Add Polaris blog about KMS #3331
Following up on apache#2802
adnanhemani left a comment
LGTM! Thanks for this @dimas-b !
singhpk234 left a comment
Thanks a ton for penning it down @dimas-b!
Thank you @fivetran-ashokborra @fabio-rizzo-01 for working on these, and the Polaris community members for making this happen!
> AWS [Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (KMS) provides
> a way to encrypt S3 data in AWS without exposing raw key material outside AWS services.
>
> Apache Polaris supports using KMS in its catalogs backed by AWS S3 storage.
minor: do we need (incubating) here?
I guess not... the statement below already mentions a specific incubating version, plus the site's front page has the appropriate "incubating" designation.
> This can be achieved by using the `--allowed-kms-key` CLI option to add zero or more extra KMS key ARNs to the
> catalog's storage configuration.
>
> Note: if the key material is rotated without introducing a new key ARN, no catalog changes are necessary.
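Review bot: "add zero or more extra KMS key ARNs" reads oddly for an option whose purpose is to add keys; "one or more" would be clearer, or the text could say explicitly that the option is simply omitted when the bucket has only ever used a single key ARN. The following "Note:" would also be easier to connect to the multi-key case if it said that rotation under the same ARN is the contrast to the multiple-ARN situation described in this section.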
didn't fully get this part, can you please elaborate?
rephrased
singhpk234 left a comment
LGTM, thanks @dimas-b!
Added some questions on the timeline for the CLI feature.
> Apache Polaris supports using KMS in its catalogs backed by AWS S3 storage.
>
> The core functionality is available via Polaris REST API since the `1.2.0-incubating` release.
> CLI support will be made available in the release following `1.3.0-incubating`.
Are we planning to CP #3330 to 1.3.x and have a new RC?
I guess not. Let's not expand the scope of 1.3.0.
I was trying to understand what the above statement meant; 1.3.1 could also be a following release.
I think we mean 1.4 ideally, and we are not sure if it will be 2.0?
> ## Using Multiple KMS Keys
>
> If the bucket used by the catalog has had multiple different KMS key ARNs associated with it over time,
> Polaris needs to know all related key ARNs in order to properly form policies for accessing old and new data.
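Review bot: this section states that Polaris must know all related key ARNs to form correct policies, but not what a reader should expect when an older ARN has been left out of the catalog's storage configuration; one sentence on the symptom in that case would help operators recognise the misconfiguration when older data becomes unreadable while new data still works.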
optional, suggested change:

- Polaris needs to know all related key ARNs in order to properly form policies for accessing old and new data.
+ Polaris needs to know all related key ARNs in order to properly form policies used for vending creds for accessing old and new data.
thx - updated
> This can be achieved by using the `--allowed-kms-key` CLI option to add zero or more extra KMS key ARNs to the
> catalog's storage configuration.
do we plan to merge this blog post after the CLI PR gets merged?
yes, CLI needs to go first
LGTM, thanks for the acknowledgement 🙏 @fabio-rizzo-01 thanks for working on this feature

I'm going to merge this PR in its current form. Willing to take feedback and make adjustments after merging.
Checklist
- CHANGELOG.md (if needed)
- site/content/in-dev/unreleased (if needed)