MDEV-15566: System tablespace does not easily key rotate to unencrypted
MDEV-15566: System tablespace does not easily key rotate to unencrypted
Problem was that key rotation from encrypted to unencrypted was skipped when encryption is disabled (i.e. set global innodb-encrypt-tables=OFF). fil_crypt_needs_rotation: If encryption is disabled (i.e. innodb-encrypt-tables=off) and there are tablespaces using default encryption (e.g. the system tablespace) that are still in an encrypted state, we need to rotate them from encrypted state to unencrypted state.
pull/694/head
4 changed files with 156 additions and 36 deletions
-
41mysql-test/suite/encryption/r/innodb-remove-encryption.result
-
59mysql-test/suite/encryption/t/innodb-remove-encryption.test
-
46storage/innobase/fil/fil0crypt.cc
-
46storage/xtradb/fil/fil0crypt.cc
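--- a/mysql-test/suite/encryption/r/innodb-remove-encryption.result
+++ b/mysql-test/suite/encryption/r/innodb-remove-encryption.result
@@ -0,0 +1,41 @@
+set global innodb_file_per_table=OFF;
+call mtr.add_suppression("mysqld: file-key-management-filename is not set");
+call mtr.add_suppression("Plugin 'file_key_management' init function returned error.");
+call mtr.add_suppression("Plugin 'file_key_management' registration as a ENCRYPTION failed.");
+flush tables;
+create table t1(a int not null primary key, b char(200)) engine=innodb;
+
+# Restart server with encryption
+# Wait until encryption threads have encrypted all tablespaces
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
+NAME
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
+NAME
+mysql/innodb_table_stats
+mysql/innodb_index_stats
+./ibdata1
+# Success!
+SELECT * from t1;
+a b
+# Now turn off encryption and wait for threads to decrypt all tablespaces
+SET GLOBAL innodb_encrypt_tables = off;
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
+NAME
+mysql/innodb_table_stats
+mysql/innodb_index_stats
+./ibdata1
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
+NAME
+# Success!
+
+# Restart server with no encryption setup, there should be no crashes
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
+NAME
+mysql/innodb_table_stats
+mysql/innodb_index_stats
+./ibdata1
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
+NAME
+SELECT * from t1;
+a b
+DROP TABLE t1;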
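--- a/mysql-test/suite/encryption/t/innodb-remove-encryption.test
+++ b/mysql-test/suite/encryption/t/innodb-remove-encryption.test
@@ -0,0 +1,59 @@
+--source include/have_innodb.inc
+# Test uses restart
+--source include/not_embedded.inc
+--source filekeys_plugin.inc
+
+#
+# MDEV-15566: System tablespace does not easily key rotate to unencrypted
+#
+
+set global innodb_file_per_table=OFF;
+
+call mtr.add_suppression("mysqld: file-key-management-filename is not set");
+call mtr.add_suppression("Plugin 'file_key_management' init function returned error.");
+call mtr.add_suppression("Plugin 'file_key_management' registration as a ENCRYPTION failed.");
+flush tables;
+
+create table t1(a int not null primary key, b char(200)) engine=innodb;
+
+--echo
+--echo # Restart server with encryption
+-- let $restart_parameters=--plugin-load-add=$FILE_KEY_MANAGEMENT_SO --loose-file-key-management --loose-file-key-management-filename=$MYSQL_TEST_DIR/std_data/keys.txt --file-key-management-encryption-algorithm=aes_cbc --innodb-encrypt-tables=ON --innodb-encryption-threads=4 --innodb-tablespaces-encryption --innodb-encryption-rotate-key-age=15
+-- source include/restart_mysqld.inc
+
+--echo # Wait until encryption threads have encrypted all tablespaces
+
+--let $tables_count= `select count(*) from information_schema.tables where engine = 'InnoDB'`
+--let $wait_timeout= 600
+--let $wait_condition=SELECT COUNT(*) = $tables_count FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0 AND ROTATING_OR_FLUSHING = 0;
+--source include/wait_condition.inc
+
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
+
+--echo # Success!
+
+SELECT * from t1;
+
+--echo # Now turn off encryption and wait for threads to decrypt all tablespaces
+SET GLOBAL innodb_encrypt_tables = off;
+
+--let $wait_condition=SELECT COUNT(*) = $tables_count FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0 AND ROTATING_OR_FLUSHING = 0;
+--source include/wait_condition.inc
+
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
+
+--echo # Success!
+
+--echo
+--echo # Restart server with no encryption setup, there should be no crashes
+--let $restart_parameters=--skip-file-key-management --innodb-encrypt-tables=OFF --innodb-encryption-threads=0 --innodb-tablespaces-encryption
+-- source include/restart_mysqld.inc
+
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
+SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
+
+SELECT * from t1;
+DROP TABLE t1;
+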
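Review bot: t1 is created but never populated, so both `SELECT * from t1;` checks return an empty set and the final restart with `--skip-file-key-management` only shows that the server starts, not that previously encrypted pages in the system tablespace are readable without keys. Inserting rows before the first restart, e.g. `insert into t1 values (1, repeat('secret', 10));`, would make the last SELECT prove that decryption actually completed on disk rather than only in the MIN_KEY_VERSION metadata. Separately, `$tables_count` counts InnoDB tables in information_schema.tables while the wait conditions count rows of INNODB_TABLESPACES_ENCRYPTION (tablespaces); with innodb_file_per_table=OFF the two appear to match only by coincidence, which deserves a comment above the `--let $tables_count=` line. The second wait also sets no `$wait_timeout`, so it presumably runs with the include file's default rather than 600.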