From 4cea626c6eb9824db46a4bc0b159dab4ffec7e0f Mon Sep 17 00:00:00 2001 From: Catalin Besleaga Date: Thu, 30 Apr 2026 09:55:13 +0300 Subject: [PATCH] PS-11106 [9.7] Component Percona keyring encrypted file - Created component_percona_keyring_encrypted_file based on component_keyring_file. - Added cmake flag: WITH_COMPONENT_PERCONA_KEYRING_ENCRYPTED_FILE - New PBKDF2-based encrypt/decrypt API (aes.cc): Added aes_encrypt_pbkdf2 and aes_decrypt_pbkdf2 functions that derive a 256-bit AES key from a password using PKCS5_PBKDF2_HMAC (SHA-256). Refactored the internal EVP encrypt/decrypt logic into private helpers to avoid code duplication. - Encrypted backend (backend.cc): Renamed Keyring_file_backend to Keyring_encrypted_file_backend and wired in password-based encryption. On write, generates a random salt, IV, and iteration count; on read, parses v1 on-disk header ([version:1][salt:32][iterations:4 BE][iv:16][ciphertext]) and decrypts before JSON parsing. - Password config options (config.cc): The component configuration now requires exactly one of password (inline) or password_file (path to a file containing the password). Validation errors are emitted for missing, empty, or conflicting combinations. The keyring_component_status table reports or for the password field. --- components/keyrings/CMakeLists.txt | 1 + components/keyrings/common/encryption/aes.cc | 134 +- components/keyrings/common/encryption/aes.h | 22 + .../CMakeLists.txt | 96 + .../backend/backend.cc | 283 ++ .../backend/backend.h | 194 ++ .../component_callbacks.cc | 44 + .../config/config.cc | 258 ++ .../config/config.h | 78 + .../percona_keyring_encrypted_file.cc | 325 ++ .../percona_keyring_encrypted_file.h | 67 + .../keyring_encryption_service_definition.cc | 73 + .../keyring_generator_service_definition.cc | 49 + ...ys_metadata_iterator_service_definition.cc | 117 + .../keyring_load_service_definition.cc | 68 + ...yring_metadata_query_service_definition.cc | 116 + .../keyring_reader_service_definition.cc | 93 + .../keyring_writer_service_definition.cc | 56 + mysql-test/include/plugin.defs | 1 + ...rcona_component_keyring_encrypted_file.inc | 10 + .../inc/rpl_replica_setup_component.inc | 33 + .../inc/rpl_replica_teardown_component.inc | 21 + .../inc/rpl_setup_component.inc | 50 + .../inc/rpl_teardown_component.inc | 27 + .../inc/setup_component.inc | 27 + .../inc/setup_component_customized.inc | 23 + .../inc/teardown_component.inc | 16 + .../inc/teardown_component_customized.inc | 16 + .../r/alter_rename_table.result | 1778 ++++++++++ .../r/alter_table.result | 2861 +++++++++++++++++ .../r/clone_local_encrypt.result | 482 +++ .../r/clone_remote_encrypt.result | 485 +++ .../r/corrupt_keyring_file.result | 38 + .../r/create_table.result | 1023 ++++++ .../r/database.result | 1052 ++++++ .../r/dynamic_loading.result | 4 + .../r/empty_password.result | 31 + .../r/encrypt_explicit.result | 60 + .../r/engine.result | 175 + .../r/import_compress_encrypt.result | 110 + .../r/keyring_component_status.result | 41 + .../r/keyring_encryption_test.result | 32 + .../r/load.result | 13 + .../r/load_windows.result | 17 + .../r/log_encrypt_1.result | 125 + .../r/log_encrypt_2.result | 168 + .../r/log_encrypt_3.result | 197 ++ .../r/log_encrypt_4.result | 71 + .../r/log_encrypt_5.result | 85 + .../r/log_encrypt_6.result | 87 + .../r/log_encrypt_kill.result | 250 ++ .../r/migrate_keyring.result | 90 + .../r/mysql_ts_alter_encrypt_1.result | 221 ++ .../r/mysql_ts_alter_encrypt_2.result | 331 ++ .../r/mysqldump.result | 352 ++ .../r/no_password.result | 29 + .../r/password_and_password_file.result | 20 + .../r/password_file.result | 31 + .../r/password_file_not_found.result | 20 + .../r/reload_keyring.result | 31 + .../r/reload_wrong_password.result | 27 + .../r/rename_table.result | 910 ++++++ .../r/rpl_binlog_cache_encryption.result | 49 + ...l_binlog_cache_temp_file_encryption.result | 60 + .../r/rpl_default_table_encryption.result | 1190 +++++++ .../r/rpl_encryption.result | 140 + ...tion_master_key_generation_recovery.result | 80 + ...tion_master_key_rotation_at_startup.result | 105 + .../r/sensitive_variables.result | 54 + .../r/table_encrypt_1.result | 223 ++ .../r/table_encrypt_2.result | 174 + .../r/table_encrypt_3.result | 1425 ++++++++ .../r/table_encrypt_4.result | 164 + .../r/table_encrypt_5.result | 1043 ++++++ .../r/table_encrypt_6.result | 73 + .../r/table_encrypt_debug.result | 219 ++ .../r/table_encrypt_fts.result | 56 + .../r/table_encrypt_kill.result | 209 ++ .../r/tablespace.result | 692 ++++ .../r/tablespace_encrypt_1.result | 1045 ++++++ .../r/tablespace_encrypt_10.result | 528 +++ .../r/tablespace_encrypt_11.result | 95 + .../r/tablespace_encrypt_2.result | 440 +++ .../r/tablespace_encrypt_3.result | 167 + .../r/tablespace_encrypt_4.result | 622 ++++ .../r/tablespace_encrypt_5.result | 102 + .../r/tablespace_encrypt_6.result | 988 ++++++ .../r/tablespace_encrypt_7.result | 538 ++++ .../r/tablespace_encrypt_8.result | 46 + .../r/tablespace_encrypt_9.result | 88 + .../r/tablespace_with_tables.result | 1019 ++++++ .../r/udf_test.result | 319 ++ .../r/undo_encrypt_basic.result | 179 ++ .../r/undo_encrypt_bootstrap.result | 46 + .../r/undo_encrypt_crash.result | 45 + .../r/undo_tablespace_encrypt.result | 83 + .../r/wrong_password.result | 38 + .../t/alter_rename_table.test | 6 + .../t/alter_table.test | 6 + .../t/clone_local_encrypt-master.opt | 3 + .../t/clone_local_encrypt.test | 13 + .../t/clone_remote_encrypt-master.opt | 3 + .../t/clone_remote_encrypt.test | 11 + .../t/corrupt_keyring_file.test | 42 + .../t/create_table.test | 6 + .../t/database.test | 6 + .../t/dynamic_loading.test | 4 + .../t/empty_password.test | 41 + .../t/encrypt_explicit.test | 10 + .../t/engine.test | 4 + .../t/import_compress_encrypt.test | 9 + .../t/keyring_component_status.test | 5 + .../t/keyring_encryption_test.test | 9 + .../t/load.test | 5 + .../t/load_windows.test | 39 + .../t/log_encrypt_1.test | 10 + .../t/log_encrypt_2.test | 9 + .../t/log_encrypt_3.test | 10 + .../t/log_encrypt_4.test | 15 + .../t/log_encrypt_5.test | 14 + .../t/log_encrypt_6.test | 15 + .../t/log_encrypt_kill.test | 15 + .../t/migrate_keyring.test | 231 ++ .../t/mysql_ts_alter_encrypt_1.test | 25 + .../t/mysql_ts_alter_encrypt_2.test | 29 + .../t/mysqldump.test | 8 + .../t/no_password.test | 38 + .../t/password_and_password_file.test | 45 + .../t/password_file.test | 48 + .../t/password_file_not_found.test | 40 + .../t/reload_keyring.test | 20 + .../t/reload_wrong_password.test | 29 + .../t/rename_table.test | 6 + .../t/rpl_binlog_cache_encryption.test | 9 + ...rpl_binlog_cache_temp_file_encryption.test | 11 + .../t/rpl_default_table_encryption.test | 10 + .../t/rpl_encryption.test | 10 + ..._master_key_generation_recovery-master.opt | 1 + ...yption_master_key_generation_recovery.test | 10 + ..._master_key_rotation_at_startup-master.opt | 1 + ...yption_master_key_rotation_at_startup.test | 9 + .../t/sensitive_variables-master.opt | 1 + .../t/sensitive_variables.test | 5 + .../t/suite.opt | 1 + .../t/table_encrypt_1.test | 12 + .../t/table_encrypt_2.test | 9 + .../t/table_encrypt_3.test | 10 + .../t/table_encrypt_4.test | 10 + .../t/table_encrypt_5.test | 20 + .../t/table_encrypt_6.test | 11 + .../t/table_encrypt_debug.test | 20 + .../t/table_encrypt_fts.test | 10 + .../t/table_encrypt_kill-master.opt | 1 + .../t/table_encrypt_kill.test | 9 + .../t/tablespace.test | 6 + .../t/tablespace_encrypt_1-master.opt | 1 + .../t/tablespace_encrypt_1.test | 6 + .../t/tablespace_encrypt_10.test | 10 + .../t/tablespace_encrypt_11.test | 10 + .../t/tablespace_encrypt_2-master.opt | 1 + .../t/tablespace_encrypt_2.test | 10 + .../t/tablespace_encrypt_3.test | 7 + .../t/tablespace_encrypt_4.test | 6 + .../t/tablespace_encrypt_5-master.opt | 1 + .../t/tablespace_encrypt_5.test | 10 + .../t/tablespace_encrypt_6.test | 6 + .../t/tablespace_encrypt_7.test | 10 + .../t/tablespace_encrypt_8.test | 7 + .../t/tablespace_encrypt_9.test | 10 + .../t/tablespace_with_tables.test | 6 + .../t/udf_test-master.opt | 1 + .../t/udf_test.test | 8 + .../t/undo_encrypt_basic.test | 11 + .../t/undo_encrypt_bootstrap.test | 10 + .../t/undo_encrypt_crash.test | 10 + .../t/undo_tablespace_encrypt.test | 10 + .../t/wrong_password.test | 35 + 177 files changed, 27053 insertions(+), 37 deletions(-) create mode 100644 components/keyrings/percona_keyring_encrypted_file/CMakeLists.txt create mode 100644 components/keyrings/percona_keyring_encrypted_file/backend/backend.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/backend/backend.h create mode 100644 components/keyrings/percona_keyring_encrypted_file/component_callbacks.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/config/config.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/config/config.h create mode 100644 components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.h create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_encryption_service_definition.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_generator_service_definition.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_keys_metadata_iterator_service_definition.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_load_service_definition.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_metadata_query_service_definition.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_reader_service_definition.cc create mode 100644 components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_writer_service_definition.cc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/have_percona_component_keyring_encrypted_file.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_setup_component.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_teardown_component.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_setup_component.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_teardown_component.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component_customized.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component_customized.inc create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_rename_table.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_table.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_local_encrypt.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_remote_encrypt.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/corrupt_keyring_file.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/create_table.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/database.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/dynamic_loading.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/empty_password.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/encrypt_explicit.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/engine.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/import_compress_encrypt.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_component_status.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_encryption_test.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/load.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/load_windows.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_1.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_2.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_3.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_4.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_5.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_6.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_kill.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/migrate_keyring.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_1.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_2.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/mysqldump.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/no_password.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/password_and_password_file.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file_not_found.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_keyring.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_wrong_password.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rename_table.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_encryption.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_temp_file_encryption.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_default_table_encryption.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_generation_recovery.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_rotation_at_startup.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/sensitive_variables.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_1.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_2.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_3.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_4.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_5.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_6.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_debug.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_fts.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_kill.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_1.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_10.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_11.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_2.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_3.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_4.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_5.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_6.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_7.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_8.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_9.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_with_tables.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/udf_test.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_basic.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_bootstrap.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_crash.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_tablespace_encrypt.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/r/wrong_password.result create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_rename_table.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_table.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/corrupt_keyring_file.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/create_table.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/database.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/dynamic_loading.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/empty_password.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/encrypt_explicit.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/engine.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/import_compress_encrypt.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_component_status.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_encryption_test.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/load.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/load_windows.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_1.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_2.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_3.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_4.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_5.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_6.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_kill.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/migrate_keyring.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_1.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_2.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/mysqldump.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/no_password.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/password_and_password_file.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file_not_found.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_keyring.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_wrong_password.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rename_table.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_encryption.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_temp_file_encryption.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_default_table_encryption.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/suite.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_1.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_2.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_3.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_4.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_5.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_6.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_debug.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_fts.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_10.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_11.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_3.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_4.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_6.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_7.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_8.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_9.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_with_tables.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test-master.opt create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_basic.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_bootstrap.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_crash.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_tablespace_encrypt.test create mode 100644 mysql-test/suite/component_percona_keyring_encrypted_file/t/wrong_password.test diff --git a/components/keyrings/CMakeLists.txt b/components/keyrings/CMakeLists.txt index 26625ab35ef9..f576465456a7 100644 --- a/components/keyrings/CMakeLists.txt +++ b/components/keyrings/CMakeLists.txt @@ -27,6 +27,7 @@ ADD_SUBDIRECTORY(common) # Keyring_file component ADD_SUBDIRECTORY(keyring_file) +ADD_SUBDIRECTORY(percona_keyring_encrypted_file) ADD_SUBDIRECTORY(keyring_kmip) ADD_SUBDIRECTORY(keyring_kms) ADD_SUBDIRECTORY(keyring_vault) diff --git a/components/keyrings/common/encryption/aes.cc b/components/keyrings/common/encryption/aes.cc index 9d077c79836e..aaf0529147cc 100644 --- a/components/keyrings/common/encryption/aes.cc +++ b/components/keyrings/common/encryption/aes.cc @@ -29,7 +29,9 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #include #include +#include #include +#include #include @@ -134,13 +136,10 @@ size_t get_ciphertext_size(size_t input_size, const Keyring_aes_opmode mode) { : input_size; } -aes_return_status aes_encrypt(const unsigned char *source, - unsigned int source_length, unsigned char *dest, - const unsigned char *key, unsigned int key_length, - Keyring_aes_opmode mode, const unsigned char *iv, - bool padding, size_t *encrypted_length) { - if (encrypted_length == nullptr) return AES_OUTPUT_SIZE_NULL; - +static aes_return_status aes_evp_encrypt( + const unsigned char *source, unsigned int source_length, + unsigned char *dest, const EVP_CIPHER *cipher, const unsigned char *raw_key, + const unsigned char *iv, bool padding, size_t *encrypted_length) { #if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_CIPHER_CTX stack_ctx; EVP_CIPHER_CTX *ctx = &stack_ctx; @@ -159,21 +158,11 @@ aes_return_status aes_encrypt(const unsigned char *source, #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ }); - const EVP_CIPHER *cipher = aes_evp_type(mode); - if (cipher == nullptr) return AES_INVALID_BLOCK_MODE; - - /* The real key to be used for encryption */ - std::unique_ptr rkey; - size_t rkey_size; - if (!aes_create_key(key, key_length, rkey, &rkey_size, mode)) - return AES_KEY_TRANSFORMATION_ERROR; - if (EVP_CIPHER_iv_length(cipher) > 0 && !iv) return AES_IV_EMPTY; int u_len, f_len; - if (!EVP_EncryptInit(ctx, cipher, rkey.get(), iv)) - return AES_ENCRYPTION_ERROR; + if (!EVP_EncryptInit(ctx, cipher, raw_key, iv)) return AES_ENCRYPTION_ERROR; if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) return AES_ENCRYPTION_ERROR; if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length)) return AES_ENCRYPTION_ERROR; @@ -184,14 +173,10 @@ aes_return_status aes_encrypt(const unsigned char *source, return AES_OP_OK; } -aes_return_status aes_decrypt(const unsigned char *source, - unsigned int source_length, unsigned char *dest, - const unsigned char *key, unsigned int key_length, - enum Keyring_aes_opmode mode, - const unsigned char *iv, bool padding, - size_t *decrypted_length) { - if (decrypted_length == nullptr) return AES_OUTPUT_SIZE_NULL; - +static aes_return_status aes_evp_decrypt( + const unsigned char *source, unsigned int source_length, + unsigned char *dest, const EVP_CIPHER *cipher, const unsigned char *raw_key, + const unsigned char *iv, bool padding, size_t *decrypted_length) { #if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_CIPHER_CTX stack_ctx; EVP_CIPHER_CTX *ctx = &stack_ctx; @@ -210,21 +195,11 @@ aes_return_status aes_decrypt(const unsigned char *source, #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ }); - const EVP_CIPHER *cipher = aes_evp_type(mode); - if (cipher == nullptr) return AES_INVALID_BLOCK_MODE; - - /* The real key to be used for encryption */ - std::unique_ptr rkey; - size_t rkey_size; - if (!aes_create_key(key, key_length, rkey, &rkey_size, mode)) - return AES_KEY_TRANSFORMATION_ERROR; - if (EVP_CIPHER_iv_length(cipher) > 0 && !iv) return AES_IV_EMPTY; int u_len, f_len; - if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey.get(), iv)) - return AES_DECRYPTION_ERROR; + if (!EVP_DecryptInit(ctx, cipher, raw_key, iv)) return AES_DECRYPTION_ERROR; if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) return AES_DECRYPTION_ERROR; if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length)) return AES_DECRYPTION_ERROR; @@ -236,4 +211,89 @@ aes_return_status aes_decrypt(const unsigned char *source, return AES_OP_OK; } +aes_return_status aes_encrypt(const unsigned char *source, + unsigned int source_length, unsigned char *dest, + const unsigned char *key, unsigned int key_length, + Keyring_aes_opmode mode, const unsigned char *iv, + bool padding, size_t *encrypted_length) { + if (encrypted_length == nullptr) return AES_OUTPUT_SIZE_NULL; + + const EVP_CIPHER *cipher = aes_evp_type(mode); + if (cipher == nullptr) return AES_INVALID_BLOCK_MODE; + + /* The real key to be used for encryption */ + std::unique_ptr rkey; + size_t rkey_size; + if (!aes_create_key(key, key_length, rkey, &rkey_size, mode)) + return AES_KEY_TRANSFORMATION_ERROR; + + return aes_evp_encrypt(source, source_length, dest, cipher, rkey.get(), iv, + padding, encrypted_length); +} + +aes_return_status aes_decrypt(const unsigned char *source, + unsigned int source_length, unsigned char *dest, + const unsigned char *key, unsigned int key_length, + enum Keyring_aes_opmode mode, + const unsigned char *iv, bool padding, + size_t *decrypted_length) { + if (decrypted_length == nullptr) return AES_OUTPUT_SIZE_NULL; + + const EVP_CIPHER *cipher = aes_evp_type(mode); + if (cipher == nullptr) return AES_INVALID_BLOCK_MODE; + + /* The real key to be used for encryption */ + std::unique_ptr rkey; + size_t rkey_size; + if (!aes_create_key(key, key_length, rkey, &rkey_size, mode)) + return AES_KEY_TRANSFORMATION_ERROR; + + return aes_evp_decrypt(source, source_length, dest, cipher, rkey.get(), iv, + padding, decrypted_length); +} + +aes_return_status aes_encrypt_pbkdf2( + const unsigned char *source, unsigned int source_length, + unsigned char *dest, const unsigned char *password, size_t password_len, + const unsigned char *salt, size_t salt_len, unsigned int iterations, + Keyring_aes_opmode mode, const unsigned char *iv, bool padding, + size_t *encrypted_length) { + if (encrypted_length == nullptr) return AES_OUTPUT_SIZE_NULL; + const EVP_CIPHER *cipher = aes_evp_type(mode); + if (cipher == nullptr) return AES_INVALID_BLOCK_MODE; + unsigned char raw_key[32]; + auto zero_key = + create_scope_guard([&] { OPENSSL_cleanse(raw_key, sizeof(raw_key)); }); + if (PKCS5_PBKDF2_HMAC(reinterpret_cast(password), + static_cast(password_len), salt, + static_cast(salt_len), + static_cast(iterations), EVP_sha256(), + static_cast(sizeof(raw_key)), raw_key) != 1) + return AES_KEY_TRANSFORMATION_ERROR; + return aes_evp_encrypt(source, source_length, dest, cipher, raw_key, iv, + padding, encrypted_length); +} + +aes_return_status aes_decrypt_pbkdf2( + const unsigned char *source, unsigned int source_length, + unsigned char *dest, const unsigned char *password, size_t password_len, + const unsigned char *salt, size_t salt_len, unsigned int iterations, + Keyring_aes_opmode mode, const unsigned char *iv, bool padding, + size_t *decrypted_length) { + if (decrypted_length == nullptr) return AES_OUTPUT_SIZE_NULL; + const EVP_CIPHER *cipher = aes_evp_type(mode); + if (cipher == nullptr) return AES_INVALID_BLOCK_MODE; + unsigned char raw_key[32]; + auto zero_key = + create_scope_guard([&] { OPENSSL_cleanse(raw_key, sizeof(raw_key)); }); + if (PKCS5_PBKDF2_HMAC(reinterpret_cast(password), + static_cast(password_len), salt, + static_cast(salt_len), + static_cast(iterations), EVP_sha256(), + static_cast(sizeof(raw_key)), raw_key) != 1) + return AES_KEY_TRANSFORMATION_ERROR; + return aes_evp_decrypt(source, source_length, dest, cipher, raw_key, iv, + padding, decrypted_length); +} + } // namespace keyring_common::aes_encryption diff --git a/components/keyrings/common/encryption/aes.h b/components/keyrings/common/encryption/aes.h index cbe1c6ccd97b..a36e6c17cf3e 100644 --- a/components/keyrings/common/encryption/aes.h +++ b/components/keyrings/common/encryption/aes.h @@ -92,6 +92,28 @@ aes_return_status aes_decrypt(const unsigned char *source, Keyring_aes_opmode mode, const unsigned char *iv, bool padding, size_t *decrypted_length); +/** + Encrypt using a password: derives a 256-bit AES key via PBKDF2-HMAC-SHA256 + and then encrypts with the requested mode. +*/ +aes_return_status aes_encrypt_pbkdf2( + const unsigned char *source, unsigned int source_length, + unsigned char *dest, const unsigned char *password, size_t password_len, + const unsigned char *salt, size_t salt_len, unsigned int iterations, + Keyring_aes_opmode mode, const unsigned char *iv, bool padding, + size_t *encrypted_length); + +/** + Decrypt using a password: derives a 256-bit AES key via PBKDF2-HMAC-SHA256 + and then decrypts with the requested mode. +*/ +aes_return_status aes_decrypt_pbkdf2( + const unsigned char *source, unsigned int source_length, + unsigned char *dest, const unsigned char *password, size_t password_len, + const unsigned char *salt, size_t salt_len, unsigned int iterations, + Keyring_aes_opmode mode, const unsigned char *iv, bool padding, + size_t *decrypted_length); + } // namespace keyring_common::aes_encryption #endif // !AES_INCLUDED diff --git a/components/keyrings/percona_keyring_encrypted_file/CMakeLists.txt b/components/keyrings/percona_keyring_encrypted_file/CMakeLists.txt new file mode 100644 index 000000000000..92f30c3d0898 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/CMakeLists.txt @@ -0,0 +1,96 @@ +# Copyright (c) 2021, 2026, Oracle and/or its affiliates. +# Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License, version 2.0, +# as published by the Free Software Foundation. +# +# This program is designed to work with certain software (including +# but not limited to OpenSSL) that is licensed under separate terms, +# as designated in a particular file or component or in included license +# documentation. The authors of MySQL hereby grant you an additional +# permission to link the program and your derivative works with the +# separately licensed software that they have either included with +# the program or referenced in the documentation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License, version 2.0, for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +IF (NOT DEFINED WITH_COMPONENT_PERCONA_KEYRING_ENCRYPTED_FILE AND + NOT DEFINED WITHOUT_COMPONENT_PERCONA_KEYRING_ENCRYPTED_FILE) + SET(WITH_COMPONENT_PERCONA_KEYRING_ENCRYPTED_FILE 1) +ENDIF() + +IF(NOT WITH_COMPONENT_PERCONA_KEYRING_ENCRYPTED_FILE) + RETURN() +ENDIF() + +ADD_DEFINITIONS(-DLOG_COMPONENT_TAG="component_percona_keyring_encrypted_file") + +INCLUDE_DIRECTORIES( + ${CMAKE_CURRENT_SOURCE_DIR} + ${BOOST_PATCHES_DIR} + ${BOOST_INCLUDE_DIR} +) + + +SET(PERCONA_KEYRING_ENCRYPTED_FILE_SOURCE + # Encryption handling + service_implementation/keyring_encryption_service_definition.cc + + # Generator handling + service_implementation/keyring_generator_service_definition.cc + + # Keyring load handling + service_implementation/keyring_load_service_definition.cc + + # Keys metadata iterator handling + service_implementation/keyring_keys_metadata_iterator_service_definition.cc + + # Metadata query handling + service_implementation/keyring_metadata_query_service_definition.cc + + # Reader handling + service_implementation/keyring_reader_service_definition.cc + + # Writer handling + service_implementation/keyring_writer_service_definition.cc + + # Backend handling + backend/backend.cc + + # Config handling + config/config.cc + + # Keyring file component handling + percona_keyring_encrypted_file.cc + + # Component callbacks + component_callbacks.cc +) + +SET(PERCONA_KEYRING_ENCRYPTED_FILE_LIBRARIES + keyring_common + OpenSSL::SSL OpenSSL::Crypto + library_mysys +) + +MYSQL_ADD_COMPONENT(percona_keyring_encrypted_file + ${PERCONA_KEYRING_ENCRYPTED_FILE_SOURCE} + LINK_LIBRARIES ${PERCONA_KEYRING_ENCRYPTED_FILE_LIBRARIES} + MODULE_ONLY +) + +TARGET_LINK_OPTIONS(component_percona_keyring_encrypted_file PRIVATE "${LINK_FLAG_NO_UNDEFINED}") + +IF(APPLE) + SET_TARGET_PROPERTIES(component_percona_keyring_encrypted_file PROPERTIES + LINK_FLAGS "-undefined dynamic_lookup") +ENDIF() + diff --git a/components/keyrings/percona_keyring_encrypted_file/backend/backend.cc b/components/keyrings/percona_keyring_encrypted_file/backend/backend.cc new file mode 100644 index 000000000000..f39a0f7a4c4e --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/backend/backend.cc @@ -0,0 +1,283 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License, version 2.0, + as published by the Free Software Foundation. + + This program is designed to work with certain software (including + but not limited to OpenSSL) that is licensed under separate terms, + as designated in a particular file or component or in included license + documentation. The authors of MySQL hereby grant you an additional + permission to link the program and your derivative works with the + separately licensed software that they have either included with + the program or referenced in the documentation. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License, version 2.0, for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include "backend.h" +#include "mysql/components/services/log_builtins.h" +#include "mysqld_error.h" + +namespace percona_keyring_encrypted_file::backend { + +using keyring_common::data::Data; +using keyring_common::data_file::File_reader; +using keyring_common::data_file::File_writer; +using keyring_common::json_data::Json_data_extension; +using keyring_common::json_data::Json_reader; +using keyring_common::json_data::Json_writer; +using keyring_common::json_data::output_vector; +using keyring_common::meta::Metadata; +using keyring_common::utils::get_random_data; + +Json_data_extension ext; + +Keyring_encrypted_file_backend::Keyring_encrypted_file_backend( + const std::string &keyring_file_name, const bool read_only, + const std::string &password, const uint32_t iterations) + : keyring_file_name_(keyring_file_name), + read_only_(read_only), + password_(password), + iterations_(iterations), + valid_(false) { + if (keyring_file_name_.length() == 0) { + LogComponentErr(ERROR_LEVEL, ER_KEYRING_COMPONENT_KEYRING_FILE_NAME_EMPTY); + return; + } + std::string data; + create_file_if_missing(keyring_file_name_); + { + const File_reader file_reader(keyring_file_name_, read_only_, data); + if (!file_reader.valid()) { + LogComponentErr(ERROR_LEVEL, + ER_KEYRING_COMPONENT_KEYRING_FILE_READ_FAILED, + keyring_file_name_.c_str()); + return; + } + } + + /* It is possible that file is empty and that's ok. */ + if (data.length()) { + std::string decrypted; + if (decrypt_data(data, decrypted)) { + LogComponentErr(ERROR_LEVEL, + ER_KEYRING_COMPONENT_KEYRING_FILE_DECRYPT_FAILED, + keyring_file_name_.c_str()); + return; + } + /* Read JSON data - format check */ + const Json_reader json_reader(decrypted); + if (!json_reader.valid()) { + LogComponentErr(ERROR_LEVEL, + ER_KEYRING_COMPONENT_KEYRING_FILE_INVALID_FORMAT, + keyring_file_name_.c_str()); + return; + } + /* Cache */ + json_writer_.set_data(decrypted); + } + valid_ = true; +} + +bool Keyring_encrypted_file_backend::load_cache( + keyring_common::operations::Keyring_operations< + Keyring_encrypted_file_backend> &operations) { + if (json_writer_.num_elements() == 0) return false; + const Json_reader json_reader(json_writer_.to_string()); + if (!json_reader.valid()) { + LogComponentErr(ERROR_LEVEL, + ER_KEYRING_COMPONENT_KEYRING_FILE_JSON_EXTRACT_FAILED); + return true; + } + if (json_reader.num_elements() != json_writer_.num_elements()) { + LogComponentErr(ERROR_LEVEL, + ER_KEYRING_COMPONENT_KEYRING_FILE_JSON_EXTRACT_FAILED); + return true; + } + for (size_t i = 0; i < json_reader.num_elements(); ++i) { + std::unique_ptr data_ext; + Metadata metadata; + Data data; + if (json_reader.get_element(i, metadata, data, data_ext)) { + LogComponentErr(ERROR_LEVEL, + ER_KEYRING_COMPONENT_KEYRING_FILE_KEY_EXTRACT_FAILED); + return true; + } + if (operations.insert(metadata, data)) return true; + } + return false; +} + +bool Keyring_encrypted_file_backend::get(const Metadata &, Data &) const { + /* Shouldn't have reached here. */ + return true; +} + +bool Keyring_encrypted_file_backend::store(const Metadata &metadata, + Data &data) { + if (!metadata.valid() || !data.valid()) return true; + if (json_writer_.add_element(metadata, data, ext)) return true; + if (write_to_file()) { + /* Erase stored entry */ + (void)json_writer_.remove_element(metadata, ext); + return true; + } + return false; +} + +bool Keyring_encrypted_file_backend::erase(const Metadata &metadata, + Data &data) { + if (!metadata.valid()) return true; + if (json_writer_.remove_element(metadata, ext)) return true; + if (write_to_file()) { + /* Add entry back */ + (void)json_writer_.add_element(metadata, data, ext); + return true; + } + return false; +} + +bool Keyring_encrypted_file_backend::generate(const Metadata &metadata, + Data &data, size_t length) { + if (!metadata.valid()) return true; + + const std::unique_ptr key(new unsigned char[length]); + if (!key) return true; + if (!get_random_data(key, length)) return true; + + pfs_string key_str; + key_str.assign(reinterpret_cast(key.get()), length); + data.set_data(keyring_common::data::Sensitive_data{key_str}); + + return store(metadata, data); +} + +bool Keyring_encrypted_file_backend::write_to_file() { + std::string ciphertext; + if (encrypt_data(json_writer_.to_string(), ciphertext)) return true; + const File_writer file_writer(keyring_file_name_, ciphertext); + return !file_writer.valid(); +} + +bool Keyring_encrypted_file_backend::encrypt_data(const std::string &plaintext, + std::string &ciphertext) { + using namespace keyring_common::aes_encryption; + const auto mode = Keyring_aes_opmode::keyring_aes_256_cbc; + + // Generate random salt for PBKDF2 + const std::unique_ptr salt( + new (std::nothrow) unsigned char[k_salt_size]); + if (!salt || !get_random_data(salt, k_salt_size)) return true; + + // Generate random IV for AES-CBC + const std::unique_ptr iv( + new (std::nothrow) unsigned char[k_iv_size]); + if (!iv || !get_random_data(iv, k_iv_size)) return true; + + const size_t cipher_size = get_ciphertext_size(plaintext.length(), mode); + const std::unique_ptr cipher_buf( + new (std::nothrow) unsigned char[cipher_size]); + if (!cipher_buf) return true; + + size_t encrypted_length = 0; + if (aes_encrypt_pbkdf2( + reinterpret_cast(plaintext.c_str()), + static_cast(plaintext.length()), cipher_buf.get(), + reinterpret_cast(password_.c_str()), + password_.length(), salt.get(), k_salt_size, iterations_, mode, + iv.get(), true, &encrypted_length) != AES_OP_OK) + return true; + + /* + On-disk format v1: + [version:1=0x01][salt:32][iterations:4 BE][iv:16][ciphertext] + */ + ciphertext.assign(1, static_cast(0x01)); /* version */ + ciphertext.append(reinterpret_cast(salt.get()), k_salt_size); + const uint8_t iters_be[4] = {static_cast((iterations_ >> 24) & 0xFF), + static_cast((iterations_ >> 16) & 0xFF), + static_cast((iterations_ >> 8) & 0xFF), + static_cast(iterations_ & 0xFF)}; + ciphertext.append(reinterpret_cast(iters_be), 4); + ciphertext.append(reinterpret_cast(iv.get()), k_iv_size); + ciphertext.append(reinterpret_cast(cipher_buf.get()), + encrypted_length); + return false; +} + +bool Keyring_encrypted_file_backend::decrypt_data(const std::string &raw, + std::string &plaintext) { + using namespace keyring_common::aes_encryption; + const auto mode = Keyring_aes_opmode::keyring_aes_256_cbc; + + /* + Parse v1 header offsets: + [0] version + [1-32] salt (32 bytes) + [33-36] iterations (big-endian uint32) + [37-52] iv (16 bytes) + [53+] ciphertext + */ + if (raw.length() <= k_header_size) return true; + + if (static_cast(raw[0]) != 0x01) return true; + + const auto *salt = reinterpret_cast(raw.c_str() + 1); + const uint32_t iterations = + (static_cast(static_cast(raw[33])) << 24) | + (static_cast(static_cast(raw[34])) << 16) | + (static_cast(static_cast(raw[35])) << 8) | + (static_cast(static_cast(raw[36]))); + const auto *iv = reinterpret_cast(raw.c_str() + 37); + const auto *cipher_data = + reinterpret_cast(raw.c_str() + k_header_size); + const size_t cipher_len = raw.length() - k_header_size; + + const std::unique_ptr plain_buf( + new (std::nothrow) unsigned char[cipher_len]); + if (!plain_buf) return true; + + size_t decrypted_length = 0; + if (aes_decrypt_pbkdf2( + cipher_data, static_cast(cipher_len), plain_buf.get(), + reinterpret_cast(password_.c_str()), + password_.length(), salt, k_salt_size, iterations, mode, iv, true, + &decrypted_length) != AES_OP_OK) + return true; + + plaintext.assign(reinterpret_cast(plain_buf.get()), + decrypted_length); + return false; +} + +void Keyring_encrypted_file_backend::create_file_if_missing( + const std::string &file_name) { + std::ifstream f(file_name.c_str()); + if (f.good()) + f.close(); + else { + std::ofstream o(file_name.c_str()); + o.close(); + } +} + +} // namespace percona_keyring_encrypted_file::backend diff --git a/components/keyrings/percona_keyring_encrypted_file/backend/backend.h b/components/keyrings/percona_keyring_encrypted_file/backend/backend.h new file mode 100644 index 000000000000..60ff615a5fc9 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/backend/backend.h @@ -0,0 +1,194 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License, version 2.0, + as published by the Free Software Foundation. + + This program is designed to work with certain software (including + but not limited to OpenSSL) that is licensed under separate terms, + as designated in a particular file or component or in included license + documentation. The authors of MySQL hereby grant you an additional + permission to link the program and your derivative works with the + separately licensed software that they have either included with + the program or referenced in the documentation. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License, version 2.0, for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#ifndef PERCONA_KEYRING_ENCRYPTED_FILE_BACKEND_INCLUDED +#define PERCONA_KEYRING_ENCRYPTED_FILE_BACKEND_INCLUDED + +#include +#include //size_t +#include + +#include +#include +#include + +namespace percona_keyring_encrypted_file::backend { +class Keyring_encrypted_file_backend final { + public: + explicit Keyring_encrypted_file_backend(const std::string &keyring_file_name, + bool read_only, + const std::string &password, + uint32_t iterations); + + ~Keyring_encrypted_file_backend() = default; + + /** + Fetch data + + @param [in] metadata Key + @param [out] data Value + + @returns Status of find operation + @retval false Entry found. Check data. + @retval true Entry missing. + */ + bool get(const keyring_common::meta::Metadata &metadata, + keyring_common::data::Data &data) const; + + /** + Store data + + @param [in] metadata Key + @param [in, out] data Value + + @returns Status of store operation + @retval false Entry stored successfully + @retval true Failure + */ + + bool store(const keyring_common::meta::Metadata &metadata, + keyring_common::data::Data &data); + + /** + Erase data located at given key + + @param [in] metadata Key + @param [in] data Value - not used. + + @returns Status of erase operation + @retval false Data deleted + @retval true Could not find or delete data + */ + bool erase(const keyring_common::meta::Metadata &metadata, + keyring_common::data::Data &data); + + /** + Generate random data and store it + + @param [in] metadata Key + @param [out] data Generated value + @param [in] length Length of data to be generated + + @returns Status of generate + store operation + @retval false Data generated and stored successfully + @retval true Error + + */ + bool generate(const keyring_common::meta::Metadata &metadata, + keyring_common::data::Data &data, size_t length); + + /** + Populate cache + + @param [in] operations Handle to operations class + + @returns status of cache insertion + @retval false Success + @retval true Failure + */ + bool load_cache(keyring_common::operations::Keyring_operations< + Keyring_encrypted_file_backend> &operations); + + /** Maximum data length supported */ + size_t maximum_data_length() const { return 16384; } + + /** Get number of elements stored in backend */ + size_t size() const { return json_writer_.num_elements(); } + + /** Validity */ + bool valid() const { return valid_; } + + private: + /* + On-disk format v1: + [version:1][salt:32][iterations:4 BE][iv:16][ciphertext] + */ + static constexpr size_t k_version_size = 1; + static constexpr size_t k_salt_size = 32; + static constexpr size_t k_iv_size = 16; + /* 1 (version) + 32 (salt) + 4 (iterations) + 16 (iv) */ + static constexpr size_t k_header_size = + k_version_size + k_salt_size + sizeof(uint32_t) + k_iv_size; + static_assert(k_header_size == (1 + 32 + 4 + 16), + "v1: Header size must be 53 bytes"); + /** + Write existing data to file. + This function overwrites existing data stored in the file. + + @returns Status of write operation. + @retval false Successfully written data to file + @retval true Error writing data to file + */ + bool write_to_file(); + + /** Create data file if missing */ + void create_file_if_missing(const std::string &file_name); + + /** + Encrypt plaintext using AES-256-CBC with a PBKDF2-derived key. + Output format: [version:1][salt:32][iterations:4BE][iv:16][ciphertext]. + + @param [in] plaintext Data to encrypt + @param [out] ciphertext Encrypted output + + @returns Status of encrypt operation + @retval false Success + @retval true Error + */ + bool encrypt_data(const std::string &plaintext, std::string &ciphertext); + + /** + Decrypt data previously produced by encrypt_data(). + Expects v1 format: [version:1][salt:32][iterations:4BE][iv:16][ciphertext]. + + @param [in] raw Raw bytes read from file + @param [out] plaintext Decrypted output + + @returns Status of decrypt operation + @retval false Success + @retval true Error (wrong password, truncated input, or corrupt data) + */ + bool decrypt_data(const std::string &raw, std::string &plaintext); + + /** Keyring file */ + std::string keyring_file_name_; + + /** Read only flag */ + bool read_only_; + + /** Password to be used to encrypt/decrypt file */ + std::string password_; + + /** PBKDF2 iteration count used when writing the file */ + uint32_t iterations_; + + /** In memory cache for keyring data */ + keyring_common::json_data::Json_writer json_writer_; + + /** Validity */ + bool valid_; +}; +} // namespace percona_keyring_encrypted_file::backend + +#endif // !PERCONA_KEYRING_ENCRYPTED_FILE_BACKEND_INCLUDED diff --git a/components/keyrings/percona_keyring_encrypted_file/component_callbacks.cc b/components/keyrings/percona_keyring_encrypted_file/component_callbacks.cc new file mode 100644 index 000000000000..02122f91a9e3 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/component_callbacks.cc @@ -0,0 +1,44 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include "percona_keyring_encrypted_file.h" + +namespace keyring_common::service_implementation { + +bool Component_callbacks::keyring_initialized() { + return percona_keyring_encrypted_file::g_keyring_file_inited; +} + +bool Component_callbacks::create_config( + std::unique_ptr &metadata) { + return percona_keyring_encrypted_file::config::create_config(metadata); +} + +} // namespace keyring_common::service_implementation + +namespace percona_keyring_encrypted_file { +/** Component callbacks */ +keyring_common::service_implementation::Component_callbacks + *g_component_callbacks = nullptr; +} // namespace percona_keyring_encrypted_file diff --git a/components/keyrings/percona_keyring_encrypted_file/config/config.cc b/components/keyrings/percona_keyring_encrypted_file/config/config.cc new file mode 100644 index 000000000000..0c2c36ab4b5d --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/config/config.cc @@ -0,0 +1,258 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License, version 2.0, + as published by the Free Software Foundation. + + This program is designed to work with certain software (including + but not limited to OpenSSL) that is licensed under separate terms, + as designated in a particular file or component or in included license + documentation. The authors of MySQL hereby grant you an additional + permission to link the program and your derivative works with the + separately licensed software that they have either included with + the program or referenced in the documentation. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License, version 2.0, for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include +#include + +#include "my_rapidjson_size_t.h" + +#include +#include +#include + +#include + +#include /* Config_reader */ +#include + +using keyring_common::config::Config_reader; +using percona_keyring_encrypted_file::g_config_pod; + +/** + In order to locate a shared library, we need it to export at least + one symbol. This way dlsym/GetProcAddress will be able to find it. +*/ +DLL_EXPORT int keyring_file_component_exported_symbol() { return 0; } + +namespace percona_keyring_encrypted_file::config { + +char *g_component_path = nullptr; +char *g_instance_path = nullptr; + +/* Component metadata */ +static const char *s_component_metadata[][2] = { + {"Component_name", "component_percona_keyring_encrypted_file"}, + {"Author", "Percona"}, + {"License", "GPL"}, + {"Implementation_name", "component_percona_keyring_encrypted_file"}, + {"Version", "1.0"}}; + +/* Config file name */ +const std::string config_file_name = + "component_percona_keyring_encrypted_file.cnf"; + +/* Config names */ +const std::string config_options[] = {"read_local_config", "path", + "read_only", "password", + "password_file", "iterations"}; + +template +bool get_mandatory_element(const std::unique_ptr &config_reader, + const std::string &element_name, T &element_value, + std::string &err) { + if (config_reader->get_element(element_name, element_value)) { + err = "Could not find '" + element_name + "' value in configuration file"; + return true; + } + return false; +} + +bool find_and_read_config_file(std::unique_ptr &config_pod, + std::string &err) { + config_pod = std::make_unique(); + if (!config_pod) { + err = "Failed to allocate memory for configuration details"; + return true; + } + /* Get shared library location */ + std::string path(g_component_path); + + auto set_config_path = [](std::string &full_path) -> bool { + if (full_path.length() == 0) return true; +#ifdef _WIN32 + full_path += "\\"; +#else + full_path += "/"; +#endif + full_path.append(config_file_name); + return false; + }; + if (set_config_path(path)) { + err = "Failed to set path to configuration file"; + return true; + } + + /* Read config file that's located at shared library location */ + std::unique_ptr config_reader(new (std::nothrow) + Config_reader(path)); + if (!config_reader->is_valid(err)) goto error; + { + bool read_local_config = false; + if (!config_reader->get_element(config_options[0], + read_local_config)) { + if (read_local_config) { + config_reader.reset(); + /* + Read config file from current working directory + We assume that when control reaches here, binary has set + current working directory appropriately. + */ + std::string instance_path(g_instance_path); + if (set_config_path(instance_path)) instance_path = config_file_name; + config_reader = std::make_unique(instance_path); + if (!config_reader->is_valid(err)) goto error; + } + } + } + if (get_mandatory_element(config_reader, config_options[1], + config_pod->config_file_path_, err)) + goto error; + if (get_mandatory_element(config_reader, config_options[2], + config_pod->read_only_, err)) + goto error; + { + const bool has_password = !config_reader->has_element(config_options[3]); + const bool has_password_file = + !config_reader->has_element(config_options[4]); + + if (!has_password && !has_password_file) { + err = + "Either 'password' or 'password_file' must be specified in " + "configuration file"; + goto error_custom; + } + if (has_password && has_password_file) { + err = + "Only one of 'password' or 'password_file' may be specified in " + "configuration file"; + goto error_custom; + } + + if (has_password) { + if (config_reader->get_element(config_options[3], + config_pod->password_)) { + err = "Could not find 'password' value in configuration file"; + goto error_custom; + } + } else { + if (config_reader->get_element(config_options[4], + config_pod->password_file_)) { + err = "Could not find 'password_file' value in configuration file"; + goto error_custom; + } + std::ifstream pf(config_pod->password_file_, + std::ios::in | std::ios::binary | std::ios::ate); + if (!pf.is_open()) { + err = "Could not open password file: " + config_pod->password_file_; + goto error_custom; + } + auto sz = pf.tellg(); + pf.seekg(0); + config_pod->password_.resize(static_cast(sz)); + pf.read(&config_pod->password_[0], sz); + if (pf.fail()) { + err = + "Failed to read password from file: " + config_pod->password_file_; + goto error_custom; + } + } + } + { + uint32_t iterations = 600000; + if (!config_reader->get_element(config_options[5], iterations)) + config_pod->iterations_ = iterations; + } + return false; +error_custom: + config_pod.reset(); + return true; +error: + config_pod.reset(); + return true; +} + +bool create_config( + std::unique_ptr>> + &metadata) { + metadata = + std::make_unique>>(); + if (metadata == nullptr) return true; + percona_keyring_encrypted_file::config::Config_pod config_pod; + bool global_config_available = false; + if (g_config_pod != nullptr) { + config_pod = *g_config_pod; + global_config_available = true; + } + + for (const auto *entry : + percona_keyring_encrypted_file::config::s_component_metadata) { + metadata->push_back(std::make_pair(entry[0], entry[1])); + } + + /* Status */ + metadata->push_back(std::make_pair( + "Component_status", percona_keyring_encrypted_file::g_component_callbacks + ->keyring_initialized() + ? "Active" + : "Disabled")); + + /* Backend file */ + metadata->push_back(std::make_pair( + "Data_file", + (global_config_available ? ((config_pod.config_file_path_.length() == 0) + ? "" + : config_pod.config_file_path_) + : ""))); + + /* Read only flag */ + metadata->push_back(std::make_pair( + "Read_only", + (global_config_available ? (config_pod.read_only_ ? "Yes" : "No") + : ""))); + + /* Password */ + metadata->push_back(std::make_pair( + "Password", + (global_config_available + ? (config_pod.password_.length() == 0 ? "" : "") + : ""))); + + /* Password_file */ + metadata->push_back(std::make_pair( + "Password_file", + (global_config_available ? (config_pod.password_file_.length() == 0 + ? "" + : config_pod.password_file_) + : ""))); + + /* Iterations */ + metadata->push_back( + std::make_pair("Iterations", global_config_available + ? std::to_string(config_pod.iterations_) + : "")); + + return false; +} + +} // namespace percona_keyring_encrypted_file::config diff --git a/components/keyrings/percona_keyring_encrypted_file/config/config.h b/components/keyrings/percona_keyring_encrypted_file/config/config.h new file mode 100644 index 000000000000..5e294df28ddb --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/config/config.h @@ -0,0 +1,78 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License, version 2.0, + as published by the Free Software Foundation. + + This program is designed to work with certain software (including + but not limited to OpenSSL) that is licensed under separate terms, + as designated in a particular file or component or in included license + documentation. The authors of MySQL hereby grant you an additional + permission to link the program and your derivative works with the + separately licensed software that they have either included with + the program or referenced in the documentation. