v8.5.7: update BR gcp_v2 storage (#23122) #23133
[APPROVALNOTIFIER] This PR is NOT APPROVED
Code Review
This pull request updates the documentation for Google Cloud Storage (GCS) and Google Cloud KMS to cover the new gcp_v2 external storage backend introduced in TiKV v8.5.7. It details how to configure gcp_v2 for backups, restores, and encryption at rest, including support for Workload Identity Federation (WIF) and Application Default Credentials (ADC). The review feedback focuses on improving readability and adherence to the style guide by suggesting the use of active voice, addressing the reader directly in the second person ("you"), and eliminating unnecessary words.
|
|
||
| > **Note:** | ||
| > | ||
| > The GCS JSON credentials explicitly passed to `gcp_v2` support only the `service_account` and `external_account` types. If you are using the `authorized_user` JSON generated by ADC and need TiKV to access GCS directly, it is recommended to set `--send-credentials-to-tikv=false` and configure ADC on each TiKV node. Otherwise, BR might send the `authorized_user` JSON to TiKV as an explicit credential, but `gcp_v2` does not accept this type of explicit JSON. |
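Review bot: "BR might send" in the last sentence of this note does not say under which condition the `authorized_user` JSON reaches TiKV, or what the user sees when `gcp_v2` rejects it. Suggest naming the condition in terms of `--send-credentials-to-tikv` and describing the resulting failure, so that a reader who hits it can recognise the cause and knows that setting the flag to `false` also keeps that user credential off the TiKV nodes.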
Avoid passive voice and impersonal phrasing. Address the user directly in the second person ("you") to make the instructions clearer and more actionable.
| > The GCS JSON credentials explicitly passed to `gcp_v2` support only the `service_account` and `external_account` types. If you are using the `authorized_user` JSON generated by ADC and need TiKV to access GCS directly, it is recommended to set `--send-credentials-to-tikv=false` and configure ADC on each TiKV node. Otherwise, BR might send the `authorized_user` JSON to TiKV as an explicit credential, but `gcp_v2` does not accept this type of explicit JSON. | |
| > The GCS JSON credentials that you explicitly pass to `gcp_v2` support only the `service_account` and `external_account` types. If you are using the `authorized_user` JSON generated by ADC and need TiKV to access GCS directly, you should set `--send-credentials-to-tikv=false` and configure ADC on each TiKV node. Otherwise, BR might send the `authorized_user` JSON to TiKV as an explicit credential, but `gcp_v2` does not accept this type of explicit JSON. |
References
- Write in second person ('you') when addressing users and avoid passive voice. (link)
|
|
||
| > **Tip:** | ||
| > | ||
| > After `gcp_v2` is enabled, if GCS JSON credentials are not explicitly provided on the TiKV side, TiKV uses the Google Default Credentials flow. Therefore, when using ADC and setting `--send-credentials-to-tikv=false`, make sure that each TiKV node itself has a usable Google credentials environment. |
Avoid passive voice by rewriting the sentence to use active voice and addressing the user directly.
| > After `gcp_v2` is enabled, if GCS JSON credentials are not explicitly provided on the TiKV side, TiKV uses the Google Default Credentials flow. Therefore, when using ADC and setting `--send-credentials-to-tikv=false`, make sure that each TiKV node itself has a usable Google credentials environment. | |
| > After you enable `gcp_v2`, if you do not explicitly provide GCS JSON credentials on the TiKV side, TiKV uses the Google Default Credentials flow. Therefore, when using ADC and setting `--send-credentials-to-tikv=false`, make sure that each TiKV node itself has a usable Google credentials environment. |
References
- Avoid passive voice and write in second person ('you') when addressing users. (link)
|
|
||
| - `key-id` specifies the key ID of the KMS CMK. | ||
| - `credential-file-path` specifies the path of the authentication credentials file, which currently supports two types of credentials: Service Account and Authentication User. If the TiKV environment is already configured with [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials), there is no need to configure `credential-file-path`. | ||
| - When `vendor = "gcp"`, `credential-file-path` specifies the path of the verification credentials file, which currently supports two types of credentials: Service Account and Authentication User. If the TiKV operating environment is already configured with [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials), there is no need to configure `credential-file-path`. |
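Review bot: The rewritten `credential-file-path` bullet changes "authentication credentials file" to "verification credentials file" and keeps "Authentication User" as a credential type, while the `gcp_v2` text in this PR calls the same thing `authorized_user`. Suggest keeping "authentication credentials file" and naming the supported types by their JSON `type` values (`service_account`, `authorized_user`), so that the `gcp` and `gcp_v2` bullets can be compared directly.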
Avoid passive voice and impersonal phrasing. Use active voice and address the user directly in the second person ("you").
| - When `vendor = "gcp"`, `credential-file-path` specifies the path of the verification credentials file, which currently supports two types of credentials: Service Account and Authentication User. If the TiKV operating environment is already configured with [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials), there is no need to configure `credential-file-path`. | |
| - When `vendor = "gcp"`, `credential-file-path` specifies the path of the verification credentials file, which currently supports two types of credentials: Service Account and Authentication User. If the TiKV operating environment already has [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials), you do not need to configure `credential-file-path`. |
References
- Avoid passive voice and write in second person ('you') when addressing users. (link)
| ``` | ||
|
|
||
| - When `vendor = "gcp_v2"`, explicit credentials support only Service Account and `external_account`. | ||
| - If you are using an `authorized_user` JSON generated by ADC, you cannot directly configure that JSON as `credential-file-path`. In this case, omit `credential-file-path` and let TiKV obtain authentication information through [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials) in the operating environment. |
Improve clarity and conciseness by using active voice and refining the phrasing.
| - If you are using an `authorized_user` JSON generated by ADC, you cannot directly configure that JSON as `credential-file-path`. In this case, omit `credential-file-path` and let TiKV obtain authentication information through [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials) in the operating environment. | |
| - If you are using an `authorized_user` JSON file generated by ADC, you cannot directly configure that JSON file as `credential-file-path`. In this case, omit `credential-file-path` to let TiKV obtain the authentication information using [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials) in the operating environment. |
References
- Avoid unnecessary words and prefer active voice. (link)
|
|
||
| - When `vendor = "gcp_v2"`, explicit credentials support only Service Account and `external_account`. | ||
| - If you are using an `authorized_user` JSON generated by ADC, you cannot directly configure that JSON as `credential-file-path`. In this case, omit `credential-file-path` and let TiKV obtain authentication information through [application default credentials](https://cloud.google.com/docs/authentication/application-default-credentials) in the operating environment. | ||
| - The old `vendor = "gcp"` does not support using `external_account` as explicit credentials, so WIF cannot be used in this way. |
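Review bot: "in this way" in the last bullet has no clear referent, and the bullet stops at what the old backend cannot do. Suggest ending it with the action the reader should take, for example that using WIF with an explicit `external_account` credential file requires `vendor = "gcp_v2"`. The first bullet also mixes the prose name "Service Account" with the literal `external_account`; use `service_account` to match the note elsewhere in this PR.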
Avoid passive voice ("cannot be used") by using active voice with the second person ("you").
| - The old `vendor = "gcp"` does not support using `external_account` as explicit credentials, so WIF cannot be used in this way. | |
| - The old `vendor = "gcp"` does not support using `external_account` as explicit credentials, so you cannot use WIF in this way. |
References
- Avoid passive voice and write in second person ('you') when addressing users. (link)
|
|
||
| ### `gcp-v2-enable` <span class="version-mark">New in v8.5.7</span> | ||
|
|
||
| + Whether to enable the `gcp_v2` external storage backend when using Google Cloud Storage (GCS) to execute full backup or restore. |
Address the user directly in the second person ("you") to make the description more active and natural.
| + Whether to enable the `gcp_v2` external storage backend when using Google Cloud Storage (GCS) to execute full backup or restore. | |
| + Whether to enable the `gcp_v2` external storage backend when you use Google Cloud Storage (GCS) to perform a full backup or restore. |
References
- Write in second person ('you') when addressing users. (link)
|
|
||
| + Whether to enable the `gcp_v2` external storage backend when using Google Cloud Storage (GCS) to execute full backup or restore. | ||
| + Default value: `true` | ||
| + When this configuration item is `true`, TiKV uses the `gcp_v2` implementation to access GCS; when this configuration item is `false`, TiKV continues to use the old GCS implementation. |
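Review bot: With "Default value: `true`", the new backend is active without any action by the user, but this description says nothing about the credential-type restriction that the same PR documents for `gcp_v2` (only `service_account` and `external_account` as explicit JSON). Suggest adding a sentence or a link to that note here, and stating that setting the item to `false` is the way to keep the old behaviour.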
Simplify the sentence to make it more concise and easier to read.
| + When this configuration item is `true`, TiKV uses the `gcp_v2` implementation to access GCS; when this configuration item is `false`, TiKV continues to use the old GCS implementation. | |
| + If this configuration item is `true`, TiKV uses the `gcp_v2` implementation to access GCS; when it is `false`, TiKV continues to use the old GCS implementation. |
References
- Avoid unnecessary words and repetition. (link)
|
|
||
| ### `gcp-v2-enable` <span class="version-mark">New in v8.5.7</span> | ||
|
|
||
| + Whether to enable the `gcp_v2` external storage backend when using Google Cloud Storage (GCS) for log backup. |
Address the user directly in the second person ("you") to make the description more active and natural.
| + Whether to enable the `gcp_v2` external storage backend when using Google Cloud Storage (GCS) for log backup. | |
| + Whether to enable the `gcp_v2` external storage backend when you use Google Cloud Storage (GCS) for log backup. |
References
- Write in second person ('you') when addressing users. (link)
|
|
||
| + Whether to enable the `gcp_v2` external storage backend when using Google Cloud Storage (GCS) for log backup. | ||
| + Default value: `true` | ||
| + When this configuration item is `true`, TiKV uses the `gcp_v2` implementation to access GCS; when this configuration item is `false`, TiKV continues to use the old GCS implementation. |
Simplify the sentence to make it more concise and easier to read.
| + When this configuration item is `true`, TiKV uses the `gcp_v2` implementation to access GCS; when this configuration item is `false`, TiKV continues to use the old GCS implementation. | |
| + If this configuration item is `true`, TiKV uses the `gcp_v2` implementation to access GCS; when it is `false`, TiKV continues to use the old GCS implementation. |
References
- Avoid unnecessary words and repetition. (link)
This is an automated cherry-pick of #23122
First-time contributors' checklist
What is changed, added or deleted? (Required)
Which TiDB version(s) do your changes apply to? (Required)
Tips for choosing the affected version(s):
By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.
For details, see tips for choosing the affected versions (in Chinese).
What is the related PR or file link(s)?
Do your changes match any of the following descriptions?