mirror of
https://github.com/MariaDB/server.git
synced 2025-02-15 18:05:32 +01:00
50eb40a2a8
MDEV-11581: Mariadb starts InnoDB encryption threads
when key has not changed or data scrubbing turned off
Background: Key rotation is based on background threads
(innodb-encryption-threads) periodically going through
all tablespaces on fil_system. For each tablespace
current used key version is compared to max key age
(innodb-encryption-rotate-key-age). This process
naturally takes CPU. Similarly, in same time need for
scrubbing is investigated. Currently, key rotation
is fully supported on Amazon AWS key management plugin
only but InnoDB does not have knowledge what key
management plugin is used.
This patch re-purposes innodb-encryption-rotate-key-age=0
to disable key rotation and background data scrubbing.
All new tables are added to special list for key rotation
and key rotation is based on sending a event to
background encryption threads instead of using periodic
checking (i.e. timeout).
fil0fil.cc: Added functions fil_space_acquire_low()
to acquire a tablespace when it could be dropped concurrently.
This function is used from fil_space_acquire() or
fil_space_acquire_silent() that will not print
any messages if we try to acquire space that does not exist.
fil_space_release() to release a acquired tablespace.
fil_space_next() to iterate tablespaces in fil_system
using fil_space_acquire() and fil_space_release().
Similarly, fil_space_keyrotation_next() to iterate new
list fil_system->rotation_list where new tables.
are added if key rotation is disabled.
Removed unnecessary functions fil_get_first_space_safe()
fil_get_next_space_safe()
fil_node_open_file(): After page 0 is read read also
crypt_info if it is not yet read.
btr_scrub_lock_dict_func()
buf_page_check_corrupt()
buf_page_encrypt_before_write()
buf_merge_or_delete_for_page()
lock_print_info_all_transactions()
row_fts_psort_info_init()
row_truncate_table_for_mysql()
row_drop_table_for_mysql()
Use fil_space_acquire()/release() to access fil_space_t.
buf_page_decrypt_after_read():
Use fil_space_get_crypt_data() because at this point
we might not yet have read page 0.
fil0crypt.cc/fil0fil.h: Lot of changes. Pass fil_space_t* directly
to functions needing it and store fil_space_t* to rotation state.
Use fil_space_acquire()/release() when iterating tablespaces
and removed unnecessary is_closing from fil_crypt_t. Use
fil_space_t::is_stopping() to detect when access to
tablespace should be stopped. Removed unnecessary
fil_space_get_crypt_data().
fil_space_create(): Inform key rotation that there could
be something to do if key rotation is disabled and new
table with encryption enabled is created.
Remove unnecessary functions fil_get_first_space_safe()
and fil_get_next_space_safe(). fil_space_acquire()
and fil_space_release() are used instead. Moved
fil_space_get_crypt_data() and fil_space_set_crypt_data()
to fil0crypt.cc.
fsp_header_init(): Acquire fil_space_t*, write crypt_data
and release space.
check_table_options()
Renamed FIL_SPACE_ENCRYPTION_* TO FIL_ENCRYPTION_*
i_s.cc: Added ROTATING_OR_FLUSHING field to
information_schema.innodb_tablespace_encryption
to show current status of key rotation.
59 lines
2.1 KiB
Text
59 lines
2.1 KiB
Text
SET @start_global_value = @@global.innodb_encryption_threads;
|
|
SHOW VARIABLES LIKE 'innodb_encrypt%';
|
|
Variable_name Value
|
|
innodb_encrypt_log ON
|
|
innodb_encrypt_tables ON
|
|
innodb_encryption_rotate_key_age 15
|
|
innodb_encryption_rotation_iops 100
|
|
innodb_encryption_threads 4
|
|
DESCRIBE INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION;
|
|
Field Type Null Key Default Extra
|
|
SPACE int(11) unsigned NO 0
|
|
NAME varchar(655) YES NULL
|
|
ENCRYPTION_SCHEME int(11) unsigned NO 0
|
|
KEYSERVER_REQUESTS int(11) unsigned NO 0
|
|
MIN_KEY_VERSION int(11) unsigned NO 0
|
|
CURRENT_KEY_VERSION int(11) unsigned NO 0
|
|
KEY_ROTATION_PAGE_NUMBER bigint(21) unsigned YES NULL
|
|
KEY_ROTATION_MAX_PAGE_NUMBER bigint(21) unsigned YES NULL
|
|
CURRENT_KEY_ID int(11) unsigned NO 0
|
|
ROTATING_OR_FLUSHING int(1) unsigned NO 0
|
|
# Wait max 5 min for key encryption threads to encrypt one space
|
|
# Success!
|
|
# Wait max 10 min for key encryption threads to encrypt all space
|
|
# Success!
|
|
# Now turn off encryption and wait for threads to decrypt everything
|
|
SET GLOBAL innodb_encrypt_tables = off;
|
|
# Wait max 10 min for key encryption threads to decrypt all space
|
|
# Success!
|
|
# Shutdown innodb_encryption_threads
|
|
SET GLOBAL innodb_encryption_threads=0;
|
|
# Turn on encryption
|
|
# since threads are off tables should remain unencrypted
|
|
SET GLOBAL innodb_encrypt_tables = on;
|
|
# Wait 15s to check that nothing gets encrypted
|
|
# Success!
|
|
# Startup innodb_encryption_threads
|
|
SET GLOBAL innodb_encryption_threads=@start_global_value;
|
|
# Wait 1 min to check that it start encrypting again
|
|
# Success!
|
|
#
|
|
# Check that restart with encryption turned off works
|
|
# even if spaces are encrypted
|
|
#
|
|
# First wait max 10 min for key encryption threads to encrypt all spaces
|
|
# Success!
|
|
# Restart mysqld --innodb_encrypt_tables=0 --innodb_encryption_threads=0
|
|
SHOW VARIABLES LIKE 'innodb_encrypt%';
|
|
Variable_name Value
|
|
innodb_encrypt_log ON
|
|
innodb_encrypt_tables OFF
|
|
innodb_encryption_rotate_key_age 15
|
|
innodb_encryption_rotation_iops 100
|
|
innodb_encryption_threads 0
|
|
SELECT COUNT(*) > 0 as should_be_1
|
|
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION
|
|
WHERE MIN_KEY_VERSION <> 0;
|
|
should_be_1
|
|
1
|
|
# Restart mysqld again...with default options
|