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License, version 2.0, for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#ifndef PERCONA_KEYRING_ENCRYPTED_FILE_CONFIG_INCLUDED +#define PERCONA_KEYRING_ENCRYPTED_FILE_CONFIG_INCLUDED + +#include +#include +#include +#include + +namespace percona_keyring_encrypted_file::config { + +/* Component path */ +extern char *g_component_path; + +/* Instance path */ +extern char *g_instance_path; + +/* Config details */ +class Config_pod { + public: + std::string config_file_path_; + std::string password_; + std::string password_file_; + bool read_only_; + uint32_t iterations_{600000}; +}; + +/** + Read configuration file + + @param [out] config_pod Configuration details + @param [out] err Error message + + @returns status of read operation + @retval false Success + @retval true Failure +*/ +bool find_and_read_config_file(std::unique_ptr &config_pod, + std::string &err); + +/** + Create configuration vector + + @param [out] metadata Configuration data + + @returns status of read operation + @retval false Success + @retval true Failure +*/ +bool create_config( + std::unique_ptr>> + &metadata); +} // namespace percona_keyring_encrypted_file::config + +#endif // !PERCONA_KEYRING_ENCRYPTED_FILE_CONFIG_INCLUDED diff --git a/components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.cc b/components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.cc new file mode 100644 index 000000000000..7aa4d462a7ff --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.cc @@ -0,0 +1,325 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include +#include + +#include "percona_keyring_encrypted_file.h" + +/* Keyring_encryption_service_impl */ +#include +/* Keyring_generator_service_impl */ +#include +/* Keyring_load_service_impl */ +#include +/* Keyring_keys_metadata_iterator_service_impl */ +#include +/* Log_builtins_keyring */ +#include +/* Keyring_metadata_query_service_impl */ +#include +/* Keyring_reader_service_impl */ +#include +/* Keyring_writer_service_impl */ +#include + +/* clang-format off */ +/** + @page PAGE_COMPONENT_PERCONA_KEYRING_ENCRYPTED_FILE component_percona_keyring_encrypted_file + + This is keyring component services' implementation with encrypted file as backend to + store data. This component implements following keyring services: + + - keyring_aes + - keyring_generate + - keyring_keys_metadata_iterator + - keyring_component_status + - keyring_metadata_query + - keyring_reader + - keyring_reload + - keyring_writer + + Data is stored in JSON format. + @code + { + "version": "1.0", + "elements": [ + { + "user": "", + "data_id": "", + "data_type": "", + "data": "", + "extension": [] + }, + ... + ... + ] + } + @endcode + + For most parts, component_percona_keyring_encrypted_file relies on keyring_common library + for implementation. + + The component relies on component_percona_keyring_encrypted_file.cnf file for configuration. + + Location of this configuration file is same directory where component_percona_keyring_encrypted_file + shared library is located. This configuration file should contain information + in one of the following formats. + + 1. Signal component to read configuration from current working directory + @code + { + "read_local_config": true + } + @endcode + + 2. Details of data file and nature of keyring + @code + { + "path": , + "read_only": + } + @endcode + + If configuration file co-located with shared library signals to read + configuration locally, current working directory is searched for + component_percona_keyring_encrypted_file.cnf and expected format is 2. + + The component exposes following status information through + keyring_metadata_query service implementation. + + 1. Name of the keyring + 2. Author + 3. Implementation name + 4. Version + 5. Component status + 6. Data file location + 7. Read only status + + + Note: Implementation does not provide concurrency control. + That is responsibility of users of the services. + +*/ +/* clang-format on */ + +using keyring_common::operations::Keyring_operations; +using percona_keyring_encrypted_file::backend::Keyring_encrypted_file_backend; +using percona_keyring_encrypted_file::config::Config_pod; +using percona_keyring_encrypted_file::config::g_component_path; +using percona_keyring_encrypted_file::config::g_instance_path; + +/** Dependencies */ +REQUIRES_SERVICE_PLACEHOLDER(log_builtins); +REQUIRES_SERVICE_PLACEHOLDER(log_builtins_string); + +SERVICE_TYPE(log_builtins) * log_bi; +SERVICE_TYPE(log_builtins_string) * log_bs; + +namespace percona_keyring_encrypted_file { +/** Keyring operations object */ +Keyring_operations *g_keyring_operations = + nullptr; + +/** Keyring data source */ +Config_pod *g_config_pod = nullptr; + +/** Keyring state */ +bool g_keyring_file_inited = false; + +/** + Set path to component + + @param [in] component_path Path to component library + @param [in] instance_path Path to instance specific config + + @returns initialization status + @retval false Successful initialization + @retval true Error +*/ +bool set_paths(const char *component_path, const char *instance_path) { + char *save_c = g_component_path; + char *save_i = g_instance_path; + g_component_path = strdup(component_path != nullptr ? component_path : ""); + g_instance_path = strdup(instance_path != nullptr ? instance_path : ""); + if (g_component_path == nullptr || g_instance_path == nullptr) { + g_component_path = save_c; + g_instance_path = save_i; + return true; + } + + if (save_c != nullptr) free(save_c); + if (save_i != nullptr) free(save_i); + return false; +} + +/** + Initialize or re-initialize keyring. + 1. Read configuration file + 2. Read keyring file + 3. Initialize internal cache + + @param [out] err Error message + + @returns Status of read operations + @retval false Read config and data + @retval true Error reading config or data. + Existing data remains as it is. +*/ +bool init_or_reinit_keyring(std::string &err) { + /* Get config */ + std::unique_ptr new_config_pod; + if (percona_keyring_encrypted_file::config::find_and_read_config_file( + new_config_pod, err)) + return true; + + /* Initialize backend handler */ + std::unique_ptr new_backend = + std::make_unique( + new_config_pod->config_file_path_, new_config_pod->read_only_, + new_config_pod->password_, new_config_pod->iterations_); + if (!new_backend || !new_backend->valid()) { + err = "Failed to initialize keyring backend"; + return true; + } + + /* Create new operations class */ + auto *new_operations = + new (std::nothrow) Keyring_operations( + true, new_backend.release()); + if (new_operations == nullptr) { + err = "Failed to allocate memory for keyring operations"; + return true; + } + + if (!new_operations->valid()) { + delete new_operations; + err = "Failed to initialize keyring operations"; + return true; + } + + std::swap(g_keyring_operations, new_operations); + const Config_pod *current = g_config_pod; + g_config_pod = new_config_pod.release(); + delete current; + delete new_operations; + return false; +} + +/** + Initialization function for component - Used when loading the component +*/ +static mysql_service_status_t keyring_encrypted_file_init() { + log_bi = mysql_service_log_builtins; + log_bs = mysql_service_log_builtins_string; + g_component_callbacks = new (std::nothrow) + keyring_common::service_implementation::Component_callbacks(); + + return 0; +} + +/** + De-initialization function for component - Used when unloading the component +*/ +static mysql_service_status_t keyring_encrypted_file_deinit() { + g_keyring_file_inited = false; + if (g_component_path) free(g_component_path); + g_component_path = nullptr; + if (g_instance_path) free(g_instance_path); + g_instance_path = nullptr; + + delete g_keyring_operations; + g_keyring_operations = nullptr; + + delete g_config_pod; + g_config_pod = nullptr; + + delete g_component_callbacks; + g_component_callbacks = nullptr; + + return 0; +} + +} // namespace percona_keyring_encrypted_file + +/** ======================================================================= */ + +/** Component declaration related stuff */ + +/** This component provides implementation of following component services */ +KEYRING_AES_IMPLEMENTOR(component_percona_keyring_encrypted_file); +KEYRING_GENERATOR_IMPLEMENTOR(component_percona_keyring_encrypted_file); +KEYRING_LOAD_IMPLEMENTOR(component_percona_keyring_encrypted_file); +KEYRING_KEYS_METADATA_FORWARD_ITERATOR_IMPLEMENTOR( + component_percona_keyring_encrypted_file); +KEYRING_COMPONENT_STATUS_IMPLEMENTOR(component_percona_keyring_encrypted_file); +KEYRING_COMPONENT_METADATA_QUERY_IMPLEMENTOR( + component_percona_keyring_encrypted_file); +KEYRING_READER_IMPLEMENTOR(component_percona_keyring_encrypted_file); +KEYRING_WRITER_IMPLEMENTOR(component_percona_keyring_encrypted_file); +/* Used if log_builtins is not available */ +KEYRING_LOG_BUILTINS_IMPLEMENTOR(component_percona_keyring_encrypted_file); +KEYRING_LOG_BUILTINS_STRING_IMPLEMENTOR( + component_percona_keyring_encrypted_file); + +/** Component provides */ +BEGIN_COMPONENT_PROVIDES(component_percona_keyring_encrypted_file) +PROVIDES_SERVICE(component_percona_keyring_encrypted_file, keyring_aes), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, + keyring_generator), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, keyring_load), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, + keyring_keys_metadata_iterator), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, + keyring_component_status), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, + keyring_component_metadata_query), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, + keyring_reader_with_status), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, keyring_writer), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, log_builtins), + PROVIDES_SERVICE(component_percona_keyring_encrypted_file, + log_builtins_string), + END_COMPONENT_PROVIDES(); + +/** List of dependencies */ +BEGIN_COMPONENT_REQUIRES(component_percona_keyring_encrypted_file) +REQUIRES_SERVICE(log_builtins), REQUIRES_SERVICE(log_builtins_string), + END_COMPONENT_REQUIRES(); + +/** Component description */ +BEGIN_COMPONENT_METADATA(component_percona_keyring_encrypted_file) +METADATA("mysql.author", "Percona"), METADATA("mysql.license", "GPL"), + METADATA("component_keyring_file_service", "1"), END_COMPONENT_METADATA(); + +/** Component declaration */ +DECLARE_COMPONENT(component_percona_keyring_encrypted_file, + "component_percona_keyring_encrypted_file") +percona_keyring_encrypted_file::keyring_encrypted_file_init, + percona_keyring_encrypted_file::keyring_encrypted_file_deinit + END_DECLARE_COMPONENT(); + +/** Component contained in this library */ +DECLARE_LIBRARY_COMPONENTS &COMPONENT_REF( + component_percona_keyring_encrypted_file) END_DECLARE_LIBRARY_COMPONENTS diff --git a/components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.h b/components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.h new file mode 100644 index 000000000000..ebad09480924 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/percona_keyring_encrypted_file.h @@ -0,0 +1,67 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include +#include +#include +#include + +#include +#include +#include /* LogComponentErr */ +#include "mysql/components/component_implementation.h" +#include "mysql/components/services/registry.h" +#include "mysqld_error.h" /* Errors */ + +#include "backend/backend.h" +#include "config/config.h" + +extern SERVICE_TYPE(log_builtins) * log_bi; +extern SERVICE_TYPE(log_builtins_string) * log_bs; + +extern REQUIRES_SERVICE_PLACEHOLDER(registry); +extern REQUIRES_SERVICE_PLACEHOLDER(log_builtins); +extern REQUIRES_SERVICE_PLACEHOLDER(log_builtins_string); + +namespace percona_keyring_encrypted_file { +/** Keyring operations object */ +extern keyring_common::operations::Keyring_operations< + backend::Keyring_encrypted_file_backend> *g_keyring_operations; + +/** Component callbacks */ +extern keyring_common::service_implementation::Component_callbacks + *g_component_callbacks; + +/** Keyring data source */ +extern config::Config_pod *g_config_pod; + +/** Keyring state */ +extern bool g_keyring_file_inited; + +/* Initialize keyring */ +bool init_or_reinit_keyring(std::string &err); + +bool set_paths(const char *component_path, const char *instance_path); + +} // namespace percona_keyring_encrypted_file diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_encryption_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_encryption_service_definition.cc new file mode 100644 index 000000000000..d87134f2f071 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_encryption_service_definition.cc @@ -0,0 +1,73 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include + +#include +#include + +using percona_keyring_encrypted_file::g_component_callbacks; +using percona_keyring_encrypted_file::g_keyring_operations; +using percona_keyring_encrypted_file::backend::Keyring_encrypted_file_backend; +namespace keyring_common { + +using service_implementation::aes_decrypt_template; +using service_implementation::aes_encrypt_template; +using service_implementation::aes_get_encrypted_size_template; + +namespace service_definition { + +DEFINE_BOOL_METHOD(Keyring_aes_service_impl::get_size, + (size_t input_length, const char *mode, size_t block_size, + size_t *out_size)) { + return aes_get_encrypted_size_template(input_length, mode, block_size, + out_size); +} + +DEFINE_BOOL_METHOD(Keyring_aes_service_impl::encrypt, + (const char *data_id, const char *auth_id, const char *mode, + size_t block_size, const unsigned char *iv, int padding, + const unsigned char *data_buffer, size_t data_buffer_length, + unsigned char *out_buffer, size_t out_buffer_length, + size_t *out_length)) { + return aes_encrypt_template( + data_id, auth_id, mode, block_size, iv, padding, data_buffer, + data_buffer_length, out_buffer, out_buffer_length, out_length, + *g_keyring_operations, *g_component_callbacks); +} + +DEFINE_BOOL_METHOD(Keyring_aes_service_impl::decrypt, + (const char *data_id, const char *auth_id, const char *mode, + size_t block_size, const unsigned char *iv, int padding, + const unsigned char *data_buffer, size_t data_buffer_length, + unsigned char *out_buffer, size_t out_buffer_length, + size_t *out_length)) { + return aes_decrypt_template( + data_id, auth_id, mode, block_size, iv, padding, data_buffer, + data_buffer_length, out_buffer, out_buffer_length, out_length, + *g_keyring_operations, *g_component_callbacks); +} + +} // namespace service_definition +} // namespace keyring_common diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_generator_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_generator_service_definition.cc new file mode 100644 index 000000000000..11968970d3d2 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_generator_service_definition.cc @@ -0,0 +1,49 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include /* Globals */ + +#include +#include + +using percona_keyring_encrypted_file::g_component_callbacks; +using percona_keyring_encrypted_file::g_keyring_operations; +using percona_keyring_encrypted_file::backend::Keyring_encrypted_file_backend; + +namespace keyring_common { + +using service_implementation::generate_template; + +namespace service_definition { + +DEFINE_BOOL_METHOD(Keyring_generator_service_impl::generate, + (const char *data_id, const char *auth_id, + const char *data_type, size_t data_size)) { + return generate_template( + data_id, auth_id, data_type, data_size, *g_keyring_operations, + *g_component_callbacks); +} + +} // namespace service_definition +} // namespace keyring_common diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_keys_metadata_iterator_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_keys_metadata_iterator_service_definition.cc new file mode 100644 index 000000000000..e417518cf1e0 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_keys_metadata_iterator_service_definition.cc @@ -0,0 +1,117 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include + +#include /* Globals */ + +#include +#include + +using percona_keyring_encrypted_file::g_component_callbacks; +using percona_keyring_encrypted_file::g_keyring_operations; +using percona_keyring_encrypted_file::backend::Keyring_encrypted_file_backend; + +namespace keyring_common::service_definition { + +using service_implementation::deinit_keys_metadata_iterator_template; +using service_implementation::init_keys_metadata_iterator_template; +using service_implementation::keys_metadata_get_length_template; +using service_implementation::keys_metadata_get_template; +using service_implementation::keys_metadata_iterator_is_valid; +using service_implementation::keys_metadata_iterator_next; +DEFINE_BOOL_METHOD(Keyring_keys_metadata_iterator_service_impl::init, + (my_h_keyring_keys_metadata_iterator * forward_iterator)) { + std::unique_ptr> it; + const bool retval = + init_keys_metadata_iterator_template( + it, *g_keyring_operations, *g_component_callbacks); + if (!retval) + *forward_iterator = + reinterpret_cast(it.release()); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_keys_metadata_iterator_service_impl::deinit, + (my_h_keyring_keys_metadata_iterator forward_iterator)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(forward_iterator)); + return deinit_keys_metadata_iterator_template( + it, *g_keyring_operations, *g_component_callbacks); +} + +DEFINE_BOOL_METHOD(Keyring_keys_metadata_iterator_service_impl::is_valid, + (my_h_keyring_keys_metadata_iterator forward_iterator)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(forward_iterator)); + const bool retval = + keys_metadata_iterator_is_valid( + it, *g_keyring_operations, *g_component_callbacks); + /* Make sure we don't free the pointer */ + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_keys_metadata_iterator_service_impl::next, + (my_h_keyring_keys_metadata_iterator forward_iterator)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(forward_iterator)); + const bool retval = + keys_metadata_iterator_next( + it, *g_keyring_operations, *g_component_callbacks); + /* Make sure we don't free the pointer */ + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_keys_metadata_iterator_service_impl::get_length, + (my_h_keyring_keys_metadata_iterator forward_iterator, + size_t *data_id_length, size_t *auth_id_length)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(forward_iterator)); + const bool retval = + keys_metadata_get_length_template( + it, data_id_length, auth_id_length, *g_keyring_operations, + *g_component_callbacks); + /* Make sure we don't free the pointer */ + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_keys_metadata_iterator_service_impl::get, + (my_h_keyring_keys_metadata_iterator forward_iterator, + char *data_id, size_t data_id_length, char *auth_id, + size_t auth_id_length)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(forward_iterator)); + const bool retval = + keys_metadata_get_template( + it, data_id, data_id_length, auth_id, auth_id_length, + *g_keyring_operations, *g_component_callbacks); + /* Make sure we don't free the pointer */ + (void)it.release(); + return retval; +} + +} // namespace keyring_common::service_definition diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_load_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_load_service_definition.cc new file mode 100644 index 000000000000..9ead171bff67 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_load_service_definition.cc @@ -0,0 +1,68 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include + +#include +#include + +using percona_keyring_encrypted_file::g_keyring_file_inited; +using percona_keyring_encrypted_file::init_or_reinit_keyring; +using percona_keyring_encrypted_file::set_paths; + +namespace keyring_common::service_definition { + +DEFINE_BOOL_METHOD(Keyring_load_service_impl::load, + (const char *component_path, const char *instance_path)) { + /* This component provides log_builtins itself, so the dynamic loader skips + acquiring it during init() (service is in services_provided). By the time + load() is called, load_do_acquire has filled mysql_service_log_builtins + from the registry. Re-initialize log_bi/log_bs here so LogComponentErr + works correctly throughout this function and its callees. */ + log_bi = mysql_service_log_builtins; + log_bs = mysql_service_log_builtins_string; + std::string err; + try { + if (set_paths(component_path, instance_path)) { + LogComponentErr(ERROR_LEVEL, ER_KEYRING_COMPONENT_NOT_INITIALIZED, + "Failed to set path to component"); + return true; + } + + if (init_or_reinit_keyring(err)) { + LogComponentErr(ERROR_LEVEL, ER_KEYRING_COMPONENT_NOT_INITIALIZED, + err.c_str()); + return true; + } + g_keyring_file_inited = true; + LogComponentErr(INFORMATION_LEVEL, ER_NOTE_KEYRING_COMPONENT_INITIALIZED); + return false; + } catch (...) { + LogComponentErr(ERROR_LEVEL, ER_KEYRING_COMPONENT_NOT_INITIALIZED, + "Got an exception while loading component"); + return true; + } +} + +} // namespace keyring_common::service_definition diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_metadata_query_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_metadata_query_service_definition.cc new file mode 100644 index 000000000000..0ec937a1b06a --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_metadata_query_service_definition.cc @@ -0,0 +1,116 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include + +#include +#include + +using percona_keyring_encrypted_file::g_component_callbacks; +namespace keyring_common { + +using service_implementation::config_vector; +using service_implementation::keyring_metadata_query_deinit_template; +using service_implementation::keyring_metadata_query_get_length_template; +using service_implementation::keyring_metadata_query_get_template; +using service_implementation::keyring_metadata_query_init_template; +using service_implementation::keyring_metadata_query_is_valid_template; +using service_implementation:: + keyring_metadata_query_keyring_initialized_template; +using service_implementation::keyring_metadata_query_next_template; + +namespace service_definition { + +DEFINE_BOOL_METHOD(Keyring_metadata_query_service_impl::is_initialized, ()) { + return keyring_metadata_query_keyring_initialized_template( + *g_component_callbacks); +} + +DEFINE_BOOL_METHOD(Keyring_metadata_query_service_impl::init, + (my_h_keyring_component_metadata_iterator * + metadata_iterator)) { + *metadata_iterator = nullptr; + std::unique_ptr it; + const bool retval = + keyring_metadata_query_init_template(it, *g_component_callbacks); + if (!retval) + *metadata_iterator = + reinterpret_cast( + it.release()); + return retval; +} + +DEFINE_BOOL_METHOD( + Keyring_metadata_query_service_impl::deinit, + (my_h_keyring_component_metadata_iterator metadata_iterator)) { + std::unique_ptr it; + it.reset(reinterpret_cast(metadata_iterator)); + return keyring_metadata_query_deinit_template(it); +} + +DEFINE_BOOL_METHOD( + Keyring_metadata_query_service_impl::is_valid, + (my_h_keyring_component_metadata_iterator metadata_iterator)) { + std::unique_ptr it; + it.reset(reinterpret_cast(metadata_iterator)); + const bool retval = keyring_metadata_query_is_valid_template(it); + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD( + Keyring_metadata_query_service_impl::next, + (my_h_keyring_component_metadata_iterator metadata_iterator)) { + std::unique_ptr it; + it.reset(reinterpret_cast(metadata_iterator)); + const bool retval = keyring_metadata_query_next_template(it); + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_metadata_query_service_impl::get_length, + (my_h_keyring_component_metadata_iterator metadata_iterator, + size_t *key_buffer_length, size_t *value_buffer_length)) { + std::unique_ptr it; + it.reset(reinterpret_cast(metadata_iterator)); + const bool retval = keyring_metadata_query_get_length_template( + it, key_buffer_length, value_buffer_length); + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_metadata_query_service_impl::get, + (my_h_keyring_component_metadata_iterator metadata_iterator, + char *key_buffer, size_t key_buffer_len, char *value_buffer, + size_t value_buffer_len)) { + std::unique_ptr it; + it.reset(reinterpret_cast(metadata_iterator)); + const bool retval = keyring_metadata_query_get_template( + key_buffer, key_buffer_len, value_buffer, value_buffer_len, it); + (void)it.release(); + return retval; +} + +} // namespace service_definition +} // namespace keyring_common diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_reader_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_reader_service_definition.cc new file mode 100644 index 000000000000..d4e89dd2020b --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_reader_service_definition.cc @@ -0,0 +1,93 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include + +#include +#include + +using percona_keyring_encrypted_file::g_component_callbacks; +using percona_keyring_encrypted_file::g_keyring_operations; +using percona_keyring_encrypted_file::backend::Keyring_encrypted_file_backend; + +namespace keyring_common { + +using service_implementation::deinit_reader_template; +using service_implementation::fetch_length_template; +using service_implementation::fetch_template; +using service_implementation::init_reader_template; + +namespace service_definition { + +DEFINE_BOOL_METHOD(Keyring_reader_service_impl::init, + (const char *data_id, const char *auth_id, + my_h_keyring_reader_object *reader_object)) { + std::unique_ptr> it; + const int retval = init_reader_template( + data_id, auth_id, it, *g_keyring_operations, *g_component_callbacks); + *reader_object = nullptr; + if (retval == 1) + *reader_object = reinterpret_cast(it.release()); + return retval < 0; +} + +DEFINE_BOOL_METHOD(Keyring_reader_service_impl::deinit, + (my_h_keyring_reader_object reader_object)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(reader_object)); + return deinit_reader_template( + it, *g_keyring_operations, *g_component_callbacks); +} + +DEFINE_BOOL_METHOD(Keyring_reader_service_impl::fetch_length, + (my_h_keyring_reader_object reader_object, size_t *data_size, + size_t *data_type_size)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(reader_object)); + const bool retval = fetch_length_template( + it, data_size, data_type_size, *g_keyring_operations, + *g_component_callbacks); + /* Make sure we don't free the pointer */ + (void)it.release(); + return retval; +} + +DEFINE_BOOL_METHOD(Keyring_reader_service_impl::fetch, + (my_h_keyring_reader_object reader_object, + unsigned char *data_buffer, size_t data_buffer_length, + size_t *data_size, char *data_type_buffer, + size_t data_type_buffer_length, size_t *data_type_size)) { + std::unique_ptr> it; + it.reset(reinterpret_cast *>(reader_object)); + const bool retval = fetch_template( + it, data_buffer, data_buffer_length, data_size, data_type_buffer, + data_type_buffer_length, data_type_size, *g_keyring_operations, + *g_component_callbacks); + /* Make sure we don't free the pointer */ + (void)it.release(); + return retval; +} + +} // namespace service_definition +} // namespace keyring_common diff --git a/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_writer_service_definition.cc b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_writer_service_definition.cc new file mode 100644 index 000000000000..2a43c3c3af55 --- /dev/null +++ b/components/keyrings/percona_keyring_encrypted_file/service_implementation/keyring_writer_service_definition.cc @@ -0,0 +1,56 @@ +/* Copyright (c) 2021, 2026, Oracle and/or its affiliates. + Copyright (c) 2026 Percona LLC and/or its affiliates. All rights reserved. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License, version 2.0, +as published by the Free Software Foundation. + +This program is designed to work with certain software (including +but not limited to OpenSSL) that is licensed under separate terms, +as designated in a particular file or component or in included license +documentation. The authors of MySQL hereby grant you an additional +permission to link the program and your derivative works with the +separately licensed software that they have either included with +the program or referenced in the documentation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License, version 2.0, for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ + +#include + +#include +#include + +using percona_keyring_encrypted_file::g_component_callbacks; +using percona_keyring_encrypted_file::g_keyring_operations; +using percona_keyring_encrypted_file::backend::Keyring_encrypted_file_backend; + +namespace keyring_common { + +using service_implementation::remove_template; +using service_implementation::store_template; + +namespace service_definition { +DEFINE_BOOL_METHOD(Keyring_writer_service_impl::store, + (const char *data_id, const char *auth_id, + const unsigned char *data, size_t data_size, + const char *data_type)) { + return store_template( + data_id, auth_id, data, data_size, data_type, *g_keyring_operations, + *g_component_callbacks); +} + +DEFINE_BOOL_METHOD(Keyring_writer_service_impl::remove, + (const char *data_id, const char *auth_id)) { + return remove_template( + data_id, auth_id, *g_keyring_operations, *g_component_callbacks); +} + +} // namespace service_definition +} // namespace keyring_common diff --git a/mysql-test/include/plugin.defs b/mysql-test/include/plugin.defs index dd6dfce62a34..bbfc05723e15 100644 --- a/mysql-test/include/plugin.defs +++ b/mysql-test/include/plugin.defs @@ -156,6 +156,7 @@ component_reference_cache plugin_output_directory no REFERENCE_CACHE_COMP # keyring file component component_keyring_file plugin_output_directory yes KEYRING_FILE_COMPONENT component_keyring_file +component_percona_keyring_encrypted_file plugin_output_directory yes PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT component_percona_keyring_encrypted_file component_keyring_kmip plugin_output_directory yes KEYRING_KMIP_COMPONENT component_keyring_kmip component_keyring_kms plugin_output_directory yes KEYRING_KMS_COMPONENT component_keyring_kms diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/have_percona_component_keyring_encrypted_file.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/have_percona_component_keyring_encrypted_file.inc new file mode 100644 index 000000000000..d701bb04048f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/have_percona_component_keyring_encrypted_file.inc @@ -0,0 +1,10 @@ +disable_query_log; + +# +# Check if the variable PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT is set +# +if (!$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT) { + --skip test requires the environment variable \$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT to be set (normally done by mtr if plugin exists), see the file plugin.defs +} + +enable_query_log; diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_setup_component.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_setup_component.inc new file mode 100644 index 000000000000..6b433c0c1479 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_setup_component.inc @@ -0,0 +1,33 @@ +# Setup test to use keyring component on replica server only + +--echo # ---------------------------------------------------------------------- +--echo # Setup + +--source include/rpl/init_source_replica.inc + +--let RPL_PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT + +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +# Create keyring config for replica server + +--source include/rpl/connection_replica.inc +--let CURRENT_DATADIR = `SELECT @@datadir` + +# Create local keyring config +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file_replica')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false , \"password\": \"secret_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +# Create local manifest file for current server instance +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +--let REPLICA_DATADIR = $CURRENT_DATADIR +--let REPLICA_KEYRING_FILE_PATH = $KEYRING_FILE_PATH + +--source include/rpl/connection_source.inc +--let CURRENT_DATADIR = `SELECT @@datadir` +--echo # ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_teardown_component.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_teardown_component.inc new file mode 100644 index 000000000000..8bf63637269c --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_replica_teardown_component.inc @@ -0,0 +1,21 @@ +# Teardown + +--echo # ---------------------------------------------------------------------- +--echo # Teardown +# Remove local manifest file for current server instance +--let CURRENT_DATADIR = $REPLICA_DATADIR +--source include/keyring_tests/helper/instance_remove_manifest.inc + +# Remove keyring file +--let KEYRING_FILE_PATH = $REPLICA_KEYRING_FILE_PATH +--source include/keyring_tests/helper/local_keyring_file_remove.inc + +# Remove local keyring config +--let CURRENT_DATADIR = $REPLICA_DATADIR +--source include/keyring_tests/helper/local_keyring_remove_config.inc + +--source include/rpl/deinit.inc + +# Restart server without manifest file +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_setup_component.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_setup_component.inc new file mode 100644 index 000000000000..5b32412ebb57 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_setup_component.inc @@ -0,0 +1,50 @@ +# Setup test to use keyring component + +--echo # ---------------------------------------------------------------------- +--echo # Setup +--let $rpl_skip_start_slave= 1 +--source include/rpl/init_source_replica.inc + +--let RPL_PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT + +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +# Create keyring config for primary server + +# Data directory location +--let CURRENT_DATADIR = `SELECT @@datadir` + +# Create local keyring config +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file_primary')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false , \"password\": \"secret_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +# Create local manifest file for current server instance +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +--let PRIMARY_DATADIR = $CURRENT_DATADIR +--let PRIMARY_KEYRING_FILE_PATH = $KEYRING_FILE_PATH + +# Create keyring config for replica server + +--source include/rpl/connection_replica.inc +--let CURRENT_DATADIR = `SELECT @@datadir` + +# Create local keyring config +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file_replica')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false , \"password\": \"secret_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +# Create local manifest file for current server instance +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +--let REPLICA_DATADIR = $CURRENT_DATADIR +--let REPLICA_KEYRING_FILE_PATH = $KEYRING_FILE_PATH + +--source include/rpl/connection_source.inc +--let CURRENT_DATADIR = `SELECT @@datadir` +--echo # ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_teardown_component.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_teardown_component.inc new file mode 100644 index 000000000000..b9d4d32d1f65 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/rpl_teardown_component.inc @@ -0,0 +1,27 @@ +# Teardown + +--echo # ---------------------------------------------------------------------- +--echo # Teardown +# Remove local manifest file for current server instance +--let CURRENT_DATADIR = $PRIMARY_DATADIR +--source include/keyring_tests/helper/instance_remove_manifest.inc +--let CURRENT_DATADIR = $REPLICA_DATADIR +--source include/keyring_tests/helper/instance_remove_manifest.inc + +# Remove keyring file +--let KEYRING_FILE_PATH = $PRIMARY_KEYRING_FILE_PATH +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--let KEYRING_FILE_PATH = $REPLICA_KEYRING_FILE_PATH +--source include/keyring_tests/helper/local_keyring_file_remove.inc + +# Remove local keyring config +--let CURRENT_DATADIR = $PRIMARY_DATADIR +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--let CURRENT_DATADIR = $REPLICA_DATADIR +--source include/keyring_tests/helper/local_keyring_remove_config.inc + +--source include/rpl/deinit.inc + +# Restart server without manifest file +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component.inc new file mode 100644 index 000000000000..4c95253cd529 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component.inc @@ -0,0 +1,27 @@ +# Setup test to use keyring component + +--echo # ---------------------------------------------------------------------- +--echo # Setup + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT + +# Data directory location +--let CURRENT_DATADIR = `SELECT @@datadir` + +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +# Create local keyring config +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false, \"password\": \"secret_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +# Create local manifest file for current server instance +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +# Restart server with manifest file +--source include/keyring_tests/helper/start_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- + diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component_customized.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component_customized.inc new file mode 100644 index 000000000000..e0bbc0bf0e5e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/setup_component_customized.inc @@ -0,0 +1,23 @@ +# Setup test to use keyring component + +--echo # ---------------------------------------------------------------------- +--echo # Setup + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT + +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` +--let GLOBAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +# Create manifest file for mysqld binary +--source include/keyring_tests/helper/binary_create_customized_manifest.inc + +# Create global keyring config +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false, \"password\": \"secret_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/global_keyring_create_customized_config.inc + +# Restart server with manifest file +--source include/keyring_tests/helper/start_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- + diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component.inc new file mode 100644 index 000000000000..af8e869c9df2 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component.inc @@ -0,0 +1,16 @@ +# Teardown + +--echo # ---------------------------------------------------------------------- +--echo # Teardown +# Remove local manifest file for current server instance +--source include/keyring_tests/helper/instance_remove_manifest.inc + +# Remove keyring file +--source include/keyring_tests/helper/local_keyring_file_remove.inc + +# Remove local keyring config +--source include/keyring_tests/helper/local_keyring_remove_config.inc + +# Restart server without manifest file +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component_customized.inc b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component_customized.inc new file mode 100644 index 000000000000..78cbd57abe9e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/inc/teardown_component_customized.inc @@ -0,0 +1,16 @@ +# Teardown + +--echo # ---------------------------------------------------------------------- +--echo # Teardown +# Remove keyring file +--source include/keyring_tests/helper/local_keyring_file_remove.inc + +# Drop global keyring config +--source include/keyring_tests/helper/global_keyring_remove_config.inc + +# Remove manifest file for mysqld binary +--source include/keyring_tests/helper/binary_remove_manifest.inc + +# Restart server without manifest file +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_rename_table.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_rename_table.result new file mode 100644 index 000000000000..f9a224e80cb8 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_rename_table.result @@ -0,0 +1,1778 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT ALL ON db2.* TO u1@localhost; +GRANT ALL ON sch1.* TO u1@localhost; +GRANT ALL ON sch2.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# The test cases run ALTER TABLE RENAME to move tables from one database +# to another, with tables using file-per-table or general +# tablespace. And these operations are run in below configuration, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting per database default encryption to 'y' and 'n' +# - Setting table's encryption mode to 'y' and 'n'. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - +# - Check for warnings generated. +# +````````````````````````````````````````````````````````` +# Test using innodb_file_per_table tablespace. +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=false +# [ALTER TABLE ... RENAME ...] Case 1 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# 1.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 1.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 1.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +# [ALTER TABLE ... RENAME ...] Case 2 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# 2.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 2.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 2.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 3 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# 3.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 3.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 3.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt2 +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +# [ALTER TABLE ... RENAME ...] Case 4 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 4.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 4.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 4.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 5 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# 5.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 5.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 5.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt2 +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +# [ALTER TABLE ... RENAME ...] Case 6 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 6.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 6.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 6.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +````````````````````````````````````````````````````````` +# Test using general tablespace. +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=false +# [ALTER TABLE ... RENAME ...] Case 7 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# 7.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 7.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 7.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 8 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# 8.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 8.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 8.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 9 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# 9.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 9.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 9.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt2 +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 10 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 10.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 10.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 10.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 11 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# 11.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 11.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 11.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt2 +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 12 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 12.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 12.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 12.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=false +# [ALTER TABLE ... RENAME ...] Case 13 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# 13.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,MODIFY f1 CHAR(30); +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 13.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,MODIFY f1 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,MODIFY f1 CHAR(30); +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 13.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,MODIFY f1 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 14 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# 14.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,MODIFY f1 CHAR(30); +# 14.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,MODIFY f1 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,MODIFY f1 CHAR(30); +# 14.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,MODIFY f1 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 15 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# 15.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,MODIFY f1 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 15.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,MODIFY f1 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,MODIFY f1 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 15.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,MODIFY f1 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt2 +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 16 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 16.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,MODIFY f1 CHAR(30); +# 16.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,MODIFY f1 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,MODIFY f1 CHAR(30); +# 16.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,MODIFY f1 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 17 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# 17.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,MODIFY f1 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,MODIFY f1 CHAR(30); +# 17.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,MODIFY f1 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,MODIFY f1 CHAR(30); +# 17.