bulkio: support passing key in query param for google cloud storage #31602
Comments
|
This seems like a good plan. Does 3) mean you're also considering implementing implicit auth for AWS S3 when CockroachDB is running on AWS EC2? We got some questions about this recently from a prospective customer, and it sounded like a relatively simple addition using the |
|
We should also consider how to allow users to pass additional parameters to our various cloud storage options. For example, S3 allows users to configure server-side encryption for PutObject requests via three |
|
We can add more of these options as requested. I think they are pretty straightforward. |
|
Let's file them individually though -- I've like to be able to close this one once we implement the described auth params. |
|
Sure, filed:
|
petermattis
added
the
C-enhancement
Previously, the options for GCS authentication for bulk IO were: * set the value of `cloudstorage.gs.default.key` (`auth=default`) * use the GCP SDK's implicit auth (`auth=implicit`) This change adds the option `auth=specified`, allowing the JSON key object to be sent in the new `credentials` query param, allowing for authentication on a per-statement basis. Fixes cockroachdb#31602 Release note (enterprise change): Adds the option to supply Google Cloud Storage credentials on a per-statement basis with the query parameter `credentials`.
32544: storageccl: support per-statement credentials param for GCS r=lucy-zhang a=lucy-zhang Previously, the options for GCS authentication for bulk IO were: * set the value of `cloudstorage.gs.default.key` (`auth=default`) * use the GCP SDK's implicit auth (`auth=implicit`) This change adds the option `auth=specified`, allowing the JSON key object to be sent in the new `credentials` query param, allowing for authentication on a per-statement basis. Fixes #31602 Release note (enterprise change): Adds the option to supply Google Cloud Storage credentials on a per-statement basis with the query parameter `credentials`. Co-authored-by: Lucy Zhang <lucy-zhang@users.noreply.github.com>
Motivation/Context
Currently interacting with files on google cloud storage in backup/restore/import/export requiring using either the implicit "instance" auth (where the file access is done using the vm's auth) or using a key stored in a the
cloudstorage.gs.default.keykey (identified byauth=default). This setting was devised and named with the intent that we could define other settings to save multiple keys, though support for arbitrary, user-defined settings names does not yet exist. We went with this approach because "key" for gcs access was a large, cumbersome JSON blob that we judged would be clunky to put in a query parameter.However using settings has some drawbacks -- only the root user can read and write them, and they are global to a cluster -- anyone who can use the cluster can use them. This is less than ideal -- ideally a user who can access a specific GCS bucket should be able to backup or restore to it independently of what a different user, on the same cluster, can do. Making auth per-statement avoids this issue. Most of the time a human isn't running a
BACKUPby hand anyway -- a script composes the query by combining variables, so it doesn't matter how large a key is (up to the max URL length).Plan
The text was updated successfully, but these errors were encountered: