Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

br: update azure sdk and introduce 2 features of azure blob storage #14131

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
+35 −3
Open

br: update azure sdk and introduce 2 features of azure blob storage #14131

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
68efa97
draft
Leavrth Jun 1, 2023
17952be
fix typos
Leavrth Jun 5, 2023
c629678
fix typos
Leavrth Jun 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 13 additions & 3 deletions br/backup-and-restore-storages.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,9 @@ BACKUP DATABASE * TO 's3://bucket-name/prefix' SEND_CREDENTIALS_TO_TIKV = FALSE;

- `account-name`:存储账户名
- `account-key`:访问密钥
- `access-tier`:上传对象的存储类别,例如 `Hot`、`Cool`、`Archive`,默认为 `Hot`
- `sas-token`:共享访问签名
- `access-tier`:上传对象的存储类别,例如 `Hot`、`Cool`、`Archive`,默认值为该存储账户的默认访问层。
- `encryption-scope`:服务端加密

</div>
</SimpleTab>
Expand Down Expand Up @@ -185,11 +187,15 @@ BACKUP DATABASE * TO 's3://bucket-name/prefix' SEND_CREDENTIALS_TO_TIKV = FALSE;
</div>
<div label="Azure Blob Storage" value="azure">

- 方式一:指定访问密钥
- 方式一:指定共享访问签名

在 URI 配置 `account-name` 和 `sas-token`,则使用该参数指定的共享访问签名。由于共享访问签名中带有 `&` 的字符,需要在编码为 `%26` 后,再添加到 URI 中。你也可以直接对整个 sas-token 进行一次编码。

- 方式二:指定访问密钥

在 URI 配置 `account-name` 和 `account-key`,则使用该参数指定的密钥。除了在 URI 中指定密钥文件外,还支持 br 命令行工具读取 `$AZURE_STORAGE_KEY` 的方式。

- 方式二:使用 Azure AD 备份恢复
- 方式三:使用 Azure AD 备份恢复

在 br 命令行工具运行环境配置环境变量 `$AZURE_CLIENT_ID`、`$AZURE_TENANT_ID` 和 `$AZURE_CLIENT_SECRET`。

Expand Down Expand Up @@ -245,6 +251,10 @@ BACKUP DATABASE * TO 's3://bucket-name/prefix' SEND_CREDENTIALS_TO_TIKV = FALSE;

TiDB 备份恢复功能支持对备份到 Amazon S3 的数据进行 S3 服务端加密 (SSE)。S3 服务端加密也支持使用用户自行创建的 AWS KMS 密钥,详细信息请参考 [BR S3 服务端加密](/encryption-at-rest.md#br-s3-服务端加密)。

### Azure Blob Storage 存储服务端加密备份数据

TiDB 备份恢复功能支持对备份到 Azure Blob Storage 的数据设置 Azure 服务端加密范围 (Encryption Scope),为同一存储账户不同备份数据间创建安全边界,详细信息请参考 [BR Azure Blob Storage 服务端加密范围](/encryption-at-rest.md#br-azure-blob-storage-服务端加密范围)。

## 存储服务其他功能支持

TiDB 备份恢复功能从 v6.3.0 支持 AWS S3 Object Lock 功能。你可以在 AWS 中开启 [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) 功能来防止备份数据写入后被修改或者删除。
22 changes: 22 additions & 0 deletions encryption-at-rest.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,3 +308,25 @@ TiFlash 在 v4.0.9 同样对加密元数据操作进行了优化,其兼容性
```
./br restore full --pd <pd-address> --storage "s3://<bucket>/<prefix>"
```

## BR Azure Blob Storage 服务端加密范围

使用 BR 备份数据到 Azure Blob Storage 时,若要为备份数据指定加密范围,需要传递 `--azblob.encryption-scope` 参数(或添加到 URI 中)并将参数值设置为指定的加密范围名。参见 Azure 文档中的 [上传具有加密范围的 blob](https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-scope-manage?tabs=powershell#upload-a-blob-with-an-encryption-scope)。示例如下:

传递 `--azblob.encryption-scope` 参数

```
./br backup full --pd <pd-address> --storage "azure://<bucket>/<prefix>" --azblob.encryption-scope scope1
```

或添加到 URI 中

```
./br backup full --pd <pd-address> --storage "azure://<bucket>/<prefix>?encryption-scope=scope1"
```

恢复备份时,不需要指定 `--azblob.encryption-scope` 参数。 Azure Blob Storage 将自动相应进行解密。示例如下:

```
./br backup full --pd <pd-address> --storage "azure://<bucket>/<prefix>"
```