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,MODIFY f1 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt2 +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 18 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 18.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,MODIFY f1 CHAR(30); +# 18.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,MODIFY f1 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,MODIFY f1 CHAR(30); +# 18.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,MODIFY f1 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,MODIFY f1 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=false +# [ALTER TABLE ... RENAME ...] Case 19 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# 19.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,ADD f2 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,ADD f2 CHAR(30); +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 19.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,ADD f2 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,ADD f2 CHAR(30); +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 19.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,ADD f2 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 20 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# 20.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,ADD f2 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,ADD f2 CHAR(30); +# 20.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,ADD f2 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,ADD f2 CHAR(30); +# 20.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,ADD f2 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 21 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# 21.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,ADD f2 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,ADD f2 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 21.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,ADD f2 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,ADD f2 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 21.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,ADD f2 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt2 +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 22 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 22.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,ADD f2 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,ADD f2 CHAR(30); +# 22.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,ADD f2 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,ADD f2 CHAR(30); +# 22.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,ADD f2 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 23 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# 23.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,ADD f2 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,ADD f2 CHAR(30); +# 23.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,ADD f2 CHAR(30); +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,ADD f2 CHAR(30); +# 23.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,ADD f2 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt2 +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 24 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 24.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ,ADD f2 CHAR(30); +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ,ADD f2 CHAR(30); +# 24.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ,ADD f2 CHAR(30); +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ,ADD f2 CHAR(30); +# 24.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ,ADD f2 CHAR(30); +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ,ADD f2 CHAR(30); +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# Cleanup +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_table.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_table.result new file mode 100644 index 000000000000..5d26f72844e6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/alter_table.result @@ -0,0 +1,2861 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# This test run ALTER TABLE in different configurations, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting default_table_encryption to true/false. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - Test SHOW CREATE TABLE +# - Test INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS +# - Check for warnings generated. +# +# See comments in alter_table.inc for more details. +````````````````````````````````````````````````````````` +# Test using user tablespace 'ts1' +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=OFF and default per-db encryption OFF +# [ALTER TABLE] Case 1 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 2 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# Moving encrypted tablespace to unencrypted tablespace is rejected. +# [ALTER TABLE] Case 3 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 ENCRYPTION='y' +t3 +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 4 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=OFF and default per-db encryption ON +# [ALTER TABLE] Case 5 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 6 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# Moving encrypted tablespace to unencrypted tablespace is rejected. +# [ALTER TABLE] Case 7 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='y' +t3 ENCRYPTION='n' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 8 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=ON and default per-db encryption OFF +# [ALTER TABLE] Case 9 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# Request to create encrypted table to unencrypted database is rejected. +# [ALTER TABLE] Case 10 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 11 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +# Grant TABLE_ENCRYPTION_ADMIN if requested. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# Moving encrypted tablespace to unencrypted tablespace is rejected. +# [ALTER TABLE] Case 12 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 ENCRYPTION='y' +t3 +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 13 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=ON and default per-db encryption ON +# [ALTER TABLE] Case 14 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 15 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 16 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# Moving encrypted tablespace to unencrypted tablespace is rejected. +# [ALTER TABLE] Case 17 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +# Grant TABLE_ENCRYPTION_ADMIN if requested. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='y' +t3 ENCRYPTION='n' +t4 ENCRYPTION='y' +# Cleanup +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +# [ALTER TABLE] Case 18 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=ts1 ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# Using 'innodb_system' tablespace +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=OFF and default per-db encryption OFF +# [ALTER TABLE] Case 19 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 20 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 +t3 ENCRYPTION='y' +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 21 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 ENCRYPTION='y' +t3 +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 22 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=OFF and default per-db encryption ON +# [ALTER TABLE] Case 23 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 24 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='n' +t3 ENCRYPTION='y' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 25 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='y' +t3 ENCRYPTION='n' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 26 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=ON and default per-db encryption OFF +# [ALTER TABLE] Case 27 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Request to create encrypted table to unencrypted database is rejected. +# [ALTER TABLE] Case 28 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 29 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +# Grant TABLE_ENCRYPTION_ADMIN if requested. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 +t3 ENCRYPTION='y' +t4 +# Cleanup +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 30 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 ENCRYPTION='y' +t3 +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 31 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=ON and default per-db encryption ON +# [ALTER TABLE] Case 32 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 33 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='n' +t3 ENCRYPTION='y' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Request to create unencrypted table under database with default +# encryption=ON is rejected. +# [ALTER TABLE] Case 34 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 35 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +# Grant TABLE_ENCRYPTION_ADMIN if requested. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='y' +t3 ENCRYPTION='n' +t4 ENCRYPTION='y' +# Cleanup +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Creating a encrypted table is rejected in system tablespace +# [ALTER TABLE] Case 36 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Test using 'innodb_file_per_table' +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=OFF and default per-db encryption OFF +# [ALTER TABLE] Case 37 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 38 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 39 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 40 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=OFF and default per-db encryption ON +# [ALTER TABLE] Case 41 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 42 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 43 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 44 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=ON and default per-db encryption OFF +# [ALTER TABLE] Case 45 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Request to create encrypted table to database with default +# encryption=OFF is rejected. +# [ALTER TABLE] Case 46 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 47 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +# Grant TABLE_ENCRYPTION_ADMIN if requested. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 48 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 +t2 +t3 +t4 +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 49 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=ON and default per-db encryption ON +# [ALTER TABLE] Case 50 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 51 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +````````````````````````````````````````````````````````` +# Request to create unencrypted table to database with default +# encryption=ON is rejected. +# [ALTER TABLE] Case 52 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `tsA` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 53 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +# Grant TABLE_ENCRYPTION_ADMIN if requested. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +t2 ENCRYPTION='n' +t3 ENCRYPTION='n' +t4 ENCRYPTION='n' +# Cleanup +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE tsA; +# [ALTER TABLE] Case 54 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLESPACE tsA ADD DATAFILE 'ts_a.ibd' ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.t3 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +CREATE TABLE db1.t4 (f1 int) TABLESPACE=tsA ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Run ALTER TABLE and check for errors/warnings +ALTER TABLE db1.t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t2 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t3 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ALTER TABLE db1.t4 TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# Verify the ENCRYPTION clause value. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t3; +Table Create Table +t3 CREATE TABLE `t3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.t4; +Table Create Table +t4 CREATE TABLE `t4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_SCHEMA='db1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +t2 ENCRYPTION='y' +t3 ENCRYPTION='y' +t4 ENCRYPTION='y' +# Cleanup +DROP DATABASE db1; +DROP TABLESPACE tsA; +# Cleanup +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_local_encrypt.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_local_encrypt.result new file mode 100644 index 000000000000..2b779f0fd4fa --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_local_encrypt.result @@ -0,0 +1,482 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Prepare for creating Encrypted Table +# create bootstrap file +# Create and start mysqld with keyring plugin. +## Install plugin +INSTALL PLUGIN clone SONAME 'CLONE_PLUGIN'; +CREATE TABLE t1(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB); +CREATE TABLE t2(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB) +PARTITION BY KEY(col1) PARTITIONS 5; +CREATE PROCEDURE execute_dml( +p_dml_type INT, +p_key_min INT, +p_key_range INT, +p_loop_count INT, +p_frequency INT, +p_is_rand INT) +BEGIN +DECLARE v_idx INT DEFAULT 0; +DECLARE v_commit INT DEFAULT 0; +DECLARE v_key INT DEFAULT 0; +/* Loop and INSERT data at random position */ +WHILE(v_idx < p_loop_count) DO +/* Generate key between 1 to p_loop_count */ +IF p_is_rand = 1 THEN +SET v_key = p_key_min + FLOOR(RAND() * p_key_range); +ELSE +SET v_key = p_key_min + (v_idx % p_key_range); +END IF; +CASE p_dml_type +WHEN 0 THEN +SET @clol3_text = CONCAT('Clone Test Row - ', v_key); +INSERT INTO t1 VALUES(v_key, v_key * 10, +@clol3_text, REPEAT('Large Column Data ', 2048)) +ON DUPLICATE KEY UPDATE col2 = col2 + 1; +INSERT INTO t2 VALUES(v_key, v_key * 10, +@clol3_text, REPEAT('Large Column Data ', 2048)) +ON DUPLICATE KEY UPDATE col2 = col2 + 1; +WHEN 1 THEN +UPDATE t1 SET col2 = v_idx + 1 WHERE col1 = v_key; +UPDATE t2 SET col2 = v_idx + 1 WHERE col1 = v_key; +WHEN 2 THEN +DELETE FROM t1 WHERE col1 = v_key; +DELETE FROM t2 WHERE col1 = v_key; +ELSE +DELETE FROM t1; +DELETE FROM t2; +END CASE; +SET v_idx = v_idx + 1; +/* Commit or rollback work at specified frequency. */ +IF v_idx % p_frequency = 0 THEN +SET v_commit = FLOOR(RAND() * 2); +IF v_commit = 0 AND p_is_rand = 1 THEN +ROLLBACK; +START TRANSACTION; +ELSE +COMMIT; +START TRANSACTION; +END IF; +END IF; +END WHILE; +END| +# In connection default - starting clone +SET DEBUG_SYNC = 'clone_file_copy SIGNAL set_encryption WAIT_FOR resume_clone'; +SET GLOBAL clone_autotune_concurrency = OFF; +SET GLOBAL clone_max_concurrency = 8; +CLONE LOCAL DATA DIRECTORY = 'CLONE_DATADIR'; +# In connection con1 - Set redo and undo encryption +SET DEBUG_SYNC = 'now WAIT_FOR set_encryption'; +SHOW VARIABLES LIKE 'innodb_redo_log_encrypt'; +Variable_name Value +innodb_redo_log_encrypt OFF +SET GLOBAL innodb_redo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_redo_log_encrypt'; +Variable_name Value +innodb_redo_log_encrypt ON +SHOW VARIABLES LIKE 'innodb_undo_log_encrypt'; +Variable_name Value +innodb_undo_log_encrypt OFF +SET GLOBAL innodb_undo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_undo_log_encrypt'; +Variable_name Value +innodb_undo_log_encrypt ON +SET DEBUG_SYNC = 'now SIGNAL resume_clone'; +# In connection default - finishing Clone +SET GLOBAL innodb_redo_log_encrypt = OFF; +SET GLOBAL innodb_undo_log_encrypt = OFF; +DROP TABLE t1; +DROP TABLE t2; +CREATE TABLE t1(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB) +ROW_FORMAT = COMPRESSED ENCRYPTION = "Y"; +CREATE TABLESPACE tbs1 ADD DATAFILE 'tbs1_data1.ibd' ENCRYPTION="Y"; +CREATE TABLE t2(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB) +ENCRYPTION="Y" TABLESPACE = tbs1; +SET GLOBAL innodb_redo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_redo_log_encrypt'; +Variable_name Value +innodb_redo_log_encrypt ON +SET GLOBAL innodb_undo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_undo_log_encrypt'; +Variable_name Value +innodb_undo_log_encrypt ON +call execute_dml(0, 0, 200, 200, 100, 0); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SELECT count(*) from t1; +count(*) +200 +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +SELECT count(*) from t2; +count(*) +200 +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SET GLOBAL innodb_buf_flush_list_now = 1; +SET GLOBAL clone_autotune_concurrency = OFF; +SET GLOBAL clone_max_concurrency = 8; +CLONE LOCAL DATA DIRECTORY = 'CLONE_DATADIR'; +select ID, STATE, ERROR_NO from performance_schema.clone_status; +ID STATE ERROR_NO +1 Completed 0 +select ID, STAGE, STATE from performance_schema.clone_progress; +ID STAGE STATE +1 DROP DATA Completed +1 FILE COPY Completed +1 PAGE COPY Completed +1 REDO COPY Completed +1 FILE SYNC Completed +1 RESTART Not Started +1 RECOVERY Not Started +# Restart cloned database +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SELECT count(*) from t1; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +SELECT count(*) from t2; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +call execute_dml(3, 0, 1, 1, 1, 0); +call execute_dml(0, 0, 200, 200, 100, 0); +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SET GLOBAL innodb_redo_log_encrypt = ON; +SET GLOBAL innodb_undo_log_encrypt = ON; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +# In connection default - Cloning database +SET DEBUG_SYNC = 'clone_file_copy SIGNAL start_dml1 WAIT_FOR resume_clone1'; +SET DEBUG_SYNC = 'clone_page_copy SIGNAL start_dml2 WAIT_FOR resume_clone2'; +SET GLOBAL clone_autotune_concurrency = OFF; +SET GLOBAL clone_max_concurrency = 8; +CLONE LOCAL DATA DIRECTORY = 'CLONE_DATADIR'; +# In connection con1 - Running Update Random [0 - 200 Key Range] +SET DEBUG_SYNC = 'now WAIT_FOR start_dml1'; +START TRANSACTION; +CALL execute_dml(1, 0, 200, 500, 100, 1); +COMMIT; +# Flush all dirty buffers +SET GLOBAL innodb_buf_flush_list_now = 1; +SET DEBUG_SYNC = 'now SIGNAL resume_clone1'; +SET DEBUG_SYNC = 'now WAIT_FOR start_dml2'; +START TRANSACTION; +CALL execute_dml(1, 0, 200, 500, 100, 1); +COMMIT; +SET DEBUG_SYNC = 'now SIGNAL resume_clone2'; +# In connection default - Cloning database +# Restart cloned database +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SELECT count(*) from t1; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +SELECT count(*) from t2; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +call execute_dml(3, 0, 1, 1, 1, 0); +call execute_dml(0, 0, 200, 200, 100, 0); +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +DROP TABLE t1; +DROP TABLE t2; +DROP PROCEDURE execute_dml; +DROP TABLESPACE tbs1; +UNINSTALL PLUGIN clone; +SET DEBUG_SYNC = 'RESET'; +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_remote_encrypt.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_remote_encrypt.result new file mode 100644 index 000000000000..36e5a7b1d3d4 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/clone_remote_encrypt.result @@ -0,0 +1,485 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Prepare for creating Encrypted Table +# create bootstrap file +# Create and start mysqld with keyring plugin. +## Install plugin +INSTALL PLUGIN clone SONAME 'CLONE_PLUGIN'; +CREATE TABLE t1(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB); +CREATE TABLE t2(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB) +PARTITION BY KEY(col1) PARTITIONS 5; +CREATE PROCEDURE execute_dml( +p_dml_type INT, +p_key_min INT, +p_key_range INT, +p_loop_count INT, +p_frequency INT, +p_is_rand INT) +BEGIN +DECLARE v_idx INT DEFAULT 0; +DECLARE v_commit INT DEFAULT 0; +DECLARE v_key INT DEFAULT 0; +/* Loop and INSERT data at random position */ +WHILE(v_idx < p_loop_count) DO +/* Generate key between 1 to p_loop_count */ +IF p_is_rand = 1 THEN +SET v_key = p_key_min + FLOOR(RAND() * p_key_range); +ELSE +SET v_key = p_key_min + (v_idx % p_key_range); +END IF; +CASE p_dml_type +WHEN 0 THEN +SET @clol3_text = CONCAT('Clone Test Row - ', v_key); +INSERT INTO t1 VALUES(v_key, v_key * 10, +@clol3_text, REPEAT('Large Column Data ', 2048)) +ON DUPLICATE KEY UPDATE col2 = col2 + 1; +INSERT INTO t2 VALUES(v_key, v_key * 10, +@clol3_text, REPEAT('Large Column Data ', 2048)) +ON DUPLICATE KEY UPDATE col2 = col2 + 1; +WHEN 1 THEN +UPDATE t1 SET col2 = v_idx + 1 WHERE col1 = v_key; +UPDATE t2 SET col2 = v_idx + 1 WHERE col1 = v_key; +WHEN 2 THEN +DELETE FROM t1 WHERE col1 = v_key; +DELETE FROM t2 WHERE col1 = v_key; +ELSE +DELETE FROM t1; +DELETE FROM t2; +END CASE; +SET v_idx = v_idx + 1; +/* Commit or rollback work at specified frequency. */ +IF v_idx % p_frequency = 0 THEN +SET v_commit = FLOOR(RAND() * 2); +IF v_commit = 0 AND p_is_rand = 1 THEN +ROLLBACK; +START TRANSACTION; +ELSE +COMMIT; +START TRANSACTION; +END IF; +END IF; +END WHILE; +END| +# In connection default - starting clone +SET DEBUG_SYNC = 'clone_file_copy SIGNAL set_encryption WAIT_FOR resume_clone'; +SET GLOBAL clone_autotune_concurrency = OFF; +SET GLOBAL clone_max_concurrency = 8; +SET GLOBAL clone_valid_donor_list = 'HOST:PORT'; +CLONE INSTANCE FROM USER@HOST:PORT IDENTIFIED BY '' DATA DIRECTORY = 'CLONE_DATADIR'; +# In connection con1 - Set redo and undo encryption +SET DEBUG_SYNC = 'now WAIT_FOR set_encryption'; +SHOW VARIABLES LIKE 'innodb_redo_log_encrypt'; +Variable_name Value +innodb_redo_log_encrypt OFF +SET GLOBAL innodb_redo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_redo_log_encrypt'; +Variable_name Value +innodb_redo_log_encrypt ON +SHOW VARIABLES LIKE 'innodb_undo_log_encrypt'; +Variable_name Value +innodb_undo_log_encrypt OFF +SET GLOBAL innodb_undo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_undo_log_encrypt'; +Variable_name Value +innodb_undo_log_encrypt ON +SET DEBUG_SYNC = 'now SIGNAL resume_clone'; +# In connection default - finishing Clone +SET GLOBAL innodb_redo_log_encrypt = OFF; +SET GLOBAL innodb_undo_log_encrypt = OFF; +DROP TABLE t1; +DROP TABLE t2; +CREATE TABLE t1(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB) +ROW_FORMAT = COMPRESSED ENCRYPTION = "Y"; +CREATE TABLESPACE tbs1 ADD DATAFILE 'tbs1_data1.ibd' ENCRYPTION="Y"; +CREATE TABLE t2(col1 INT PRIMARY KEY, col2 int, col3 varchar(64), col4 BLOB) +ENCRYPTION="Y" TABLESPACE = tbs1; +SET GLOBAL innodb_redo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_redo_log_encrypt'; +Variable_name Value +innodb_redo_log_encrypt ON +SET GLOBAL innodb_undo_log_encrypt = ON; +SHOW VARIABLES LIKE 'innodb_undo_log_encrypt'; +Variable_name Value +innodb_undo_log_encrypt ON +call execute_dml(0, 0, 200, 200, 100, 0); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SELECT count(*) from t1; +count(*) +200 +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +SELECT count(*) from t2; +count(*) +200 +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SET GLOBAL innodb_buf_flush_list_now = 1; +SET GLOBAL clone_autotune_concurrency = OFF; +SET GLOBAL clone_max_concurrency = 8; +SET GLOBAL clone_valid_donor_list = 'HOST:PORT'; +CLONE INSTANCE FROM USER@HOST:PORT IDENTIFIED BY '' DATA DIRECTORY = 'CLONE_DATADIR'; +select ID, STATE, ERROR_NO from performance_schema.clone_status; +ID STATE ERROR_NO +1 Completed 0 +select ID, STAGE, STATE from performance_schema.clone_progress; +ID STAGE STATE +1 DROP DATA Completed +1 FILE COPY Completed +1 PAGE COPY Completed +1 REDO COPY Completed +1 FILE SYNC Completed +1 RESTART Not Started +1 RECOVERY Not Started +# Restart cloned database +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SELECT count(*) from t1; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +SELECT count(*) from t2; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +call execute_dml(3, 0, 1, 1, 1, 0); +call execute_dml(0, 0, 200, 200, 100, 0); +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SET GLOBAL innodb_redo_log_encrypt = ON; +SET GLOBAL innodb_undo_log_encrypt = ON; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +# In connection default - Cloning database +SET DEBUG_SYNC = 'clone_file_copy SIGNAL start_dml1 WAIT_FOR resume_clone1'; +SET DEBUG_SYNC = 'clone_page_copy SIGNAL start_dml2 WAIT_FOR resume_clone2'; +SET GLOBAL clone_autotune_concurrency = OFF; +SET GLOBAL clone_max_concurrency = 8; +SET GLOBAL clone_valid_donor_list = 'HOST:PORT'; +CLONE INSTANCE FROM USER@HOST:PORT IDENTIFIED BY '' DATA DIRECTORY = 'CLONE_DATADIR'; +# In connection con1 - Running Update Random [0 - 200 Key Range] +SET DEBUG_SYNC = 'now WAIT_FOR start_dml1'; +START TRANSACTION; +CALL execute_dml(1, 0, 200, 500, 100, 1); +COMMIT; +# Flush all dirty buffers +SET GLOBAL innodb_buf_flush_list_now = 1; +SET DEBUG_SYNC = 'now SIGNAL resume_clone1'; +SET DEBUG_SYNC = 'now WAIT_FOR start_dml2'; +START TRANSACTION; +CALL execute_dml(1, 0, 200, 500, 100, 1); +COMMIT; +SET DEBUG_SYNC = 'now SIGNAL resume_clone2'; +# In connection default - Cloning database +# Restart cloned database +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +SELECT count(*) from t1; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +SHOW CREATE TABLE t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `col1` int NOT NULL, + `col2` int DEFAULT NULL, + `col3` varchar(64) DEFAULT NULL, + `col4` blob, + PRIMARY KEY (`col1`) +) /*!50100 TABLESPACE `tbs1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 /*!80016 ENCRYPTION='Y' */ +SELECT count(*) from t2; +count(*) +200 +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +0 Clone Test Row - 0 umn Data Large Column Data Large +1 Clone Test Row - 1 umn Data Large Column Data Large +2 Clone Test Row - 2 umn Data Large Column Data Large +3 Clone Test Row - 3 umn Data Large Column Data Large +4 Clone Test Row - 4 umn Data Large Column Data Large +5 Clone Test Row - 5 umn Data Large Column Data Large +6 Clone Test Row - 6 umn Data Large Column Data Large +7 Clone Test Row - 7 umn Data Large Column Data Large +8 Clone Test Row - 8 umn Data Large Column Data Large +9 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col3 SUBSTRING(col4, 1000, 32) +199 Clone Test Row - 199 umn Data Large Column Data Large +198 Clone Test Row - 198 umn Data Large Column Data Large +197 Clone Test Row - 197 umn Data Large Column Data Large +196 Clone Test Row - 196 umn Data Large Column Data Large +195 Clone Test Row - 195 umn Data Large Column Data Large +194 Clone Test Row - 194 umn Data Large Column Data Large +193 Clone Test Row - 193 umn Data Large Column Data Large +192 Clone Test Row - 192 umn Data Large Column Data Large +191 Clone Test Row - 191 umn Data Large Column Data Large +190 Clone Test Row - 190 umn Data Large Column Data Large +call execute_dml(3, 0, 1, 1, 1, 0); +call execute_dml(0, 0, 200, 200, 100, 0); +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t1 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +0 0 Clone Test Row - 0 umn Data Large Column Data Large +1 10 Clone Test Row - 1 umn Data Large Column Data Large +2 20 Clone Test Row - 2 umn Data Large Column Data Large +3 30 Clone Test Row - 3 umn Data Large Column Data Large +4 40 Clone Test Row - 4 umn Data Large Column Data Large +5 50 Clone Test Row - 5 umn Data Large Column Data Large +6 60 Clone Test Row - 6 umn Data Large Column Data Large +7 70 Clone Test Row - 7 umn Data Large Column Data Large +8 80 Clone Test Row - 8 umn Data Large Column Data Large +9 90 Clone Test Row - 9 umn Data Large Column Data Large +SELECT col1, col2, col3, SUBSTRING(col4, 1000, 32) FROM t2 ORDER BY col1 DESC LIMIT 10; +col1 col2 col3 SUBSTRING(col4, 1000, 32) +199 1990 Clone Test Row - 199 umn Data Large Column Data Large +198 1980 Clone Test Row - 198 umn Data Large Column Data Large +197 1970 Clone Test Row - 197 umn Data Large Column Data Large +196 1960 Clone Test Row - 196 umn Data Large Column Data Large +195 1950 Clone Test Row - 195 umn Data Large Column Data Large +194 1940 Clone Test Row - 194 umn Data Large Column Data Large +193 1930 Clone Test Row - 193 umn Data Large Column Data Large +192 1920 Clone Test Row - 192 umn Data Large Column Data Large +191 1910 Clone Test Row - 191 umn Data Large Column Data Large +190 1900 Clone Test Row - 190 umn Data Large Column Data Large +DROP TABLE t1; +DROP TABLE t2; +DROP PROCEDURE execute_dml; +DROP TABLESPACE tbs1; +UNINSTALL PLUGIN clone; +SET DEBUG_SYNC = 'RESET'; +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/corrupt_keyring_file.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/corrupt_keyring_file.result new file mode 100644 index 000000000000..5f0b2a10eff5 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/corrupt_keyring_file.result @@ -0,0 +1,38 @@ +# Phase 1: Normal startup to create and populate the keyring file +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +CALL mtr.add_suppression(".*Failed to decrypt keyring file.*"); +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Overwrite the keyring file with garbage content +# Phase 2: Restart - backend must reject the corrupt file +# Re-starting mysql server with manifest file +# Keyring must be Disabled +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Disabled +Data_file +Read_only +Password +Password_file +Iterations +# Error log must record the read failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present +FROM performance_schema.error_log +WHERE DATA LIKE '%Failed to decrypt keyring file%'; +error_present +FOUND +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/create_table.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/create_table.result new file mode 100644 index 000000000000..0b0436911d59 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/create_table.result @@ -0,0 +1,1023 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# This test run CREATE TABLE in different configurations, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting default_table_encryption to true/false. +# - With and without ENCRYPTION clause. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - Test SHOW CREATE TABLE +# - Test INFORMATION_SCHEMA.TABLES.CREATE_OPTIONS +# - Check for warnings generated. +# +````````````````````````````````````````````````````````` +# Test CREATE TABLE on DATABASE with ENCRYPTION 'y/n' +# and with different values for system variable +# 'table_encryption_privilege_check' and 'default_table_encryption' +````````````````````````````````````````````````````````` +# CREATE TABLE without ENCRYPTION clause +# [CREATE TABLE] Case 1 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int); +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 2 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int); +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='Y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 3 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int); +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 4 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int); +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='Y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# CREATE TABLE with ENCRYPTION clause +# [CREATE TABLE] Case 5 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 6 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 7 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 8 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 9 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 10 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 11 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 12 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Check with invalid ENCRYPTION value +# [CREATE TABLE] Case 13 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='k'; +ERROR HY000: Invalid encryption option. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# With innodb_file_per_table=off and +# Test CREATE TABLE without ENCRYPTION clause. +SET GLOBAL innodb_file_per_table = OFF; +# [CREATE TABLE] Case 14 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int); +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 15 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int); +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 16 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int); +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 17 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int); +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# With explicit ENCRYPTION clause +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 18 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 19 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 20 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 21 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 22 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 23 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 24 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 25 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) ENCRYPTION='n'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# With innodb_file_per_table = ON. +# Test CREATE TABLE with explicit TABLESPACE=innodb_file_per_table +SET GLOBAL innodb_file_per_table = ON; +````````````````````````````````````````````````````````` +# Without ENCRYPTION clause +# [CREATE TABLE] Case 26 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 27 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='Y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 28 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 29 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='Y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# With ENCRYPTION clause +# [CREATE TABLE] Case 30 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 31 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 32 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 33 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='n' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 34 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 35 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 36 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 37 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Test CREATE TABLE with TABLESPACE=innodb_system +````````````````````````````````````````````````````````` +# Without ENCRYPTION clause +# [CREATE TABLE] Case 38 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 39 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 40 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 41 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# With ENCRYPTION clause +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 42 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 43 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 44 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 45 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# The statement would fail even with user owning TABLE_ENCRYPTION_ADMIN +# with ER_ILLEGAL_HA_CREATE_OPTION because one cannot create +# encrypted table in system tablespace. +# [CREATE TABLE] Case 46 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 47 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_system` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails because we cannot created a encrypted table in system tablespace. +# [CREATE TABLE] Case 48 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 49 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=innodb_system ENCRYPTION='n'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Test CREATE TABLE with general TABLESPACE +````````````````````````````````````````````````````````` +# With unencrypted general tablespace and without ENCRYPTION clause. +# [CREATE TABLE] Case 50 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# The table ENCRYPTION clause is inherited from database and this +# does not match tablespace encryption type. +# [CREATE TABLE] Case 51 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 52 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# The table ENCRYPTION clause is inherited from database and this +# does not match tablespace encryption type. +# [CREATE TABLE] Case 53 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# With ENCRYPTION clause +# [CREATE TABLE] Case 54 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 55 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 56 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 57 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='n' +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 58 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 59 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# [CREATE TABLE] Case 60 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE db1.t1; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +````````````````````````````````````````````````````````` +# Fails as there is mismatch between table and database encryption. +# [CREATE TABLE] Case 61 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# GRANT user the TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +# REVOKE TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +# Cleanup +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/database.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/database.result new file mode 100644 index 000000000000..e9bc12dfb82e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/database.result @@ -0,0 +1,1052 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# This test run CREATE/ALTER DATABASE in different configurations, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting default_table_encryption to true/false. +# - With and without ENCRYPTION clause. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - Test SHOW CREATE DATABASE +# - Test INFORMATION_SCHEMA.SCHEMATA +# - Check for warnings generated. +# +````````````````````````````````````````````````````````` +# CREATE DATABASE without DEFAULT ENCRYPTION clause +# and with different values for system variable +# 'table_encryption_privilege_check' and 'default_table_encryption' +# [CREATE DATABASE] Case 1 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 2 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 3 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 4 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 5 ) +````````````````````````````````````````````````````````` +# Granting TABLE_ENCRYPTION_ADMIN for user. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# Revoke TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 6 ) +````````````````````````````````````````````````````````` +# Granting TABLE_ENCRYPTION_ADMIN for user. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# Revoke TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# CREATE DATABASE with DEFAULT ENCRYPTION clause 'y/n' +# and with different values for system variable +# 'table_encryption_privilege_check' and 'default_table_encryption'. +# [CREATE DATABASE] Case 7 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 8 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 9 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 10 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Without the keyword DEFAULT. +# [CREATE DATABASE] Case 11 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 12 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 13 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 14 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# We expect failure because the encryption request is different from +# global 'default_table_encryption' setting. +# [CREATE DATABASE] Case 15 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +ERROR HY000: Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3827 Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 16 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 17 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# We expect failure because the encryption request is different from +# global 'default_table_encryption' setting. +# [CREATE DATABASE] Case 18 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +ERROR HY000: Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3827 Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 19 ) +````````````````````````````````````````````````````````` +# Granting TABLE_ENCRYPTION_ADMIN for user. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# Revoke TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 20 ) +````````````````````````````````````````````````````````` +# Granting TABLE_ENCRYPTION_ADMIN for user. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# Revoke TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 21 ) +````````````````````````````````````````````````````````` +# Granting TABLE_ENCRYPTION_ADMIN for user. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# Revoke TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE DATABASE] Case 22 ) +````````````````````````````````````````````````````````` +# Granting TABLE_ENCRYPTION_ADMIN for user. +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# Revoke TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# With invalid value for DEFAULT ENCRYPTION +# [CREATE DATABASE] Case 23 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false;; +CREATE DATABASE db1 DEFAULT ENCRYPTION='k'; +ERROR HY000: Incorrect argument (should be Y or N) value: 'k' +SHOW WARNINGS; +Level Code Message +Error 1525 Incorrect argument (should be Y or N) value: 'k' +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Check with legacy syntax. +CREATE DATABASE `db1` /*!80016 DEFAULT ENCRYPTION='Y' */; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +DROP DATABASE db1; +````````````````````````````````````````````````````````` +# See that we ignore the clause with invalid mysql version. +CREATE DATABASE `db1` /*!99999 DEFAULT ENCRYPTION='Y' */; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +DROP DATABASE db1; +````````````````````````````````````````````````````````` +# ALTER DATABASE withDEFAULT ENCRYPTION clause 'y/n' +# and with different values for system variable +# 'table_encryption_privilege_check' and 'default_table_encryption' +````````````````````````````````````````````````````````` +# Following cases are with database DEFAULT ENCRYPTION 'y' +# [ALTER DATABASE] Case 1 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 2 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 3 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 4 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 5 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# We expect failure because the encryption request is different from +# global 'default_table_encryption' setting. +# [ALTER DATABASE] Case 6 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +ERROR HY000: Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3827 Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# We expect failure because the encryption request is different from +# global 'default_table_encryption' setting. +# [ALTER DATABASE] Case 7 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +ERROR HY000: Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3827 Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 8 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 9 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 10 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 11 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 12 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Following cases are with database DEFAULT ENCRYPTION 'y' +# [ALTER DATABASE] Case 13 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 14 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 15 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 16 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 17 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# We expect failure because the encryption request is different from +# global 'default_table_encryption' setting. +# [ALTER DATABASE] Case 18 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +ERROR HY000: Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3827 Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# We expect failure because the encryption request is different from +# global 'default_table_encryption' setting. +# [ALTER DATABASE] Case 19 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +ERROR HY000: Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3827 Database default encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 20 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 21 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 22 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 23 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 NO +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER DATABASE] Case 24 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +# GRANT TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET SESSION default_table_encryption=true;; +SET GLOBAL table_encryption_privilege_check=true; +ALTER DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +# REVOKE TABLE_ENCRYPTION_ADMIN +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Invalid encryption option. +# [ALTER DATABASE] Case 25 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SET SESSION default_table_encryption=false;; +SET GLOBAL table_encryption_privilege_check=false; +ALTER DATABASE db1 DEFAULT ENCRYPTION='k'; +ERROR HY000: Incorrect argument (should be Y or N) value: 'k' +SHOW WARNINGS; +Level Code Message +Error 1525 Incorrect argument (should be Y or N) value: 'k' +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='Y' */ +SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION +FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='db1'; +SCHEMA_NAME DEFAULT_ENCRYPTION +db1 YES +DROP DATABASE db1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# Cleanup +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/dynamic_loading.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/dynamic_loading.result new file mode 100644 index 000000000000..34abf3d2d8c1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/dynamic_loading.result @@ -0,0 +1,4 @@ +*** Building dlopen_checker utility +*** Checking for unresolved symbols +dlopen() succeeded: +*** Deleting dlopen_checker utility diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/empty_password.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/empty_password.result new file mode 100644 index 000000000000..8d2d574a6821 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/empty_password.result @@ -0,0 +1,31 @@ +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# Empty password: component must be Active; password shows as +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Active +Data_file MYSQLTEST_VARDIR/keyring_file +Read_only No +Password +Password_file +Iterations 600000 +# Populate keyring file +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Restart with same empty password - encrypted file must still be readable +# Re-starting mysql server with manifest file +# Component must remain Active after restart +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status +WHERE STATUS_KEY = 'Component_status'; +STATUS_KEY STATUS_VALUE +Component_status Active +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/encrypt_explicit.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/encrypt_explicit.result new file mode 100644 index 000000000000..88b12742af55 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/encrypt_explicit.result @@ -0,0 +1,60 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# wl9508: Show that explicit and implicit undo tablespaces can be encrypted. +# +use test; +CREATE table tab1(c1 int); +# create bootstrap file +# Stop the MTR default DB server +# Taking backup of global manifest file for MySQL server +# Run the bootstrap command of datadir1 +# Restore global manifest file for MySQL server from backup +SELECT @@datadir; +@@datadir +MYSQLD_DATADIR1/ +SELECT @@innodb_undo_log_encrypt; +@@innodb_undo_log_encrypt +1 +CREATE UNDO TABLESPACE undo_003 ADD DATAFILE 'undo_003.ibu'; +CREATE DATABASE nath; +use nath; +CREATE TABLE tab2(c1 int , c2 varchar(10)) Engine=InnoDB ENCRYPTION='Y'; +INSERT INTO tab2 VALUES(2, 'VISH'); +CREATE INDEX ix2 ON tab2(c2) ; +CREATE UNDO TABLESPACE undo_004 ADD DATAFILE 'undo_004.ibu'; +ALTER UNDO TABLESPACE undo_003 SET INACTIVE; +ALTER UNDO TABLESPACE undo_004 SET INACTIVE; +DELETE FROM tab2; +DROP UNDO TABLESPACE undo_003; +DROP UNDO TABLESPACE undo_004; +DROP TABLE tab2; +DROP DATABASE nath; +# Stop the encrypt server +# Taking backup of global manifest file for MySQL server +SELECT @@datadir; +@@datadir +MYSQLD_OLD_DATADIR +use test; +DROP TABLE tab1; +# +# bug#29006275 : ENCRYPTION MASTER KEY IS GENERATED WITH BLANK UUID +# +# Stop the non-encrypted server +# Run the bootstrap command of datadir1 +# Restore global manifest file for MySQL server from backup +# Show that a master key with a blank Server UUID is not used. +SELECT * FROM performance_schema.keyring_keys where KEY_ID='INNODBKey--1'; +KEY_ID KEY_OWNER BACKEND_KEY_ID +# Stop the encrypted server +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/engine.