-194766
]
ASF GitHub Bot logged work on BEAM-5959:
----------------------------------------
Author: ASF GitHub Bot
Created on: 05/Feb/19 19:34
Start Date: 05/Feb/19 19:34
Worklog Time Spent: 10m
Work Description: udim commented on pull request #7682: [BEAM-5959] Add
GCS KMS support
URL: https://github.com/apache/beam/pull/7682#discussion_r254011714
##########
File path:
sdks/java/extensions/google-cloud-platform-core/src/main/java/org/apache/beam/sdk/extensions/gcp/options/GcpOptions.java
##########
@@ -390,4 +391,15 @@ private static HttpRequestInitializer
chainHttpRequestInitializer(
}
}
}
+
+ /** GCP <a href="https://cloud.google.com/kms/";>Cloud KMS</a> key for
operations. */
+ @Description(
+ "GCP Cloud KMS key for creation of new objects, such as GCS objects and
BigQuery tables. "
+ + "Semantics vary per service. Key format is: "
+ +
"projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>")
+ @Experimental
+ @Nullable
+ String getGcpKmsKey();
Review comment:
I'm changing the semantics and renaming the command line flag (--gcpKmsKey).
It will no longer affect IO sources and sinks, only Dataflow and bucket
creation in gcpTempLocation (used to stage files for Dataflow pipelines).
For GCS, KMS can still be used using bucket default keys.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 194766)
Time Spent: 21h 40m (was: 21.5h)
> Add Cloud KMS support to GCS creates and copies
> -----------------------------------------------
>
> Key: BEAM-5959
> URL: https://issues.apache.org/jira/browse/BEAM-5959
> Project: Beam
> Issue Type: Bug
> Components: io-java-gcp, sdk-py-core
> Reporter: Udi Meiri
> Assignee: Udi Meiri
> Priority: Major
> Time Spent: 21h 40m
> Remaining Estimate: 0h
>
> Beam SDK currently uses the CopyTo GCS API call, which doesn't support
> copying objects that Customer Managed Encryption Keys (CMEK).
> CMEKs are managed in Cloud KMS.
> Items (for Java and Python SDKs):
> - Update clients to versions that support KMS keys.
> - Change copyTo API calls to use rewriteTo (Python - directly, Java -
> possibly convert copyTo API call to use client library)
> - Add unit tests.
> - Add basic tests (DirectRunner and GCS buckets with CMEK).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
