add storage access configuration #22232
base: release-8.5
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Summary of Changes

Hello @wildpcww, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces essential documentation for configuring storage access credentials for TiDB Cloud's backup and restore features. It provides clear, step-by-step instructions for both AWS S3 and Alibaba Cloud OSS, focusing on secure practices like using IAM/RAM users and granting least-privilege permissions. This enhancement aims to improve user experience and security when integrating TiDB Cloud with external cloud storage for data management.
Code Review
This pull request adds documentation for configuring storage access for backup and restore operations. The changes are clear and add valuable information for users. I've provided a few suggestions to improve formatting, consistency, and technical accuracy, including fixing an invalid JSON example and adding a missing permission. Overall, this is a great addition to the documentation.
| "s3:prefix": "<Your backup folder>/*" | ||
| } | ||
| } | ||
| }, |
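Review bot: the `"s3:prefix": "<Your backup folder>/*"` condition shown here only narrows `s3:ListBucket`, which AWS evaluates against the bucket ARN; `s3:GetObject` is authorised per object key, so the statement's Resource list (not visible in this hunk) must separately restrict object reads to `arn:aws:s3:::<bucket>/<Your backup folder>/*` (bucket name is a placeholder). Please confirm the Resource entries match the prefix, otherwise the policy lists one folder but can read every object in the bucket.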
| - In the **Effect** section, select **Allow**. | ||
| - In the **Service** section, select **Object Storage Service**. | ||
| - In the **Action** section, select the permissions as needed. | ||
| - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. |
For restore operations, the oss:GetBucketInfo permission is also required, similar to how s3:GetBucketLocation is needed for S3. This is consistent with the permissions listed for import operations in other parts of the documentation. Please add oss:GetBucketInfo to the list of required permissions for technical accuracy.
| - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. | |
| - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects`, `oss:GetObject`, and `oss:GetBucketInfo` permissions. |
| > | ||
| > To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud Object Storage Service (OSS) access](#configure-alibaba-cloud-object-storage-service-oss-access). | ||
|
|
| Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task: | ||
| - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. | ||
|
|
||
| The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. |
There is a trailing whitespace at the end of this line. Please remove it for consistency.
| The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. | |
| The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. |
| > | ||
| > TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete. | ||
|
|
||
| ### Configure Alibaba Cloud Object Storage Service (OSS) access |
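Review bot: the tip in this hunk recommends deleting the access key "after the import or export is complete", but this page documents backup and restore; suggest "after the backup or restore is complete" so the wording matches the section it sits in. The recommendation itself is sound: a long-lived access key that outlives the restore is a standing credential with read access to the backup folder.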
|
|
||
| 1. Create a RAM user and get the AccessKey pair. For more information, see [Create a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-ram-user). | ||
|
|
||
| In the **Access Mode** section, select **Using permanent AccessKey to access**. |
According to the style guide, UI labels and options should be enclosed in backticks. Please wrap Using permanent AccessKey to access in backticks for consistency.
| In the **Access Mode** section, select **Using permanent AccessKey to access**. | |
| In the **Access Mode** section, select `Using permanent AccessKey to access`. |
References
- Code snippets, command names, options, and paths should be in backticks. (link)
| - In the **Effect** section, select **Allow**. | ||
| - In the **Service** section, select **Object Storage Service**. |
According to the style guide, UI labels and options should be enclosed in backticks. Please wrap Allow and Object Storage Service in backticks for consistency.
| - In the **Effect** section, select **Allow**. | |
| - In the **Service** section, select **Object Storage Service**. | |
| - In the **Effect** section, select `Allow`. | |
| - In the **Service** section, select `Object Storage Service`. |
References
- Code snippets, command names, options, and paths should be in backticks. (link)
| - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. | ||
| - In the **Resource** section, select the bucket and the objects in the bucket. | ||
|
|
||
| > **Tip** |
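Review bot: the Resource step says to "select the bucket and the objects in the bucket", which grants `oss:ListObjects` and `oss:GetObject` on everything in the bucket, whereas the S3 section of the same page scopes the restore policy to a specific backup folder. For parity and least privilege, suggest pointing the reader at the bucket plus the backup folder's object path only, in the same way the S3 example restricts to a folder.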
@wildpcww: The following test failed, say
Full PR test history. Your PR dashboard.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
@grovecai: adding LGTM is restricted to approvers and reviewers in OWNERS files.

Details: In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
First-time contributors' checklist
What is changed, added or deleted? (Required)
Add storage access configuration for backup and restore
Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions.
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?