Following up on apache#2802
adnanhemani
left a comment
LGTM! Thanks for this @dimas-b !
singhpk234
left a comment
Thanks a ton for penning it down @dimas-b !
Thank you @fivetran-ashokborra @fabio-rizzo-01 for working on these and the Polaris community members for making this happen!
| AWS [Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (KMS) provides | ||
| a way to encrypt S3 data in AWS without exposing raw key material outside AWS services. | ||
|
|
||
| Apache Polaris supports using KMS in its catalogs backed by AWS S3 storage. |
minor: do we need (incubating) here ?
I guess not... the statement below already mentions a specific incubating version, plus the site's front page has the appropriate "incubating" designation.
| This can be achieved by using the `--allowed-kms-key` CLI option to add zero or more extra KMS key ARNs to the | ||
| catalog's storage configuration. | ||
|
|
||
| Note: if the key material is rotated without introducing a new key ARN, no catalog changes are necessary. |
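Review bot: The closing note on key rotation does not say why no catalog change is needed, and the `--allowed-kms-key` sentence ("add zero or more extra KMS key ARNs") gives no usage. Suggest tying the note to the ARN list, for example "the storage configuration refers to keys by ARN, so rotating key material under the same ARN needs no catalog changes", and showing one invocation of the option with two ARNs.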
Didn't fully get this part, can you please elaborate?
singhpk234
left a comment
LGTM, thanks @dimas-b !
Added some questions on the timeline for the cli feature.
| Apache Polaris supports using KMS in its catalogs backed by AWS S3 storage. | ||
|
|
||
| The core functionality is available via Polaris REST API since the `1.2.0-incubating` release. | ||
| CLI support will be made available in the release following `1.3.0-incubating`. |
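Review bot: "the release following `1.3.0-incubating`" in the last line is ambiguous, since a patch release and the next minor release both follow 1.3.0. Suggest naming the intended release once it is known, or saying that CLI support is not part of `1.3.0-incubating` and will ship in a later release.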
Are we planning to CP #3330 this to 1.3x? and have a new RC?
I guess not. Let's not expand scope of 1.3.0
I was trying to understand more what the above statement meant, 1.3.1 could also be a following release.
I think we mean 1.4 ideally and we are not sure if it will be 2.0?
| ## Using Multiple KMS Keys | ||
|
|
||
| If the bucket used by the catalog has had multiple different KMS key ARNs associated with it over time, | ||
| Polaris needs to know all related key ARNs in order to properly form policies for accessing old and new data. |
optional :
| Polaris needs to know all related key ARNs in order to properly form policies for accessing old and new data. | |
| Polaris needs to know all related key ARNs in order to properly form policies used for vending creds for accessing old and new data. |
| This can be achieved by using the `--allowed-kms-key` CLI option to add zero or more extra KMS key ARNs to the | ||
| catalog's storage configuration. |
Do we plan to merge this blog post after the CLI PR gets merged?
yes, CLI needs to go first
LGTM, Thanks for the acknowledgement 🙏 @fabio-rizzo-01 thanks for working on this feature
I'm going to merge this PR in its current form. Willing to take feedback and make adjustments after merging.
* Add Polaris blog about KMS Following up on apache#2802
* Disable renovate bot for openapi generator cli (apache#3306)
* Fix openapi-generator-cli version in build system
* Fix openapi-generator-cli version in build system
* Build: Ensure reproducible .properties files (apache#3089) This is a safety net in case Properties are generated anywhere during the build.
* Generate release vote e-mail as Github Step Summary (apache#3150)
* Improve error handling in quickstart setup script (apache#3288) Add error detection and validation to API calls in the quickstart docker-compose setup with clear error messages for easier debugging.
* (doc): Fix tools doc and add tool doc for mcp server (apache#3311)
* chore(deps): update actions/stale digest to a21a081 (apache#3326)
* Add cancel release candidate workflow (apache#3321) This commit fixes apache#3080
* fix(deps): update quarkus platform and group to v3.30.5 (apache#3329)
* chore(deps): update actions/checkout digest to 8e8c483 (apache#3319)
* fix(deps): update dependency org.agrona:agrona to v2.4.0 (apache#3333)
* (feat): Helm: add priority class name support for helm (apache#3310)
* Add priority class name support for helm
* Update changelog
* Update default port for metrics from 8282 to 8182 (apache#3335) Corrects the default metrics port from 8282 to 8182 and clarifies the available metrics endpoints in the documentation.
* fix(deps): update dependency software.amazon.awssdk:bom to v2.40.16 (apache#3336)
* Add KMS options to catalogs create CLI (apache#3330)
* Add Polaris blog about KMS (apache#3331)
* Add Polaris blog about KMS Following up on apache#2802
* Use mainstream PostgreSQLContainer (apache#3345) Migrate from the deprecated PostgreSQLContainer class to the mainstream one as suggested by javadoc.
* fix(deps): update dependency org.apache.iceberg:iceberg-bom to v1.10.1 (apache#3317)
* Enforce mypy for CLI (apache#3305)
* fix(deps): update dependency software.amazon.awssdk:bom to v2.41.1 (apache#3351)
* Last merged commit e75eb4b
---------
Co-authored-by: Yong Zheng <[email protected]>
Co-authored-by: Pierre Laporte <[email protected]>
Co-authored-by: Tamas Mate <[email protected]>
Co-authored-by: Mend Renovate <[email protected]>
Co-authored-by: rishii-19-works <[email protected]>
Co-authored-by: Dmitri Bourlatchkov <[email protected]>
Following up on #2802
Checklist
* CHANGELOG.md (if needed)
* site/content/in-dev/unreleased (if needed)