
Commit 0fe5b63

feat: publish new fields for CMEK (#222)
* changes without context autosynth cannot find the source of changes triggered by earlier changes in this repository, or by version upgrades to tools such as linters. * Bump gapic-generator to 2.6.1. - Fix a scenario where generator attempts to assign a string to an integer in tests by using a separate value generator in test generation PiperOrigin-RevId: 336931287 Source-Author: Google APIs <[email protected]> Source-Date: Tue Oct 13 12:29:21 2020 -0700 Source-Repo: googleapis/googleapis Source-Sha: 3a935fab757e09c72afd4aa121147a4c97dccc3e Source-Link: googleapis/googleapis@3a935fa * chore: update grpc dependency to v1.33.1 PiperOrigin-RevId: 338646463 Source-Author: Google APIs <[email protected]> Source-Date: Fri Oct 23 03:57:15 2020 -0700 Source-Repo: googleapis/googleapis Source-Sha: 20b11dfe4538cd5da7b4c3dd7d2bf5b9922ff3ed Source-Link: googleapis/googleapis@20b11df * feat:Update BigtableTableAdmin GetIamPolicy to include the additional binding for Backup. feat:Change DeleteAppProfileRequest.ignore_warnings to REQUIRED. 
PiperOrigin-RevId: 339464550 Source-Author: Google APIs <[email protected]> Source-Date: Wed Oct 28 08:32:48 2020 -0700 Source-Repo: googleapis/googleapis Source-Sha: ccd6462d31e6422fd188b6590aa8d0ad03e7d9a3 Source-Link: googleapis/googleapis@ccd6462 * feat: migrate bigtable retry/timeout settings to gRPC's service configs Committer: @miraleung PiperOrigin-RevId: 346894665 Source-Author: Google APIs <[email protected]> Source-Date: Thu Dec 10 16:55:31 2020 -0800 Source-Repo: googleapis/googleapis Source-Sha: cbbd3170bcf217e36ae72f4ac522449bf861346f Source-Link: googleapis/googleapis@cbbd317 * chore: migrate bigtable to the Python microgenerator PiperOrigin-RevId: 356992836 Source-Author: Google APIs <[email protected]> Source-Date: Thu Feb 11 09:33:53 2021 -0800 Source-Repo: googleapis/googleapis Source-Sha: 1e0c7413684ca6f6322620ecfc0d3e0352933dc1 Source-Link: googleapis/googleapis@1e0c741 * chore: migrate StreetView to the {Java,Python} microgenerators Committer: @miraleung PiperOrigin-RevId: 357863594 Source-Author: Google APIs <[email protected]> Source-Date: Tue Feb 16 20:19:58 2021 -0800 Source-Repo: googleapis/googleapis Source-Sha: 8ca872ced04c96c05a36db3d2113d568ac814be8 Source-Link: googleapis/googleapis@8ca872c * feat: Publish new fields to support Customer Managed Encryption Keys (CMEK) on the existing Cloud Bigtable service methods. PiperOrigin-RevId: 359130387 Source-Author: Google APIs <[email protected]> Source-Date: Tue Feb 23 14:08:20 2021 -0800 Source-Repo: googleapis/googleapis Source-Sha: eabec5a21219401bad79e1cc7d900c1658aee5fd Source-Link: googleapis/googleapis@eabec5a * fix: Use rules_gapic to v0.5.0. Fixes handling parameters with spaces. 
Committer: @alexander-fenster PiperOrigin-RevId: 359364666 Source-Author: Google APIs <[email protected]> Source-Date: Wed Feb 24 14:01:05 2021 -0800 Source-Repo: googleapis/googleapis Source-Sha: c06bbe28cc7287a55bf7926ee48da2565854de7f Source-Link: googleapis/googleapis@c06bbe2 * fix noxfile Co-authored-by: Kristen O'Leary <[email protected]>
1 parent b7489b6 commit 0fe5b63


16 files changed

+407
-115
lines changed


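--- a/.gitignore
+++ b/.gitignore
@@ -50,10 +50,8 @@ docs.metadata
 
 # Virtual environment
 env/
-
-# Test logs
 coverage.xml
-*sponge_log.xml
+sponge_log.xml
 
 # System test environment variables.
 system_tests/local_test_setup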
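Review bot: The added pattern `sponge_log.xml` ignores only a file with exactly that name, whereas the removed `*sponge_log.xml` also covered report names with a prefix. If any test session writes a prefixed report (the test configuration is not visible here), those logs stop being ignored and can be committed by accident. The hunk also drops the `# Test logs` heading, so `coverage.xml` and the log pattern now sit directly under `# Virtual environment`; keeping `*sponge_log.xml` and the heading would preserve the earlier behaviour.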

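--- a/.kokoro/build.sh
+++ b/.kokoro/build.sh
@@ -40,16 +40,6 @@ python3 -m pip uninstall --yes --quiet nox-automation
 python3 -m pip install --upgrade --quiet nox
 python3 -m nox --version
 
-# If this is a continuous build, send the test log to the FlakyBot.
-# See https://github.com/googleapis/repo-automation-bots/tree/master/packages/flakybot.
-if [[ $KOKORO_BUILD_ARTIFACTS_SUBDIR = *"continuous"* ]]; then
-cleanup() {
-chmod +x $KOKORO_GFILE_DIR/linux_amd64/flakybot
-$KOKORO_GFILE_DIR/linux_amd64/flakybot
-}
-trap cleanup EXIT HUP
-fi
-
 # If NOX_SESSION is set, it only runs the specified session,
 # otherwise run all the sessions.
 if [[ -n "${NOX_SESSION:-}" ]]; then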

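--- a/google/cloud/bigtable_admin_v2/__init__.py
+++ b/google/cloud/bigtable_admin_v2/__init__.py
@@ -76,6 +76,7 @@
 from .types.table import Backup
 from .types.table import BackupInfo
 from .types.table import ColumnFamily
+from .types.table import EncryptionInfo
 from .types.table import GcRule
 from .types.table import RestoreInfo
 from .types.table import RestoreSourceType
@@ -87,7 +88,7 @@
 "AppProfile",
 "Backup",
 "BackupInfo",
-"BigtableInstanceAdminClient",
+"BigtableTableAdminClient",
 "CheckConsistencyRequest",
 "CheckConsistencyResponse",
 "Cluster",
@@ -109,6 +110,7 @@
 "DeleteSnapshotRequest",
 "DeleteTableRequest",
 "DropRowRangeRequest",
+"EncryptionInfo",
 "GcRule",
 "GenerateConsistencyTokenRequest",
 "GenerateConsistencyTokenResponse",
@@ -149,5 +151,5 @@
 "UpdateBackupRequest",
 "UpdateClusterMetadata",
 "UpdateInstanceMetadata",
-"BigtableTableAdminClient",
+"BigtableInstanceAdminClient",
 )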

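--- a/google/cloud/bigtable_admin_v2/proto/instance.proto
+++ b/google/cloud/bigtable_admin_v2/proto/instance.proto
@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,7 +11,6 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
@@ -28,6 +27,10 @@ option java_outer_classname = "InstanceProto";
 option java_package = "com.google.bigtable.admin.v2";
 option php_namespace = "Google\\Cloud\\Bigtable\\Admin\\V2";
 option ruby_package = "Google::Cloud::Bigtable::Admin::V2";
+option (google.api.resource_definition) = {
+type: "cloudkms.googleapis.com/CryptoKey"
+pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
+};
 
 // A collection of Bigtable [Tables][google.bigtable.admin.v2.Table] and
 // the resources that serve them.
@@ -113,6 +116,22 @@ message Cluster {
 pattern: "projects/{project}/instances/{instance}/clusters/{cluster}"
 };
 
+// Cloud Key Management Service (Cloud KMS) settings for a CMEK-protected
+// cluster.
+message EncryptionConfig {
+// Describes the Cloud KMS encryption key that will be used to protect the
+// destination Bigtable cluster. The requirements for this key are:
+// 1) The Cloud Bigtable service account associated with the project that
+// contains this cluster must be granted the
+// `cloudkms.cryptoKeyEncrypterDecrypter` role on the CMEK key.
+// 2) Only regional keys can be used and the region of the CMEK key must
+// match the region of the cluster.
+// 3) All clusters within an instance must use the same CMEK key.
+string kms_key_name = 1 [(google.api.resource_reference) = {
+type: "cloudkms.googleapis.com/CryptoKey"
+}];
+}
+
 // Possible states of a cluster.
 enum State {
 // The state of the cluster could not be determined.
@@ -162,6 +181,10 @@ message Cluster {
 // The type of storage used by this cluster to serve its
 // parent instance's tables, unless explicitly overridden.
 StorageType default_storage_type = 5;
+
+// Immutable. The encryption configuration for CMEK-protected clusters.
+EncryptionConfig encryption_config = 6
+[(google.api.field_behavior) = IMMUTABLE];
 }
 
 // A configuration object describing how Cloud Bigtable should treat traffic
@@ -194,7 +217,7 @@ message AppProfile {
 
 // (`OutputOnly`)
 // The unique name of the app profile. Values are of the form
-// `projects/<project>/instances/<instance>/appProfiles/[_a-zA-Z0-9][-_.a-zA-Z0-9]*`.
+// `projects/{project}/instances/{instance}/appProfiles/[_a-zA-Z0-9][-_.a-zA-Z0-9]*`.
 string name = 1;
 
 // Strongly validated etag for optimistic concurrency control. Preserve the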
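Review bot: The comment on `kms_key_name` in the new `EncryptionConfig` message lists three requirements for the key but never states the expected value format, even though the file-level `resource_definition` added in this commit already gives the pattern. A fourth item such as `// 4) Values are of the form projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}` would let readers see what to pass without cross-referencing the option block. The phrase "destination Bigtable cluster" also reads as if carried over from another context; "this cluster" would match the rest of the comment. The `Cluster` message starts and ends outside the hunk.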

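--- a/google/cloud/bigtable_admin_v2/proto/table.proto
+++ b/google/cloud/bigtable_admin_v2/proto/table.proto
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
+import "google/rpc/status.proto";
 
 option csharp_namespace = "Google.Cloud.Bigtable.Admin.V2";
 option go_package = "google.golang.org/genproto/googleapis/bigtable/admin/v2;admin";
@@ -28,6 +29,10 @@ option java_outer_classname = "TableProto";
 option java_package = "com.google.bigtable.admin.v2";
 option php_namespace = "Google\\Cloud\\Bigtable\\Admin\\V2";
 option ruby_package = "Google::Cloud::Bigtable::Admin::V2";
+option (google.api.resource_definition) = {
+type: "cloudkms.googleapis.com/CryptoKeyVersion"
+pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
+};
 
 // Indicates the type of the restore source.
 enum RestoreSourceType {
@@ -92,6 +97,14 @@ message Table {
 
 // Output only. The state of replication for the table in this cluster.
 ReplicationState replication_state = 1;
+
+// Output only. The encryption information for the table in this cluster.
+// If the encryption key protecting this resource is customer managed, then
+// its version can be rotated in Cloud Key Management Service (Cloud KMS).
+// The primary version of the key and its status will be reflected here when
+// changes propagate from Cloud KMS.
+repeated EncryptionInfo encryption_info = 2
+[(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Possible timestamp granularities to use when keeping multiple versions
@@ -120,20 +133,23 @@ message Table {
 // state.
 REPLICATION_VIEW = 3;
 
+// Only populates 'name' and fields related to the table's encryption state.
+ENCRYPTION_VIEW = 5;
+
 // Populates all fields.
 FULL = 4;
 }
 
-// Output only. The unique name of the table. Values are of the form
-// `projects/<project>/instances/<instance>/tables/[_a-zA-Z0-9][-_.a-zA-Z0-9]*`.
+// The unique name of the table. Values are of the form
+// `projects/{project}/instances/{instance}/tables/[_a-zA-Z0-9][-_.a-zA-Z0-9]*`.
 // Views: `NAME_ONLY`, `SCHEMA_VIEW`, `REPLICATION_VIEW`, `FULL`
 string name = 1;
 
 // Output only. Map from cluster ID to per-cluster table state.
 // If it could not be determined whether or not the table has data in a
 // particular cluster (for example, if its zone is unavailable), then
 // there will be an entry for the cluster with UNKNOWN `replication_status`.
-// Views: `REPLICATION_VIEW`, `FULL`
+// Views: `REPLICATION_VIEW`, `ENCRYPTION_VIEW`, `FULL`
 map<string, ClusterState> cluster_states = 2;
 
 // (`CreationOnly`)
@@ -196,6 +212,51 @@ message GcRule {
 }
 }
 
+// Encryption information for a given resource.
+// If this resource is protected with customer managed encryption, the in-use
+// Cloud Key Management Service (Cloud KMS) key version is specified along with
+// its status.
+message EncryptionInfo {
+// Possible encryption types for a resource.
+enum EncryptionType {
+// Encryption type was not specified, though data at rest remains encrypted.
+ENCRYPTION_TYPE_UNSPECIFIED = 0;
+
+// The data backing this resource is encrypted at rest with a key that is
+// fully managed by Google. No key version or status will be populated.
+// This is the default state.
+GOOGLE_DEFAULT_ENCRYPTION = 1;
+
+// The data backing this resource is encrypted at rest with a key that is
+// managed by the customer.
+// The in-use version of the key and its status are populated for
+// CMEK-protected tables.
+// CMEK-protected backups are pinned to the key version that was in use at
+// the time the backup was taken. This key version is populated but its
+// status is not tracked and is reported as `UNKNOWN`.
+CUSTOMER_MANAGED_ENCRYPTION = 2;
+}
+
+// Output only. The type of encryption used to protect this resource.
+EncryptionType encryption_type = 3
+[(google.api.field_behavior) = OUTPUT_ONLY];
+
+// Output only. The status of encrypt/decrypt calls on underlying data for
+// this resource. Regardless of status, the existing data is always encrypted
+// at rest.
+google.rpc.Status encryption_status = 4
+[(google.api.field_behavior) = OUTPUT_ONLY];
+
+// Output only. The version of the Cloud KMS key specified in the parent
+// cluster that is in use for the data underlying this table.
+string kms_key_version = 2 [
+(google.api.field_behavior) = OUTPUT_ONLY,
+(google.api.resource_reference) = {
+type: "cloudkms.googleapis.com/CryptoKeyVersion"
+}
+];
+}
+
 // A snapshot of a table at a particular time. A snapshot can be used as a
 // checkpoint for data restoration or a data source for a new table.
 //
@@ -225,7 +286,7 @@ message Snapshot {
 
 // Output only. The unique name of the snapshot.
 // Values are of the form
-// `projects/<project>/instances/<instance>/clusters/<cluster>/snapshots/<snapshot>`.
+// `projects/{project}/instances/{instance}/clusters/{cluster}/snapshots/{snapshot}`.
 string name = 1;
 
 // Output only. The source table at the time the snapshot was taken.
@@ -318,6 +379,10 @@ message Backup {
 
 // Output only. The current state of the backup.
 State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+// Output only. The encryption information for the backup.
+EncryptionInfo encryption_info = 9
+[(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Information about a backup.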
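Review bot: The `Views:` line above `string name = 1;` in `Table` still lists only `NAME_ONLY`, `SCHEMA_VIEW`, `REPLICATION_VIEW` and `FULL`, although the new `ENCRYPTION_VIEW` is documented as populating 'name'; `ENCRYPTION_VIEW` should be added to that list, as was done for `cluster_states`. The same hunk drops "Output only." from the `name` comment without adding a `field_behavior` annotation, so the comment no longer says whether clients may set the field. In `EncryptionInfo`, the comment on `kms_key_version` speaks only of "this table", while the message is also used by `Backup.encryption_info`; "this resource" would cover both. The `Table` message starts and ends outside the hunk.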

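--- a/google/cloud/bigtable_admin_v2/services/bigtable_instance_admin/async_client.py
+++ b/google/cloud/bigtable_admin_v2/services/bigtable_instance_admin/async_client.py
@@ -62,6 +62,10 @@ class BigtableInstanceAdminAsyncClient:
 )
 cluster_path = staticmethod(BigtableInstanceAdminClient.cluster_path)
 parse_cluster_path = staticmethod(BigtableInstanceAdminClient.parse_cluster_path)
+crypto_key_path = staticmethod(BigtableInstanceAdminClient.crypto_key_path)
+parse_crypto_key_path = staticmethod(
+BigtableInstanceAdminClient.parse_crypto_key_path
+)
 instance_path = staticmethod(BigtableInstanceAdminClient.instance_path)
 parse_instance_path = staticmethod(BigtableInstanceAdminClient.parse_instance_path)
 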

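--- a/google/cloud/bigtable_admin_v2/services/bigtable_instance_admin/client.py
+++ b/google/cloud/bigtable_admin_v2/services/bigtable_instance_admin/client.py
@@ -201,6 +201,27 @@ def parse_cluster_path(path: str) -> Dict[str, str]:
 )
 return m.groupdict() if m else {}
 
+@staticmethod
+def crypto_key_path(
+project: str, location: str, key_ring: str, crypto_key: str,
+) -> str:
+"""Return a fully-qualified crypto_key string."""
+return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}".format(
+project=project,
+location=location,
+key_ring=key_ring,
+crypto_key=crypto_key,
+)
+
+@staticmethod
+def parse_crypto_key_path(path: str) -> Dict[str, str]:
+"""Parse a crypto_key path into its component segments."""
+m = re.match(
+r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)$",
+path,
+)
+return m.groupdict() if m else {}
+
 @staticmethod
 def instance_path(project: str, instance: str,) -> str:
 """Return a fully-qualified instance string."""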
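Review bot: `parse_crypto_key_path` should not be relied on as validation of a Cloud KMS key name: every group is `.+?`, which also matches `/`, and `re.match` with a trailing `$` accepts a final newline, so a constructed input like `projects/a/b/locations/l/keyRings/r/cryptoKeys/k` parses with `project` set to `a/b`. If callers use the result to decide which key a cluster is bound to, switch to `re.fullmatch` and write each segment as `[^/]+`, for example `(?P<project>[^/]+)`. `crypto_key_path` likewise formats its arguments without rejecting `/`, so a component containing a slash yields a name that refers to a different resource than the arguments suggest. The same applies to `crypto_key_version_path` and `parse_crypto_key_version_path` in bigtable_table_admin/client.py. The enclosing class starts and ends outside the hunk.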

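--- a/google/cloud/bigtable_admin_v2/services/bigtable_table_admin/async_client.py
+++ b/google/cloud/bigtable_admin_v2/services/bigtable_table_admin/async_client.py
@@ -61,6 +61,12 @@ class BigtableTableAdminAsyncClient:
 parse_backup_path = staticmethod(BigtableTableAdminClient.parse_backup_path)
 cluster_path = staticmethod(BigtableTableAdminClient.cluster_path)
 parse_cluster_path = staticmethod(BigtableTableAdminClient.parse_cluster_path)
+crypto_key_version_path = staticmethod(
+BigtableTableAdminClient.crypto_key_version_path
+)
+parse_crypto_key_version_path = staticmethod(
+BigtableTableAdminClient.parse_crypto_key_version_path
+)
 instance_path = staticmethod(BigtableTableAdminClient.instance_path)
 parse_instance_path = staticmethod(BigtableTableAdminClient.parse_instance_path)
 snapshot_path = staticmethod(BigtableTableAdminClient.snapshot_path)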

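--- a/google/cloud/bigtable_admin_v2/services/bigtable_table_admin/client.py
+++ b/google/cloud/bigtable_admin_v2/services/bigtable_table_admin/client.py
@@ -202,6 +202,32 @@ def parse_cluster_path(path: str) -> Dict[str, str]:
 )
 return m.groupdict() if m else {}
 
+@staticmethod
+def crypto_key_version_path(
+project: str,
+location: str,
+key_ring: str,
+crypto_key: str,
+crypto_key_version: str,
+) -> str:
+"""Return a fully-qualified crypto_key_version string."""
+return "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}".format(
+project=project,
+location=location,
+key_ring=key_ring,
+crypto_key=crypto_key,
+crypto_key_version=crypto_key_version,
+)
+
+@staticmethod
+def parse_crypto_key_version_path(path: str) -> Dict[str, str]:
+"""Parse a crypto_key_version path into its component segments."""
+m = re.match(
+r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)/keyRings/(?P<key_ring>.+?)/cryptoKeys/(?P<crypto_key>.+?)/cryptoKeyVersions/(?P<crypto_key_version>.+?)$",
+path,
+)
+return m.groupdict() if m else {}
+
 @staticmethod
 def instance_path(project: str, instance: str,) -> str:
 """Return a fully-qualified instance string."""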

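--- a/google/cloud/bigtable_admin_v2/types/__init__.py
+++ b/google/cloud/bigtable_admin_v2/types/__init__.py
@@ -53,6 +53,7 @@
 Table,
 ColumnFamily,
 GcRule,
+EncryptionInfo,
 Snapshot,
 Backup,
 BackupInfo,
@@ -122,6 +123,7 @@
 "Table",
 "ColumnFamily",
 "GcRule",
+"EncryptionInfo",
 "Snapshot",
 "Backup",
 "BackupInfo",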
