PBM-1638 added kmip key identifier to backup metadata#365
PBM-1638 added kmip key identifier to backup metadata#365radoslawszulgo merged 10 commits intoRelease-notes-2.14.0from
Conversation
Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
There was a problem hiding this comment.
Pull request overview
Updates PBM documentation to reflect storing/displaying the KMIP master key identifier in backup metadata (and related encryption metadata), alongside broader formatting/structure edits in the CLI reference.
Changes:
- Extend
pbm describe-backupJSON example and output field documentation to include encryption metadata (including KMIPkeyIdentifier). - Update physical backup/restore docs to note the master encryption key identifier is stored in backup metadata (2.14.0+) and adjust stated PSMDB requirements.
- Add
venv/to.gitignore.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| docs/reference/pbm-commands.md | Expands describe-backup output documentation (KMIP key identifier, security details) and reformats multiple command sections. |
| docs/features/physical.md | Updates physical backup requirements and encryption-at-rest metadata notes (incl. key identifier storage). |
| .gitignore | Ignores local Python virtualenv directory. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | `-n` , `--node=NODE` | Shows logs for a specified node or a replica set.<br> Specify the node in the format `replset[/host:port]` | | ||
| | `-f` , `--follow` | Follow log output. Allow to view the logs dynamically | | ||
| | `-s` , `--severity=I` | Shows logs filtered by severity level.<br> Supported levels are (from low to high): D - Debug, I - Info (default), W - Warning, E - Error, F - Fatal.<br><br> The output includes both the specified severity level and all higher ones | | ||
| | `--timezone` =TIMEZONE | Timezone of the log output. <br>Supported values: `UTC` (default), `local` or the timezone in the [IANA timezone format](https://en.wikipedia.org/wiki/Tz_database) (e.g. `America/New_York` ) |
There was a problem hiding this comment.
The flag is rendered as `--timezone` =TIMEZONE (with the = outside the inline code and extra spaces). This is inconsistent with other flags and makes the actual CLI syntax ambiguous; please document it as a single flag token (typically --timezone=TIMEZONE).
| | `--timezone` =TIMEZONE | Timezone of the log output. <br>Supported values: `UTC` (default), `local` or the timezone in the [IANA timezone format](https://en.wikipedia.org/wiki/Tz_database) (e.g. `America/New_York` ) | |
| | `--timezone=TIMEZONE` | Timezone of the log output. <br>Supported values: `UTC` (default), `local` or the timezone in the [IANA timezone format](https://en.wikipedia.org/wiki/Tz_database) (e.g. `America/New_York` ) |
| You can back up and restore data which is encrypted at rest. Thereby you ensure data safety and can also comply with security requirements such as GDPR, HIPAA, PCI DSS, or PHI. | ||
|
|
||
| During a backup, Percona Backup for MongoDB stores the encryption settings in the backup metadata. You can verify them using the [`pbm describe-backup`](../reference/pbm-commands.md#pbm-describe-backup) command. Note that the encryption key is not stored nor shown as part of the backup. | ||
| During a backup, Percona Backup for MongoDB stores the encryption settings in the backup metadata. You can verify them using the [`pbm describe-backup`](../reference/pbm-commands.md#pbm-describe-backup) command. The encryption key is stored nor shown as part of the backup. |
There was a problem hiding this comment.
The sentence currently reads “The encryption key is stored nor shown…”, which is grammatically incorrect and also changes the meaning to imply the encryption key is stored. If the intent is to state the key is not stored/shown, please fix the wording accordingly to avoid misleading readers about key material handling.
| During a backup, Percona Backup for MongoDB stores the encryption settings in the backup metadata. You can verify them using the [`pbm describe-backup`](../reference/pbm-commands.md#pbm-describe-backup) command. The encryption key is stored nor shown as part of the backup. | |
| During a backup, Percona Backup for MongoDB stores the encryption settings in the backup metadata. You can verify them using the [`pbm describe-backup`](../reference/pbm-commands.md#pbm-describe-backup) command. The encryption key is neither stored nor shown as part of the backup. |
…e.g.' Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 3 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <copilot@github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - `--db-config` (optional): required only when you use encryption-at-rest (PBM does not store encryption options in metadata). | ||
|
|
||
|
|
||
| - `--db-config` (optional): required only when you restore from an externally taken backup (without PBM) of a database with encryption at rest (in that case, PBM does not store encryption options in metadata). In that case, you have to provide MongoDB configuration manually via this parameter. The configuration must match the configuration from the node from which the backup was taken, not the current one. For external backups assisted by PBM, you can skip that parameter. PBM creates metadata file within `dbPath` with all necessary `mongod` options, so for the external restore PBM can read this file and provide the options to external `restore-finish` automatically. |
There was a problem hiding this comment.
This paragraph refers to “external restore-finish”, but the command in this workflow is pbm-agent restore-finish (and later pbm restore-finish). To avoid confusion, please name the exact command(s) here rather than “external restore-finish”.
| - `--db-config` (optional): required only when you restore from an externally taken backup (without PBM) of a database with encryption at rest (in that case, PBM does not store encryption options in metadata). In that case, you have to provide MongoDB configuration manually via this parameter. The configuration must match the configuration from the node from which the backup was taken, not the current one. For external backups assisted by PBM, you can skip that parameter. PBM creates metadata file within `dbPath` with all necessary `mongod` options, so for the external restore PBM can read this file and provide the options to external `restore-finish` automatically. | |
| - `--db-config` (optional): required only when you restore from an externally taken backup (without PBM) of a database with encryption at rest (in that case, PBM does not store encryption options in metadata). In that case, you have to provide MongoDB configuration manually via this parameter. The configuration must match the configuration from the node from which the backup was taken, not the current one. For external backups assisted by PBM, you can skip that parameter. PBM creates metadata file within `dbPath` with all necessary `mongod` options, so for the external restore PBM can read this file and provide the options to `pbm-agent restore-finish` automatically. |
| "vault": { | ||
| "serverName": "cosmian", | ||
| "port": 5696, | ||
| "tokenFile": "/etc/vault/token", | ||
| "secret": "secret/data/mongo", | ||
| "secretVersion": 5, | ||
| "disableTLSForTesting": true | ||
| } |
There was a problem hiding this comment.
The JSON example sets security.disableTLSForTesting to true. Even though the later field description notes this is “testing only”, showing it enabled in the primary example can normalize an insecure configuration. Consider using a safer default in the example (omit the field or set it to false) and mention explicitly when/why to enable it.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
No description provided.