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/engine.result new file mode 100644 index 000000000000..d2bf0cd0fed2 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/engine.result @@ -0,0 +1,175 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Check for use of ENCRYPTION clause on tables using engines that +# does not support encryption. +# +# 1. Requesting encryption on SE that does not support encryption. +# +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=HEAP ENCRYPTION='y'; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=MyISAM ENCRYPTION='y'; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=MyISAM ENCRYPTION='w'; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +# 2. +# Requesting unencrypted tables on SE that does not support +# encryption. This is allowed. Verify that we do not store +# ENCRYPTION clause. +# +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=HEAP ENCRYPTION='N'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE t1; +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=HEAP ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE t1; +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=MyISAM ENCRYPTION=''; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=MyISAM DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +DROP TABLE t1; +# 3. +# Move tables to and from different storage engine. +# +CREATE TABLE t1 (f1 INT NOT NULL) ENGINE=InnoDB ENCRYPTION='y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +# 4. +# Moving encrypted table to SE that doesn't support encryption. +ALTER TABLE t1 ENGINE=MyISAM; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +ALTER TABLE t1 ENGINE=HEAP; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +# 5. +# Moving encrypted table to SE that doesn't support encryption. +# with a explicit request to decrypt the table is allowed. +ALTER TABLE t1 ENGINE=MyISAM ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=MyISAM DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +ALTER TABLE t1 ENGINE=Heap ENCRYPTION='N'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +ALTER TABLE t1 ENGINE=CSV ENCRYPTION=''; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +# 6. +# Moving unencrypted table from SE that doesn't support encryption +# to SE that does support encryption is allowed. +ALTER TABLE t1 ENGINE=InnoDB ENCRYPTION='y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE t1; +# Same as 4/5/6 using general tablespace: +# +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE t1 (f1 INT NOT NULL) TABLESPACE=ts1 ENCRYPTION='y'; +# 4. +# Moving encrypted table to SE that doesn't support encryption. +ALTER TABLE t1 ENGINE=MyISAM; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +ALTER TABLE t1 ENGINE=HEAP; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +# 5. +# Moving encrypted table to SE that doesn't support encryption. +# with a explicit request to decrypt the table is allowed. +ALTER TABLE t1 ENGINE=MyISAM ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=MyISAM DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +# 6. +# Moving unencrypted table from SE that doesn't support encryption +# to SE that does support encryption is allowed. +ALTER TABLE t1 ENGINE=InnoDB TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 +ALTER TABLE t1 ENCRYPTION='y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int NOT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SELECT TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME='t1'; +TABLE_NAME CREATE_OPTIONS +t1 ENCRYPTION='y' +DROP TABLE t1; +DROP TABLESPACE ts1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/import_compress_encrypt.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/import_compress_encrypt.result new file mode 100644 index 000000000000..a9582ea081d0 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/import_compress_encrypt.result @@ -0,0 +1,110 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# Bug#31313533 : IMPORT FAILS FOR ENCRYPT AND COMPRESSION ENABLED TDE TABLES +# +# SETUP +# +# Try to create a table with ZLib compression with strict mode OFF. +# If there is an error about Punch Hole not supported, make InnoDB +# think that Punch Hole is working but actually ignore the calls. +# +CREATE TABLE t1(c1 INT PRIMARY KEY) COMPRESSION="ZLIB"; +DROP TABLE t1; + +# Test 1 : Check that EXPORT and IMPORT is working fine on same FS + +CREATE TABLE t1(c1 int NOT NULL AUTO_INCREMENT, +c2 varchar(65000) DEFAULT NULL, +c3 varchar(255) GENERATED ALWAYS AS (substr(c2,2,100)) STORED, +c4 varchar(255) GENERATED ALWAYS AS (substr(c2,10,200)) VIRTUAL, +b bit(64) DEFAULT NULL, +p_c1 bigint DEFAULT NULL, +PRIMARY KEY (c1)) ENGINE=Innodb AUTO_INCREMENT=50001 DEFAULT CHARSET=latin1 COMPRESSION='zlib' ENCRYPTION='Y'; +SELECT c1, HEX(SUBSTRING(c2, 10, 10)), HEX(SUBSTRING(c3, 10, 10)), +HEX(SUBSTRING(c4, 10, 10)), HEX(b) +FROM t1 ORDER BY c1 limit 10; +c1 HEX(SUBSTRING(c2, 10, 10)) HEX(SUBSTRING(c3, 10, 10)) HEX(SUBSTRING(c4, 10, 10)) HEX(b) +50001 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50002 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50003 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50004 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50005 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50006 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50007 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50008 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50009 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50010 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +# Flush tables for export +FLUSH TABLES t1 FOR EXPORT; +# Copy .cfp .cfg .ibd file to temp +UNLOCK TABLES; +DROP TABLE t1; +CREATE TABLE t1(c1 int NOT NULL AUTO_INCREMENT, +c2 varchar(65000) DEFAULT NULL, +c3 varchar(255) GENERATED ALWAYS AS (substr(c2,2,100)) STORED, +c4 varchar(255) GENERATED ALWAYS AS (substr(c2,10,200)) VIRTUAL, +b bit(64) DEFAULT NULL, +p_c1 bigint DEFAULT NULL, +PRIMARY KEY (c1)) ENGINE=Innodb AUTO_INCREMENT=50001 DEFAULT CHARSET=latin1 COMPRESSION='zlib' ENCRYPTION='Y'; +ALTER TABLE t1 DISCARD TABLESPACE; +# Copy .cfp/.cfg and .ibd files from temp to datadir +# Start import +ALTER TABLE t1 IMPORT TABLESPACE; +SELECT c1, HEX(SUBSTRING(c2, 10, 10)), HEX(SUBSTRING(c3, 10, 10)), +HEX(SUBSTRING(c4, 10, 10)), HEX(b) FROM t1 ORDER BY c1 limit 10; +c1 HEX(SUBSTRING(c2, 10, 10)) HEX(SUBSTRING(c3, 10, 10)) HEX(SUBSTRING(c4, 10, 10)) HEX(b) +50001 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50002 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50003 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50004 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50005 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50006 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50007 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50008 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50009 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +50010 51AB8660A7143704DEA7 AB8660A7143704DEA78C A78C87578839E440B5B3 A +# Cleanup +DROP TABLE t1; + +# Test 2 : Check that EXPORT and IMPORT is working fine on different FS + +# Copy and unzip the dir having cfg/cfg/ibd file from a different FS Block Size +CREATE TABLE t1(c1 int NOT NULL AUTO_INCREMENT, +c2 varchar(65000) DEFAULT NULL, +c3 varchar(255) GENERATED ALWAYS AS (substr(c2,2,100)) STORED, +c4 varchar(255) GENERATED ALWAYS AS (substr(c2,10,200)) VIRTUAL, +b bit(64) DEFAULT NULL, +p_c1 bigint DEFAULT NULL, +PRIMARY KEY (c1)) ENGINE=Innodb AUTO_INCREMENT=50001 DEFAULT CHARSET=latin1 COMPRESSION='zlib' ENCRYPTION='Y'; +ALTER TABLE t1 DISCARD TABLESPACE; +# Copy .cfp/.cfg and .ibd files from temp to datadir +# Start import +ALTER TABLE t1 IMPORT TABLESPACE; +SELECT c1, HEX(SUBSTRING(c2, 10, 10)), HEX(SUBSTRING(c3, 10, 10)), +HEX(SUBSTRING(c4, 10, 10)), HEX(b) FROM t1 ORDER BY c1 limit 10; +c1 HEX(SUBSTRING(c2, 10, 10)) HEX(SUBSTRING(c3, 10, 10)) HEX(SUBSTRING(c4, 10, 10)) HEX(b) +50001 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50002 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50003 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50004 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50005 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50006 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50007 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50008 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50009 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +50010 066C8ADC3EC72175CA77 6C8ADC3EC72175CA77CE 77CEF1FBCA5BFE739000 A +# Cleanup +DROP TABLE t1; +# Remove copied files +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_component_status.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_component_status.result new file mode 100644 index 000000000000..d8d422b9222d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_component_status.result @@ -0,0 +1,41 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +CALL mtr.add_suppression("No suitable 'keyring_component_metadata_query' service implementation found to fulfill the request"); +# +# Bug#32390719: QUERYING KEYRING_COMPONENT_STATUS TABLE +# GENERATES AN ERROR IN THE SERVER LOG +# +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Active +Data_file MYSQLTEST_VARDIR/keyring_file +Read_only No +Password +Password_file +Iterations 42 +SELECT PRIO, ERROR_CODE, SUBSYSTEM, DATA FROM performance_schema.error_log WHERE ERROR_CODE='MY-013712'; +PRIO ERROR_CODE SUBSYSTEM DATA +# Restarting server without keyring component +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +SELECT PRIO, ERROR_CODE, SUBSYSTEM, DATA FROM performance_schema.error_log WHERE ERROR_CODE='MY-013712'; +PRIO ERROR_CODE SUBSYSTEM DATA +Warning MY-013712 Server No suitable 'keyring_component_metadata_query' service implementation found to fulfill the request. +# Restore local manifest file for MySQL server instance from backup +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_encryption_test.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_encryption_test.result new file mode 100644 index 000000000000..2e46ecbd1ad2 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/keyring_encryption_test.result @@ -0,0 +1,32 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# ---------------------------------------------------------------------- +# Setup +# Stop the running server. +# ---------------------------------------------------------------------- +# Keyring encryption tests +TIMESTAMP [Note] [MY-013713] [Keyring] Component component_percona_keyring_encrypted_file reported: 'Keyring component initialized successfully.' +TIMESTAMP [Note] [MY-013721] [Keyring] Component component_percona_keyring_encrypted_file reported: 'Could not find the data corresponding to Data ID: 'aes_key_invalid', Auth ID: 'keyring_aes_test'.' +TIMESTAMP [Note] [MY-013719] [Keyring] Component component_percona_keyring_encrypted_file reported: 'Key identified by Data ID: 'secret_key_1' and Auth ID: 'keyring_aes_test' is not of type AES.' +Plaintext: 'Quick brown fox jumped over the lazy dog.' +Successfully encrypted plaintext using AES-CBC-256 +TIMESTAMP [Note] [MY-013721] [Keyring] Component component_percona_keyring_encrypted_file reported: 'Could not find the data corresponding to Data ID: 'aes_key_invalid', Auth ID: 'keyring_aes_test'.' +TIMESTAMP [Note] [MY-013719] [Keyring] Component component_percona_keyring_encrypted_file reported: 'Key identified by Data ID: 'secret_key_1' and Auth ID: 'keyring_aes_test' is not of type AES.' +Successfully decrypted plaintext using AES-CBC-256 +Decrypted plaintext: 'Quick brown fox jumped over the lazy dog.' +Successfully tested AES functionality +# ---------------------------------------------------------------------- +# Cleanup +# Restart server +# ---------------------------------------------------------------------- +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/load.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/load.result new file mode 100644 index 000000000000..0131161097d1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/load.result @@ -0,0 +1,13 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/load_windows.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/load_windows.result new file mode 100644 index 000000000000..e8294a684403 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/load_windows.result @@ -0,0 +1,17 @@ +# +# Bug #32950322: SERVER GIVES ERROR WHILE LOADING COMPONENT ON WINDOWS +# +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_keyring_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +include/assert.inc [Expect MY-013709 to appear times.] +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_keyring_file +# Removing local configuration file for keyring component: component_keyring_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_1.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_1.result new file mode 100644 index 000000000000..2ff7711fbd96 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_1.result @@ -0,0 +1,125 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Kill the server +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +# Kill the server +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +# Kill the server +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +DELETE FROM t1; +START TRANSACTION; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +# Kill the server +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +DROP TABLE t1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_2.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_2.result new file mode 100644 index 000000000000..fa3f8038f0f4 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_2.result @@ -0,0 +1,168 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Kill the server +SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%"; +Variable_name Value +innodb_redo_log_encrypt ON +DROP TABLE IF EXISTS t1; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +# Kill the server +SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%"; +Variable_name Value +innodb_redo_log_encrypt ON +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER INSTANCE ROTATE INNODB MASTER KEY; +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +# Kill the server +SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%"; +Variable_name Value +innodb_redo_log_encrypt ON +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +DROP TABLE t1; +# Kill the server +SHOW VARIABLES LIKE "%innodb_redo_log_encrypt%"; +Variable_name Value +innodb_redo_log_encrypt ON +SET block_encryption_mode = 'aes-256-cbc'; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +CREATE TABLE tde_db.t1(c1 INT PRIMARY KEY, c2 char(50)) ENCRYPTION = 'Y' ENGINE = InnoDB; +INSERT INTO tde_db.t1 VALUES(0, 'abc'); +INSERT INTO tde_db.t1 VALUES(1, 'xyz'); +INSERT INTO tde_db.t1 VALUES(2, null); +INSERT INTO tde_db.t1 VALUES(3, null); +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +# Mysqldump output +SET @MYSQLDUMP_TEMP_LOG_BIN = @@SESSION.SQL_LOG_BIN; +SET @@SESSION.SQL_LOG_BIN= 0; +SET @@GLOBAL.GTID_PURGED=/*!80000 '+'*/ 'GTID_SET'; + +CREATE DATABASE /*!32312 IF NOT EXISTS*/ `tde_db` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */; + +USE `tde_db`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!50503 SET character_set_client = utf8mb4 */; +CREATE TABLE `t1` ( + `c1` int NOT NULL, + `c2` char(50) DEFAULT NULL, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y'; +/*!40101 SET character_set_client = @saved_cs_client */; +INSERT INTO `t1` VALUES (0,'abc'),(1,'xyz'),(2,NULL),(3,NULL); +SET @@SESSION.SQL_LOG_BIN = @MYSQLDUMP_TEMP_LOG_BIN; +# Redirecting mysqldump output to MYSQL_TMP_DIR/mysqldump_encrypt.sql +DROP DATABASE tde_db; +RESET BINARY LOGS AND GTIDS; +Pattern "ALTER INSTANCE ROTATE INNODB MASTER KEY" found +# Loading tables from mysqldump_encrypt.sql +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +INSERT INTO tde_db.t1 VALUES(4, null); +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +4 NULL +DROP DATABASE tde_db; +# Kill the server +SET GLOBAL innodb_file_per_table=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_3.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_3.result new file mode 100644 index 000000000000..bdb9d561e5e8 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_3.result @@ -0,0 +1,197 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Kill the server +CREATE DATABASE tde_db; +USE tde_db; +# Kill the server +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +SET GLOBAL innodb_redo_log_encrypt = 1; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t2 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +1 aaaaaaaaaa +SET GLOBAL innodb_redo_log_encrypt = 0; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +0 +CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +1 aaaaaaaaaa +FLUSH LOGS; +# Kill the server +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +1 aaaaaaaaaa +DROP TABLE tde_db.t1,tde_db.t2,tde_db.t3,tde_db.t4; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +START TRANSACTION; +SET GLOBAL innodb_redo_log_encrypt = 1; +INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +INSERT INTO t2 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +1 aaaaaaaaaa +ROLLBACK; +START TRANSACTION; +INSERT INTO t1 (a, b) VALUES (2, REPEAT('a', 6*512*512)); +INSERT INTO t2 (a, b) VALUES (2, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +2 aaaaaaaaaa +COMMIT; +CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +START TRANSACTION; +SET GLOBAL innodb_redo_log_encrypt = 0; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +0 +INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +1 aaaaaaaaaa +ROLLBACK; +START TRANSACTION; +INSERT INTO t3 (a, b) VALUES (2, REPEAT('a', 6*512*512)); +INSERT INTO t4 (a, b) VALUES (2, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +2 aaaaaaaaaa +COMMIT; +# Kill the server +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +2 aaaaaaaaaa +SET GLOBAL innodb_redo_log_encrypt = 0; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +0 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +2 aaaaaaaaaa +SET GLOBAL innodb_redo_log_encrypt = 1; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +2 aaaaaaaaaa +CREATE USER encryptnonprivuser@localhost IDENTIFIED BY 'noauth'; +GRANT SELECT ON *.* to encryptnonprivuser@localhost; +FLUSH PRIVILEGES; +Warnings: +Warning 1681 'FLUSH PRIVILEGES' is deprecated and will be removed in a future release. +# In connection 1 - with encryptnonprivuser +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +SET GLOBAL innodb_redo_log_encrypt = 0; +ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +SET GLOBAL innodb_undo_log_encrypt = 0; +ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation +SELECT @@global.innodb_undo_log_encrypt ; +@@global.innodb_undo_log_encrypt +0 +SET GLOBAL innodb_redo_log_encrypt = 1; +ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +SET GLOBAL innodb_undo_log_encrypt = 1; +ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation +SELECT @@global.innodb_undo_log_encrypt ; +@@global.innodb_undo_log_encrypt +0 +# In connection default +DROP TABLE tde_db.t1,tde_db.t2,tde_db.t3,tde_db.t4; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_4.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_4.result new file mode 100644 index 000000000000..0be347a9b64d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_4.result @@ -0,0 +1,71 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# create bootstrap file +# Stop the MTR default DB server +# Run the bootstrap command of datadir1 +# Start the DB server with datadir1 +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +USE test; +CREATE TABLE tab1(c1 INT, c2 VARCHAR(30)); +INSERT INTO tab1 VALUES(1, 'Test consistency undo*'); +SELECT * FROM tab1; +c1 c2 +1 Test consistency undo* +CREATE TABLE tab2(c1 INT, c2 VARCHAR(30)) ENCRYPTION="Y"; +INSERT INTO tab2 VALUES(1, 'Test consistency undo*'); +SELECT * FROM tab2; +c1 c2 +1 Test consistency undo* +DROP TABLE tab1,tab2; +# Kill the server +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Taking backup of global manifest file for MySQL server +# Run the bootstrap command of datadir2, it should fail since the keyring is not loaded. +# Restore global manifest file for MySQL server from backup +# Run the bootstrap command of datadir2 +# Start the DB server with datadir2 +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +USE test; +CREATE TABLE tab1(c1 INT, c2 VARCHAR(30)); +INSERT INTO tab1 VALUES(1, 'Test consistency undo*'); +SELECT * FROM tab1; +c1 c2 +1 Test consistency undo* +CREATE TABLE tab2(c1 INT, c2 VARCHAR(30)) ENCRYPTION="Y"; +INSERT INTO tab2 VALUES(1, 'Test consistency undo*'); +SELECT * FROM tab2; +c1 c2 +1 Test consistency undo* +DROP TABLE tab1,tab2; +# Kill the server +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Run the bootstrap command of datadir3 +# Start the DB server with datadir3 and keyring loaded. +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +0 +USE test; +CREATE TABLE tab1(c1 INT, c2 VARCHAR(30)); +INSERT INTO tab1 VALUES(1, 'Test consistency undo*'); +SELECT * FROM tab1; +c1 c2 +1 Test consistency undo* +CREATE TABLE tab2(c1 INT, c2 VARCHAR(30)) ENCRYPTION="Y"; +DROP TABLE tab1; +# Kill the server +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_5.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_5.result new file mode 100644 index 000000000000..a067043b8be9 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_5.result @@ -0,0 +1,85 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# create bootstrap file +# Stop the MTR default DB server +# Run the bootstrap command of datadir1 +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +SET GLOBAL innodb_redo_log_encrypt = 1; +SET GLOBAL innodb_undo_log_encrypt = 1; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t2 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +1 aaaaaaaaaa +SET GLOBAL innodb_redo_log_encrypt = 0; +SET GLOBAL innodb_undo_log_encrypt = 0; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +0 +CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +1 aaaaaaaaaa +SET GLOBAL innodb_redo_log_encrypt = 1; +SET GLOBAL innodb_undo_log_encrypt = 1; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t5 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t5 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t5; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t6 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t6 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t6; +a LEFT(b,10) +1 aaaaaaaaaa +START TRANSACTION; +INSERT INTO t5 (a, b) VALUES (2, REPEAT('a', 6*512*512)); +INSERT INTO t6 (a, b) VALUES (2, REPEAT('a', 6*512*512)); +COMMIT; +START TRANSACTION; +INSERT INTO t5 (a, b) VALUES (3, REPEAT('a', 6*512*512)); +INSERT INTO t6 (a, b) VALUES (3, REPEAT('a', 6*512*512)); +ROLLBACK; +SELECT a,LEFT(b,10) FROM tde_db.t5; +a LEFT(b,10) +1 aaaaaaaaaa +2 aaaaaaaaaa +SELECT a,LEFT(b,10) FROM tde_db.t6; +a LEFT(b,10) +1 aaaaaaaaaa +2 aaaaaaaaaa +DROP TABLE tde_db.t1,tde_db.t2,tde_db.t3,tde_db.t4,tde_db.t5,tde_db.t6; +DROP DATABASE tde_db; +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_6.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_6.result new file mode 100644 index 000000000000..d99ca77e67e3 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_6.result @@ -0,0 +1,87 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# create bootstrap file +# Stop the MTR default DB server +# Run the bootstrap command of datadir1 +# Start the DB server with datadir1 +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +SET GLOBAL innodb_redo_log_encrypt = 1; +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t1; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t2 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t2; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t3; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t4; +a LEFT(b,10) +1 aaaaaaaaaa +SELECT @@global.innodb_redo_log_encrypt ; +@@global.innodb_redo_log_encrypt +1 +CREATE TABLE tde_db.t5 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB; +INSERT INTO t5 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t5; +a LEFT(b,10) +1 aaaaaaaaaa +CREATE TABLE tde_db.t6 (a BIGINT PRIMARY KEY, b LONGBLOB) +ENCRYPTION='Y' ENGINE=InnoDB; +INSERT INTO t6 (a, b) VALUES (1, REPEAT('a', 6*512*512)); +SELECT a,LEFT(b,10) FROM tde_db.t6; +a LEFT(b,10) +1 aaaaaaaaaa +DROP DATABASE tde_db; +# Taking backup of global manifest file for MySQL server +# Try starting without keyring : Error +# Search for error message +Pattern "Redo log was encrypted, but keyring is not loaded" found +Pattern "Aborting" found +# Restart without keyring plugin possible if redo files removed +# Start the DB server with datadir1 +# Try starting without keyring and --innodb_force_recovery=SRV_FORCE_NO_LOG_REDO. +# Start the DB server with datadir1 +SELECT 1; +1 +1 +# Restore global manifest file for MySQL server from backup +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_kill.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_kill.result new file mode 100644 index 000000000000..4e1b51312669 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/log_encrypt_kill.result @@ -0,0 +1,250 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Taking backup of global manifest file for MySQL server +SELECT @@global.innodb_redo_log_encrypt; +@@global.innodb_redo_log_encrypt +0 +SET GLOBAL innodb_redo_log_encrypt = 1; +SET GLOBAL innodb_undo_log_encrypt = 1; +Warnings: +Warning 7014 InnoDB: Undo log can't be encrypted if the keyring is not loaded. +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +CREATE TABLE tne_1(c1 INT, c2 varchar(2000)) ENGINE = InnoDB; +INSERT INTO tne_1 VALUES (1,REPEAT('a',1990)),(2,REPEAT('b',1990)),(100,REPEAT('c',1990)); +SELECT c1,LEFT(c2,10) FROM tne_1; +c1 LEFT(c2,10) +1 aaaaaaaaaa +2 bbbbbbbbbb +100 cccccccccc +DROP TABLE tne_1; +# Stop the MTR default DB server +Pattern "Can\'t set redo log files to be encrypted" found +# create bootstrap file +# Restore global manifest file for MySQL server from backup +# Prepare new datadir +# Run the bootstrap command with keyring +# Starting server with keyring plugin +SELECT @@global.innodb_redo_log_encrypt; +@@global.innodb_redo_log_encrypt +0 +SET GLOBAL innodb_redo_log_encrypt = 1; +SELECT @@global.innodb_undo_log_encrypt; +@@global.innodb_undo_log_encrypt +0 +SET GLOBAL innodb_undo_log_encrypt = 1; +SELECT @@global.innodb_undo_log_encrypt; +@@global.innodb_undo_log_encrypt +1 +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +SET GLOBAL innodb_redo_log_encrypt = 0; +SELECT @@global.innodb_redo_log_encrypt; +@@global.innodb_redo_log_encrypt +0 +SET GLOBAL innodb_undo_log_encrypt = 0; +SELECT @@global.innodb_undo_log_encrypt; +@@global.innodb_undo_log_encrypt +0 +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +DROP TABLE IF EXISTS t1; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL PRIMARY KEY, +c3 LONGBLOB +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL PRIMARY KEY, +c3 LONGBLOB +) ENGINE = InnoDB; +CREATE PROCEDURE tde_db.populate_table_set_redo_encrypt(IN table_name VARCHAR(50)) +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 2000) DO +SET @sql_text = CONCAT('INSERT INTO ',table_name, '(c2,c3) VALUES (' , i,',' ,'CONCAT(REPEAT("a",6*512*512)))'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +set i = i + 1; +IF i%10 = 0 THEN SET GLOBAL innodb_redo_log_encrypt = 1; +END IF; +IF i%20 = 0 THEN SET GLOBAL innodb_redo_log_encrypt = 0; +END IF; +IF i%15 = 0 THEN SET GLOBAL innodb_undo_log_encrypt = 1; +END IF; +IF i%30 = 0 THEN SET GLOBAL innodb_undo_log_encrypt = 0; +END IF; +end while; +end| +CREATE PROCEDURE tde_db.update_table(IN table_name VARCHAR(50)) +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 2000) DO +SET @sql_text = CONCAT('UPDATE ',table_name, ' SET c2 = c2 * -1 ORDER BY RAND() LIMIT 2'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.delete_table(IN table_name VARCHAR(50)) +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 2000) DO +SET @sql_text = CONCAT('DELETE FROM ',table_name, ' ORDER BY RAND() LIMIT 2'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.transaction_table(IN table_name VARCHAR(50)) +begin +declare i int default 1; +declare iflag int default -1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +SET i = 3000; +START TRANSACTION; +while (i <= 9000) DO +SET @sql_text = CONCAT('INSERT INTO ',table_name, '(c2,c3) VALUES (' , i,',' ,'CONCAT(REPEAT("a",6*512*512)))'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +SET @sql_text = CONCAT('UPDATE ',table_name, ' SET c2 = c2 * -1 ORDER BY RAND() LIMIT 2'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +set i = i + 1; +IF i%10 = 0 THEN SET GLOBAL innodb_redo_log_encrypt = 1; +END IF; +IF i%20 = 0 THEN SET GLOBAL innodb_redo_log_encrypt = 0; +END IF; +IF i%15 = 0 THEN SET GLOBAL innodb_undo_log_encrypt = 1; +END IF; +IF i%30 = 0 THEN SET GLOBAL innodb_undo_log_encrypt = 0; +END IF; +IF i%10 = 0 THEN +SET @sql_text = CONCAT('DELETE FROM ',table_name, ' ORDER BY RAND() LIMIT 2'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +START TRANSACTION; +SET iflag = -1 * iflag; +END IF; +IF i%9 = 0 THEN +IF iflag < 0 THEN +COMMIT; +ELSE +ROLLBACK; +END IF; +END IF; +end while; +end| +CREATE PROCEDURE tde_db.create_table_rotate_key() +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 2000) DO +IF i%10 = 0 THEN +SET @sql_text = CONCAT('CREATE TABLE ',CONCAT('tde_db.t_non_encrypt_',encrypt,'_',i),' (c1 INT) ' ,' ENGINE=InnoDB'); +ELSE +SET @sql_text = CONCAT('CREATE TABLE ',CONCAT('tde_db.t_encrypt_',encrypt,'_',i),' (c1 INT) ENCRYPTION="Y"' ,' ENGINE=InnoDB'); +END IF; +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +DEALLOCATE PREPARE stmt; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.query_table(IN table_name VARCHAR(50)) +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 2000) DO +SET @sql_text = CONCAT('SELECT * FROM ',table_name, ' ORDER BY RAND() LIMIT 2'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +set i = i + 1; +end while; +end| +# In connection con1 - Running insert with redo_log_encrypt variable +call tde_db.populate_table_set_redo_encrypt('tde_db.t_encrypt'); +# In connection con2 - Running insert on non encrypt table +call tde_db.populate_table_set_redo_encrypt('tde_db.t_non_encrypt'); +# Starting server with keyring +SELECT COUNT(*)>0 FROM tde_db.t_encrypt; +COUNT(*)>0 +# +SELECT COUNT(*)>0 FROM tde_db.t_non_encrypt; +COUNT(*)>0 +# +DELETE FROM tde_db.t_encrypt; +DELETE FROM tde_db.t_non_encrypt; +# In connection con1 - Running insert with redo_log_encrypt variable +call tde_db.populate_table_set_redo_encrypt('tde_db.t_encrypt'); +# In connection con2 - Running insert on non encrypt table +call tde_db.populate_table_set_redo_encrypt('tde_db.t_non_encrypt'); +# In connection con3 - Running update on encrypt +call tde_db.table_update('tde_db.t_encrypt'); +# In connection con4 - Running update non encrypt +call tde_db.table_update('tde_db.t_non_encrypt'); +# In connection con5 - Running delete on encrypt +call tde_db.table_delete('tde_db.t_encrypt'); +# In connection con6 - Running delete on non encrypt +call tde_db.table_delete('tde_db.t_non_encrypt'); +# In connection con7 - Running transaction on encrypt +call tde_db.transaction_table('tde_db.t_encrypt'); +# In connection con8 - Running transaction on non encrypt +call tde_db.transaction_table('tde_db.t_non_encrypt'); +# In connection con9 - Running create encrypt and non encrypt table with rotate key +call tde_db.create_table_rotate_key(); +# In connection con10 - Running query on encrypt table +call tde_db.query_table('tde_db.t_encrypt'); +# In connection con11 - Running query on non encrypt table +call tde_db.query_table('tde_db.t_non_encrypt'); +# Starting server with keyring +SELECT COUNT(*) > 1 FROM tde_db.t_encrypt; +COUNT(*) > 1 +# +SELECT COUNT(*) > 1 FROM tde_db.t_non_encrypt; +COUNT(*) > 1 +# +# In connection con1 - Running insert with redo_log_encrypt variable +call tde_db.populate_table_set_redo_encrypt('tde_db.t_encrypt'); +# In connection con2 - Running insert on non encrypt table +call tde_db.populate_table_set_redo_encrypt('tde_db.t_non_encrypt'); +DROP DATABASE tde_db; +# Taking backup of global manifest file for MySQL server +# restart +# Restore global manifest file for MySQL server from backup +# +# Cleanup +# +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/migrate_keyring.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/migrate_keyring.result new file mode 100644 index 000000000000..265629537e77 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/migrate_keyring.result @@ -0,0 +1,90 @@ +*** Determining keyring component names +*** Setting up percona_keyring_encrypted_file component +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +*** Asserting that percona_keyring_encrypted_file is installed and active +*** Creating an encrypted table and filling it with some data +CREATE TABLE t1( +id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, +PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t1 VALUES(DEFAULT); +*** Extracting InnoDB master key name +SELECT KEY_ID INTO @t1_key_id FROM performance_schema.keyring_keys; +*** Rotating InnoDB master key +ALTER INSTANCE ROTATE INNODB MASTER KEY; +*** Creating another encrypted table and filling it with some data +CREATE TABLE t2( +id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, +PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t2 VALUES(42); +*** Extracting InnoDB master key name after rotation +SELECT KEY_ID INTO @t2_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id; +*** Installing keyring UDF plugin +*** Manually generating an AES key in the keyring via keyring_key_generate() UDF +SELECT keyring_key_generate ('CustomKey', 'AES', 32); +keyring_key_generate ('CustomKey', 'AES', 32) +1 +*** Extracting custom key metadata +SELECT KEY_ID INTO @custom_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id AND KEY_ID != @t2_key_id; +*** Uninstalling keyring UDF plugin +*** Preparing component_keyring_file config content + +************************************************************************************ +*** Checking percona_keyring_encrypted_file -> component_keyring_file migration *** +************************************************************************************ + +*** Stopping the server (original, with percona_keyring_encrypted_file) +include/stop_mysqld.inc [server 1] +*** Creating local component_keyring_file config +# Creating local configuration file for keyring component: component_keyring_file +*** Executing keyring data migration utility (percona_keyring_encrypted_file -> component_keyring_file) +*** Backing up local manifest file for current server instance with percona_keyring_encrypted_file +# Taking backup of local manifest file for MySQL server instance +*** Creating local manifest file for current server instance with component_keyring_file +# Creating manifest file for current MySQL server instance +*** Starting the server (with component_keyring_file) +# restart +*** Asserting that component_keyring_file is installed and active +*** Installing keyring UDF plugin once again after keyring component switch +*** Asserting that keys stored in percona_keyring_encrypted_file successfully migrated to component_keyring_file +*** Uninstalling keyring UDF plugin once again after keyring component switch +*** Asserting that data can be read from the sample tables +*** Preparing percona_keyring_encrypted_file config content for back-migration + +************************************************************************************ +*** Checking component_keyring_file -> percona_keyring_encrypted_file migration *** +************************************************************************************ + +*** Stopping the server (with component_keyring_file) +include/stop_mysqld.inc [server 1] +*** Creating local percona_keyring_encrypted_file config +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +*** Removing original encrypted keyring file to prepare a fresh migration destination +*** Executing keyring data migration utility (component_keyring_file -> percona_keyring_encrypted_file) +*** Removing component_keyring_file data file +*** Restoring local manifest file for current server instance with percona_keyring_encrypted_file +# Restore local manifest file for MySQL server instance from backup +*** Starting the server (with percona_keyring_encrypted_file) +# restart +*** Asserting that percona_keyring_encrypted_file is installed and active again +*** Installing keyring UDF plugin once again after keyring component switch back +*** Asserting that keys stored in component_keyring_file successfully migrated to percona_keyring_encrypted_file +*** Uninstalling keyring UDF plugin once again after keyring component switch back +*** Asserting that data can be read from the sample tables +*** Dropping the sample tables +DROP TABLE t2; +DROP TABLE t1; +*** Tearing down percona_keyring_encrypted_file component +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_1.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_1.result new file mode 100644 index 000000000000..26f8edc73ffc --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_1.result @@ -0,0 +1,221 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- + +############################################################# +# TEST 1 : NORMAL ALTER ENCRYPT mysql TABLESPACE. +############################################################# + +######################################################################### +# RESTART 1 : WITH KEYRING +######################################################################### +SET debug='+d,skip_dd_table_access_check'; +# Initially, mysql should be unencrypted by default +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N; +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +ALTER TABLESPACE mysql ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; + +############################################################# +# TEST 2 : CRASH DURING ALTER ENCRYPT mysql TABLESPACE. +############################################################# + +############################################################ +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +# (crash at page 10) # +############################################################ +# Set Encryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE mysql ENCRYPTION='Y'; +# Restart after crash +SET debug='+d,skip_dd_table_access_check'; +# Wait for Encryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Encryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +######################################################################### +# RESTART 2 : WITH KEYRING +######################################################################### +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +############################################################ +# ALTER TABLESPACE 2 : Encrypted => Unencrypted # +# (crash at page 10) # +############################################################ +# Set Unencryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE mysql ENCRYPTION='N'; +# Restart after crash +SET debug='+d,skip_dd_table_access_check'; +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; +ALTER TABLESPACE mysql ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; +######################################################################### +# RESTART 3 : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; +############################################################# +# TEST 3 : CRASH BEFORE/AFTER ENCRYPTION PROCESSING. +############################################################# + +######################################################################### +# RESTART 4 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SET debug='+d,skip_dd_table_access_check'; +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +# Set server to crash just before encryption processing starts +SET SESSION debug="+d,alter_encrypt_tablespace_crash_before_processing"; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE mysql ENCRYPTION='N'; +# Restart after crash +SET debug='+d,skip_dd_table_access_check'; +# Wait for Unencryption processing to finish in background thread +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +# Set server to crash just after encryption processing finishes +SET SESSION debug="-d,alter_encrypt_tablespace_crash_before_processing"; +SET SESSION debug="+d,alter_encrypt_tablespace_crash_after_processing"; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE mysql ENCRYPTION='N'; +# Restart after crash +SET debug='+d,skip_dd_table_access_check'; +# Wait for Unencryption processing to finish in background thread +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; +############################################################# +# TEST 4 : CRASH DURING KEY ROTATION. +############################################################# + +######################################################################### +# RESTART 5 : WITH KEYRING +######################################################################### +SET debug='+d,skip_dd_table_access_check'; +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +# Set server to crash while rotating encryption +SET SESSION debug="+d,ib_crash_during_rotation_for_encryption"; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Restart after crash +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +SET SESSION debug="-d,ib_crash_during_rotation_for_encryption"; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +############################################################# +# TEST 5 : PRIVILEGE CHECK. +############################################################# + +CREATE DATABASE priv_test; +CREATE USER myuser@'localhost'; +GRANT ALL ON priv_test.* TO myuser@'localhost'; +#connection con1 +ALTER TABLESPACE mysql ENCRYPTION='Y'; +ERROR 42000: Access denied; you need (at least one of) the CREATE TABLESPACE privilege(s) for this operation +#connection default +GRANT CREATE TABLESPACE ON mysql.* TO myuser@'localhost'; +ERROR HY000: Incorrect usage of DB GRANT and GLOBAL PRIVILEGES +GRANT CREATE TABLESPACE ON *.* TO myuser@'localhost'; +#connection con1 +ALTER TABLESPACE mysql ENCRYPTION='N'; +#connection default +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; +#connection con1 +ALTER TABLESPACE mysql ENCRYPTION='Y'; +#connection default +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +DROP DATABASE priv_test; +DROP USER myuser@localhost; +########### +# Cleanup # +########### +ALTER TABLESPACE mysql ENCRYPTION='N'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE NAME='mysql'; +NAME OPTIONS +mysql encryption=N;explicit_encryption=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_2.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_2.result new file mode 100644 index 000000000000..4c6ae836323a --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysql_ts_alter_encrypt_2.result @@ -0,0 +1,331 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######### +# SETUP # +######### + +# Taking backup of local manifest file for MySQL server instance +######################################################################### +# START : WITHOUT KEYRING +######################################################################### +ALTER TABLESPACE mysql ENCRYPTION='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +ALTER TABLESPACE mysql ENCRYPTION='N'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 1 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +-------------------------------------------------- +By Default, mysql tablespace should be unencrypted +-------------------------------------------------- +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql N +# Print result +table space is Encrypted. +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +# Print result +table space is Encrypted. +----------------------------------------------------- +ALTER mysql TABLESPACE WITH INVALID ENCRYPTION OPTION +----------------------------------------------------- +ALTER TABLESPACE mysql ENCRYPTION='R'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='TRUE'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='True'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='true'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION=TRUE; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TRUE' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=True; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'True' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=true; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'true' at line 1 +ALTER TABLESPACE mysql ENCRYPTION='FALSE'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='False'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='false'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION=FALSE; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FALSE' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=False; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'False' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=false; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'false' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=0; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=null; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'null' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=-1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=n; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'n' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=N; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'N' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=y; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'y' at line 1 +ALTER TABLESPACE mysql ENCRYPTION=Y; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Y' at line 1 +ALTER TABLESPACE mysql ENCRYPTION='1'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='1True'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='@'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION='null'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION=''; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE mysql ENCRYPTION=""; +ERROR HY000: Invalid encryption option. +---------------------------------------------------- +ALTER MYSQL TABLESPACE WITH VALID ENCRYPTION OPTION +---------------------------------------------------- +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +ALTER TABLESPACE mysql ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +ALTER TABLESPACE mysql ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql N +ALTER TABLESPACE mysql ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql N +ALTER TABLESPACE mysql ENCRYPTION="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +ALTER TABLESPACE mysql ENCRYPTION="y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +ALTER TABLESPACE mysql ENCRYPTION="n"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql N +ALTER TABLESPACE mysql ENCRYPTION="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql N +----------------------------------------------------- +Create/Alter table using mysql.tablespace +----------------------------------------------------- +CREATE TABLE t1(i int) TABLESPACE mysql; +ERROR HY000: The table 't1' may not be created in the reserved tablespace 'mysql'. +CREATE TEMPORARY TABLE t1(i int) TABLESPACE mysql; +ERROR HY000: The table 't1' may not be created in the reserved tablespace 'mysql'. +CREATE TABLE t1(i int); +ALTER TABLE t1 TABLESPACE mysql; +ERROR HY000: The table 't1' may not be created in the reserved tablespace 'mysql'. +DROP TABLE t1; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB; +CREATE TABLE t1(i int) TABLESPACE encrypt_ts; +ALTER TABLE t1 TABLESPACE mysql; +ERROR HY000: The table 't1' may not be created in the reserved tablespace 'mysql'. +DROP TABLE t1; +CREATE TABLE t1(i int) TABLESPACE innodb_system; +ALTER TABLE t1 TABLESPACE mysql; +ERROR HY000: The table 't1' may not be created in the reserved tablespace 'mysql'. +DROP TABLE t1; +ALTER TABLE mysql.component TABLESPACE mysql; +CREATE TEMPORARY TABLE t1(i int); +ALTER TABLE t1 TABLESPACE mysql; +ERROR HY000: The table 't1' may not be created in the reserved tablespace 'mysql'. +DROP TABLE t1; +----------------------------------------------------- +Create view using mysql.tablespace +----------------------------------------------------- +CREATE TABLE t1(i int); +INSERT INTO t1 VALUES(1); +INSERT INTO t1 SELECT * FROM t1; +INSERT INTO t1 SELECT * FROM t1; +INSERT INTO t1 SELECT * FROM t1; +INSERT INTO t1 SELECT * FROM t1; +CREATE VIEW v1 AS SELECT * FROM t1 TABLESPACE mysql; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'mysql' at line 1 +DROP TABLE t1; +------------------------------------------------------------ +Alter DD table part of mysql.tablespace to other tablespaces +------------------------------------------------------------ +ALTER TABLE mysql.events TABLESPACE innodb_file_per_table ENCRYPTION='Y'; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE innodb_file_per_table; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE innodb_temporary ENCRYPTION='Y'; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE innodb_temporary; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE innodb_system ENCRYPTION='Y'; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE innodb_system; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE encrypt_ts ENCRYPTION='Y'; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +ALTER TABLE mysql.events TABLESPACE encrypt_ts; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +DROP TABLESPACE encrypt_ts; +------------------------------------------------------- +Delete/truncate/drop DD table part of mysql tablespace +------------------------------------------------------- +DELETE FROM mysql.events; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +TRUNCATE TABLE mysql.events; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +DROP TABLE mysql.events; +ERROR HY000: Access to data dictionary table 'mysql.events' is rejected. +-------------------------------------------------- +Alter encryption of table part of mysql tablespace +-------------------------------------------------- +ALTER TABLE mysql.component ENCRYPTION='Y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE mysql.component ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE mysql.component ENCRYPTION='N'; +ALTER TABLE mysql.component ENCRYPTION='n'; +--------------------------------------------------------------------- +Metadata for a table in mysql ts should not show encryption attribute +--------------------------------------------------------------------- +SHOW CREATE TABLE mysql.plugin; +Table Create Table +plugin CREATE TABLE `plugin` ( + `name` varchar(64) NOT NULL DEFAULT '', + `dl` varchar(128) NOT NULL DEFAULT '', + PRIMARY KEY (`name`) +) /*!50100 TABLESPACE `mysql` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 STATS_PERSISTENT=0 ROW_FORMAT=DYNAMIC COMMENT='MySQL plugins' +------------------- +Drop mysql database +------------------- +DROP DATABASE mysql; +ERROR HY000: Access to system schema 'mysql' is rejected. +----------------------------------------------------- +Other DDL operation not allowed on 'mysql' tablespace +----------------------------------------------------- +CREATE TABLESPACE mysql ADD DATAFILE 'mysql.ibd' ENGINE=INNODB; +ERROR 42000: InnoDB: `mysql` is a reserved tablespace name. +DROP TABLESPACE mysql; +ERROR 42000: InnoDB: `mysql` is a reserved tablespace name. +ALTER TABLESPACE mysql RENAME TO xyz; +ERROR 42000: InnoDB: `mysql` is a reserved tablespace name. +######################################################################### +# Restart with same keyring option +# - tables in mysql ts should be accessible +######################################################################### +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT help_keyword_id FROM mysql.help_keyword ORDER BY help_keyword_id LIMIT 2; +help_keyword_id +0 +1 +ALTER TABLESPACE mysql ENCRYPTION='N'; +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql Y +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ALTER TABLESPACE mysql ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql'; +NAME ENCRYPTION +mysql N +# Set Encryption process to wait after page 5 so that we can monitor +# progress in performance_schema table +SET DEBUG_SYNC = 'alter_encrypt_tablespace_wait_after_page5 SIGNAL s1 WAIT_FOR s2'; +ALTER TABLESPACE mysql ENCRYPTION='Y'; +# Monitoring connection +SET DEBUG_SYNC = 'now WAIT_FOR s1'; +# Wait for Encryption progress monitoring to appear in PFS table +# Wait for some progress to appear in PFS table +select WORK_COMPLETED +FROM performance_schema.events_stages_current +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)'; +WORK_COMPLETED +5 +SET DEBUG_SYNC = 'now SIGNAL s2'; +# Default connection +# Once done, select count from PFS tables +SELECT COUNT(*) +FROM performance_schema.events_stages_current +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +COUNT(*) +0 +SELECT COUNT(*) +FROM performance_schema.events_stages_history +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +COUNT(*) +0 +SELECT COUNT(*) +FROM performance_schema.events_stages_history_long +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +COUNT(*) +3 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_global_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_by_user_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_by_host_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_by_account_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +# Check that Encryption done successfully. +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='mysql'; +NAME ENCRYPTION +mysql Y +SELECT help_keyword_id FROM mysql.help_keyword ORDER BY help_keyword_id LIMIT 2; +help_keyword_id +0 +1 +########### +# Cleanup # +########### +ALTER TABLESPACE mysql ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql'; +NAME ENCRYPTION +mysql N +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysqldump.