MDEV-14398 innodb_encryption_rotate_key_age=0 causes innodb_encrypt_tables to be ignored
The statement
SET GLOBAL innodb_encryption_rotate_key_age=0;
would have the unwanted side effect that ENCRYPTION=DEFAULT tablespaces
would no longer be encrypted or decrypted according to the setting of
innodb_encrypt_tables.
We implement a trigger, so that whenever one of the following is executed:
SET GLOBAL innodb_encrypt_tables=OFF;
SET GLOBAL innodb_encrypt_tables=ON;
SET GLOBAL innodb_encrypt_tables=FORCE;
all wrong-state ENCRYPTION=DEFAULT tablespaces will be added to
fil_system_t::rotation_list, so that the encryption will be added
or removed.
Note: This will *NOT* happen automatically after a server restart.
Before reading the first page of a data file, InnoDB cannot know
the encryption status of the data file. The statement
SET GLOBAL innodb_encrypt_tables will have the side effect that
all not-yet-read InnoDB data files will be accessed in order to
determine the encryption status.
innodb_encrypt_tables_validate(): Stop disallowing
SET GLOBAL innodb_encrypt_tables when innodb_encryption_rotate_key_age=0.
This reverts part of commit 50eb40a2a8
that addressed MDEV-11738 and MDEV-11581.
fil_system_t::read_page0(): Trigger a call to fil_node_t::read_page0().
Refactored from fil_space_get_space().
fil_crypt_rotation_list_fill(): If innodb_encryption_rotate_key_age=0,
initialize fil_system->rotation_list. This is invoked both on
SET GLOBAL innodb_encrypt_tables and
on SET GLOBAL innodb_encryption_rotate_key_age=0.
fil_space_set_crypt_data(): Remove.
fil_parse_write_crypt_data(): Simplify the logic.
This is joint work with Marko Mäkelä.
committed by
Marko Mäkelä
parent
2370eeb028
commit
ada1074bb1
@ -37,10 +37,6 @@ NAME ENCRYPTION_SCHEME CURRENT_KEY_ID
|
||||
enctests/t7 0 1
|
||||
enctests/t8 0 1
|
||||
enctests/t9 0 1
|
||||
SET GLOBAL innodb_encrypt_tables=OFF;
|
||||
ERROR 42000: Variable 'innodb_encrypt_tables' can't be set to the value of 'OFF'
|
||||
SET GLOBAL innodb_encrypt_tables=ON;
|
||||
ERROR 42000: Variable 'innodb_encrypt_tables' can't be set to the value of 'ON'
|
||||
# t1 default on expecting NOT FOUND
|
||||
NOT FOUND /secred/ in t1.ibd
|
||||
# t2 default on expecting NOT FOUND
|
||||
|
@ -0,0 +1,75 @@
|
||||
CREATE TABLE t1 (f1 INT, f2 VARCHAR(256))engine=innodb;
|
||||
INSERT INTO t1 VALUES(1, 'MariaDB'), (2, 'Robot'), (3, 'Science');
|
||||
INSERT INTO t1 SELECT * FROM t1;
|
||||
CREATE TABLE t2(f1 INT, f2 VARCHAR(256))engine=innodb;
|
||||
INSERT INTO t2 SELECT * FROM t1;
|
||||
CREATE TABLE t3(f1 INT, f2 VARCHAR(256))engine=innodb encrypted=yes;
|
||||
INSERT INTO t3 SELECT * FROM t1;
|
||||
# Restart the server with encryption
|
||||
# Wait until encryption threads have encrypted all tablespaces
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
|
||||
NAME
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
|
||||
NAME
|
||||
innodb_system
|
||||
mysql/innodb_index_stats
|
||||
mysql/innodb_table_stats
|
||||
test/t1
|
||||
test/t2
|
||||
test/t3
|
||||
# Restart the server with innodb_encryption_rotate_key_age= 0
|
||||
create table t4 (f1 int not null)engine=innodb encrypted=NO;
|
||||
# Wait until encryption threads have encrypted all tablespaces
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
|
||||
NAME
|
||||
test/t4
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
|
||||
NAME
|
||||
innodb_system
|
||||
mysql/innodb_index_stats
|
||||
mysql/innodb_table_stats
|
||||
test/t1
|
||||
test/t2
|
||||
test/t3
|
||||
# Disable encryption when innodb_encryption_rotate_key_age is 0
|
||||
set global innodb_encrypt_tables = OFF;
|
||||
# Wait until encryption threads to decrypt all unencrypted tablespaces
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
|
||||
NAME
|
||||
innodb_system
|
||||
mysql/innodb_index_stats
|
||||
mysql/innodb_table_stats
|
||||
test/t1
|
||||
test/t2
|
||||
test/t4
|
||||
# Display only encrypted create tables (t3)
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
|
||||
NAME
|
||||
test/t3
|
||||
# Enable encryption when innodb_encryption_rotate_key_age is 0
|
||||
set global innodb_encrypt_tables = ON;
|
||||
# Wait until encryption threads to encrypt all unencrypted tablespaces
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
|
||||
NAME
|
||||
test/t4
|
||||
# Display only unencrypted create tables (t4)
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
|
||||
NAME
|
||||
innodb_system
|
||||
mysql/innodb_index_stats
|
||||
mysql/innodb_table_stats
|
||||
test/t1
|
||||
test/t2
|
||||
test/t3
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
|
||||
NAME
|
||||
test/t4
|
||||
SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
|
||||
NAME
|
||||
innodb_system
|
||||
mysql/innodb_index_stats
|
||||
mysql/innodb_table_stats
|
||||
test/t1
|
||||
test/t2
|
||||
test/t3
|
||||
DROP TABLE t4, t3, t2, t1;
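Review bot: This recorded output covers only `set global innodb_encrypt_tables = OFF` and `= ON` under `innodb_encryption_rotate_key_age=0`; the commit message names `FORCE` as a third value that fills the rotation list, and nothing here exercises it. Encryption state is also asserted only through `MIN_KEY_VERSION` in `INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION`, so a tablespace whose metadata changes while its pages stay in plaintext would still pass. A plaintext search of `t1.ibd`/`t2.ibd` for an inserted value such as `MariaDB`, in the style of the `NOT FOUND /secred/ in t1.ibd` check in the other result file on this page, would verify the on-disk state after each switch. The last pair of SELECTs has no preceding `#` line, so the record does not say which step they verify (presumably a restart, which the commit message says does not re-trigger the rotation); an echo line such as `# Restart the server and check that the encryption state is unchanged` would document it, if that is what the `.test` file (not shown here) does.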
|