Skip to content

Storage: add support for KMS keys#5259

Merged
tseaver merged 8 commits into
masterfrom
storage-support_kms_keys-wip
May 9, 2018
Merged

Storage: add support for KMS keys#5259
tseaver merged 8 commits into
masterfrom
storage-support_kms_keys-wip

Conversation

@tseaver
Copy link
Copy Markdown
Contributor

@tseaver tseaver commented Apr 27, 2018

Merge is blocked for public beta of the KMS support. We will need to adjust the system tests at that time to switch from using keys in the global location to keys in the same location as the bucket.

@tseaver tseaver added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. api: storage Issues related to the Cloud Storage API. do not merge Indicates a pull request not ready for merge, due to either quality or timing. labels Apr 27, 2018
@tseaver tseaver requested a review from frankyn April 27, 2018 21:50
@tseaver tseaver requested a review from lukesneeringer as a code owner April 27, 2018 21:50
@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Apr 27, 2018
@tseaver tseaver mentioned this pull request Apr 27, 2018
Merged
frankyn
frankyn suggested changes Apr 28, 2018
View reviewed changes
Comment thread storage/google/cloud/storage/blob.py Outdated
:param kms_key_name:
Optional resource name of Cloud KMS key used to encrypt the blob's
contents.
See https://cloud.google.com/storage/docs/encryption#kms.

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

Comment thread storage/tests/system.py
# We can't verify it, but ideally we would check that the following
# URL was resolvable with our credentals
# KEY_URL = 'https://cloudkms.googleapis.com/v1/{}'.format(
# kms_key_name)

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

Comment thread storage/tests/unit/test_blob.py Outdated
download_url = blob._get_download_url()
expected_url = (
'https://www.googleapis.com/download/storage/v1/b/'
'buhkit/o/bzzz-fly.txt?alt=media') # kmsKeyName *not* expected

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

Comment thread storage/tests/system.py
key_name,
)

def test_blob_w_explicit_kms_key_name(self):

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@tseaver
Copy link
Copy Markdown
Contributor Author

tseaver commented Apr 30, 2018

@frankyn PTAL.

frankyn
frankyn approved these changes Apr 30, 2018
View reviewed changes
Copy link
Copy Markdown
Contributor

@frankyn frankyn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but do not merge and still pending switching to regional keys.

@tseaver
Copy link
Copy Markdown
Contributor Author

tseaver commented May 7, 2018

@frankyn FYI I just ran the KMS system tests without changing to regional keys, and they passed. When I switch to regional keys, they fail.

@frankyn
Copy link
Copy Markdown
Contributor

frankyn commented May 7, 2018

Thanks @tseaver, what is the error you're seeing?

@tseaver
Copy link
Copy Markdown
Contributor Author

tseaver commented May 7, 2018

@frankyn The Cloud KMS key resides in a region that is not allowed.

@frankyn
Copy link
Copy Markdown
Contributor

frankyn commented May 7, 2018

Synced with @tseaver and will look into reproducing error and syncing with GCS team.

@googlebot
Copy link
Copy Markdown

googlebot commented May 8, 2018

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of the commit author(s) and merge this pull request when appropriate.

@googlebot googlebot added cla: no This human has *not* signed the Contributor License Agreement. and removed cla: yes This human has signed the Contributor License Agreement. labels May 8, 2018
@frankyn frankyn added cla: yes This human has signed the Contributor License Agreement. and removed cla: no This human has *not* signed the Contributor License Agreement. labels May 9, 2018
@googlebot
Copy link
Copy Markdown

googlebot commented May 9, 2018

A Googler has manually verified that the CLAs look good.

(Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.)

@frankyn
Copy link
Copy Markdown
Contributor

frankyn commented May 9, 2018

I made commits and caused the CLA issue. I'm okay with my contributions being added to the repo.

@tseaver
Copy link
Copy Markdown
Contributor Author

tseaver commented May 9, 2018

@frankyn We are good to merge this branch today, right?

@frankyn
Copy link
Copy Markdown
Contributor

frankyn commented May 9, 2018

I saw the failures in tests were related to logging, and tests for storage weren't ran. I ran tests locally and they passed, but I want to make sure they're not broken for repo system tests.

@tseaver
Copy link
Copy Markdown
Contributor Author

tseaver commented May 9, 2018

@frankyn The logging system tests shouldn't even run against this branch. I've run them locally using the same credentials we use on CircleCI, and they pass. I will try rebuilding them.

@tseaver tseaver force-pushed the storage-support_kms_keys-wip branch from 200df7c to d7843d1 Compare May 9, 2018 20:58
@googlebot
Copy link
Copy Markdown

googlebot commented May 9, 2018

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of the commit author(s) and merge this pull request when appropriate.

@googlebot googlebot added cla: no This human has *not* signed the Contributor License Agreement. and removed cla: yes This human has signed the Contributor License Agreement. labels May 9, 2018
@tseaver
Copy link
Copy Markdown
Contributor Author

tseaver commented May 9, 2018

I've rebased the branch against current master, hoping that the fix in #5264 will exclude the irrelevant system tests.

@frankyn frankyn added cla: yes This human has signed the Contributor License Agreement. and removed cla: no This human has *not* signed the Contributor License Agreement. labels May 9, 2018
@googlebot
Copy link
Copy Markdown

googlebot commented May 9, 2018

A Googler has manually verified that the CLAs look good.

(Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.)

@frankyn
Copy link
Copy Markdown
Contributor

frankyn commented May 9, 2018

Same state as before, but CLA: yes was removed again..

@tseaver tseaver merged commit 38c3e9a into master May 9, 2018
@tseaver tseaver deleted the storage-support_kms_keys-wip branch May 9, 2018 21:50
parthea pushed a commit that referenced this pull request Mar 9, 2026
@tseaver
Storage: add support for KMS keys (#5259)
592ca82 
* Add support for blob-level KMS encryption keys (#5221)

* Add 'Bucket.default_kms_key_name' property. (#5222)

* Expose 'Blob.kms_key_name' as read-only property (#5249)

* Add system tests for GCS-KMS integration (#5257)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukesneeringer lukesneeringer Awaiting requested review from lukesneeringer

1 more reviewer

@frankyn frankyn frankyn approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

api: storage Issues related to the Cloud Storage API. cla: yes This human has signed the Contributor License Agreement. do not merge Indicates a pull request not ready for merge, due to either quality or timing. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tseaver @frankyn @googlebot