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysqldump.result new file mode 100644 index 000000000000..7eb8644993dc --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/mysqldump.result @@ -0,0 +1,352 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +# This test run output (.sql) of mysqldump from 5.7, 8.0.12 and 8.0.13 +# in 8.0.15. +# +# The .sql files contain notes with tag wl12261 describing the +# modifications done to .sql to make it run on MySQL 8.0.15. +# It basically does two things a) removes ENCRYPTION=y for CVS and +# MEMORY engines. b) Adds a explicit ENCRYPTION='y' for tables +# using encryped general tablespace. +# +# The behavior of executing .sql with following variables would be +# same as the test behavior seen by encryption.* test results. +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting default_table_encryption to true/false. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +CREATE TABLESPACE ts2 ADD DATAFILE 'ts2.ibd'; +CREATE TABLESPACE ts3 ADD DATAFILE 'ts3.ibd'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET latin1 */ /*!80016 DEFAULT ENCRYPTION='N' */ +SHOW CREATE TABLE db1.i1; +Table Create Table +i1 CREATE TABLE `i1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.i2; +Table Create Table +i2 CREATE TABLE `i2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ENCRYPTION='y' +SHOW CREATE TABLE db1.i3; +Table Create Table +i3 CREATE TABLE `i3` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.i4; +Table Create Table +i4 CREATE TABLE `i4` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.i_ts1; +Table Create Table +i_ts1 CREATE TABLE `i_ts1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.i_ts2; +Table Create Table +i_ts2 CREATE TABLE `i_ts2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.i_ts3; +Table Create Table +i_ts3 CREATE TABLE `i_ts3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.i_part1; +Table Create Table +i_part1 CREATE TABLE `i_part1` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.i_part2; +Table Create Table +i_part2 CREATE TABLE `i_part2` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 ENCRYPTION='y' +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.i_part3; +Table Create Table +i_part3 CREATE TABLE `i_part3` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=latin1 +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.c1; +Table Create Table +c1 CREATE TABLE `c1` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.c2; +Table Create Table +c2 CREATE TABLE `c2` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.c3; +Table Create Table +c3 CREATE TABLE `c3` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.h1; +Table Create Table +h1 CREATE TABLE `h1` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.h2; +Table Create Table +h2 CREATE TABLE `h2` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=latin1 +SHOW CREATE TABLE db1.h3; +Table Create Table +h3 CREATE TABLE `h3` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=latin1 +DROP DATABASE db1; +DROP TABLESPACE ts1; +DROP TABLESPACE ts2; +DROP TABLESPACE ts3; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +CREATE TABLESPACE ts2 ADD DATAFILE 'ts2.ibd'; +CREATE TABLESPACE ts3 ADD DATAFILE 'ts3.ibd'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SHOW CREATE TABLE db1.i1; +Table Create Table +i1 CREATE TABLE `i1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i2; +Table Create Table +i2 CREATE TABLE `i2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.i3; +Table Create Table +i3 CREATE TABLE `i3` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i4; +Table Create Table +i4 CREATE TABLE `i4` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_ts1; +Table Create Table +i_ts1 CREATE TABLE `i_ts1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_ts2; +Table Create Table +i_ts2 CREATE TABLE `i_ts2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_ts3; +Table Create Table +i_ts3 CREATE TABLE `i_ts3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_part1; +Table Create Table +i_part1 CREATE TABLE `i_part1` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.i_part2; +Table Create Table +i_part2 CREATE TABLE `i_part2` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.i_part3; +Table Create Table +i_part3 CREATE TABLE `i_part3` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.c1; +Table Create Table +c1 CREATE TABLE `c1` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.c2; +Table Create Table +c2 CREATE TABLE `c2` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.c3; +Table Create Table +c3 CREATE TABLE `c3` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.h1; +Table Create Table +h1 CREATE TABLE `h1` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.h2; +Table Create Table +h2 CREATE TABLE `h2` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.h3; +Table Create Table +h3 CREATE TABLE `h3` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP DATABASE db1; +DROP TABLESPACE ts1; +DROP TABLESPACE ts2; +DROP TABLESPACE ts3; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +CREATE TABLESPACE ts2 ADD DATAFILE 'ts2.ibd' ENCRYPTION='n'; +CREATE TABLESPACE ts3 ADD DATAFILE 'ts3.ibd' ENCRYPTION='y'; +CREATE TABLESPACE ts4 ADD DATAFILE 'ts4.ibd'; +SHOW CREATE DATABASE db1; +Database Create Database +db1 CREATE DATABASE `db1` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */ +SHOW CREATE TABLE db1.i1; +Table Create Table +i1 CREATE TABLE `i1` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i2; +Table Create Table +i2 CREATE TABLE `i2` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +SHOW CREATE TABLE db1.i3; +Table Create Table +i3 CREATE TABLE `i3` ( + `f1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_ts1; +Table Create Table +i_ts1 CREATE TABLE `i_ts1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_ts2; +Table Create Table +i_ts2 CREATE TABLE `i_ts2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts2` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_ts3; +Table Create Table +i_ts3 CREATE TABLE `i_ts3` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts3` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.i_ts4; +Table Create Table +i_ts4 CREATE TABLE `i_ts4` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts4` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.i_part1; +Table Create Table +i_part1 CREATE TABLE `i_part1` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.i_part2; +Table Create Table +i_part2 CREATE TABLE `i_part2` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.i_part3; +Table Create Table +i_part3 CREATE TABLE `i_part3` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (30) ENGINE = InnoDB) */ +SHOW CREATE TABLE db1.c1; +Table Create Table +c1 CREATE TABLE `c1` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.c2; +Table Create Table +c2 CREATE TABLE `c2` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.c3; +Table Create Table +c3 CREATE TABLE `c3` ( + `f1` int NOT NULL +) ENGINE=CSV DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.h1; +Table Create Table +h1 CREATE TABLE `h1` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.h2; +Table Create Table +h2 CREATE TABLE `h2` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.h3; +Table Create Table +h3 CREATE TABLE `h3` ( + `f1` int DEFAULT NULL +) ENGINE=MEMORY DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP DATABASE db1; +DROP TABLESPACE ts1; +DROP TABLESPACE ts2; +DROP TABLESPACE ts3; +DROP TABLESPACE ts4; +# Cleanup +DROP USER u1@localhost; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/no_password.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/no_password.result new file mode 100644 index 000000000000..1ffaf7dd235e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/no_password.result @@ -0,0 +1,29 @@ +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +# Re-starting mysql server with manifest file +# Component loaded but Disabled - neither 'password' nor 'password_file' in config +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Disabled +Data_file +Read_only +Password +Password_file +Iterations +# Error log must record the config parse failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present +FROM performance_schema.error_log +WHERE DATA LIKE '%Either%password%password_file%must be specified%'; +error_present +FOUND +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_and_password_file.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_and_password_file.result new file mode 100644 index 000000000000..020b9d112f1f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_and_password_file.result @@ -0,0 +1,20 @@ +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +# Re-starting mysql server with manifest file +# Component must be Disabled - both 'password' and 'password_file' given +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status +WHERE STATUS_KEY = 'Component_status'; +STATUS_KEY STATUS_VALUE +Component_status Disabled +# Error log must record the mutual exclusivity violation +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present +FROM performance_schema.error_log +WHERE DATA LIKE '%Only one of%password%password_file%'; +error_present +FOUND +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file.result new file mode 100644 index 000000000000..9fa91dc70ba3 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file.result @@ -0,0 +1,31 @@ +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# password_file: component must be Active; Password shows , Password_file shows the path +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Active +Data_file MYSQLTEST_VARDIR/keyring_file +Read_only No +Password +Password_file MYSQLTEST_VARDIR/keyring_password_file +Iterations 42 +# Populate keyring file +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Restart with the same password_file - encrypted file must still be readable +# Re-starting mysql server with manifest file +# Component must remain Active after restart +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status +WHERE STATUS_KEY = 'Component_status'; +STATUS_KEY STATUS_VALUE +Component_status Active +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file_not_found.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file_not_found.result new file mode 100644 index 000000000000..1faad40745b1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/password_file_not_found.result @@ -0,0 +1,20 @@ +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +# Re-starting mysql server with manifest file +# Component must be Disabled - password_file path does not exist +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status +WHERE STATUS_KEY = 'Component_status'; +STATUS_KEY STATUS_VALUE +Component_status Disabled +# Error log must record the file-open failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present +FROM performance_schema.error_log +WHERE DATA LIKE '%Could not open password file%'; +error_present +FOUND +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_keyring.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_keyring.result new file mode 100644 index 000000000000..17cf400da970 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_keyring.result @@ -0,0 +1,31 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Populate keyring file +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Reload with unchanged (correct) config must succeed +ALTER INSTANCE RELOAD KEYRING; +# Component must remain Active after successful reload +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Active +Data_file MYSQLTEST_VARDIR/keyring_file +Read_only No +Password +Password_file +Iterations 42 +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_wrong_password.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_wrong_password.result new file mode 100644 index 000000000000..840a8f07ab64 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/reload_wrong_password.result @@ -0,0 +1,27 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +CALL mtr.add_suppression(".*Failed to decrypt keyring file.*"); +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Update config to a different password without re-encrypting the file +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Reload must fail - config password does not match the encrypted file +ALTER INSTANCE RELOAD KEYRING; +ERROR HY000: Keyring reload failed. Please check error log for more details. +# Keyring state must be preserved despite failed reload +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status +WHERE STATUS_KEY = 'Component_status'; +STATUS_KEY STATUS_VALUE +Component_status Active +# Teardown +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rename_table.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rename_table.result new file mode 100644 index 000000000000..4e9af726527a --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rename_table.result @@ -0,0 +1,910 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT ALL ON db2.* TO u1@localhost; +GRANT ALL ON sch1.* TO u1@localhost; +GRANT ALL ON sch2.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# The test cases run RENAME TABLE to move tables from one database +# to another, with tables using file-per-table or general +# tablespace. And these operations are run in below configuration, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting per database default encryption to 'y' and 'n' +# - Setting table's encryption mode to 'y' and 'n'. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - +# - Check for warnings generated. +# +````````````````````````````````````````````````````````` +# Test using innodb_file_per_table tablespace. +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=false +# [ALTER TABLE ... RENAME ...] Case 1 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# 1.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 1.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +RENAME TABLE db2.ts1 TO db1.ts1_rename; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 1.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +# [ALTER TABLE ... RENAME ...] Case 2 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# 2.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +# 2.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +RENAME TABLE db2.ts1 TO db1.ts1_rename; +# 2.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 3 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# 3.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 3.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +RENAME TABLE db2.ts1 TO db1.ts1_rename; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 3.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt2 +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +# [ALTER TABLE ... RENAME ...] Case 4 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 4.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 4.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 4.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 5 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# 5.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +# 5.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +RENAME TABLE db2.ts1 TO db1.ts1_rename; +# 5.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt2 +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +# [ALTER TABLE ... RENAME ...] Case 6 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=innodb_file_per_table ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 6.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 6.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 6.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +````````````````````````````````````````````````````````` +# Test using general tablespace. +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=false +# [ALTER TABLE ... RENAME ...] Case 7 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=false; +# 7.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 7.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +RENAME TABLE db2.ts1 TO db1.ts1_rename; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +# 7.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 8 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=false; +# 8.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +# 8.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +RENAME TABLE db2.ts1 TO db1.ts1_rename; +# 8.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 9 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# 9.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 9.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +RENAME TABLE db2.ts1 TO db1.ts1_rename; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +# 9.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt2 +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 10 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='n'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='n'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 10.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 10.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 10.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +````````````````````````````````````````````````````````` +# We expect failure when the table encryption does not match +# with default database encryption. +# [ALTER TABLE ... RENAME ...] Case 11 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# 11.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.fpt1 TO db2.fpt1_renamed; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +RENAME TABLE db2.fpt1 TO db1.fpt1_renamed; +# 11.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +RENAME TABLE db1.ts1 TO db2.ts1_rename; +ERROR HY000: Table encryption differ from its database default encryption, and user doesn't have enough privilege. +RENAME TABLE db2.ts1 TO db1.ts1_rename; +# 11.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +RENAME TABLE sch1.fpt TO sch1.fpt_renamed; +RENAME TABLE sch1.ts TO sch1.ts_renamed; +RENAME TABLE sch2.fpt TO sch2.fpt_renamed; +RENAME TABLE sch2.ts TO sch2.ts_renamed; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1 +fpt1_renamed +fpt2 +ts1 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt2 +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# [ALTER TABLE ... RENAME ...] Case 12 ) +````````````````````````````````````````````````````````` +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE db2 DEFAULT ENCRYPTION='n'; +CREATE DATABASE sch1 DEFAULT ENCRYPTION='y'; +CREATE DATABASE sch2 DEFAULT ENCRYPTION='n'; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +CREATE TABLE db1.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db1.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.fpt1 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.fpt2 (f1 int) ENCRYPTION='y'; +CREATE TABLE db2.ts1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db2.ts2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch1.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch1.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE sch2.fpt (f1 int) ENCRYPTION='y'; +CREATE TABLE sch2.ts (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SET GLOBAL table_encryption_privilege_check=true; +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# 12.1. +# Rename table using file-per-table tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.fpt1 RENAME db2.fpt1_renamed ; +ALTER TABLE db2.fpt1 RENAME db1.fpt1_renamed ; +# 12.2. +# Rename table using general tablespace from db encryption='y' +# to db with encryption='n' and viceversa +ALTER TABLE db1.ts1 RENAME db2.ts1_rename ; +ALTER TABLE db2.ts1 RENAME db1.ts1_rename ; +# 12.3. +# Rename table (using file-per-table/general tablespace) +# within the database never fails. +ALTER TABLE sch1.fpt RENAME sch1.fpt_renamed ; +ALTER TABLE sch1.ts RENAME sch1.ts_renamed ; +ALTER TABLE sch2.fpt RENAME sch2.fpt_renamed ; +ALTER TABLE sch2.ts RENAME sch2.ts_renamed ; +SET GLOBAL table_encryption_privilege_check=false; +SHOW TABLES IN db1; +Tables_in_db1 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN db2; +Tables_in_db2 +fpt1_renamed +fpt2 +ts1_rename +ts2 +SHOW TABLES IN sch1; +Tables_in_sch1 +fpt_renamed +ts_renamed +SHOW TABLES IN sch2; +Tables_in_sch2 +fpt_renamed +ts_renamed +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP DATABASE db2; +DROP DATABASE sch1; +DROP DATABASE sch2; +DROP TABLESPACE ts1; +# Cleanup +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_encryption.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_encryption.result new file mode 100644 index 000000000000..ebffacb4e27d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_encryption.result @@ -0,0 +1,49 @@ +# ---------------------------------------------------------------------- +# Setup +include/rpl/init_source_replica.inc +Warnings: +Note #### Sending passwords in plain text without SSL/TLS is extremely insecure. +Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +[connection master] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection slave] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection master] +# ---------------------------------------------------------------------- +[connection slave] +[connection master] +# Part 1 - binlog_encryption = OFF +CREATE TABLE t1 (c1 INT PRIMARY KEY AUTO_INCREMENT, c2 TEXT); +# Inserting 50 transactions with save points +SHOW BINLOG EVENTS shall not fail on the un-encrypted binlog file +SHOW BINLOG EVENTS IN 'PLAIN_MASTER_FILE'; +# Restarting the server with "--binlog_encryption=ON" and keyring +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log is encrypted using 1st master key] +# Part 2 - binlog_encryption = ON +# Inserting 50 transactions with save points +SHOW BINLOG EVENTS shall not fail on the encrypted binlog file +SHOW BINLOG EVENTS IN 'ENCRYPTED_MASTER_FILE'; +# Restarting the server without "--binlog_encryption=ON" +include/rpl/restart_server.inc [server_number=1] +[connection slave] +include/rpl/start_replica.inc +[connection master] +include/rpl/sync_to_replica.inc +include/diff_tables.inc [master:t1, slave:t1] +[connection master] +DROP TABLE t1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +include/rpl/deinit.inc +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_temp_file_encryption.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_temp_file_encryption.result new file mode 100644 index 000000000000..7c6d8b26a1f1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_binlog_cache_temp_file_encryption.result @@ -0,0 +1,60 @@ +# ---------------------------------------------------------------------- +# Setup +include/rpl/init_source_replica.inc +Warnings: +Note #### Sending passwords in plain text without SSL/TLS is extremely insecure. +Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +[connection master] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection slave] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection master] +# ---------------------------------------------------------------------- +include/rpl/stop_server.inc [server_number=1] +include/rpl/start_server.inc [server_number=1] +include/rpl/stop_server.inc [server_number=2] +include/rpl/start_server.inc [server_number=2] +[connection slave] +include/rpl/start_replica.inc +[connection master] +CREATE TABLE t1 (c1 TEXT) ENGINE=INNODB; +# Adding debug point 'ensure_binlog_cache_temporary_file_is_encrypted' to @@GLOBAL.debug +INSERT INTO t1 VALUES (REPEAT('123', 16384.0)); +# Removing debug point 'ensure_binlog_cache_temporary_file_is_encrypted' from @@GLOBAL.debug +SET GLOBAL binlog_encryption=OFF; +# Adding debug point 'ensure_binlog_cache_temp_file_encryption_is_disabled' to @@GLOBAL.debug +INSERT INTO t1 VALUES (REPEAT('off', 16384.0)); +# Removing debug point 'ensure_binlog_cache_temp_file_encryption_is_disabled' from @@GLOBAL.debug +SET GLOBAL binlog_encryption=ON; +# Adding debug point 'ensure_binlog_cache_temporary_file_is_encrypted' to @@GLOBAL.debug +INSERT INTO t1 VALUES (REPEAT('on1', 16384.0)); +# Removing debug point 'ensure_binlog_cache_temporary_file_is_encrypted' from @@GLOBAL.debug +# Adding debug point 'ensure_binlog_cache_is_reset' to @@GLOBAL.debug +INSERT INTO t1 VALUES ("567"); +BEGIN; +INSERT INTO t1 VALUES ("789"); +ROLLBACK; +# Removing debug point 'ensure_binlog_cache_is_reset' from @@GLOBAL.debug +include/rpl/sync_to_replica.inc +include/diff_tables.inc [master:t1,slave:t1] +[connection master] +DROP TABLE t1; +include/rpl/sync_to_replica.inc +[connection master] +SET GLOBAL binlog_encryption= OFF; +[connection slave] +SET GLOBAL binlog_encryption= OFF; +SET GLOBAL keyring_operations= ON; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +include/rpl/deinit.inc +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_default_table_encryption.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_default_table_encryption.result new file mode 100644 index 000000000000..3ace0c2f0079 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_default_table_encryption.result @@ -0,0 +1,1190 @@ +# ---------------------------------------------------------------------- +# Setup +include/rpl/init_source_replica.inc +Warnings: +Note #### Sending passwords in plain text without SSL/TLS is extremely insecure. +Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +[connection master] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection slave] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection master] +# ---------------------------------------------------------------------- +include/rpl/stop_server.inc [server_number=1] +include/rpl/start_server.inc [server_number=1] +include/rpl/stop_server.inc [server_number=2] +include/rpl/start_server.inc [server_number=2] +[connection slave] +include/rpl/start_replica.inc +#### SETUP #### +[connection master] +SET @default_table_encryption_save = @@global.default_table_encryption; +include/rpl/sync_to_replica.inc +SET @default_table_encryption_save = @@global.default_table_encryption; +#### TEST #### +[connection master] +SET @@global.default_table_encryption = 0; +[connection slave] +SET @@global.default_table_encryption = 0; +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db [master_session:0 master_global:0 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:0 master_global:0 slave_global:0] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:0 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:0 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:0 master_global:0 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:0 master_global:0 slave_global:0] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:0 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:0 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db [master_session:1 master_global:0 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:1 master_global:0 slave_global:0] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:1 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:1 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:1 master_global:0 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:1 master_global:0 slave_global:0] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:1 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:1 master_global:0 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection slave] +SET @@global.default_table_encryption = 1; +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db [master_session:0 master_global:0 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:0 master_global:0 slave_global:1] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:0 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:0 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:0 master_global:0 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:0 master_global:0 slave_global:1] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:0 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:0 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db [master_session:1 master_global:0 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:1 master_global:0 slave_global:1] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:1 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:1 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:1 master_global:0 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:1 master_global:0 slave_global:1] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:1 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:1 master_global:0 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection master] +SET @@global.default_table_encryption = 1; +[connection slave] +SET @@global.default_table_encryption = 0; +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db [master_session:0 master_global:1 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:0 master_global:1 slave_global:0] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:0 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:0 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:0 master_global:1 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:0 master_global:1 slave_global:0] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:0 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:0 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db [master_session:1 master_global:1 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:1 master_global:1 slave_global:0] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:1 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:1 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:1 master_global:1 slave_global:0] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:1 master_global:1 slave_global:0] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:1 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:1 master_global:1 slave_global:0] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection slave] +SET @@global.default_table_encryption = 1; +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db [master_session:0 master_global:1 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:0 master_global:1 slave_global:1] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:0 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:0 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:0 master_global:1 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=0] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-0; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:0 master_global:1 slave_global:1] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 0; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:0 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:0 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db [master_session:1 master_global:1 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER DATABASE db CHARACTER SET = utf8mb3 [master_session:1 master_global:1 slave_global:1] ==== +# ALTER: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER DATABASE db CHARACTER SET = utf8mb3; +Warnings: +Warning 1287 'utf8mb3' is deprecated and will be removed in a future release. Please use utf8mb4 instead +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'n' [master_session:1 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='N'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='N'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE DATABASE db DEFAULT ENCRYPTION = 'y' [master_session:1 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE DATABASE db DEFAULT ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "%ENCRYPTION='Y'%" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "%ENCRYPTION='Y'%" +[connection master] +DROP DATABASE db; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts [master_session:1 master_global:1 slave_global:1] ==== +# CREATE without ENCRYPTION: include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should contain default_table_encryption=1] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1-1; +==== ALTER TABLESPACE ts RENAME TO ts2 [master_session:1 master_global:1 slave_global:1] ==== +# ALTER should not include the variable in the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +ALTER TABLESPACE ts RENAME TO ts2; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts2; +include/rpl/sync_to_replica.inc +[connection master] +SET @@session.default_table_encryption = 1; +==== CREATE TABLESPACE ts ENCRYPTION = 'y' [master_session:1 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'y'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "Y" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "Y" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +==== CREATE TABLESPACE ts ENCRYPTION = 'n' [master_session:1 master_global:1 slave_global:1] ==== +# CREATE with ENCRYPTION: exclude the variable from the binlog +[connection slave] +include/rpl/stop_applier.inc +include/rpl/start_applier.inc +[connection master] +include/rpl/save_binlog_file_position.inc +CREATE TABLESPACE ts ENCRYPTION = 'n'; +# Assert that binlog is as expected +include/assert_grep.inc [Binlog should not contain default_table_encryption] +# Assert that object on master is "N" +include/rpl/sync_to_replica.inc +# Assert that object on slave is "N" +[connection master] +DROP TABLESPACE ts; +include/rpl/sync_to_replica.inc +[connection master] +#### CLEANUP #### +[connection master] +SET @@global.default_table_encryption = @default_table_encryption_save; +[connection slave] +SET @@global.default_table_encryption = @default_table_encryption_save; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +include/rpl/deinit.inc +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption.result new file mode 100644 index 000000000000..4b9b6ea071ad --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption.result @@ -0,0 +1,140 @@ +# ---------------------------------------------------------------------- +# Setup +include/rpl/init_source_replica.inc +Warnings: +Note #### Sending passwords in plain text without SSL/TLS is extremely insecure. +Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +[connection master] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection slave] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection master] +# ---------------------------------------------------------------------- +[connection slave] +[connection master] +# Part 1 +SET @@GLOBAL.binlog_encryption = ON; +ERROR HY000: Unable to recover binlog encryption master key, please check if keyring is loaded. +include/assert.inc [binlog_encryption option shall be OFF] +include/assert.inc [Binary log was not rotated] +include/assert.inc [Binary log is not encrypted] +include/assert.inc [1st binary log is not encrypted on source] +include/rpl/stop_server.inc [server_number=1] +# Taking backup of local manifest file for MySQL server instance +Starting the server with "--binlog_encryption=ON" but no keyring installed +include/assert_grep.inc [Server failed to initialize binlog encryption] +include/assert_grep.inc [Server aborted to start] +# Part 2 +# Restore local manifest file for MySQL server instance from backup +Starting the source with "--binlog_encryption=ON" and keyring installed +include/rpl/start_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [2nd binary log is encrypted on source] +include/assert.inc [Binary log is encrypted using 1st master key] +include/assert.inc [Binary log rotated as expected at source startup] +SET PERSIST binlog_encryption = ON; +Restart the source with keyring installed +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [3rd binary log is encrypted on source] +include/assert.inc [Binary log is encrypted using 1st master key] +include/assert.inc [Binary log rotated as expected at source startup] +[connection slave] +include/assert.inc [1st binary log is not encrypted on replica] +include/assert.inc [Relay log is not encrypted for slave-relay-bin.000001] +Restart the replica with keyring installed +include/rpl/restart_server.inc [server_number=2] +include/assert.inc [binlog_encryption option shall be OFF] +include/assert.inc [2nd binary log is not encrypted on replica] +include/assert.inc [Relay log is not encrypted for slave-relay-bin.000002] +SET GLOBAL binlog_encryption = ON; +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [3rd binary log is encrypted on replica] +include/assert.inc [Binary log rotated as expected at server startup] +include/assert.inc [New binary log is encrypted using 1st master key] +include/assert.inc [Relay log rotated as expected at server startup] +include/assert.inc [Relay log is encrypted for slave-relay-bin.000003] +# Adding debug point 'verify_unusable_encryption_keys_are_purged' to @@GLOBAL.debug +ALTER INSTANCE ROTATE BINLOG MASTER KEY; +# Removing debug point 'verify_unusable_encryption_keys_are_purged' from @@GLOBAL.debug +include/assert.inc [The third relay log is re-encrypted using second master key] +include/assert.inc [The after relay log is encrypted using second master key] +# Part 3 +[connection master] +CREATE TABLE t1 (c1 INT PRIMARY KEY); +INSERT INTO t1 (c1) VALUES (1), (2), (3); +INSERT INTO t1 (c1) VALUES (4), (5), (6); +[connection slave] +include/rpl/start_replica.inc +[connection master] +include/rpl/sync_to_replica.inc +# Part 4 +[connection slave] +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +SET GLOBAL keyring_operations = OFF; +[connection master] +include/rpl/sync_to_replica.inc +FLUSH LOGS; +include/assert.inc [5th binary log is encrypted on replica] +include/assert.inc [Binary log rotated as expected by the FLUSH LOGS] +include/assert.inc [New binary log is still encrypted] +include/rpl/wait_for_applier_error.inc [errno=13121] +include/rpl/stop_receiver.inc +RESET REPLICA ALL; +include/assert.inc [New relay log is still encrypted] +CHANGE REPLICATION SOURCE TO SOURCE_HOST='127.0.0.1', SOURCE_PORT=MASTER_MYPORT, SOURCE_USER='root'; +Warnings: +Note 1759 Sending passwords in plain text without SSL/TLS is extremely insecure. +Note 1760 Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +include/assert.inc [New relay log is still encrypted] +START REPLICA SQL_THREAD; +include/rpl/wait_for_applier_error.inc [errno=13117] +SET GLOBAL binlog_encryption = OFF; +include/assert.inc [6th binary log is not encrypted on replica] +include/assert.inc [Binary log rotated as expected when disabling the option] +include/assert.inc [New binary log is not encrypted] +RESET REPLICA ALL; +include/assert.inc [New relay log is not encrypted] +CHANGE REPLICATION SOURCE TO SOURCE_HOST='127.0.0.1', SOURCE_PORT=MASTER_MYPORT, SOURCE_USER='root'; +Warnings: +Note 1759 Sending passwords in plain text without SSL/TLS is extremely insecure. +Note 1760 Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +include/assert.inc [New relay log is not encrypted] +include/rpl/start_replica.inc +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +[connection master] +third_binary_log: master-bin.000003 +include/assert.inc [the third binary log is encrypted using first master key] +# Part 5 +# Adding debug point 'verify_unusable_encryption_keys_are_purged' to @@GLOBAL.debug +ALTER INSTANCE ROTATE BINLOG MASTER KEY; +# Removing debug point 'verify_unusable_encryption_keys_are_purged' from @@GLOBAL.debug +include/assert.inc [the fourth binary log is encrypted on source] +include/assert.inc [the third binary log is re-encrypted using second master key] +include/assert.inc [the fourth binary log is encrypted using second master key] +SET PERSIST binlog_encryption = OFF; +include/assert.inc [5th binary log is not encrypted on source] +ALTER INSTANCE ROTATE BINLOG MASTER KEY; +ERROR HY000: Cannot rotate binary log master key when 'binlog-encryption' is off. +RESET PERSIST; +[connection master] +DROP TABLE t1; +include/rpl/sync_to_replica.inc +[connection master] +SET GLOBAL binlog_encryption= OFF; +[connection slave] +SET GLOBAL keyring_operations= ON; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +include/rpl/deinit.inc +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_generation_recovery.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_generation_recovery.result new file mode 100644 index 000000000000..4d4a5bf11a55 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_generation_recovery.result @@ -0,0 +1,80 @@ +# ---------------------------------------------------------------------- +# Setup +include/rpl/init_source_replica.inc +Warnings: +Note #### Sending passwords in plain text without SSL/TLS is extremely insecure. +Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +[connection master] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection slave] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection master] +# ---------------------------------------------------------------------- +include/rpl/stop_server.inc [server_number=1] +# Force the server to fail storing new master key index +Try to restart the master enabling the option with debug instrumentation +include/assert_grep.inc [Server reported: Failed to store key] +include/assert_grep.inc [Server failed to initialize binlog encryption] +include/assert_grep.inc [Server aborted to start] +# Force the server to fail generating new master key +Try to restart the master enabling the option with debug instrumentation +include/assert_grep.inc [Server reported: Failed to generate key] +include/assert_grep.inc [Server failed to initialize binlog encryption] +include/assert_grep.inc [Server aborted to start] +# Force the server to fail storing master key index +Try to restart the master enabling the option with debug instrumentation +include/assert_grep.inc [Server reported: Failed to store key] +include/assert_grep.inc [Server failed to initialize binlog encryption] +include/assert_grep.inc [Server aborted to start] +Restart the master enabling the option +include/rpl/start_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated] +include/assert.inc [2th binary log is encrypted on master] +CREATE TABLE t1 (c1 INT PRIMARY KEY); +INSERT INTO t1 (c1) VALUES (1),(2),(3); +INSERT INTO t1 (c1) VALUES (4),(5),(6); +[connection slave] +include/assert.inc [1st binary log is not encrypted on slave] +Restart the slave with keyring installed +include/rpl/restart_server.inc [server_number=2] +include/assert.inc [binlog_encryption option shall be OFF] +include/assert.inc [2nd binary log is not encrypted on slave] +# Force the server to fail storing new master key index +SET GLOBAL binlog_encryption = ON; +ERROR HY000: Failed to store key, please check if keyring is loaded. +include/assert.inc [binlog_encryption option shall be OFF] +include/assert.inc [Binary log did not rotated] +# Force the server to fail generating new master key +SET GLOBAL binlog_encryption = ON; +ERROR HY000: Failed to generate key, please check if keyring is loaded. +include/assert.inc [binlog_encryption option shall be OFF] +include/assert.inc [Binary log did not rotated] +# Force the server to fail storing master key index +SET GLOBAL binlog_encryption = ON; +ERROR HY000: Failed to store key, please check if keyring is loaded. +include/assert.inc [binlog_encryption option shall be OFF] +include/assert.inc [Binary log did not rotated] +SET GLOBAL binlog_encryption = ON; +include/assert.inc [Binary log rotated] +include/assert.inc [5th binary log is encrypted on slave] +include/rpl/start_replica.inc +[connection master] +SET GLOBAL binlog_encryption = OFF; +DROP TABLE t1; +include/rpl/sync_to_replica.inc +SET GLOBAL binlog_encryption = OFF; +[connection master] +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +include/rpl/deinit.inc +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_rotation_at_startup.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_rotation_at_startup.result new file mode 100644 index 000000000000..f7bad30f1fdb --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/rpl_encryption_master_key_rotation_at_startup.result @@ -0,0 +1,105 @@ +# ---------------------------------------------------------------------- +# Setup +include/rpl/init_source_replica.inc +Warnings: +Note #### Sending passwords in plain text without SSL/TLS is extremely insecure. +Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information. +[connection master] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection slave] +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +[connection master] +# ---------------------------------------------------------------------- +Restart the master enabling the rotate option only +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be OFF] +include/assert_grep.inc [Server ignored binlog_rotate_encryption_master_key_at_startup] +include/assert.inc [Binary log rotated] +include/assert.inc [2nd binary log is not encrypted on master] +include/rpl/stop_server.inc [server_number=1] +# Force the server to fail storing master key index +Try to restart the master enabling the options with debug instrumentation +include/assert_grep.inc [Server reported: Failed to store key] +include/assert_grep.inc [Server failed to initialize binlog encryption] +include/assert_grep.inc [Server did not failed to rotate binlog encryption master key at startup] +include/assert_grep.inc [Server aborted to start] +Restart the master enabling the options +include/rpl/start_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated] +include/assert.inc [3rd binary log is encrypted on master] +include/assert.inc [Binary log is encrypted with 2nd key] +include/rpl/stop_server.inc [server_number=1] +# Force the server to fail storing master key index +Try to restart the master enabling the options with debug instrumentation +include/assert_grep.inc [Server reported: Failed to store key] +include/assert_grep.inc [Server failed to initialize binlog encryption] +include/assert_grep.inc [Server did not failed to rotate binlog encryption master key at startup] +include/assert_grep.inc [Server aborted to start] +Restart the master enabling just the binlog_encryption option +include/rpl/start_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated] +include/assert.inc [4th binary log is encrypted on master] +include/assert.inc [Binary log is encrypted with 3th key] +CREATE TABLE t1 (c1 INT PRIMARY KEY AUTO_INCREMENT, c2 TEXT); +INSERT INTO t1 (c2) VALUES ("MySQL"); +Restart the master enabling the options to generate key #4 +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated as expected] +include/assert.inc [Binary log is encrypted with key #4] +INSERT INTO t1 (c2) VALUES ("MySQL"); +Restart the master enabling the options to generate key #5 +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated as expected] +include/assert.inc [Binary log is encrypted with key #5] +INSERT INTO t1 (c2) VALUES ("MySQL"); +Restart the master enabling the options to generate key #6 +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated as expected] +include/assert.inc [Binary log is encrypted with key #6] +INSERT INTO t1 (c2) VALUES ("MySQL"); +Restart the master enabling the options to generate key #7 +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated as expected] +include/assert.inc [Binary log is encrypted with key #7] +INSERT INTO t1 (c2) VALUES ("MySQL"); +Restart the master enabling the options to generate key #8 +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated as expected] +include/assert.inc [Binary log is encrypted with key #8] +INSERT INTO t1 (c2) VALUES ("MySQL"); +Restart the master enabling the options to generate key #9 +include/rpl/restart_server.inc [server_number=1] +include/assert.inc [binlog_encryption option shall be ON] +include/assert.inc [Binary log rotated as expected] +include/assert.inc [Binary log is encrypted with key #9] +INSERT INTO t1 (c2) VALUES ("MySQL"); +[connection slave] +include/rpl/start_replica.inc +[connection master] +SET GLOBAL binlog_encryption = OFF; +DROP TABLE t1; +include/rpl/sync_to_replica.inc +include/rpl/stop_replica.inc +include/rpl/restart_server.inc [server_number=1] +[connection slave] +SET GLOBAL keyring_operations= ON; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +include/rpl/deinit.inc +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/sensitive_variables.