PS-3829 : Innodb key rotation. ALPHA
This PR implements Encryption threads for encryption/re-encryption/decryption of innodb tablespaces. It is based on the MariaDB implementation ported from Google's patch. With this WL a user can: 1) Change default KEYRING encryption key 2) Create a new table with KEYRING 3) Encrypt offline already existing tables with KEYRING (with alter) 4) Encrypt/re-encrypt online already existing tables with KEYRING (with innodb_online_encryption, innodb_online_encryption_rotate_key_age variables and innodb_online_encryption_threads) – including tables already encrypted with Master Key encryption. 5) Re-encrypt online already encrypted tables with newer version of encryption key (with the variables innodb_online_encryption, innodb_online_encryption_threads, innodb_online_encryption_rotate_key_age). This WL also fixed the following bugs reported to MariaDB: (MDEV-17231) Encryption threads keep re-encrypting/encrypting corrupted pages (MDEV-17235) Data dictionary is not updated with encryption flags (MDEV-17234) In memory crypt_data is updated before page0 is updated (MDEV-17233) Page 0 is updated more than once when encryption completes (MDEV-17230) encryption_key_id from alter is ignored by encryption threads (MDEV-17229) Encryption threads ignore innodb_default_encryption_key_id
Robert Golebiowski
committed
Oct 30, 2018
1 parent
86bdf96
commit c7f44ee
Showing
316 changed files
with
37,635 additions
and
1,154 deletions.
@@ -0,0 +1,25 @@ | ||
#ifndef create_info_encryption_key_h | ||
#define create_info_encryption_key_h | ||
|
||
//#ifndef UNIV_INNOCHECKSUM | ||
|
||
struct CreateInfoEncryptionKeyId | ||
{ | ||
CreateInfoEncryptionKeyId(bool was_encryption_key_id_set, | ||
uint encryption_key_id) | ||
: was_encryption_key_id_set(was_encryption_key_id_set) | ||
, encryption_key_id(encryption_key_id) | ||
{} | ||
|
||
CreateInfoEncryptionKeyId() | ||
: was_encryption_key_id_set(false) | ||
, encryption_key_id(FIL_DEFAULT_ENCRYPTION_KEY) | ||
{} | ||
|
||
bool was_encryption_key_id_set; | ||
uint encryption_key_id; | ||
}; | ||
|
||
//#endif // UNIV_INNOCHECKSUM | ||
|
||
#endif |
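Review bot: `CreateInfoEncryptionKeyId` uses `uint` and `FIL_DEFAULT_ENCRYPTION_KEY` without including anything, so as far as this section shows the header only compiles when the right headers were pulled in before it; including the header that defines the constant here would make it self-contained. The commented-out `//#ifndef UNIV_INNOCHECKSUM` and `//#endif // UNIV_INNOCHECKSUM` pair should be either removed or restored, since a reader cannot tell whether the struct is meant to be visible to innochecksum builds. The struct also has no comment; one line such as `/* Key id requested in the statement; was_encryption_key_id_set is false when none was given and the default id is used. */` would record the contract, if that is indeed the intent of the flag.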
@@ -0,0 +1,50 @@ | ||
# InnoDB transparent tablespace data encryption | ||
# This test case will test basic encryption support features. | ||
|
||
--source include/no_valgrind_without_big.inc | ||
--source include/have_innodb.inc | ||
--source include/not_embedded.inc | ||
--source include/have_innodb_max_16k.inc | ||
--source include/have_debug.inc | ||
|
||
# Create a table with encryption, should fail since keyring is not | ||
# loaded | ||
call mtr.add_suppression("\\[Error\\] InnoDB: Encryption can't find master key, please check the keyring plugin is loaded."); | ||
call mtr.add_suppression("\\[ERROR\\] InnoDB: Failed to find tablespace for table `\.\.*`\.`\.\.*` in the cache."); | ||
call mtr.add_suppression("\\[ERROR\\] InnoDB: Operating system error number 2 in a file operation."); | ||
call mtr.add_suppression("\\[ERROR\\] InnoDB: The error means the system cannot find the path specified."); | ||
call mtr.add_suppression("\\[ERROR\\] InnoDB: Could not find a valid tablespace file for"); | ||
call mtr.add_suppression("ibd can't be decrypted , please confirm the keyfile is match and keyring plugin is loaded."); | ||
call mtr.add_suppression("\\[Warning\\] InnoDB: Ignoring tablespace .* because it could not be opened"); | ||
call mtr.add_suppression("\\[ERROR\\] InnoDB: If you are installing InnoDB, remember that you must create directories yourself, InnoDB does not create them."); | ||
|
||
--let $restart_parameters="$KEYRING_RESTART_PARAM" | ||
--let $restart_hide_args= 1 | ||
--source include/restart_mysqld.inc | ||
|
||
--disable_warnings | ||
DROP TABLE IF EXISTS t1; | ||
--enable_warnings | ||
|
||
let $innodb_file_per_table = `SELECT @@innodb_file_per_table`; | ||
SET GLOBAL innodb_file_per_table=ON; | ||
|
||
eval CREATE TABLE t1 (id int unsigned NOT NULL auto_increment PRIMARY KEY, val varchar(20) NOT NULL) ENCRYPTION="$encryption_type" ENGINE=InnoDB; | ||
|
||
INSERT INTO t1 (val) VALUES ('Sydney'), ('Melbourne'), ('Brisbane'), ('Perth'), ('Adelaide'); | ||
|
||
#ALTER TABLE t1 ENCRYPTION = "KEYRING"; | ||
#ALTER TABLE t1 ENCRYPTION = 'Y'; | ||
|
||
#ALTER TABLE t1 ADD COLUMN is_capital char(1) NOT NULL DEFAULT 'N' AFTER val; | ||
#SHOW CREATE TABLE t1; | ||
|
||
LET $MYSQLD_DATADIR = `select @@datadir`; | ||
let SEARCH_FILE = $MYSQLD_DATADIR/test/t1.ibd; | ||
let SEARCH_PATTERN=Sydney; | ||
# The string should not be found, since it's encrypted. | ||
--source include/search_pattern.inc | ||
|
||
# Cleanup | ||
eval SET GLOBAL innodb_file_per_table=$innodb_file_per_table; | ||
DROP TABLE t1; |
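Review bot: The plaintext check at the end (`let SEARCH_PATTERN=Sydney;` against `t1.ibd`) runs directly after the `INSERT` with no visible step that forces the pages to disk, so "not found" may only mean the rows are still in the buffer pool rather than that they were written encrypted. Unless `search_pattern.inc` or the including test already handles this, wrap the search in `FLUSH TABLES t1 FOR EXPORT;` and `UNLOCK TABLES;` (or shut the server down first) so the file is known to contain the rows before it is scanned. The comment "should fail since keyring is not loaded" contradicts the restart with `$KEYRING_RESTART_PARAM` and the later expectation that the data is encrypted, and the commented-out `ALTER TABLE` and `SHOW CREATE TABLE` lines should be dropped or enabled. `$encryption_type` is not set in this section, so it presumably comes from the including test; a one-line comment saying which values are expected would help.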
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,22 @@ | ||
SET default_storage_engine = InnoDB; | ||
CREATE TABLE t1 (pk INT PRIMARY KEY, c VARCHAR(256)); | ||
CREATE TABLE t2 AS SELECT * FROM t1; | ||
drop table t1,t2; | ||
SET GLOBAL innodb_encryption_threads = 0; | ||
SET GLOBAL innodb_encryption_threads = 4; | ||
CREATE TABLE `table10_int_autoinc` (`col_int_key` int, pk int auto_increment, `col_int` int, key (`col_int_key` ),primary key (pk)) engine=innodb; | ||
INSERT /*! IGNORE */ INTO table10_int_autoinc VALUES (NULL, NULL, -474021888) , (1, NULL, NULL) , (1141047296, NULL, NULL) , (NULL, NULL, NULL) , (NULL, NULL, 1) , (NULL, NULL, 9) , (0, NULL, 1225785344) , (NULL, NULL, 1574174720) , (2, NULL, NULL) , (6, NULL, 3); | ||
CREATE TABLE `table1_int_autoinc` (`col_int_key` int, pk int auto_increment, `col_int` int,key (`col_int_key` ), primary key (pk)) engine=innodb; | ||
CREATE TABLE `table0_int_autoinc` (`col_int_key` int, pk int auto_increment, `col_int` int, key (`col_int_key` ),primary key (pk)) engine=innodb; | ||
INSERT /*! IGNORE */ INTO table1_int_autoinc VALUES (4, NULL, NULL); | ||
INSERT IGNORE INTO `table0_int_autoinc` ( `col_int_key` ) VALUES ( 1 ), ( 3 ), ( 4 ), ( 1 ); | ||
INSERT IGNORE INTO `table1_int_autoinc` ( `col_int` ) VALUES ( 1 ), ( 0 ), ( 7 ), ( 9 ); | ||
INSERT IGNORE INTO `table10_int_autoinc` ( `col_int` ) VALUES ( 6 ), ( 2 ), ( 3 ), ( 6 ); | ||
drop table if exists create_or_replace_t, table1_int_autoinc, table0_int_autoinc, table10_int_autoinc; | ||
SET GLOBAL innodb_encrypt_tables = ONLINE_FROM_KEYRING_TO_UNENCRYPTED; | ||
SET GLOBAL innodb_encryption_threads = 4; | ||
# Wait max 10 min for key encryption threads to decrypt all spaces | ||
# Success! | ||
SET GLOBAL innodb_encryption_threads = 0; | ||
SET GLOBAL innodb_encrypt_tables = ONLINE_FROM_KEYRING_TO_UNENCRYPTED; | ||
# restart |