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/sensitive_variables.result new file mode 100644 index 000000000000..05f90d07c6fc --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/sensitive_variables.result @@ -0,0 +1,54 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#13469: secure storage for sensitive system variables +# +# ---------------------------------------------------------------------- +# 1. Tests for persisted SENSITIVE variables +INSTALL COMPONENT "file://component_test_sensitive_system_variables"; +CREATE USER wl13469_no_privilege; +SET PERSIST test_component.sensitive_string_1 = 'haha'; +SET PERSIST_ONLY test_component.sensitive_ro_string_1 = 'haha'; + +include/assert.inc [PFS table persisted_variables should show SENSITIVE variables for users with SENSITIVE_VARIABLES_OBSERVER privilege] + +include/assert.inc [PFS table persisted_variables should not show SENSITIVE variables for users without SENSITIVE_VARIABLES_OBSERVER privilege] +DROP USER wl13469_no_privilege; +# Stop the running server. +# Restart server with keyring component +SELECT a.variable_name, b.variable_value, a.variable_source FROM performance_schema.variables_info AS a, performance_schema.global_variables AS b WHERE a.variable_name = b.variable_name AND a.variable_name LIKE 'test_component.sensitive%'; +variable_name variable_value variable_source +test_component.sensitive_ro_string_1 haha PERSISTED +test_component.sensitive_ro_string_2 COMPILED +test_component.sensitive_ro_string_3 COMPILED +test_component.sensitive_string_1 haha PERSISTED +test_component.sensitive_string_2 COMPILED +test_component.sensitive_string_3 COMPILED +SET PERSIST test_component.sensitive_string_2 = 'hoho'; +SET PERSIST_ONLY test_component.sensitive_ro_string_2 = 'hoho'; +SET PERSIST test_component.sensitive_string_3 = 'hoho'; +SET PERSIST_ONLY test_component.sensitive_ro_string_3 = 'hoho'; +# Stop the running server. +# Restart server with keyring component +SELECT a.variable_name, b.variable_value, a.variable_source FROM performance_schema.variables_info AS a, performance_schema.global_variables AS b WHERE a.variable_name = b.variable_name AND a.variable_name LIKE 'test_component.sensitive%'; +variable_name variable_value variable_source +test_component.sensitive_ro_string_1 haha PERSISTED +test_component.sensitive_ro_string_2 hoho PERSISTED +test_component.sensitive_ro_string_3 hoho PERSISTED +test_component.sensitive_string_1 haha PERSISTED +test_component.sensitive_string_2 hoho PERSISTED +test_component.sensitive_string_3 hoho PERSISTED +RESET PERSIST; +UNINSTALL COMPONENT "file://component_test_sensitive_system_variables"; +# ---------------------------------------------------------------------- +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_1.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_1.result new file mode 100644 index 000000000000..36cd00e8fbd0 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_1.result @@ -0,0 +1,223 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +SET GLOBAL innodb_file_per_table = 0; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +0 +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE t1(c int) ENCRYPTION="Y" tablespace innodb_system; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +CREATE TABLE t1(c int) ENCRYPTION="N" tablespace innodb_system; +DROP TABLE t1; +CREATE TEMPORARY TABLE t1(c int) ENCRYPTION="Y"; +ERROR HY000: InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +Error 1031 Table storage engine for 't1' doesn't have this option +CREATE TEMPORARY TABLE t1(c int) ENCRYPTION="N"; +ERROR HY000: InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +Error 1031 Table storage engine for 't1' doesn't have this option +CREATE TABLE t1(c int) ENCRYPTION="R" ENGINE = InnoDB; +ERROR HY000: Invalid encryption option. +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +# Kill the server +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER TABLE t1 ENCRYPTION="N", algorithm=inplace; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +ALTER TABLE t1 TABLESPACE=`innodb_system`; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE t1 ENCRYPTION="N", algorithm=copy; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +DROP TABLE t1; +CREATE TABLE t1 (c1 int) ENCRYPTION='N'; +ALTER TABLE t1 ENCRYPTION='P',algorithm=copy; +ERROR HY000: Invalid encryption option. +ALTER TABLE t1 ADD KEY k1 (c1) ,algorithm=inplace; +ALTER TABLE t1 ENCRYPTION='Y',algorithm=inplace; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +drop table t1; +CREATE TABLE t1(c1 INT PRIMARY KEY) COMPRESSION = "ZLIB" ENCRYPTION = "Y" ENGINE = InnoDB; +INSERT INTO t1 VALUES(0), (1), (2), (3), (4), (5), (6), (7), (8), (9); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int NOT NULL, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci COMPRESSION='ZLIB' ENCRYPTION='Y' +FLUSH TABLES t1 WITH READ LOCK; +UNLOCK TABLES; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +SELECT * FROM t1 ORDER BY c1; +c1 +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +DROP TABLE t1; +CREATE TABLE t1(c1 int null) ENCRYPTION='Y' ROW_FORMAT=compressed; +INSERT INTO t1 VALUES(0), (1), (2), (3), (4), (5), (6), (7), (8), (9); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +FLUSH TABLES t1 WITH READ LOCK; +UNLOCK TABLES; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +SELECT * FROM t1 ORDER BY c1; +c1 +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +DROP TABLE t1; +CREATE TABLE t1(c1 INT PRIMARY KEY, g geometry not null, spatial index(g)) ENCRYPTION = "Y" ENGINE = InnoDB; +INSERT INTO t1 VALUES(0, POINT(0, 0)); +INSERT INTO t1 VALUES(1, POINT(1, 1)); +INSERT INTO t1 VALUES(2, POINT(2, 2)); +INSERT INTO t1 VALUES(3, POINT(3, 3)); +INSERT INTO t1 VALUES(4, POINT(4, 4)); +INSERT INTO t1 VALUES(5, POINT(5, 5)); +INSERT INTO t1 VALUES(6, POINT(6, 6)); +INSERT INTO t1 VALUES(7, POINT(7, 7)); +INSERT INTO t1 VALUES(8, POINT(8, 8)); +INSERT INTO t1 VALUES(9, POINT(9, 9)); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int NOT NULL, + `g` geometry NOT NULL, + PRIMARY KEY (`c1`), + SPATIAL KEY `g` (`g`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +FLUSH TABLES t1 WITH READ LOCK; +UNLOCK TABLES; +SELECT c1, ST_AsText(g) FROM t1 ORDER BY c1 LIMIT 10; +c1 ST_AsText(g) +0 POINT(0 0) +1 POINT(1 1) +2 POINT(2 2) +3 POINT(3 3) +4 POINT(4 4) +5 POINT(5 5) +6 POINT(6 6) +7 POINT(7 7) +8 POINT(8 8) +9 POINT(9 9) +SELECT c1, ST_AsText(g) FROM t1 ORDER BY c1 LIMIT 10; +c1 ST_AsText(g) +0 POINT(0 0) +1 POINT(1 1) +2 POINT(2 2) +3 POINT(3 3) +4 POINT(4 4) +5 POINT(5 5) +6 POINT(6 6) +7 POINT(7 7) +8 POINT(8 8) +9 POINT(9 9) +DROP TABLE t1; +SET GLOBAL innodb_file_per_table=OFF; +CREATE TABLE t1 (c1 int); +ALTER TABLE t1 COMPRESSION='zlib'; +ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'COMPRESSION' +SHOW WARNINGS; +Level Code Message +Warning 138 InnoDB: Page Compression is not supported for the system tablespace +Error 1478 Table storage engine 'InnoDB' does not support the create option 'COMPRESSION' +ALTER TABLE t1 ENCRYPTION='Y',ALGORITHM=COPY; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL innodb_file_per_table=1; +DROP TABLE t1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_2.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_2.result new file mode 100644 index 000000000000..662c8190ceaa --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_2.result @@ -0,0 +1,174 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +DROP TABLE IF EXISTS t1; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER INSTANCE ROTATE INNODB MASTER KEY; +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +DROP TABLE t1; +SET block_encryption_mode = 'aes-256-cbc'; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +CREATE TABLE tde_db.t1(c1 INT PRIMARY KEY, c2 char(50)) ENCRYPTION = 'Y' ENGINE = InnoDB; +INSERT INTO tde_db.t1 VALUES(0, 'abc'); +INSERT INTO tde_db.t1 VALUES(1, 'xyz'); +INSERT INTO tde_db.t1 VALUES(2, null); +INSERT INTO tde_db.t1 VALUES(3, null); +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +# Mysqldump output +SET @MYSQLDUMP_TEMP_LOG_BIN = @@SESSION.SQL_LOG_BIN; +SET @@SESSION.SQL_LOG_BIN= 0; +SET @@GLOBAL.GTID_PURGED=/*!80000 '+'*/ 'GTID_SET'; + +CREATE DATABASE /*!32312 IF NOT EXISTS*/ `tde_db` /*!40100 DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci */ /*!80016 DEFAULT ENCRYPTION='N' */; + +USE `tde_db`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!50503 SET character_set_client = utf8mb4 */; +CREATE TABLE `t1` ( + `c1` int NOT NULL, + `c2` char(50) DEFAULT NULL, + PRIMARY KEY (`c1`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y'; +/*!40101 SET character_set_client = @saved_cs_client */; +INSERT INTO `t1` VALUES (0,'abc'),(1,'xyz'),(2,NULL),(3,NULL); +SET @@SESSION.SQL_LOG_BIN = @MYSQLDUMP_TEMP_LOG_BIN; +# Redirecting mysqldump output to MYSQL_TMP_DIR/mysqldump_encrypt.sql +DROP DATABASE tde_db; +RESET BINARY LOGS AND GTIDS; +Pattern "ALTER INSTANCE ROTATE INNODB MASTER KEY" found +# Loading tables from mysqldump_encrypt.sql +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +INSERT INTO tde_db.t1 VALUES(4, null); +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +4 NULL +DROP DATABASE tde_db; +# +# Bug #26634507 CREATE_OPTIONS FLD IN INFORMATION_SCHEMA.TABLES NOT +# FILLING PROPERLY. +# The CREATE_OPTIONS field from I_S.TABLES should show the option +# 'ENCRYPTION='. +# +CREATE TABLE not_encrypted1 (col1 INT) ENCRYPTION='n'; +CREATE TABLE not_encrypted2 (col1 INT) ENCRYPTION='N'; +CREATE TABLE encrypted1 (col1 INT) ENCRYPTION='y'; +CREATE TABLE encrypted2 (col1 INT) ENCRYPTION='Y'; +SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS +FROM INFORMATION_SCHEMA.TABLES +WHERE TABLE_NAME like '%encrypted%' + ORDER BY TABLE_NAME; +TABLE_SCHEMA TABLE_NAME CREATE_OPTIONS +test encrypted1 ENCRYPTION='y' +test encrypted2 ENCRYPTION='Y' +test not_encrypted1 +test not_encrypted2 +DROP TABLE encrypted1; +DROP TABLE not_encrypted1; +DROP TABLE encrypted2; +DROP TABLE not_encrypted2; +SET GLOBAL innodb_file_per_table=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_3.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_3.result new file mode 100644 index 000000000000..2a05c3138afc --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_3.result @@ -0,0 +1,1425 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Taking backup of local manifest file for MySQL server instance +# Create encrypt table before loading keyring +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +DROP TABLE IF EXISTS t_encrypt; +CREATE TABLE t_encrypt(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Starting server with keyring +# Restore local manifest file for MySQL server instance from backup +DROP DATABASE IF EXISTS tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +CREATE DATABASE tde_db; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt(c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO tde_db.t_encrypt(c4,c7) VALUES('{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +INSERT INTO tde_db.t_encrypt(c4,c7) select c4,c7 from tde_db.t_encrypt; +SELECT c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +SELECT c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 c6 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +# In connection 1 +LOCK TABLES tde_db.t_encrypt WRITE; +# In connection default +SHOW OPEN TABLES LIKE 't_encrypt'; +Database Table In_use Name_locked +tde_db t_encrypt 1 0 +"ALTER INSTANCE.." do not conflict with "LOCK TABLE .." COMMAND +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# In connection 1 +INSERT INTO tde_db.t_encrypt(c4,c7) VALUES('{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 c6 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +UNLOCK TABLES; +# In connection default +SELECT c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 c6 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 c6 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +DROP DATABASE tde_db; +SET GLOBAL innodb_file_per_table=1; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +DROP TABLE IF EXISTS tde_db.t_encrypt_1; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt(c1 INT, c2 char(20), c3 BLOB) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_encrypt_1(c1 INT, c2 char(20)) ENCRYPTION="Yes" ENGINE = InnoDB; +ERROR HY000: Invalid encryption option. +CREATE TABLE tde_db.t_encrypt_1(c1 INT, c2 char(20)) ENCRYPTION="y" ENGINE = InnoDB; +DROP TABLE tde_db.t_encrypt_1; +CREATE TABLE tde_db.t_encrypt_1(c1 INT, c2 char(20),c3 BLOB) ENGINE = InnoDB; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL, + `c3` blob +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO tde_db.t_encrypt VALUES(0, "aaaaa",repeat('A', 20000)); +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +#Insert into non encrypted table +INSERT INTO tde_db.t_encrypt_1 SELECT * FROM tde_db.t_encrypt; +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt_1 LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +SELECT COUNT(*) FROM tde_db.t_encrypt_1; +COUNT(*) +64 +# Starting server with keyring restart with keying +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +#check non encrypted table +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt_1 LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +SELECT COUNT(*) FROM tde_db.t_encrypt_1; +COUNT(*) +64 +DROP TABLE tde_db.t_encrypt; +DROP TABLE tde_db.t_encrypt_1; +SET GLOBAL innodb_file_per_table=1; +DROP DATABASE IF EXISTS tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +CREATE DATABASE tde_db; +USE tde_db; +# File per table is set 0. Encryption not possible. +SET GLOBAL innodb_file_per_table = 0; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +0 +CREATE TABLE tde_db.t_encrypt(c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLESPACE s_alt1 ADD DATAFILE 's_alt1.ibd'; +CREATE TABLE tde_db.t_encrypt (a int, b text) ENCRYPTION="Y" TABLESPACE=`s_alt1` ENGINE=InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP TABLESPACE s_alt1; +CREATE TEMPORARY TABLE tde_db.t_encrypt (a int, b text) ENCRYPTION="Y" ENGINE=InnoDB; +ERROR HY000: InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +Error 1031 Table storage engine for 't_encrypt' doesn't have this option +CREATE TABLE tde_db.t_encrypt_myisam (a int, b text) ENCRYPTION="Y" ENGINE=MyISAM; +ERROR 42000: The storage engine for the table doesn't support ENCRYPTION +CREATE PROCEDURE tde_db.row_format_t_encrypt(row_form VARCHAR(1000)) +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +DROP TABLE IF EXISTS tde_db.t_encrypt; +SET @sql_text = CONCAT('CREATE TABLE tde_db.t_encrypt ('," c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY,c3 VARCHAR(255), c4 JSON ,c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED,c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL,c7 POINT NOT NULL SRID 0,spatial INDEX idx2 (c7) ) ", ' ENCRYPTION="Y" ', row_form ,' ENGINE=InnoDB'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +DEALLOCATE PREPARE stmt; +SHOW CREATE TABLE tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES (REPEAT('a',200),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt; +SELECT c2,c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +DELETE FROM tde_db.t_encrypt WHERE c2 > 10; +UPDATE tde_db.t_encrypt SET c2 = 100 WHERE c2=1; +SELECT c2,c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +SHOW CREATE TABLE tde_db.t_encrypt; +end| +call tde_db.row_format_t_encrypt(" ROW_FORMAT=DYNAMIC "); +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=DYNAMIC ENCRYPTION='Y' +COUNT(*) +32 +c2 c4 c5 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +c2 c4 c5 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB AUTO_INCREMENT=101 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=DYNAMIC ENCRYPTION='Y' +# restart with keying +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +8 +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +16 +call tde_db.row_format_t_encrypt(" ROW_FORMAT=COMPACT "); +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPACT ENCRYPTION='Y' +COUNT(*) +32 +c2 c4 c5 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +c2 c4 c5 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB AUTO_INCREMENT=101 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPACT ENCRYPTION='Y' +# restart with keying +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +8 +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +16 +call tde_db.row_format_t_encrypt(" ROW_FORMAT=REDUNDANT "); +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=REDUNDANT ENCRYPTION='Y' +COUNT(*) +32 +c2 c4 c5 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +c2 c4 c5 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB AUTO_INCREMENT=101 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=REDUNDANT ENCRYPTION='Y' +# restart with keying +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +8 +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +16 +call tde_db.row_format_t_encrypt(" ROW_FORMAT=COMPRESSED " ); +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +COUNT(*) +32 +c2 c4 c5 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +c2 c4 c5 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB AUTO_INCREMENT=101 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPRESSED ENCRYPTION='Y' +# restart with keying +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +8 +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +16 +call tde_db.row_format_t_encrypt(" ROW_FORMAT=COMPRESSED KEY_BLOCK_SIZE=4 "); +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPRESSED KEY_BLOCK_SIZE=4 ENCRYPTION='Y' +COUNT(*) +32 +c2 c4 c5 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +c2 c4 c5 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB AUTO_INCREMENT=101 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ROW_FORMAT=COMPRESSED KEY_BLOCK_SIZE=4 ENCRYPTION='Y' +# restart with keying +SELECT c2,c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 c4 c5 c6 ST_AsText(c7) +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +8 +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +16 +# Create partition table +DROP TABLE tde_db.t_encrypt; +CREATE TABLE tde_db.t_encrypt (c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY,c3 VARCHAR(255), c4 JSON ,c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED,c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL ) ENCRYPTION="Y" ENGINE=InnoDB PARTITION BY RANGE (c2) (PARTITION p1 VALUES LESS THAN (4),PARTITION p2 VALUES LESS THAN (8),PARTITION p3 VALUES LESS THAN (1000)) ; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + PRIMARY KEY (`c2`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +/*!50100 PARTITION BY RANGE (`c2`) +(PARTITION p1 VALUES LESS THAN (4) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (8) ENGINE = InnoDB, + PARTITION p3 VALUES LESS THAN (1000) ENGINE = InnoDB) */ +INSERT INTO tde_db.t_encrypt(c3,c4) VALUES (REPEAT('a',200),'{ "key_a": 1, "key_b": 2, "key_c": 3 }'); +INSERT INTO tde_db.t_encrypt(c3,c4) SELECT c3,c4 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4) SELECT c3,c4 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4) SELECT c3,c4 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4) SELECT c3,c4 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4) SELECT c3,c4 FROM tde_db.t_encrypt; +SELECT c2,c4,c5 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +5 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +SELECT c2,c4,c5,c6 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 c6 +1 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +5 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +DELETE FROM tde_db.t_encrypt WHERE c2 > 10; +UPDATE tde_db.t_encrypt SET c2 = 100 WHERE c2=1; +SELECT c2,c4,c5 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +5 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +SELECT c2,c4,c5,c6 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 c6 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +4 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +5 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +6 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +7 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +ALTER TABLE tde_db.t_encrypt TRUNCATE PARTITION p2; +SELECT c2,c4,c5 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 +SELECT c2,c4,c5,c6 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 c6 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` varchar(255) DEFAULT NULL, + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + PRIMARY KEY (`c2`) +) ENGINE=InnoDB AUTO_INCREMENT=101 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +/*!50100 PARTITION BY RANGE (`c2`) +(PARTITION p1 VALUES LESS THAN (4) ENGINE = InnoDB, + PARTITION p2 VALUES LESS THAN (8) ENGINE = InnoDB, + PARTITION p3 VALUES LESS THAN (1000) ENGINE = InnoDB) */ +# restart with keying +SELECT c2,c4,c5,c6 FROM tde_db.t_encrypt ORDER BY c2 LIMIT 10; +c2 c4 c5 c6 +2 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +3 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +8 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +9 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +10 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +100 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 +DROP TABLE tde_db.t_encrypt; +DROP DATABASE tde_db; +SET GLOBAL innodb_file_per_table=1; +DROP DATABASE IF EXISTS tde_db; +DROP TABLE IF EXISTS tde_db. t_encrypt; +CREATE DATABASE tde_db; +USE tde_db; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE PROCEDURE tde_db.populate_t_encrypt() +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 2000) DO +insert into tde_db.t_encrypt(c2,c3,c4,c7) VALUES(i,CONCAT(REPEAT('a',200),LPAD(CAST(i AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.populate_t_encrypt_small() +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 500) DO +insert into tde_db.t_encrypt(c2,c3,c4,c7) VALUES(i,CONCAT(REPEAT('a',200),LPAD(CAST(i AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.read_t_encrypt() +begin +declare i int default 1; +while (i <= 30) DO +SELECT * FROM (SELECT * FROM tde_db.t_encrypt ORDER BY RAND() LIMIT 1) AS A WHERE A.c2 < 0 ; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.rotate_master_key() +begin +declare i int default 1; +declare has_error int default 0; +while (i <= 500) DO +ALTER INSTANCE ROTATE INNODB MASTER KEY; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.create_encrypt_table(encrypt VARCHAR(5)) +begin +declare i int default 1; +declare has_error int default 0; +while (i <= 50) DO +SET @sql_text = CONCAT('CREATE TABLE ',CONCAT('tde_db.t_encrypt_',encrypt,'_',i),' (c1 INT) ENCRYPTION="',encrypt,'"' ,' ENGINE=InnoDB'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +DEALLOCATE PREPARE stmt; +set i = i + 1; +end while; +end| +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL, + `c3` char(255) DEFAULT 'No text', + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +# In connection con1 - Running insert +call tde_db.populate_t_encrypt(); +# In connection con2 - Running insert +call tde_db.populate_t_encrypt_small(); +# In connection con3 : Running select +call tde_db.read_t_encrypt(); +# In connection con4 : Running select +call tde_db.read_t_encrypt(); +# In connection con5 - Running "alter instance" +call tde_db.rotate_master_key(); +# In connection con6 - Running "create table" +call tde_db.create_encrypt_table("Y"); +# In connection con7 - Running "create table" +call tde_db.create_encrypt_table("N"); +# In connection con1 +# In connection con2 +# In connection con3 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +# In connection con4 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +c2 c3 c4 c5 c6 c7 +# In connection con5 +# In connection con6 +# In connection con7 +USE tde_db; +SELECT c2,right(c3,20),c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0002 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0003 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0004 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0005 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0006 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0007 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0008 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0009 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0010 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0002 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0003 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0004 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0005 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0006 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0007 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0008 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0009 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0010 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +2000 +SELECT c2,right(c3,20),c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt WHERE c2%200 = 0; +c2 right(c3,20) c4 c5 ST_AsText(c7) +200 aaaaaaaaaaaaaaaa0200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +400 aaaaaaaaaaaaaaaa0400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +600 aaaaaaaaaaaaaaaa0600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +800 aaaaaaaaaaaaaaaa0800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1000 aaaaaaaaaaaaaaaa1000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1200 aaaaaaaaaaaaaaaa1200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1400 aaaaaaaaaaaaaaaa1400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1600 aaaaaaaaaaaaaaaa1600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1800 aaaaaaaaaaaaaaaa1800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2000 aaaaaaaaaaaaaaaa2000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt WHERE c2%200 = 0; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +200 aaaaaaaaaaaaaaaa0200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +400 aaaaaaaaaaaaaaaa0400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +600 aaaaaaaaaaaaaaaa0600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +800 aaaaaaaaaaaaaaaa0800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1000 aaaaaaaaaaaaaaaa1000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1200 aaaaaaaaaaaaaaaa1200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1400 aaaaaaaaaaaaaaaa1400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1600 aaaaaaaaaaaaaaaa1600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1800 aaaaaaaaaaaaaaaa1800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2000 aaaaaaaaaaaaaaaa2000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# restart with keying +SELECT c2,right(c3,20),c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0002 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0003 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0004 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0005 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0006 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0007 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0008 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0009 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0010 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0002 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0003 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0004 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0005 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0006 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0007 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0008 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0009 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0010 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +2000 +SELECT c2,right(c3,20),c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt WHERE c2%200 = 0; +c2 right(c3,20) c4 c5 ST_AsText(c7) +200 aaaaaaaaaaaaaaaa0200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +400 aaaaaaaaaaaaaaaa0400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +600 aaaaaaaaaaaaaaaa0600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +800 aaaaaaaaaaaaaaaa0800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1000 aaaaaaaaaaaaaaaa1000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1200 aaaaaaaaaaaaaaaa1200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1400 aaaaaaaaaaaaaaaa1400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1600 aaaaaaaaaaaaaaaa1600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +1800 aaaaaaaaaaaaaaaa1800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +2000 aaaaaaaaaaaaaaaa2000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt WHERE c2%200 = 0; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +200 aaaaaaaaaaaaaaaa0200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +400 aaaaaaaaaaaaaaaa0400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +600 aaaaaaaaaaaaaaaa0600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +800 aaaaaaaaaaaaaaaa0800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1000 aaaaaaaaaaaaaaaa1000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1200 aaaaaaaaaaaaaaaa1200 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1400 aaaaaaaaaaaaaaaa1400 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1600 aaaaaaaaaaaaaaaa1600 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +1800 aaaaaaaaaaaaaaaa1800 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2000 aaaaaaaaaaaaaaaa2000 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +DROP DATABASE tde_db; +SET GLOBAL innodb_file_per_table=1; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt(c1 INT, c2 char(20), c3 BLOB) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL, + `c3` blob +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO tde_db.t_encrypt VALUES(0, "aaaaa",repeat('A', 20000)); +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt select * from tde_db.t_encrypt; +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +CREATE USER encryptprivuser@localhost IDENTIFIED BY 'auth'; +GRANT ALL PRIVILEGES ON *.* to encryptprivuser@localhost; +FLUSH PRIVILEGES; +Warnings: +Warning 1681 'FLUSH PRIVILEGES' is deprecated and will be removed in a future release. +CREATE USER encryptnonprivuser@localhost IDENTIFIED BY 'noauth'; +GRANT SELECT ON *.* to encryptnonprivuser@localhost; +FLUSH PRIVILEGES; +Warnings: +Warning 1681 'FLUSH PRIVILEGES' is deprecated and will be removed in a future release. +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +# In connection 1 +SELECT CURRENT_USER(); +CURRENT_USER() +encryptprivuser@localhost +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +# In connection 2 +SELECT CURRENT_USER(); +CURRENT_USER() +encryptnonprivuser@localhost +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR 42000: Access denied; you need (at least one of) the SUPER or ENCRYPTION_KEY_ADMIN privilege(s) for this operation +CREATE TABLE tde_db.t_encrypt_np(c1 INT, c2 char(20), c3 BLOB) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR 42000: CREATE command denied to user 'encryptnonprivuser'@'localhost' for table 't_encrypt_np' +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +# In connection default +# Starting server with keyring +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +0 aaaaa AAAAAAAAAAAAAAAAAAAA +DROP USER encryptnonprivuser@localhost; +DROP USER encryptprivuser@localhost; +DROP TABLE tde_db.t_encrypt; +SET GLOBAL innodb_file_per_table=1; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt(c1 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c2 char(100), c3 BLOB , FULLTEXT INDEX `idx1` (c2)) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_encrypt1(c11 INT , c22 char(100), c33 BLOB , FULLTEXT INDEX `idx1` (c22)) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c1` int NOT NULL AUTO_INCREMENT, + `c2` char(100) DEFAULT NULL, + `c3` blob, + PRIMARY KEY (`c1`), + FULLTEXT KEY `idx1` (`c2`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +CREATE TABLE tde_db.t_encrypt2 (f1 INT PRIMARY KEY, f2 CHAR(100), +FOREIGN KEY (f1) REFERENCES tde_db.t_encrypt(c1) ON UPDATE CASCADE) ENCRYPTION="Y" ENGINE=InnoDB; +CREATE TRIGGER tde_db.trigger_encrypt_table AFTER INSERT ON tde_db.t_encrypt +FOR EACH ROW +begin +INSERT INTO tde_db.t_encrypt1 SET c11 = NEW.c1*-1, c22 = NEW.c2 , c33 = NEW.c3; +end| +INSERT INTO tde_db.t_encrypt(c2,c3) VALUES("transparanet tablespace encryption",repeat('A', 200)); +INSERT INTO tde_db.t_encrypt(c2,c3) VALUES("general tablespace option",repeat('A', 200)); +INSERT INTO tde_db.t_encrypt(c2,c3) VALUES("page level encryption",repeat('A', 200)); +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(1,"transparanet tablespace encryption"); +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(2,"general tablespace option"); +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +1 transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +3 page level encryption AAAAAAAAAAAAAAAAAAAA +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt WHERE MATCH c2 AGAINST ('tablespace'); +c1 c2 right(c3, 20) +1 transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt WHERE MATCH c2 AGAINST ('tablespace' IN BOOLEAN MODE); +c1 c2 right(c3, 20) +1 transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt WHERE MATCH c2 AGAINST ('+tablespace -encryption' IN BOOLEAN MODE); +c1 c2 right(c3, 20) +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +ALTER TABLE tde_db.t_encrypt DROP INDEX idx1; +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +1 transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +3 page level encryption AAAAAAAAAAAAAAAAAAAA +ALTER TABLE tde_db.t_encrypt ADD COLUMN c4 CHAR(20) DEFAULT 'text'; +SELECT c1,c2,right(c3, 20),c4 FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) c4 +1 transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA text +2 general tablespace option AAAAAAAAAAAAAAAAAAAA text +3 page level encryption AAAAAAAAAAAAAAAAAAAA text +CREATE VIEW tde_db.t_encrypt_view AS SELECT c1,c2 FROM tde_db.t_encrypt; +SELECT c2 FROM tde_db.t_encrypt_view LIMIT 10; +c2 +transparanet tablespace encryption +general tablespace option +page level encryption +SELECT A.c2,B.c2,right(B.c3,20) FROM tde_db.t_encrypt_view A , tde_db.t_encrypt B WHERE A.c2 = B.c2; +c2 c2 right(B.c3,20) +transparanet tablespace encryption transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA +general tablespace option general tablespace option AAAAAAAAAAAAAAAAAAAA +page level encryption page level encryption AAAAAAAAAAAAAAAAAAAA +DROP VIEW tde_db.t_encrypt_view; +SELECT c11,c22,right(c33, 20) FROM tde_db.t_encrypt1 LIMIT 10; +c11 c22 right(c33, 20) +-1 transparanet tablespace encryption AAAAAAAAAAAAAAAAAAAA +-2 general tablespace option AAAAAAAAAAAAAAAAAAAA +-3 page level encryption AAAAAAAAAAAAAAAAAAAA +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(2,"general tablespace option"); +ERROR 23000: Duplicate entry '2' for key 't_encrypt2.PRIMARY' +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(8,"general tablespace option"); +ERROR 23000: Cannot add or update a child row: a foreign key constraint fails (`tde_db`.`t_encrypt2`, CONSTRAINT `t_encrypt2_ibfk_1` FOREIGN KEY (`f1`) REFERENCES `t_encrypt` (`c1`) ON UPDATE CASCADE) +SELECT f1,f2 FROM tde_db.t_encrypt2; +f1 f2 +1 transparanet tablespace encryption +2 general tablespace option +UPDATE tde_db.t_encrypt SET c1=10 WHERE c1=1; +SELECT f1,f2 FROM tde_db.t_encrypt2; +f1 f2 +2 general tablespace option +10 transparanet tablespace encryption +DROP DATABASE tde_db; +SET GLOBAL innodb_file_per_table=1; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt (c2 INT NOT NULL AUTO_INCREMENT ,c3 VARCHAR(255), c4 JSON ,c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED,c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL,c7 POINT NOT NULL SRID 0,spatial INDEX idx2 (c7) , PRIMARY KEY (c2,c3(100))) ENCRYPTION="Y" ENGINE=InnoDB; +CREATE PROCEDURE tde_db.txn_t_encrypt() +BEGIN +declare i int default 0; +declare rowcnt int default 0; +START TRANSACTION; +WHILE (i <= 2000) DO +SET i = i + 1; +SET rowcnt = rowcnt + 1; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES (CONCAT(REPEAT('a',10),REPEAT(i,10)),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +IF (rowcnt = 3) THEN +UPDATE tde_db.t_encrypt SET c4 = '{ "key_a": 21, "key_b": 22, "key_c": 23 }' WHERE c2 = i-1 ; +DELETE FROM tde_db.t_encrypt WHERE c2 = i; +SAVEPOINT A; +END IF; +IF (rowcnt = 5) THEN +UPDATE tde_db.t_encrypt SET c4 = '{ "key_a": 41, "key_b": 42, "key_c": 43 }' WHERE c2 = i-1 ; +DELETE FROM tde_db.t_encrypt WHERE c2 = i; +SAVEPOINT B; +END IF; +IF (rowcnt = 10) THEN +ROLLBACK TO SAVEPOINT A; +COMMIT; +SET rowcnt = 0; +START TRANSACTION; +END IF; +END WHILE; +COMMIT; +end| +call tde_db.txn_t_encrypt(); +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +401 +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt LIMIT 10; +c2 RIGHT(c3,20) c4 +1 aaaaaaaaaa1111111111 {"key_a": 1, "key_b": 2, "key_c": 3} +2 aaaaaaaaaa2222222222 {"key_a": 21, "key_b": 22, "key_c": 23} +11 11111111111111111111 {"key_a": 1, "key_b": 2, "key_c": 3} +12 12121212121212121212 {"key_a": 21, "key_b": 22, "key_c": 23} +21 21212121212121212121 {"key_a": 1, "key_b": 2, "key_c": 3} +22 22222222222222222222 {"key_a": 21, "key_b": 22, "key_c": 23} +31 31313131313131313131 {"key_a": 1, "key_b": 2, "key_c": 3} +32 32323232323232323232 {"key_a": 21, "key_b": 22, "key_c": 23} +41 41414141414141414141 {"key_a": 1, "key_b": 2, "key_c": 3} +42 42424242424242424242 {"key_a": 21, "key_b": 22, "key_c": 23} +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt WHERE c2 > 500 AND c2 < 600; +c2 RIGHT(c3,20) c4 +501 01501501501501501501 {"key_a": 1, "key_b": 2, "key_c": 3} +502 02502502502502502502 {"key_a": 21, "key_b": 22, "key_c": 23} +511 11511511511511511511 {"key_a": 1, "key_b": 2, "key_c": 3} +512 12512512512512512512 {"key_a": 21, "key_b": 22, "key_c": 23} +521 21521521521521521521 {"key_a": 1, "key_b": 2, "key_c": 3} +522 22522522522522522522 {"key_a": 21, "key_b": 22, "key_c": 23} +531 31531531531531531531 {"key_a": 1, "key_b": 2, "key_c": 3} +532 32532532532532532532 {"key_a": 21, "key_b": 22, "key_c": 23} +541 41541541541541541541 {"key_a": 1, "key_b": 2, "key_c": 3} +542 42542542542542542542 {"key_a": 21, "key_b": 22, "key_c": 23} +551 51551551551551551551 {"key_a": 1, "key_b": 2, "key_c": 3} +552 52552552552552552552 {"key_a": 21, "key_b": 22, "key_c": 23} +561 61561561561561561561 {"key_a": 1, "key_b": 2, "key_c": 3} +562 62562562562562562562 {"key_a": 21, "key_b": 22, "key_c": 23} +571 71571571571571571571 {"key_a": 1, "key_b": 2, "key_c": 3} +572 72572572572572572572 {"key_a": 21, "key_b": 22, "key_c": 23} +581 81581581581581581581 {"key_a": 1, "key_b": 2, "key_c": 3} +582 82582582582582582582 {"key_a": 21, "key_b": 22, "key_c": 23} +591 91591591591591591591 {"key_a": 1, "key_b": 2, "key_c": 3} +592 92592592592592592592 {"key_a": 21, "key_b": 22, "key_c": 23} +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt ORDER BY c2 DESC LIMIT 10; +c2 RIGHT(c3,20) c4 +2001 20012001200120012001 {"key_a": 1, "key_b": 2, "key_c": 3} +1992 19921992199219921992 {"key_a": 21, "key_b": 22, "key_c": 23} +1991 19911991199119911991 {"key_a": 1, "key_b": 2, "key_c": 3} +1982 19821982198219821982 {"key_a": 21, "key_b": 22, "key_c": 23} +1981 19811981198119811981 {"key_a": 1, "key_b": 2, "key_c": 3} +1972 19721972197219721972 {"key_a": 21, "key_b": 22, "key_c": 23} +1971 19711971197119711971 {"key_a": 1, "key_b": 2, "key_c": 3} +1962 19621962196219621962 {"key_a": 21, "key_b": 22, "key_c": 23} +1961 19611961196119611961 {"key_a": 1, "key_b": 2, "key_c": 3} +1952 19521952195219521952 {"key_a": 21, "key_b": 22, "key_c": 23} +# Starting server with keyring +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +401 +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt LIMIT 10; +c2 RIGHT(c3,20) c4 +1 aaaaaaaaaa1111111111 {"key_a": 1, "key_b": 2, "key_c": 3} +2 aaaaaaaaaa2222222222 {"key_a": 21, "key_b": 22, "key_c": 23} +11 11111111111111111111 {"key_a": 1, "key_b": 2, "key_c": 3} +12 12121212121212121212 {"key_a": 21, "key_b": 22, "key_c": 23} +21 21212121212121212121 {"key_a": 1, "key_b": 2, "key_c": 3} +22 22222222222222222222 {"key_a": 21, "key_b": 22, "key_c": 23} +31 31313131313131313131 {"key_a": 1, "key_b": 2, "key_c": 3} +32 32323232323232323232 {"key_a": 21, "key_b": 22, "key_c": 23} +41 41414141414141414141 {"key_a": 1, "key_b": 2, "key_c": 3} +42 42424242424242424242 {"key_a": 21, "key_b": 22, "key_c": 23} +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt WHERE c2 > 500 AND c2 < 600; +c2 RIGHT(c3,20) c4 +501 01501501501501501501 {"key_a": 1, "key_b": 2, "key_c": 3} +502 02502502502502502502 {"key_a": 21, "key_b": 22, "key_c": 23} +511 11511511511511511511 {"key_a": 1, "key_b": 2, "key_c": 3} +512 12512512512512512512 {"key_a": 21, "key_b": 22, "key_c": 23} +521 21521521521521521521 {"key_a": 1, "key_b": 2, "key_c": 3} +522 22522522522522522522 {"key_a": 21, "key_b": 22, "key_c": 23} +531 31531531531531531531 {"key_a": 1, "key_b": 2, "key_c": 3} +532 32532532532532532532 {"key_a": 21, "key_b": 22, "key_c": 23} +541 41541541541541541541 {"key_a": 1, "key_b": 2, "key_c": 3} +542 42542542542542542542 {"key_a": 21, "key_b": 22, "key_c": 23} +551 51551551551551551551 {"key_a": 1, "key_b": 2, "key_c": 3} +552 52552552552552552552 {"key_a": 21, "key_b": 22, "key_c": 23} +561 61561561561561561561 {"key_a": 1, "key_b": 2, "key_c": 3} +562 62562562562562562562 {"key_a": 21, "key_b": 22, "key_c": 23} +571 71571571571571571571 {"key_a": 1, "key_b": 2, "key_c": 3} +572 72572572572572572572 {"key_a": 21, "key_b": 22, "key_c": 23} +581 81581581581581581581 {"key_a": 1, "key_b": 2, "key_c": 3} +582 82582582582582582582 {"key_a": 21, "key_b": 22, "key_c": 23} +591 91591591591591591591 {"key_a": 1, "key_b": 2, "key_c": 3} +592 92592592592592592592 {"key_a": 21, "key_b": 22, "key_c": 23} +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt ORDER BY c2 DESC LIMIT 10; +c2 RIGHT(c3,20) c4 +2001 20012001200120012001 {"key_a": 1, "key_b": 2, "key_c": 3} +1992 19921992199219921992 {"key_a": 21, "key_b": 22, "key_c": 23} +1991 19911991199119911991 {"key_a": 1, "key_b": 2, "key_c": 3} +1982 19821982198219821982 {"key_a": 21, "key_b": 22, "key_c": 23} +1981 19811981198119811981 {"key_a": 1, "key_b": 2, "key_c": 3} +1972 19721972197219721972 {"key_a": 21, "key_b": 22, "key_c": 23} +1971 19711971197119711971 {"key_a": 1, "key_b": 2, "key_c": 3} +1962 19621962196219621962 {"key_a": 21, "key_b": 22, "key_c": 23} +1961 19611961196119611961 {"key_a": 1, "key_b": 2, "key_c": 3} +1952 19521952195219521952 {"key_a": 21, "key_b": 22, "key_c": 23} +DROP DATABASE tde_db; +# Global privilege ENCRYPTION_KEY_ADMIN can replace super. +USE test; +CREATE USER encryption_admin@localhost IDENTIFIED BY 'foo'; +GRANT ENCRYPTION_KEY_ADMIN, CREATE ON *.* TO encryption_admin@localhost; +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +REVOKE ENCRYPTION_KEY_ADMIN ON *.* FROM encryption_admin@localhost; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR 42000: Access denied; you need (at least one of) the SUPER or ENCRYPTION_KEY_ADMIN privilege(s) for this operation +DROP USER encryption_admin@localhost; +DROP TABLE t1; +SET GLOBAL innodb_file_per_table=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_4.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_4.result new file mode 100644 index 000000000000..cde5dceceec6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_4.result @@ -0,0 +1,164 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +DROP TABLE IF EXISTS t1; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +# Create a table with encryption +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +SELECT * FROM t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +# Test export/import encrypted tablespace. +FLUSH TABLES test.t1 FOR EXPORT; +UNLOCK TABLES; +ALTER TABLE test.t1 DISCARD TABLESPACE; +ALTER TABLE test.t1 IMPORT TABLESPACE; +CHECK TABLE test.t1; +Table Op Msg_type Msg_text +test.t1 check status OK +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +SELECT * FROM test.t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +SELECT * FROM test.t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER TABLE test.t1 DISCARD TABLESPACE; +# Try import in another session. +ALTER TABLE test.t1 IMPORT TABLESPACE; +SELECT * FROM test.t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER TABLE test.t1 DISCARD TABLESPACE; +# Import without .cfg file is posible +# copying .cfp and .ibd file +ALTER TABLE test.t1 IMPORT TABLESPACE; +Warnings: +Warning 1810 InnoDB: IO Read error: (2, No such file or directory) Error opening './test/t1.cfg', will attempt to import without schema verification +SELECT * FROM test.t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT * FROM test.t1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +ALTER TABLE test.t1 DISCARD TABLESPACE; +# Import without .cfp file +# copying .cfg and .ibd file +ALTER TABLE test.t1 IMPORT TABLESPACE; +ERROR HY000: Schema mismatch (Table is in an encrypted tablespace, but the encryption meta-data file cannot be found while importing.) +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Import without .idb file +# copying .cfp and .cfg file +ALTER TABLE test.t1 IMPORT TABLESPACE; +ERROR HY000: Internal error: Cannot reset LSNs in table `test`.`t1` : Tablespace not found +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Schema mismatch dest table without encryption - fix result +DROP TABLE t1; +CREATE TABLE test.t1(c1 INT, c2 char(20)) ENGINE = InnoDB; +ALTER TABLE test.t1 DISCARD TABLESPACE; +ALTER TABLE test.t1 IMPORT TABLESPACE; +ERROR HY000: Schema mismatch (Encryption attribute in the file does not match the dictionary.) +# Import got expected error. +DROP TABLE t1; +CREATE TABLE test.t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ALTER TABLE test.t1 DISCARD TABLESPACE; +SET SESSION DEBUG="+d, fsp_header_rotate_encryption_failure"; +ALTER TABLE test.t1 IMPORT TABLESPACE; +ERROR HY000: Got error 168 - 'Unknown (generic) error from engine' from storage engine +Warnings: +Note 1051 Unknown table 'test.t1' +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_5.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_5.result new file mode 100644 index 000000000000..1e20ddad3970 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_5.result @@ -0,0 +1,1043 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +DROP DATABASE IF EXISTS tde_db; +DROP TABLE IF EXISTS tde_db. t_encrypt; +CREATE DATABASE tde_db; +USE tde_db; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE PROCEDURE tde_db.init_setup() +begin +/* Create encrypt table with encryption */ +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +/* Create table without encryption */ +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +/* insert into encrypt table */ +INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES(CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_encrypt */'; +SELECT COUNT(*) FROM tde_db.t_encrypt; +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +/* insert into non encrypt table */ +INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_non_encrypt */'; +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +CREATE TABLE tde_db.t_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +/* insert into encrypt table 2 */ +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_encrypt_2 */'; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +/* insert into NON encrypt table 2 */ +INSERT INTO tde_db.t_non_encrypt_2(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_non_encrypt_2 */'; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +end| +#----------------------------------------------------------------------- +# init tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +# Select non encrypt table : Pass +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# Select encrypt table : No Error (master key is cached) +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +# Error on "ALTER INSTANCE ..." +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# new encrypt table creation is blocked after uninstall +CREATE TABLE tde_db.t_encrypt_3(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# new non encrypt table +CREATE TABLE tde_db.t_non_encrypt_3(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 ; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_3; +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +#----------------------------------------------------------------------- +# Test 1 : Restart with same keyring option , all tables accesible +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# init tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# restart with same keyring option +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# insert into old encrypt tables +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +128 +# insert into old non encrypt tables +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_non_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +128 +# update into old encrypt tables +UPDATE tde_db.t_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# update into old non encrypt tables +UPDATE tde_db.t_non_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# delete into old encrypt tables +DELETE FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# delete into old non encrypt tables +DELETE FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# new table +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_4; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_4; +#----------------------------------------------------------------------- +# Test 2 : Restart without keyring option - old encrypt table not +# accessible but rest are. +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# init tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# Taking backup of local manifest file for MySQL server instance +# restart without keyring +# encrypt table not accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# NON encrypt table are accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# encrypt table not possible +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# non encrypt table possible +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# encrypt table not accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 ,tde_db.t_non_encrypt_4; +DROP DATABASE tde_db; +# Restore local manifest file for MySQL server instance from backup +# Initial setup +# Starting server with keyring +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE PROCEDURE tde_db.init_setup() +begin +/* Create encrypt table with encryption */ +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +/* Create NON encrypt table with encryption */ +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +/* insert into encrypt table */ +INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES(CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_encrypt */'; +SELECT COUNT(*) FROM tde_db.t_encrypt; +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +/* insert into non encrypt table */ +INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_non_encrypt */'; +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +CREATE TABLE tde_db.t_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +/* insert into encrypt table 2 */ +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_encrypt_2 */'; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +/* insert into NON encrypt table 2 */ +INSERT INTO tde_db.t_non_encrypt_2(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_non_encrypt_2 */'; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +end| +# Test 3 : Restart without empty keyring but later restore +# Access all tables +#----------------------------------------------------------------------- +# init tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +# restart without keyring +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# insert into old encrypt tables +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +128 +# insert into old non encrypt tables +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_non_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +128 +# update into old encrypt tables +UPDATE tde_db.t_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# update into old non encrypt tables +UPDATE tde_db.t_non_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# delete into old encrypt tables +DELETE FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# delete into old non encrypt tables +DELETE FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# new table +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_4; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_4; +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +#----------------------------------------------------------------------- +# Test 4 : Restart with new keyring_data_file +# Old encrypt table not accessible , non encrypt tables accessible +# And creation of new encrypt,non encrypt table is also posible +# restart with keyring to load initial data +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# init tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# restart with with different keyring file +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +# encrypt table not accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# NON encrypt table are accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# new encrypt table is possible +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +# non encrypt table possible +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# old encrypt table not accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +Got one of the listed errors +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +Got one of the listed errors +# NON encrypt old table are accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# new encrypt table accessible +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +# new NON encrypt table accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 ,tde_db.t_encrypt_4; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 ,tde_db.t_non_encrypt_4; +DROP DATABASE tde_db; +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +SET GLOBAL innodb_file_per_table=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_6.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_6.result new file mode 100644 index 000000000000..225b7cce1e5a --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_6.result @@ -0,0 +1,73 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# Taking backup of local manifest file for MySQL server instance +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB; +ALTER TABLE t1 ENCRYPTION="Y", algorithm=copy; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +DROP TABLE t1; +# Restore local manifest file for MySQL server instance from backup +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Restore local manifest file for MySQL server instance from backup +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +DROP TABLE t1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_debug.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_debug.result new file mode 100644 index 000000000000..31b376c329cc --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_debug.result @@ -0,0 +1,219 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +# +# Set encryption ON for table `mysql` +# +ALTER TABLESPACE mysql ENCRYPTION='Y'; +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +SET debug='-d,skip_dd_table_access_check'; +# +# Test crash point `ib_crash_during_rotation_for_encryption` +# +SET SESSION DEBUG="+d,ib_encryption_rotate_crash"; +CREATE TABLE tde_db.t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +tde_db/t1 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +SHOW CREATE TABLE tde_db.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +INSERT INTO tde_db.t1 VALUES(0, "aaaaa"); +INSERT INTO tde_db.t1 VALUES(1, "bbbbb"); +INSERT INTO tde_db.t1 VALUES(2, "ccccc"); +INSERT INTO tde_db.t1 VALUES(3, "ddddd"); +# Execute the statement that causes the crash +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Lost connection to MySQL server during query +SET SESSION DEBUG="-d,ib_encryption_rotate_crash"; +Pattern "ib_encryption_rotate_crash" found +# Show that encryption is OK +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +tde_db/t1 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +INSERT INTO tde_db.t1 VALUES(4, "eeeee"); +SELECT * FROM tde_db.t1 ORDER BY c1; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +# Create a second table with encryption +CREATE TABLE tde_db.t2(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SHOW CREATE TABLE tde_db.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +tde_db/t1 autoextend_size=0;encryption=Y; +tde_db/t2 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +INSERT INTO tde_db.t2 VALUES(0, "aaaaa"); +INSERT INTO tde_db.t2 VALUES(1, "bbbbb"); +# Remove the current auto.cnf file to make sure a new server uuid is +# generated at restart. +# Execute the statement that causes the crash +SET SESSION DEBUG="+d,ib_encryption_rotate_crash"; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Lost connection to MySQL server during query +SET SESSION DEBUG="-d,ib_encryption_rotate_crash"; +Pattern "ib_encryption_rotate_crash" found +# Show that encryption is OK +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +tde_db/t1 autoextend_size=0;encryption=Y; +tde_db/t2 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +INSERT INTO tde_db.t1 VALUES(5, "fffff"); +SELECT * FROM tde_db.t1 ORDER BY c1; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +SELECT * FROM tde_db.t2 ORDER BY c1; +c1 c2 +0 aaaaa +1 bbbbb +# Rotate Encryption again without the Crash +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT * FROM tde_db.t1 ORDER BY c1 ; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +# Show that encryption is OK +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +mysql encryption=Y;explicit_encryption=1; +tde_db/t1 autoextend_size=0;encryption=Y; +tde_db/t2 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +SELECT * FROM tde_db.t1 ORDER BY c1 ; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +SELECT * FROM tde_db.t2 ORDER BY c1 ; +c1 c2 +0 aaaaa +1 bbbbb +DROP TABLE tde_db.t2; +ALTER TABLESPACE mysql ENCRYPTION='N'; +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +tde_db/t1 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +# +# Test crash point `ib_crash_during_create_for_encryption` during a CREATE TABLE +# +SET SESSION DEBUG="+d,ib_crash_during_create_for_encryption"; +# Execute the statement that causes the crash +CREATE TABLE tde_db.t2(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Lost connection to MySQL server during query +SET SESSION DEBUG="-d,ib_crash_during_create_for_encryption"; +# Show encrypted tables. +SET debug='+d,skip_dd_table_access_check'; +SELECT NAME,OPTIONS FROM mysql.tablespaces WHERE OPTIONS LIKE '%encryption=Y%'; +NAME OPTIONS +tde_db/t1 autoextend_size=0;encryption=Y; +SET debug='-d,skip_dd_table_access_check'; +SELECT * FROM tde_db.t1 ORDER BY c1 LIMIT 5; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +INSERT INTO tde_db.t1 VALUES(6, "ggggg"); +SELECT * FROM tde_db.t1 ORDER BY c1 ; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +SELECT * FROM tde_db.t2; +ERROR 42S02: Table 'tde_db.t2' doesn't exist +# +# Test crash point `ib_crash_during_decrypt_page` during an IMPORT TABLESPACE +# +FLUSH TABLE tde_db.t1 FOR EXPORT; +UNLOCK TABLES; +ALTER TABLE tde_db.t1 DISCARD TABLESPACE; +SET SESSION DEBUG="+d,ib_crash_during_decrypt_page"; +# Execute the statement that causes the crash +ALTER TABLE tde_db.t1 IMPORT TABLESPACE; +ERROR HY000: Lost connection to MySQL server during query +SET SESSION DEBUG="-d,ib_crash_during_decrypt_page"; +INSERT INTO tde_db.t1 VALUES(7, "hhhhh"); +ERROR HY000: Tablespace is discarded for table, 't1' +SELECT * FROM tde_db.t1 ORDER BY c1 ; +ERROR HY000: Tablespace is discarded for table, 't1' +DROP TABLE tde_db.t1; +DROP DATABASE tde_db; +# +# Bug #27307740 [ERROR] [MY-011066] INNODB: CORRUPT LOG RECORD FOUND +# DURING CRASH RECOVERY +# +CREATE DATABASE tde_db; +CREATE TABLE tde_db.test_tbl(c1 int) ENCRYPTION="Y" ENGINE=InnoDB; +SET SESSION DEBUG="+d, keyring_generate_fail"; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Lost connection to MySQL server during query +SET SESSION debug="-d, keyring_generate_fail"; +SELECT COUNT(*) FROM tde_db.test_tbl; +COUNT(*) +0 +DROP TABLE tde_db.test_tbl; +DROP DATABASE tde_db; +SET GLOBAL innodb_file_per_table=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_fts.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_fts.result new file mode 100644 index 000000000000..3aebe649b831 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_fts.result @@ -0,0 +1,56 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# Bug#30787535 : FULLTEXT INDEX TABLES CREATED IN ENCRYPTED SCHEMA ARE NOT ENCRYPTED +# +######### +# SETUP # +######### + +######################################################################### +# 1 : WITH KEYRING +######################################################################### +# Create a new 'unencrypted' table +CREATE TABLE t1 (id INT UNSIGNED AUTO_INCREMENT NOT NULL PRIMARY KEY, +C1 TEXT(500), +C2 VARCHAR(200), +C3 VARCHAR(200)) ENCRYPTION='N' ENGINE=InnoDB; +set global innodb_buf_flush_list_now = 1; +# --------------------------------------------------------------- +# Test 1 : t1 un-encrypted, FTS tables should also be unencrypted +# --------------------------------------------------------------- +# Check that tablespace file is not encrypted +# Print result +table space is Unencrypted. +CREATE FULLTEXT INDEX idx ON t1(C1); +Warnings: +Warning 124 InnoDB rebuilding table to add column FTS_DOC_ID +set global innodb_buf_flush_list_now = 1; +# Check that FTS tablespaces file is not encrypted +# Print result +table space is Unencrypted. +# --------------------------------------------------------------- +# Test 1 : t1 encrypted, FTS tables should also be unencrypted +# --------------------------------------------------------------- +ALTER TABLE t1 ENCRYPTION='Y'; +# Check that tablespace file is encrypted now +# Print result +table space is Encrypted. +# Check that FTS tablespace file is encrypted now +# Print result +table space is Encrypted. +########### +# CLEANUP # +########### +DROP TABLE test.t1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_kill.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_kill.result new file mode 100644 index 000000000000..fcf4bcdc9316 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/table_encrypt_kill.result @@ -0,0 +1,209 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +DROP DATABASE IF EXISTS tde_db; +DROP TABLE IF EXISTS tde_db. t_encrypt; +CREATE DATABASE tde_db; +USE tde_db; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON, +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON, +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +CREATE PROCEDURE tde_db.populate_t_encrypt() +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 5000) DO +insert into tde_db.t_encrypt(c2,c3,c4,c7) VALUES(i,CONCAT(REPEAT('a',200),LPAD(CAST(i AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.populate_t_non_encrypt() +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 5000) DO +insert into tde_db.t_non_encrypt(c2,c3,c4,c7) VALUES(i,CONCAT(REPEAT('a',200),LPAD(CAST(i AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.update_t_encrypt() +begin +declare i int default 1; +declare ustr varchar(1000); +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 5000) DO +SET @sql_text = CONCAT (' UPDATE tde_db.t_encrypt SET c3 =', 'CONCAT(REPEAT(a,200),LPAD(CAST(',i, 'AS CHAR),4,0) ORDER BY RAND() LIMIT 1'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +DEALLOCATE PREPARE stmt; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.delete_t_encrypt() +begin +declare i int default 1; +declare ustr varchar(1000); +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1062 SET has_error = 1; +while (i <= 5000) DO +SET @sql_text = CONCAT (' DELETE FROM tde_db.t_encrypt LIMIT 1'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +DEALLOCATE PREPARE stmt; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.read_t_encrypt() +begin +declare i int default 1; +while (i <= 5000) DO +SELECT * FROM (SELECT * FROM tde_db.t_encrypt ORDER BY RAND() LIMIT 1) AS A WHERE A.c2 < 0 ; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.alter_t_encrypt() +begin +declare i int default 1; +declare has_error int default 0; +while (i <= 5000) DO +ALTER INSTANCE ROTATE INNODB MASTER KEY; +set i = i + 1; +end while; +end| +CREATE PROCEDURE tde_db.create_t_encrypt(encrypt VARCHAR(5), tcnt INT) +begin +declare i int default 1; +declare has_error int default 0; +DECLARE CONTINUE HANDLER FOR 1050 SET has_error = 1; +SET i = tcnt ; +while (i <= 5000) DO +SET @sql_text = CONCAT('CREATE TABLE ',CONCAT('tde_db.t_encrypt_',encrypt,'_',i),' (c1 INT) ENCRYPTION="',encrypt,'"',' ENGINE=InnoDB'); +PREPARE stmt FROM @sql_text; +EXECUTE stmt; +DEALLOCATE PREPARE stmt; +set i = i + 1; +end while; +end| +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c2` int NOT NULL AUTO_INCREMENT, + `c3` char(255) DEFAULT 'No text', + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + PRIMARY KEY (`c2`), + SPATIAL KEY `idx2` (`c7`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +# Case1: insert on encrypt and non encrypt table in parallel during kill +# In connection con1 - Running insert on encrypt table +call tde_db.populate_t_encrypt(); +# In connection con2 - Running insert on encrypt table +call tde_db.populate_t_encrypt(); +# In connection con3 - Running insert into non encrypt table +call tde_db.populate_t_non_encrypt(); +# kill and restart the server +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +INSERT INTO tde_db.t_encrypt(c2,c3,c4,c7) VALUES(10000,CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) VALUES(10000,CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT 1; +1 +1 +# Case2: insert/update/delete on encrypt in parallel during kill +DROP TABLE tde_db.t_encrypt; +DROP TABLE tde_db.t_non_encrypt; +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON, +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON, +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +# In connection con1 - Running insert on encrypt table +call tde_db.populate_t_encrypt(); +# In connection con2 - Running update on encrypt table +call tde_db.update_t_encrypt(); +# In connection con3 - Running delete on encrypt table +call tde_db.delete_t_encrypt(); +# kill and restart the server +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +INSERT INTO tde_db.t_encrypt(c2,c3,c4,c7) VALUES(10000,CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) VALUES(10000,CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT 1; +1 +1 +# Case3: select,create and insert on encrypt in parallel during kill +DROP TABLE tde_db.t_encrypt; +DROP TABLE tde_db.t_non_encrypt; +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON, +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENCRYPTION="Y" ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON, +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE = InnoDB; +# In connection con1 - Running insert on encrypt table +call tde_db.populate_t_encrypt(); +# In connection con2 - Running select on encrypt table +call tde_db.read_t_encrypt(); +# kill and restart the server +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +INSERT INTO tde_db.t_encrypt(c2,c3,c4,c7) VALUES(10000,CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) VALUES(10000,CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +SELECT 1; +1 +1 +DROP DATABASE tde_db; +SET GLOBAL innodb_file_per_table=1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace.result new file mode 100644 index 000000000000..5087cbdaa773 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace.result @@ -0,0 +1,692 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# This test run CREATE/ALTER TABLESPACE in different configurations, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting default_table_encryption to true/false. +# - With and without ENCRYPTION clause. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - Test INFORMATION_SCHEMA.INNODB_TABLESPACES +# - Check for warnings generated. +# +````````````````````````````````````````````````````````` +# CREATE TABLESPACE with explicit ENCRYPTION clause +# table_encryption_privilege_check=false +# [CREATE TABLESPACE] Case 1 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 2 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +# [CREATE TABLESPACE] Case 3 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 4 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# CREATE TABLESPACE with explicit ENCRYPTION clause +# table_encryption_privilege_check=false +# [CREATE TABLESPACE] Case 5 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 6 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 7 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 8 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=true; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# table_encryption_privilege_check=true +# [CREATE TABLESPACE] Case 9 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SHOW WARNINGS; +ERROR HY000: Tablespace encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 10 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 11 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [CREATE TABLESPACE] Case 12 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=true; +SET SESSION default_table_encryption=true; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SHOW WARNINGS; +ERROR HY000: Tablespace encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Check for invalid ENCRYPTION clause value. +# [CREATE TABLESPACE] Case 13 ) +````````````````````````````````````````````````````````` +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='k'; +SHOW WARNINGS; +ERROR HY000: Invalid encryption option. +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# The test cases run ALTER TABLESPACE (with no tables) +# See test tablespace_with_tables.test. +````````````````````````````````````````````````````````` +# Unencrypted TABLESPACE to Unencrypted TABLESPACE (Nop) +# +# [ALTER TABLESPACE] Case 1 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER TABLESPACE] Case 2 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Encrypted TABLESPACE to Encrypted TABLESPACE (Nop) +# +# [ALTER TABLESPACE] Case 3 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=true; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER TABLESPACE] Case 4 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=true; +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Unencrypted TABLESPACE to encrypted TABLESPACE +# with database encryption default 'n' +# +# [ALTER TABLESPACE] Case 5 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER TABLESPACE] Case 6 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +ERROR HY000: Tablespace encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3828 Tablespace encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Unencrypted TABLESPACE to encrypted TABLESPACE +# with database encryption default 'y' +# +# [ALTER TABLESPACE] Case 7 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET SESSION default_table_encryption=true; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER TABLESPACE] Case 8 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET SESSION default_table_encryption=true; +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Encrypted TABLESPACE to unencrypted TABLESPACE +# with database encryption default 'n' +# +# [ALTER TABLESPACE] Case 9 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER TABLESPACE] Case 10 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Encrypted TABLESPACE to unencrypted TABLESPACE +# with database encryption default 'y' +# +# [ALTER TABLESPACE] Case 11 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=true; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# [ALTER TABLESPACE] Case 12 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=true; +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +ERROR HY000: Tablespace encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3828 Tablespace encryption differ from 'default_table_encryption' setting, and user doesn't have enough privilege. +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +# Check that we never fail with TABLE_ENCRYPTION_ADMIN +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 N +DROP TABLESPACE ts1; +# Revoke TABLE_ENCRYPTION_ADMIN from user. +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +````````````````````````````````````````````````````````` +# Check for Invalid encryption option. +# [ALTER TABLESPACE] Case 13 ) +````````````````````````````````````````````````````````` +CREATE TABLESPACE ts1 ADD DATAFILE 'ts1.ibd' ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +SET SESSION default_table_encryption=false; +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='k'; +ERROR HY000: Invalid encryption option. +SHOW WARNINGS; +Level Code Message +Error 3184 Invalid encryption option. +Error 1533 Failed to alter: TABLESPACE ts1 +Error 1030 Got error 168 - 'Unknown (generic) error from engine' from storage engine +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE 'ts1'; +NAME ENCRYPTION +ts1 Y +DROP TABLESPACE ts1; +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# Cleanup +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_1.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_1.result new file mode 100644 index 000000000000..d8553e90f291 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_1.result @@ -0,0 +1,1045 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# START : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB; +ALTER TABLESPACE encrypt_ts ENCRYPTION="Y"; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +DROP TABLESPACE encrypt_ts; +######################################################################### +# RESTART 1 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +DROP TABLE IF EXISTS t1; +--------------------------- +SYSTEM TABLESPACE +--------------------------- +CREATE TABLE t1(c int) ENCRYPTION="Y" tablespace innodb_system ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SET GLOBAL innodb_file_per_table = 0; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +0 +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="N" ENGINE = InnoDB; +SHOW WARNINGS; +Level Code Message +DROP TABLE t1; +CREATE TABLE t1(c int) ENCRYPTION="Y" tablespace innodb_system ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +CREATE TABLE t1(c int) ENCRYPTION="N" tablespace innodb_system ENGINE = InnoDB; +SHOW WARNINGS; +Level Code Message +DROP TABLE t1; +SET GLOBAL innodb_file_per_table = 1; +SELECT @@innodb_file_per_table; +@@innodb_file_per_table +1 +ALTER TABLESPACE innodb_system ENCRYPTION='Y'; +ERROR 42000: InnoDB: `innodb_system` is a reserved tablespace name. +--------------------------- +TEMPORARY TABLESPACE +--------------------------- +CREATE TEMPORARY TABLE t1(c int) ENCRYPTION="Y"; +ERROR HY000: InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +Error 1031 Table storage engine for 't1' doesn't have this option +CREATE TEMPORARY TABLE t1(c int) ENCRYPTION="N"; +ERROR HY000: InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: ENCRYPTION is not accepted for temporary tablespace. For temporary tablespace encryption please use innodb_temp_tablespace_encrypt variable. +Error 1031 Table storage engine for 't1' doesn't have this option +------------------------------------------------ +CREATE TABLESPACE WITH INVALID ENCRYPTION OPTION +------------------------------------------------ +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='R'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=y; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'y' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=Y; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Y' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=n; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'n' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=N; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'N' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=0; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=null; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'null' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='TRUE'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=TRUE; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TRUE' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=True; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'True' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='True'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='true'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=true; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'true' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=FALSE; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FALSE' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='FALSE'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=False; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'False' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='False'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=false; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'false' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='false'; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=-1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=''; +ERROR HY000: Invalid encryption option. +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption=""; +ERROR HY000: Invalid encryption option. +---------------------------------------------------- +CREATE ENCRYPTED TABLESPACE IN MyISAM STORAGE ENGINE +---------------------------------------------------- +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=MyISAM encryption='Y'; +ERROR HY000: Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=MyISAM encryption='y'; +ERROR HY000: Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=MyISAM encryption='N'; +ERROR HY000: Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=MyISAM encryption='n'; +ERROR HY000: Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MyISAM' does not support the create option 'CREATE TABLESPACE' +---------------------------------------------------- +CREATE ENCRYPTED TABLESPACE IN MEMORY STORAGE ENGINE +---------------------------------------------------- +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=Memory encryption='Y'; +ERROR HY000: Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=Memory encryption='y'; +ERROR HY000: Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=Memory encryption='N'; +ERROR HY000: Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=Memory encryption='n'; +ERROR HY000: Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +SHOW WARNINGS; +Level Code Message +Error 1478 Table storage engine 'MEMORY' does not support the create option 'CREATE TABLESPACE' +---------------------------------------------- +CREATE TABLESPACE WITH VALID ENCRYPTION OPTION +---------------------------------------------- +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption="y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption="n"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB encryption="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +----------------------------------------------- +ALTER TABLESPACE WITH INVALID ENCRYPTION OPTION +----------------------------------------------- +ALTER TABLESPACE encrypt_ts ENCRYPTION='R'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=0; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=TRUE; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TRUE' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION='TRUE'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=True; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'True' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION='True'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=true; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'true' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION='true'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=FALSE; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FALSE' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION='FALSE'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=False; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'False' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION='False'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=false; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'false' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION='false'; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=null; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'null' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=n; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'n' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=N; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'N' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=y; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'y' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=N; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'N' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=-1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION=''; +ERROR HY000: Invalid encryption option. +ALTER TABLESPACE encrypt_ts ENCRYPTION=""; +ERROR HY000: Invalid encryption option. +--------------------------------------------- +ALTER TABLESPACE WITH VALID ENCRYPTION OPTION +--------------------------------------------- +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="n"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="n"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="n"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='n'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="n"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +ALTER TABLESPACE encrypt_ts ENCRYPTION="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +----------------------------------------- +CREATE/ALTER TABLE in FILE-PER-TABLE TABLESPACE +----------------------------------------- +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 Y +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +ALTER TABLE t1 encryption="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 N +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="N" ENGINE = InnoDB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 N +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 encryption="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 Y +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE=innodb_file_per_table ENCRYPTION="Y" ENGINE = InnoDB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 Y +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +ALTER TABLE t1 encryption="N"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 N +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE=innodb_file_per_table ENCRYPTION="N" ENGINE = InnoDB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 N +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 encryption="Y"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +test/t1 Y +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='Y' +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE=encrypt_ts ENGINE = InnoDB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +-------------------------- +CREATE/ALTER TABLE IN GENERAL TABLESPACE +-------------------------- +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION="Y" ENGINE = InnoDB; +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION="N" ENGINE = InnoDB; +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'unencrypted' table while using an 'encrypted' tablespace. +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION="R" ENGINE = InnoDB; +ERROR HY000: Invalid encryption option. +SHOW WARNINGS; +Level Code Message +Error 3184 Invalid encryption option. +Error 1031 Table storage engine for 't1' doesn't have this option +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +ALTER TABLE t1 encryption='Y'; +ALTER TABLE t1 encryption='N'; +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +ALTER TABLE t1 encryption='R'; +ERROR HY000: Invalid encryption option. +DROP TABLE t1; +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION="N" ENGINE = InnoDB; +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENCRYPTION="R" ENGINE = InnoDB; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +CREATE TABLE t1(c1 INT, c2 char(20)) TABLESPACE encrypt_ts ENGINE = InnoDB; +ALTER TABLE t1 encryption='Y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +ALTER TABLE t1 encryption='N'; +ALTER TABLE t1 encryption='R'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +DROP TABLE t1; +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +######################################################################### +# RESTART 2 : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 3 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +SET GLOBAL innodb_file_per_table=1; +DROP TABLE t1; +CREATE TABLE t1(c2 char(100) , FULLTEXT INDEX `idx1` (c2)) ENGINE=InnoDB +tablespace=encrypt_ts ENCRYPTION='Y'; +ALTER TABLE t1 DROP INDEX idx1; +ALTER TABLE t1 ADD COLUMN c4 CHAR(20); +DROP TABLE t1; +---------------------- +ALGORITHM=COPY/INPLACE +---------------------- +ALTER TABLESPACE encrypt_ts ENCRYPTION="N", algorithm=copy; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'algorithm=copy' at line 1 +ALTER TABLESPACE encrypt_ts ENCRYPTION="N", algorithm=inplace; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'algorithm=inplace' at line 1 +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION="N", algorithm=copy; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'algorithm=copy' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION="N", algorithm=inplace; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'algorithm=inplace' at line 1 +----------- +COMPRESSION +----------- +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' COMPRESSION = "ZLIB" ENCRYPTION = "Y" ENGINE = InnoDB; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COMPRESSION = "ZLIB" ENCRYPTION = "Y" ENGINE = InnoDB' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION = "Y" ENGINE = InnoDB; +ALTER TABLESPACE encrypt_ts COMPRESSION = "ZLIB"; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COMPRESSION = "ZLIB"' at line 1 +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encryt_ts_1k ADD DATAFILE 'encrypt_ts_1k.ibd' FILE_BLOCK_SIZE=1k ENCRYPTION='Y'; +CREATE TABLESPACE encryt_ts_2k ADD DATAFILE 'encrypt_ts_2k.ibd' FILE_BLOCK_SIZE=2k ENCRYPTION='Y'; +CREATE TABLESPACE encryt_ts_4k ADD DATAFILE 'encrypt_ts_4k.ibd' FILE_BLOCK_SIZE=4k ENCRYPTION='Y'; +CREATE TABLESPACE encryt_ts_8k ADD DATAFILE 'encrypt_ts_8k.ibd' FILE_BLOCK_SIZE=8k ENCRYPTION='Y'; +CREATE TABLESPACE encryt_ts_16k ADD DATAFILE 'encrypt_ts_16k.ibd' FILE_BLOCK_SIZE=16k ENCRYPTION='Y'; +CREATE TABLESPACE encryt_ts_32k ADD DATAFILE 'encrypt_ts_32k.ibd' FILE_BLOCK_SIZE=32k ENCRYPTION='Y'; +ERROR HY000: InnoDB: Cannot create a tablespace with FILE_BLOCK_SIZE=32768 because INNODB_PAGE_SIZE=16384. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: Cannot create a tablespace with FILE_BLOCK_SIZE=32768 because INNODB_PAGE_SIZE=16384. +Error 1528 Failed to create TABLESPACE encryt_ts_32k +Error 1031 Table storage engine for 'encryt_ts_32k' doesn't have this option +DROP tablespace encryt_ts_1k; +DROP tablespace encryt_ts_2k; +DROP tablespace encryt_ts_4k; +DROP tablespace encryt_ts_8k; +DROP tablespace encryt_ts_16k; +CREATE TABLESPACE encrypt_ts ENCRYPTION='Y' ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 10M +MAX_SIZE = 100M NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 10M +MAX_SIZE = 1' at line 1 +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION='Y' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M +MAX_SIZE = 100M NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB ENCRYPTION='Y' AUTOEXTEND_SIZE = 12M +MAX_SIZE = 100M NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M ENCRYPTION='Y' +MAX_SIZE = 100M NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M MAX_SIZE = 100M +ENCRYPTION='Y' NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M MAX_SIZE = 100M +NODEGROUP = 5 ENCRYPTION='Y' WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M MAX_SIZE = 100M +NODEGROUP = 5 WAIT ENCRYPTION='Y' COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M MAX_SIZE = 100M +NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' ENCRYPTION='Y' INITIAL_SIZE = 100M EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M MAX_SIZE = 100M +NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M ENCRYPTION='Y'EXTENT_SIZE = 100M; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB AUTOEXTEND_SIZE = 12M MAX_SIZE = 100M +NODEGROUP = 5 WAIT COMMENT = 'TABLESPACE ENCRYPTION' INITIAL_SIZE = 100M EXTENT_SIZE = 100M ENCRYPTION='Y'; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB ENCRYPTION='Y'; +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +ALTER TABLESPACE encrypt_ts RENAME TO encrypt_ts_renamed; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts_renamed'; +NAME ENCRYPTION +encrypt_ts_renamed Y +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='test/t1'; +NAME ENCRYPTION +SELECT TABLE_SCHEMA,TABLE_NAME,ENGINE,CREATE_OPTIONS FROM information_schema.tables WHERE TABLE_NAME="t1"; +TABLE_SCHEMA TABLE_NAME ENGINE CREATE_OPTIONS +test t1 InnoDB ENCRYPTION='Y' +SHOW CREATE TABLE test.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts_renamed` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +DROP TABLESPACE encrypt_ts_renamed; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB ENCRYPTION='Y'; +CREATE PROCEDURE populate_t1() +BEGIN +DECLARE i int DEFAULT 1; +START TRANSACTION; +WHILE (i <= 10) DO +INSERT INTO t1 VALUES (i,CONCAT('a', i)); +SET i = i + 1; +END WHILE; +COMMIT; +END| +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y' ROW_FORMAT=COMPRESSED; +ERROR HY000: InnoDB: Tablespace `encrypt_ts` cannot contain a COMPRESSED table +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: Tablespace `encrypt_ts` cannot contain a COMPRESSED table +Error 1031 Table storage engine for 't1' doesn't have this option +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y' ROW_FORMAT=FIXED; +ERROR HY000: Table storage engine for 't1' doesn't have this option +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y' ROW_FORMAT=DYNAMIC; +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y' ROW_FORMAT=REDUNDANT; +DROP TABLE t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y' ROW_FORMAT=COMPACT; +DROP TABLE t1; +DROP PROCEDURE populate_t1; +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y' KEY_BLOCK_SIZE=1; +ERROR HY000: InnoDB: Tablespace `encrypt_ts` cannot contain a COMPRESSED table +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB: Tablespace `encrypt_ts` cannot contain a COMPRESSED table +Error 1031 Table storage engine for 't1' doesn't have this option +DROP TABLESPACE encrypt_ts; +SET block_encryption_mode = 'aes-256-cbc'; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE = InnoDB ENCRYPTION='Y'; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +CREATE TABLE tde_db.t1(c1 INT PRIMARY KEY, c2 char(50)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y'; +INSERT INTO tde_db.t1 VALUES(0, 'abc'); +INSERT INTO tde_db.t1 VALUES(1, 'xyz'); +INSERT INTO tde_db.t1 VALUES(2, null); +INSERT INTO tde_db.t1 VALUES(3, null); +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT * FROM tde_db.t1 LIMIT 10; +c1 c2 +0 abc +1 xyz +2 NULL +3 NULL +DROP DATABASE tde_db; +DROP TABLESPACE encrypt_ts; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION ='Y' ENGINE=InnoDB; +CREATE TABLE tde_db.t_encrypt(c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) ENGINE=InnoDB TABLESPACE=encrypt_ts ENCRYPTION='Y'; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + SPATIAL KEY `idx2` (`c7`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +INSERT INTO tde_db.t_encrypt(c4,c7) VALUES('{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +INSERT INTO tde_db.t_encrypt(c4,c7) select c4,c7 from tde_db.t_encrypt; +SELECT c4,c5,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 POINT(383293632 1754448) +SELECT c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c4 c5 c6 ST_AsText(c7) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +{"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c4` json DEFAULT NULL, + `c5` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_a')) STORED, + `c6` int GENERATED ALWAYS AS (json_extract(`c4`,_utf8mb4'$.key_b')) VIRTUAL, + `c7` point NOT NULL /*!80003 SRID 0 */, + SPATIAL KEY `idx2` (`c7`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE IF EXISTS tde_db.t_encrypt; +CREATE TABLE tde_db.t_encrypt(c1 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, c2 char(100), c3 BLOB , FULLTEXT INDEX `idx1` (c2)) ENGINE=InnoDB TABLESPACE=encrypt_ts ENCRYPTION='Y'; +CREATE TABLE tde_db.t_encrypt1(c11 INT , c22 char(100), c33 BLOB , FULLTEXT INDEX `idx1` (c22)) ENGINE=InnoDB TABLESPACE=encrypt_ts ENCRYPTION='Y'; +SHOW CREATE TABLE tde_db.t_encrypt; +Table Create Table +t_encrypt CREATE TABLE `t_encrypt` ( + `c1` int NOT NULL AUTO_INCREMENT, + `c2` char(100) DEFAULT NULL, + `c3` blob, + PRIMARY KEY (`c1`), + FULLTEXT KEY `idx1` (`c2`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE tde_db.t_encrypt1; +Table Create Table +t_encrypt1 CREATE TABLE `t_encrypt1` ( + `c11` int DEFAULT NULL, + `c22` char(100) DEFAULT NULL, + `c33` blob, + FULLTEXT KEY `idx1` (`c22`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +CREATE TABLE tde_db.t_encrypt2 (f1 INT PRIMARY KEY, f2 CHAR(100), +FOREIGN KEY (f1) REFERENCES tde_db.t_encrypt(c1) ON UPDATE CASCADE) ENGINE=InnoDB TABLESPACE=encrypt_ts ENCRYPTION='Y'; +CREATE TRIGGER tde_db.trigger_encrypt_table AFTER INSERT ON tde_db.t_encrypt +FOR EACH ROW +begin +INSERT INTO tde_db.t_encrypt1 SET c11 = NEW.c1*-1, c22 = NEW.c2 , c33 = NEW.c3; +end| +INSERT INTO tde_db.t_encrypt(c2,c3) VALUES("transparent tablespace encryption",repeat('A', 200)); +INSERT INTO tde_db.t_encrypt(c2,c3) VALUES("general tablespace option",repeat('A', 200)); +INSERT INTO tde_db.t_encrypt(c2,c3) VALUES("page level encryption",repeat('A', 200)); +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(1,"transparent tablespace encryption"); +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(2,"general tablespace option"); +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +1 transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +3 page level encryption AAAAAAAAAAAAAAAAAAAA +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt WHERE MATCH c2 AGAINST ('tablespace'); +c1 c2 right(c3, 20) +1 transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt WHERE MATCH c2 AGAINST ('tablespace' IN BOOLEAN MODE); +c1 c2 right(c3, 20) +1 transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt WHERE MATCH c2 AGAINST ('+tablespace -encryption' IN BOOLEAN MODE); +c1 c2 right(c3, 20) +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +ALTER TABLE tde_db.t_encrypt DROP INDEX idx1; +SELECT c1,c2,right(c3, 20) FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) +1 transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA +2 general tablespace option AAAAAAAAAAAAAAAAAAAA +3 page level encryption AAAAAAAAAAAAAAAAAAAA +ALTER TABLE tde_db.t_encrypt ADD COLUMN c4 CHAR(20) DEFAULT 'text'; +SELECT c1,c2,right(c3, 20),c4 FROM tde_db.t_encrypt LIMIT 10; +c1 c2 right(c3, 20) c4 +1 transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA text +2 general tablespace option AAAAAAAAAAAAAAAAAAAA text +3 page level encryption AAAAAAAAAAAAAAAAAAAA text +CREATE VIEW tde_db.t_encrypt_view AS SELECT c1,c2 FROM tde_db.t_encrypt; +SELECT c2 FROM tde_db.t_encrypt_view LIMIT 10; +c2 +transparent tablespace encryption +general tablespace option +page level encryption +SELECT A.c2,B.c2,right(B.c3,20) FROM tde_db.t_encrypt_view A , tde_db.t_encrypt B WHERE A.c2 = B.c2; +c2 c2 right(B.c3,20) +transparent tablespace encryption transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA +general tablespace option general tablespace option AAAAAAAAAAAAAAAAAAAA +page level encryption page level encryption AAAAAAAAAAAAAAAAAAAA +DROP VIEW tde_db.t_encrypt_view; +SELECT c11,c22,right(c33, 20) FROM tde_db.t_encrypt1 LIMIT 10; +c11 c22 right(c33, 20) +-1 transparent tablespace encryption AAAAAAAAAAAAAAAAAAAA +-2 general tablespace option AAAAAAAAAAAAAAAAAAAA +-3 page level encryption AAAAAAAAAAAAAAAAAAAA +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(2,"general tablespace option"); +ERROR 23000: Duplicate entry '2' for key 't_encrypt2.PRIMARY' +INSERT INTO tde_db.t_encrypt2(f1,f2) VALUES(8,"general tablespace option"); +ERROR 23000: Cannot add or update a child row: a foreign key constraint fails (`tde_db`.`t_encrypt2`, CONSTRAINT `t_encrypt2_ibfk_1` FOREIGN KEY (`f1`) REFERENCES `t_encrypt` (`c1`) ON UPDATE CASCADE) +SELECT f1,f2 FROM tde_db.t_encrypt2; +f1 f2 +1 transparent tablespace encryption +2 general tablespace option +UPDATE tde_db.t_encrypt SET c1=10 WHERE c1=1; +SELECT f1,f2 FROM tde_db.t_encrypt2; +f1 f2 +2 general tablespace option +10 transparent tablespace encryption +DROP DATABASE tde_db; +DROP DATABASE IF EXISTS tde_db; +CREATE DATABASE tde_db; +USE tde_db; +DROP TABLE IF EXISTS tde_db.t_encrypt; +CREATE TABLE tde_db.t_encrypt (c2 INT NOT NULL AUTO_INCREMENT ,c3 VARCHAR(255), c4 JSON ,c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED,c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL,c7 POINT NOT NULL SRID 0,spatial INDEX idx2 (c7) , PRIMARY KEY (c2,c3(100))) ENGINE=InnoDB TABLESPACE=encrypt_ts ENCRYPTION='Y'; +CREATE PROCEDURE tde_db.txn_t_encrypt() +BEGIN +declare i int default 0; +declare rowcnt int default 0; +START TRANSACTION; +WHILE (i <= 2000) DO +SET i = i + 1; +SET rowcnt = rowcnt + 1; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES (CONCAT(REPEAT('a',10),REPEAT(i,10)),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +IF (rowcnt = 3) THEN +UPDATE tde_db.t_encrypt SET c4 = '{ "key_a": 21, "key_b": 22, "key_c": 23 }' WHERE c2 = i-1 ; +DELETE FROM tde_db.t_encrypt WHERE c2 = i; +SAVEPOINT A; +END IF; +IF (rowcnt = 5) THEN +UPDATE tde_db.t_encrypt SET c4 = '{ "key_a": 41, "key_b": 42, "key_c": 43 }' WHERE c2 = i-1 ; +DELETE FROM tde_db.t_encrypt WHERE c2 = i; +SAVEPOINT B; +END IF; +IF (rowcnt = 10) THEN +ROLLBACK TO SAVEPOINT A; +COMMIT; +SET rowcnt = 0; +START TRANSACTION; +END IF; +END WHILE; +COMMIT; +end| +call tde_db.txn_t_encrypt(); +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +401 +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt LIMIT 10; +c2 RIGHT(c3,20) c4 +1 aaaaaaaaaa1111111111 {"key_a": 1, "key_b": 2, "key_c": 3} +2 aaaaaaaaaa2222222222 {"key_a": 21, "key_b": 22, "key_c": 23} +11 11111111111111111111 {"key_a": 1, "key_b": 2, "key_c": 3} +12 12121212121212121212 {"key_a": 21, "key_b": 22, "key_c": 23} +21 21212121212121212121 {"key_a": 1, "key_b": 2, "key_c": 3} +22 22222222222222222222 {"key_a": 21, "key_b": 22, "key_c": 23} +31 31313131313131313131 {"key_a": 1, "key_b": 2, "key_c": 3} +32 32323232323232323232 {"key_a": 21, "key_b": 22, "key_c": 23} +41 41414141414141414141 {"key_a": 1, "key_b": 2, "key_c": 3} +42 42424242424242424242 {"key_a": 21, "key_b": 22, "key_c": 23} +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt WHERE c2 > 500 AND c2 < 600; +c2 RIGHT(c3,20) c4 +501 01501501501501501501 {"key_a": 1, "key_b": 2, "key_c": 3} +502 02502502502502502502 {"key_a": 21, "key_b": 22, "key_c": 23} +511 11511511511511511511 {"key_a": 1, "key_b": 2, "key_c": 3} +512 12512512512512512512 {"key_a": 21, "key_b": 22, "key_c": 23} +521 21521521521521521521 {"key_a": 1, "key_b": 2, "key_c": 3} +522 22522522522522522522 {"key_a": 21, "key_b": 22, "key_c": 23} +531 31531531531531531531 {"key_a": 1, "key_b": 2, "key_c": 3} +532 32532532532532532532 {"key_a": 21, "key_b": 22, "key_c": 23} +541 41541541541541541541 {"key_a": 1, "key_b": 2, "key_c": 3} +542 42542542542542542542 {"key_a": 21, "key_b": 22, "key_c": 23} +551 51551551551551551551 {"key_a": 1, "key_b": 2, "key_c": 3} +552 52552552552552552552 {"key_a": 21, "key_b": 22, "key_c": 23} +561 61561561561561561561 {"key_a": 1, "key_b": 2, "key_c": 3} +562 62562562562562562562 {"key_a": 21, "key_b": 22, "key_c": 23} +571 71571571571571571571 {"key_a": 1, "key_b": 2, "key_c": 3} +572 72572572572572572572 {"key_a": 21, "key_b": 22, "key_c": 23} +581 81581581581581581581 {"key_a": 1, "key_b": 2, "key_c": 3} +582 82582582582582582582 {"key_a": 21, "key_b": 22, "key_c": 23} +591 91591591591591591591 {"key_a": 1, "key_b": 2, "key_c": 3} +592 92592592592592592592 {"key_a": 21, "key_b": 22, "key_c": 23} +SELECT c2,RIGHT(c3,20),c4 FROM tde_db.t_encrypt ORDER BY c2 DESC LIMIT 10; +c2 RIGHT(c3,20) c4 +2001 20012001200120012001 {"key_a": 1, "key_b": 2, "key_c": 3} +1992 19921992199219921992 {"key_a": 21, "key_b": 22, "key_c": 23} +1991 19911991199119911991 {"key_a": 1, "key_b": 2, "key_c": 3} +1982 19821982198219821982 {"key_a": 21, "key_b": 22, "key_c": 23} +1981 19811981198119811981 {"key_a": 1, "key_b": 2, "key_c": 3} +1972 19721972197219721972 {"key_a": 21, "key_b": 22, "key_c": 23} +1971 19711971197119711971 {"key_a": 1, "key_b": 2, "key_c": 3} +1962 19621962196219621962 {"key_a": 21, "key_b": 22, "key_c": 23} +1961 19611961196119611961 {"key_a": 1, "key_b": 2, "key_c": 3} +1952 19521952195219521952 {"key_a": 21, "key_b": 22, "key_c": 23} +DROP DATABASE tde_db; +DROP TABLESPACE encrypt_ts; +######################################################################### +# RESTART 4 : WITH KEYRING AND --INNODB_DIRECTORIES +######################################################################### +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'MYSQL_TMP_DIR/encrypt_ts.ibd' ENCRYPTION='Y'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +CREATE DATABASE tde_db; +CREATE TABLE tde_db.t1(c1 INT PRIMARY KEY, c2 char(50)) ENGINE = InnoDB TABLESPACE encrypt_ts ENCRYPTION='Y'; +INSERT INTO tde_db.t1 VALUES(0, 'abc'); +INSERT INTO tde_db.t1 VALUES(1, 'xyz'); +SELECT * FROM tde_db.t1; +c1 c2 +0 abc +1 xyz +# Remote tablespace listing +encrypt_ts.ibd +DROP TABLE tde_db.t1; +DROP DATABASE tde_db; +######################################################################### +# Cleanup +######################################################################### +DROP TABLESPACE encrypt_ts; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_10.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_10.result new file mode 100644 index 000000000000..a84c2ff4576f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_10.result @@ -0,0 +1,528 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# START : WITHOUT KEYRING + +######### +# SETUP # +######### +# Taking backup of local manifest file for MySQL server instance +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +#-------------------------- TEST 1 -------------------------------------# +# RESTART 1 : WITH KEYRING +# Restore local manifest file for MySQL server instance from backup +######################################################################## +# ALTER TABLESPACE : Unencrypted => Encrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# RESTART 2 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before flushing page 0 at the end +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" not found +# RESTART 3 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" found +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 4 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before flushing page 0 at the end +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 5 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 6 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +#-------------------------- TEST 2 -------------------------------------# +# RESTART 7 : WITH KEYRING +######################################################################## +# ALTER TABLESPACE : Unencrypted => Encrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# RESTART 8 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just after flushing page 0 at the end +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" not found +# RESTART 9 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" found +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 10 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just after flushing page 0 at the end +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 11 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 12 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +#-------------------------- TEST 3 -------------------------------------# +# RESTART 13 : WITH KEYRING +######################################################################## +# ALTER TABLESPACE : Unencrypted => Encrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# RESTART 14 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before resetting_progress on page 0 +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" not found +# RESTART 15 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" found +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 16 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before resetting_progress on page 0 +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 17 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 18 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +#-------------------------- TEST 4 -------------------------------------# +# RESTART 19 : WITH KEYRING +# Encrypt the tablespace. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 20 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before updating flags +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 21 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 22 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +#-------------------------- TEST 5 -------------------------------------# +# RESTART 23 : WITH KEYRING +######################################################################## +# ALTER TABLESPACE : Unencrypted => Encrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# RESTART 24 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before encryption processing is started +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" not found +# RESTART 25 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" found +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 26 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just before encryption processing is started +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 27 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 28 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +#-------------------------- TEST 6 -------------------------------------# +# RESTART 29 : WITH KEYRING +######################################################################## +# ALTER TABLESPACE : Unencrypted => Encrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# RESTART 30 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just after encryption processing is finished +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" not found +# RESTART 31 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" found +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 32 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just after encryption processing is finished +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 33 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 34 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +#-------------------------- TEST 7 -------------------------------------# +# RESTART 35 : WITH KEYRING +######################################################################## +# ALTER TABLESPACE : Unencrypted => Encrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# RESTART 36 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just after inserting DDL Log Entry +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" not found +# RESTART 37 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming ENCRYPTION for tablespace encrypt_ts" found +Pattern "Finished ENCRYPTION for tablespace encrypt_ts" found +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE : Encrypted => Unencrypted # +######################################################################## +# Set process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# RESTART 38 : WITH KEYRING COMPONENT after crash and cause resume operation +# to crash just after inserting DDL Log Entry +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +Got one of the listed errors +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" not found +# RESTART 39 : Normal. In this restart resume operation should finish successfully +# Wait for Encryption processing to finish in background thread +# Search the pattern in error log +Pattern "Resuming DECRYPTION for tablespace encrypt_ts" found +Pattern "Finished DECRYPTION for tablespace encrypt_ts" found +# RESTART 40 : WITHOUT KEYRING COMPONENT +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Restore local manifest file for MySQL server instance from backup +########### +# Cleanup # +########### +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +# RESTART 41 : final +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_11.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_11.result new file mode 100644 index 000000000000..02eeddb1cb04 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_11.result @@ -0,0 +1,95 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######### +# SETUP # +######### +######################################################################### +# RESTART 1 : WITH KEYRING PLUGIN +######################################################################### +#-------------------------- TEST 1 -------------------------------------# +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Set Encryption process to crash just after making DDL Entry +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_after_ddl_entry'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################### +# RESTART 2 : WITH KEYRING PLUGIN after crash +######################################################################### +# INJECT error TOO_MANY_CONCURRENT_TXNS in startup location DDL_Log_remove_inject_startup_error_1. +# It will cause FATAL error and server abort. +# Search the failure pattern in error log +Pattern "ENCRYPTION for tablespace encrypt_ts:[0-9]+ could not be done successfully" found +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +######################################################################### +# RESTART 3 : normally +######################################################################### +#-------------------------- TEST 2 -------------------------------------# +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Set Encryption process to crash just after making DDL Entry +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_after_ddl_entry'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################### +# RESTART 4 : WITH KEYRING PLUGIN after crash +######################################################################### +# INJECT error TOO_MANY_CONCURRENT_TXNS in startup location DDL_Log_remove_inject_startup_error_2. +# It will cause FATAL error and server abort. +# Search the failure pattern in error log +Pattern "\[FATAL\] Error in DDL Log recovery during Post-Recovery processing." found +######################################################################### +# RESTART 4 : normally +######################################################################### +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +########### +# Cleanup # +########### +######################################################################### +# RESTART 5 : final +######################################################################### +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_2.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_2.result new file mode 100644 index 000000000000..128eba922479 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_2.result @@ -0,0 +1,440 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# START : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +######### +# SETUP # +######### +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +############################################################# +# TEST 1 : CRASH DURING ALTER ENCRYPT A TABLESPACE. +############################################################# + +######################################################################### +# RESTART 1 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +############################################################ +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +# (crash at page 10) # +############################################################ +# Set Encryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# Restart after crash +# Wait for Encryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Encryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 2 : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 3 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +############################################################ +# ALTER TABLESPACE 2 : Encrypted => Unencrypted # +# (crash at page 10) # +############################################################ +# Set Unencryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# Restart after crash +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 4 : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +#################################################################### +# TEST 2 : CRASH DURING ALTER ENCRYPT A TABLESPACE (Compressed). +#################################################################### + +CREATE TABLESPACE compress_ts ADD DATAFILE 'compress_ts.ibd' ENGINE=InnoDB +ENCRYPTION="N" FILE_BLOCK_SIZE=8192; +CREATE TABLE t2(c1 char(100)) ENGINE=InnoDB TABLESPACE compress_ts +ROW_FORMAT=COMPRESSED KEY_BLOCK_SIZE=8; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='compress_ts'; +NAME ENCRYPTION +compress_ts N +SELECT * FROM t2 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 5 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +############################################################ +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +# (crash at page 10) # +############################################################ +# Set Encryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE compress_ts ENCRYPTION='Y'; +# Restart after crash +# Wait for Encryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Encryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='compress_ts'; +NAME ENCRYPTION +compress_ts Y +SELECT * FROM t2 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 6 : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t2 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 7 WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='compress_ts'; +NAME ENCRYPTION +compress_ts Y +SELECT * FROM t2 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +############################################################ +# ALTER TABLESPACE 2 : Encrypted => Unencrypted # +# (crash at page 10) # +############################################################ +# Set Unencryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE compress_ts ENCRYPTION='N'; +# Restart after crash +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='compress_ts'; +NAME ENCRYPTION +compress_ts N +SELECT * FROM t2 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 8 : WITHOUT KEYRING +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t2 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +DROP TABLE t2; +DROP TABLESPACE compress_ts; +############################################################# +# TEST 3 : CRASH BEFORE/AFTER ENCRYPTION PROCESSING. +############################################################# + +######################################################################### +# RESTART 9 : WITH KEYRING +######################################################################### +# Restore local manifest file for MySQL server instance from backup +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Set server to crash just before encryption processing starts +SET SESSION debug="+d,alter_encrypt_tablespace_crash_before_processing"; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# Restart after crash +# Wait for Unencryption processing to finish in background thread +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +# Set server to crash just after encryption processing finishes +SET SESSION debug="-d,alter_encrypt_tablespace_crash_before_processing"; +SET SESSION debug="+d,alter_encrypt_tablespace_crash_after_processing"; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# Restart after crash +# Wait for Unencryption processing to finish in background thread +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +############################################################# +# TEST 4 : CRASH DURING KEY ROTATION. +############################################################# + +######################################################################### +# RESTART 10 : WITH KEYRING +######################################################################### +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +# Set server to crash while rotating encryption +SET SESSION debug="+d,ib_crash_during_rotation_for_encryption"; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Restart after crash +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SET SESSION debug="-d,ib_crash_during_rotation_for_encryption"; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +############################################################### +# TEST 5 : CRASH DURING CREATING AN ENCRYPTED TABLESPACE +############################################################### + +# Set server to crash while creating an encrypted tablespace +SET SESSION debug="+d,ib_crash_during_create_tablespace_for_encryption"; +# Try to create an encrypted tablespace. It will cause server to crash. +CREATE TABLESPACE encrypt_ts_2 ADD DATAFILE 'encrypt_ts_2.ibd' ENGINE=InnoDB ENCRYPTION="Y"; +# Restart after crash +SET SESSION debug="-d,ib_crash_during_create_tablespace_for_encryption"; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE "%encrypt_ts%"; +NAME ENCRYPTION +encrypt_ts Y +############################################################### +# TEST 6 : DMLs ALLOWED AND DDLs BLOCKED TEST +############################################################### +SELECT ENABLED FROM performance_schema.setup_instruments +WHERE NAME='wait/lock/metadata/sql/mdl'; +ENABLED +YES +SET DEBUG_SYNC = 'innodb_alter_encrypt_tablespace SIGNAL s1 WAIT_FOR s2'; +ALTER TABLESPACE encrypt_ts ENCRYPTION='N';; +# Session 2 +SET DEBUG_SYNC = 'now WAIT_FOR s1'; +OBJECT_TYPE OBJECT_NAME LOCK_TYPE LOCK_DURATION LOCK_STATUS +TABLESPACE encrypt_ts EXCLUSIVE TRANSACTION GRANTED +DESCRIBE t1; +Field Type Null Key Default Extra +c1 char(100) YES NULL +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` char(100) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SELECT COUNT(*) FROM t1; +COUNT(*) +4096 +INSERT INTO t1 VALUES ("SOME VALUES"); +SELECT COUNT(*) from t1; +COUNT(*) +4097 +ALTER TABLE t1 ADD COLUMN (c2 int);; +# Monitoring session +OBJECT_TYPE OBJECT_NAME LOCK_TYPE LOCK_DURATION LOCK_STATUS +TABLESPACE encrypt_ts EXCLUSIVE TRANSACTION GRANTED +# Wait for MDL request by con2 to appear in metadata_locks table. +OBJECT_TYPE OBJECT_NAME LOCK_TYPE LOCK_DURATION LOCK_STATUS +TABLE t1 SHARED_UPGRADABLE TRANSACTION PENDING +SET DEBUG_SYNC = 'now SIGNAL s2'; +# Connection default +# Connection con2 +# Connection default +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME LIKE "%encrypt_ts%"; +NAME ENCRYPTION +encrypt_ts N +DESCRIBE t1; +Field Type Null Key Default Extra +c1 char(100) YES NULL +c2 int YES NULL +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` char(100) DEFAULT NULL, + `c2` int DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +########### +# Cleanup # +########### +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_3.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_3.result new file mode 100644 index 000000000000..83431fdad5cf --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_3.result @@ -0,0 +1,167 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# START : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +######### +# SETUP # +######### +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' + ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 1 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +# Monitoring connection +UPDATE performance_schema.setup_consumers SET ENABLED='YES'; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM performance_schema.setup_consumers +WHERE NAME LIKE "%stages%"; +NAME ENABLED +events_stages_current YES +events_stages_history YES +events_stages_history_long YES +SELECT * FROM performance_schema.setup_instruments +WHERE NAME LIKE "%encryption%"; +NAME ENABLED TIMED PROPERTIES FLAGS VOLATILITY DOCUMENTATION +wait/synch/mutex/innodb/resume_encryption_cond_mutex YES YES NULL 0 NULL +wait/synch/cond/innodb/resume_encryption_cond YES YES NULL 0 NULL +stage/innodb/alter tablespace (encryption) YES YES progress NULL 0 NULL +select count(*) from performance_schema.events_stages_current +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +count(*) +0 +# Default connection +############################################################ +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +############################################################ + +# Set Encryption process to wait after page 5 so that we can monitor +# progress in performance_schema table +SET DEBUG_SYNC = 'alter_encrypt_tablespace_wait_after_page5 SIGNAL s1 WAIT_FOR s2'; +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# Monitoring connection +SET DEBUG_SYNC = 'now WAIT_FOR s1'; +# Wait for Encryption progress monitoring to appear in PFS table +# Wait for some progress to appear in PFS table +select WORK_ESTIMATED, WORK_COMPLETED +FROM performance_schema.events_stages_current +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)'; +WORK_ESTIMATED WORK_COMPLETED +6 5 +SET DEBUG_SYNC = 'now SIGNAL s2'; +# Default connection +# Once done, select count from PFS tables +SELECT COUNT(*) +FROM performance_schema.events_stages_current +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +COUNT(*) +0 +SELECT COUNT(*) +FROM performance_schema.events_stages_history +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_history_long +WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)'; +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_global_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_by_user_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_by_host_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +SELECT COUNT(*) +FROM performance_schema.events_stages_summary_by_account_by_event_name +WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND +COUNT_STAR>0; +COUNT(*) +1 +# Check that Encryption done successfully. +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES +WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 2 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 3 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +UPDATE performance_schema.setup_consumers SET ENABLED='NO'; +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +########### +# Cleanup # +########### +SELECT COUNT(*) FROM t1; +COUNT(*) +32 +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_4.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_4.result new file mode 100644 index 000000000000..733f287d2052 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_4.result @@ -0,0 +1,622 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# START : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +######### +# SETUP # +######### +######################################################################### +# RESTART 1 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +######################################################################### +# Non Partitioned Table # +######################################################################### + +DROP TABLE IF EXISTS t1; +# Create an Encrypted and an Unencrypted tablespace +CREATE TABLESPACE encrypt_ts add datafile 'encrypt_ts.ibd' ENCRYPTION='Y'; +CREATE TABLESPACE unencrypt_ts add datafile 'unencrypt_ts.ibd' ENCRYPTION='N'; +# Create table with "encryption" option in general tablespace +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='n'; +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'unencrypted' table while using an 'encrypted' tablespace. +CREATE TABLE t1 (c int) TABLESPACE=innodb_system ENCRYPTION='y'; +ERROR HY000: Request to create 'encrypted' table while using an 'unencrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'encrypted' table while using an 'unencrypted' tablespace. +CREATE TABLE t1 (c int) TABLESPACE=innodb_system ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +DROP TABLE t1; +#------------------------------------------------------- +# general [encrypted] => general [unencrypted] +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='Y'; +ALTER TABLE t1 TABLESPACE=unencrypt_ts ENCRYPTION='N', ALGORITHM=INPLACE; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 TABLESPACE=unencrypt_ts ENCRYPTION='N', ALGORITHM=COPY; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +# general [unencrypted] => general [encrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +ALTER TABLE t1 TABLESPACE=encrypt_ts ENCRYPTION='Y', ALGORITHM=INPLACE; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +# Changing encryption type without explicit ENCRYPTION clause fails. +ALTER TABLE t1 TABLESPACE=encrypt_ts, ALGORITHM=COPY; +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +ALTER TABLE t1 TABLESPACE=encrypt_ts, ALGORITHM=INPLACE; +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +ALTER TABLE t1 TABLESPACE=encrypt_ts ENCRYPTION='Y', ALGORITHM=COPY; +#------------------------------------------------------- +# general [encrypted] => file-per-table [unencrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='Y'; +ALTER TABLE t1 TABLESPACE=innodb_file_per_table, ALGORITHM=INPLACE; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 TABLESPACE=innodb_file_per_table, ALGORITHM=COPY; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n', ALGORITHM=INPLACE; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n', ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +# general [encrypted] => file-per-table [encrypted] +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION= 'Y'; +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y', ALGORITHM=INPLACE; +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y', ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +#------------------------------------------------------- +# general [unencrypted] => file-per-table [unencrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=innodb_file_per_table, ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=innodb_file_per_table, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +# general [unencrypted] => file-per-table [encrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y', ALGORITHM=INPLACE; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='y', ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +# general [unencrypted] => file-per-table [unencrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n', ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=innodb_file_per_table ENCRYPTION='n', ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +#------------------------------------------------------- +# file-per-table [unencrypted] => general [encrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=encrypt_ts ENCRYPTION='Y', ALGORITHM=INPLACE; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=encrypt_ts ENCRYPTION='Y', ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +# file-per-table [encrypted] => general [encrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +ALTER TABLE t1 TABLESPACE=encrypt_ts, ALGORITHM=INPLACE; +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +ALTER TABLE t1 TABLESPACE=encrypt_ts, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +# file-per-table [encrypted] => general [unencrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci ENCRYPTION='y' +ALTER TABLE t1 TABLESPACE=unencrypt_ts ENCRYPTION='N', ALGORITHM=INPLACE; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 TABLESPACE=unencrypt_ts ENCRYPTION='N', ALGORITHM=COPY; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +# file-per-table [unencrypted] => general [unencrypted] +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=unencrypt_ts, ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +CREATE TABLE t1 (c int) ENCRYPTION='n'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 TABLESPACE=unencrypt_ts, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +#------------------------------------------------------- +# ALTER TABLE ADD COLUMN/INDEX WITH MOVING TO DIFFERENT TABLESPACE +CREATE TABLESPACE encrypt_ts1 add datafile 'encrypt_ts1.ibd' ENCRYPTION='Y'; +CREATE TABLESPACE unencrypt_ts1 add datafile 'unencrypt_ts1.ibd' ENCRYPTION='N'; +# ALGORITHM=DEFAULT +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='Y'; +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=unencrypt_ts ENCRYPTION='N'; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=encrypt_ts1; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +ALTER TABLE t1 ADD INDEX (c), TABLESPACE=encrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=unencrypt_ts1; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 ADD INDEX (c), TABLESPACE=unencrypt_ts; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 ADD INDEX (c2), TABLESPACE=encrypt_ts ENCRYPTION='Y'; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`), + KEY `c2` (`c2`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +# ALGORITHM=INPLACE +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='Y'; +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=unencrypt_ts ENCRYPTION='N', ALGORITHM=INPLACE; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=encrypt_ts1 ENCRYPTION='Y', ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +ALTER TABLE t1 ADD INDEX (c), TABLESPACE=encrypt_ts, ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=unencrypt_ts1, ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 ADD INDEX (c), TABLESPACE=unencrypt_ts, ALGORITHM=INPLACE; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 ADD INDEX (c2), TABLESPACE=encrypt_ts ENCRYPTION='Y', ALGORITHM=INPLACE; +ERROR 0A000: ALGORITHM=INPLACE is not supported. Reason: Cannot alter encryption attribute by inplace algorithm.. Try ALGORITHM=COPY. +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +DROP TABLE t1; +# ALGORITHM=COPY +CREATE TABLE t1 (c int) TABLESPACE=encrypt_ts ENCRYPTION='Y'; +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=unencrypt_ts ENCRYPTION='N', ALGORITHM=COPY; +ERROR HY000: Source tablespace is encrypted but target tablespace is not. +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=encrypt_ts1, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL +) /*!50100 TABLESPACE `encrypt_ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +ALTER TABLE t1 ADD INDEX (c), TABLESPACE=encrypt_ts, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +CREATE TABLE t1 (c int) TABLESPACE=unencrypt_ts; +ALTER TABLE t1 ADD c2 char(10), TABLESPACE=unencrypt_ts1, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL +) /*!50100 TABLESPACE `unencrypt_ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 ADD INDEX (c), TABLESPACE=unencrypt_ts, ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`) +) /*!50100 TABLESPACE `unencrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +ALTER TABLE t1 ADD INDEX (c2), TABLESPACE=encrypt_ts ENCRYPTION='Y', ALGORITHM=COPY; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c` int DEFAULT NULL, + `c2` char(10) DEFAULT NULL, + KEY `c` (`c`), + KEY `c2` (`c2`) +) /*!50100 TABLESPACE `encrypt_ts` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +DROP TABLE t1; +######################################################################### +# Partitioned Table # +######################################################################### + +DROP TABLE IF EXISTS t1; +# Create table without explicit tablespace name +CREATE TABLE t1 (id INT, name VARCHAR(50)) +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +# Try to ALTER TABLE to have general tablespace at table level +ALTER TABLE t1 TABLESPACE=unencrypt_ts; +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +# Alter encryption option +ALTER TABLE t1 ENCRYPTION='Y'; +DROP TABLE t1; +# Create table with general tablespace at table level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +TABLESPACE=encrypt_ts ENCRYPTION='Y' + PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Create table with system tablespace at table level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +TABLESPACE=innodb_system +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Create table with innodb_file_per_table tablespace at table level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +TABLESPACE=innodb_file_per_table +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +DROP TABLE t1; +# Create table with general tablespace at partition level +CREATE TABLE t1 (id INT, name VARCHAR(50)) ENCRYPTION='Y' + PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30) TABLESPACE=encrypt_ts); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Create table with system tablespace at partition level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30) TABLESPACE=innodb_system); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Create table with innodb_file_per_table tablespace at partition level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30) TABLESPACE=innodb_file_per_table); +DROP TABLE t1; +# Create table with ENCRYPTION='y' option +CREATE TABLE t1 (id INT, name VARCHAR(50)) +ENCRYPTION='Y' + PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +INSERT INTO t1 VALUES (5,'test'); +INSERT INTO t1 VALUES (12,'test1'); +INSERT INTO t1 VALUES (22,'test2'); +# Truncate specific partition of encrypted table +ALTER TABLE t1 TRUNCATE PARTITION p0; +# Alter encryption option +ALTER TABLE t1 ENCRYPTION='N'; +DROP TABLE t1; +# Create table with ENCRYPTION='y' option and innodb_file_per_table +# tablespace at table level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +ENCRYPTION='Y' TABLESPACE=innodb_file_per_table +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +# Alter encryption option +ALTER TABLE t1 ENCRYPTION='N'; +# Alter table to move a partition to general tablespace. +ALTER TABLE t1 REORGANIZE PARTITION P2 INTO ( +PARTITION P2 VALUES LESS THAN (30) TABLESPACE=encrypt_ts); +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'unencrypted' table while using an 'encrypted' tablespace. +ALTER TABLE t1 REORGANIZE PARTITION P2 INTO ( +PARTITION P2 VALUES LESS THAN (30) TABLESPACE=unencrypt_ts); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Alter table to move a partition to system tablespace. +ALTER TABLE t1 REORGANIZE PARTITION P2 INTO ( +PARTITION P2 VALUES LESS THAN (30) TABLESPACE=innodb_system); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Alter table to move a partition to file_per_table tablespace. +ALTER TABLE t1 REORGANIZE PARTITION P2 INTO ( +PARTITION P2 VALUES LESS THAN (30) TABLESPACE=innodb_file_per_table); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB, + PARTITION P2 VALUES LESS THAN (30) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB) */ +# Alter table to add a new partition in general tablespace +ALTER TABLE t1 ADD PARTITION ( +PARTITION p3 VALUES LESS THAN (40) tablespace=encrypt_ts); +ERROR HY000: Request to create 'unencrypted' table while using an 'encrypted' tablespace. +SHOW WARNINGS; +Level Code Message +Error 3825 Request to create 'unencrypted' table while using an 'encrypted' tablespace. +ALTER TABLE t1 ADD PARTITION ( +PARTITION p3 VALUES LESS THAN (40) tablespace=unencrypt_ts); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Alter table to add a new partition in innodb_system tablespace +ALTER TABLE t1 ADD PARTITION ( +PARTITION p3 VALUES LESS THAN (40) tablespace=innodb_system); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Alter table to add a new partition in innodb_file_per_table tablespace +ALTER TABLE t1 ADD PARTITION ( +PARTITION p3 VALUES LESS THAN (40) tablespace=innodb_file_per_table); +# Alter table to add a new partition without giving tablespace +ALTER TABLE t1 ADD PARTITION ( +PARTITION p4 VALUES LESS THAN (50)); +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `id` int DEFAULT NULL, + `name` varchar(50) DEFAULT NULL +) /*!50100 TABLESPACE `innodb_file_per_table` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +/*!50100 PARTITION BY RANGE (`id`) +(PARTITION p0 VALUES LESS THAN (10) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB, + PARTITION p1 VALUES LESS THAN (20) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB, + PARTITION P2 VALUES LESS THAN (30) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB, + PARTITION p3 VALUES LESS THAN (40) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB, + PARTITION p4 VALUES LESS THAN (50) TABLESPACE = `innodb_file_per_table` ENGINE = InnoDB) */ +# Alter table to add a new partition with encryption option at partition +# level. +ALTER TABLE t1 ADD PARTITION ( +PARTITION p5 VALUES LESS THAN (60) encryption='Y'); +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'encryption='Y')' at line 2 +DROP TABLE t1; +# Create table with ENCRYPTION='y' option and general tablespace +# at table level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +ENCRYPTION='Y' TABLESPACE=encrypt_ts +PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30)); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +# Create table with ENCRYPTION='y' option and general tablespace +# at partition level +CREATE TABLE t1 (id INT, name VARCHAR(50)) +ENCRYPTION='Y' + PARTITION BY RANGE(id) ( +PARTITION p0 VALUES LESS THAN (10), +PARTITION p1 VALUES LESS THAN (20), +PARTITION p2 VALUES LESS THAN (30) TABLESPACE=encrypt_ts); +ERROR HY000: InnoDB : A partitioned table is not allowed in a shared tablespace. +SHOW WARNINGS; +Level Code Message +Error 1478 InnoDB : A partitioned table is not allowed in a shared tablespace. +Error 1030 Got error 122 - 'Internal (unspecified) error in handler' from storage engine +########### +# Cleanup # +########### +DROP TABLE IF EXISTS t1; +DROP TABLESPACE encrypt_ts; +DROP TABLESPACE encrypt_ts1; +DROP TABLESPACE unencrypt_ts; +DROP TABLESPACE unencrypt_ts1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_5.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_5.result new file mode 100644 index 000000000000..0ef2504e7c2e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_5.result @@ -0,0 +1,102 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######### +# SETUP # +######### + +######################################################################### +# WITH KEYRING +######################################################################### +# Create a new 'unencrypted' tablespace 'encrypt_ts' +SELECT NAME, FLAG, SPACE_TYPE FROM information_schema.INNODB_TABLESPACES +where NAME="encrypt_ts"; +NAME FLAG SPACE_TYPE +create tablespace encrypt_ts add datafile 'encrypt_ts.ibd' + engine=INNODB encryption='N'; +SELECT NAME, FLAG, SPACE_TYPE FROM information_schema.INNODB_TABLESPACES +where NAME="encrypt_ts"; +NAME FLAG SPACE_TYPE +encrypt_ts 18432 General +# Create a table test.t1 in 'encrypt_ts' tablespace and insert some records. +create table test.t1 (c char(20)) tablespace encrypt_ts; +insert into test.t1 values ("samplerecord"); +set global innodb_buf_flush_list_now = 1; +############################################################# +# INITIAL SETUP : Tablespace is created as unencrypted # +# A table is created and rows are inserted # +############################################################# +# Check that tablespace file is not encrypted yet +# Print result +table space is Unencrypted. +############################################################ +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +############################################################ +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +set global innodb_buf_flush_list_now = 1; +# Check that tablespace file is encrypted now +# Print result +table space is Encrypted. +############################################################ +# ALTER TABLESPACE 2 : Encrypted => Unencrypted # +############################################################ +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +set global innodb_buf_flush_list_now = 1; +# Check that tablespace file is not encrypted now +# Print result +table space is Unencrypted. + +################# CRASH/RECOVERY TESTING ################### + +############################################################ +# ALTER TABLESPACE 3 : Unencrypted => Encrypted # +# (crash at page 10) # +############################################################ +SELECT COUNT(*) FROM test.t1; +COUNT(*) +4096 +set global innodb_buf_flush_list_now = 1; +# Check that tablespace file is still unencrypted +# Print result +table space is Unencrypted. +# Set Encryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# Wait for Encryption processing to finish in background thread +# After restart/recovery, check that Encryption was roll-forward and +# tablespace file is encrypted now +# Print result +table space is Encrypted. +############################################################ +# ALTER TABLESPACE 4 : Encrypted => Unencrypted # +# (crash at page 10) # +############################################################ +SELECT COUNT(*) FROM test.t1; +COUNT(*) +4096 +# Check that tablespace file is Encrypted +# Print result +table space is Encrypted. +# Set Encryption process to crash after page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +# Wait for Unencryption processing to finish in background thread +# After restart/recovery, check that Unencryption was roll-forward and +# tablespace file is Unencrypted now +# Print result +table space is Unencrypted. +########### +# CLEANUP # +########### +DROP TABLE test.t1; +DROP TABLESPACE encrypt_ts; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_6.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_6.result new file mode 100644 index 000000000000..3d43d6a7b341 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_6.result @@ -0,0 +1,988 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# RESTART 1 : WITH KEYRING +######################################################################### +######### +# SETUP # +######### +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENCRYPTION ='Y' ENGINE=InnoDB; +CREATE TABLESPACE encrypt_ts1 ADD DATAFILE 'encrypt_ts1.ibd' ENCRYPTION ='N' ENGINE=InnoDB; +DROP DATABASE IF EXISTS tde_db; +DROP TABLE IF EXISTS tde_db. t_encrypt; +CREATE DATABASE tde_db; +USE tde_db; +CREATE PROCEDURE tde_db.init_setup() +begin +/* Create table in encrypted tablespace */ +CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +/* Create table in non-encrypted tablesapce */ +CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +/* insert into encrypted table */ +INSERT INTO tde_db.t_encrypt(c3,c4,c7) VALUES(CONCAT(REPEAT('a',200),LPAD(CAST(1 AS CHAR),4,'0')),'{ "key_a": 1, "key_b": 2, "key_c": 3 }',ST_GeomFromText('POINT(383293632 1754448)')); +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_encrypt(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_encrypt */'; +SELECT COUNT(*) FROM tde_db.t_encrypt; +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +/* insert into non encrypted table */ +INSERT INTO tde_db.t_non_encrypt(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_non_encrypt */'; +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +CREATE TABLE tde_db.t_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_2(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +/* insert into encrypted table 2 */ +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_encrypt_2 */'; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +/* insert into NON encrypted table 2 */ +INSERT INTO tde_db.t_non_encrypt_2(c2,c3,c4,c7) SELECT c2,c3,c4,c7 FROM tde_db.t_encrypt; +SELECT '/* select tde_db.t_non_encrypt_2 */'; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +end| +#----------------------------------------------------------------------- +# Initialize tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +# Select non encrypted tables : Pass +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# Select encrypted tables : No Error (-master key is cached) +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT c2 ,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +# Error on "ALTER INSTANCE ..." +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# new table creation in encrypted tablespace is allowed after uninstall +CREATE TABLE tde_db.t_encrypt_3(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +# new table in non-encrypted tablespace is allowed after uninstall +CREATE TABLE tde_db.t_non_encrypt_3(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_3 ; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_3; +######################################################################### +# Test 1 : Restart with same keyring option +# - all tables accessible +######################################################################### +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# Initialize tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# restart with same keyring option +# All tables must be accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# Insert into old encrypted tables +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +128 +# Insert into old non encrypted tables +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_non_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +128 +# Update into old encrypted tables +UPDATE tde_db.t_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# Update into old non encrypted tables +UPDATE tde_db.t_non_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# Delete from old encrypted tables +DELETE FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# Delete from old non encrypted tables +DELETE FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# Create new tables +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_4; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_4; +######################################################################### +# Test 2 : Restart without keyring option +# - old encrypted tables accessible +# - unencryption tables are accessible +######################################################################### +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# Initialize tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# restart without keyring +# Taking backup of local manifest file for MySQL server instance +# Encrypted tables must not be accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Unencrypted tables must be accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# Creating table in encrypted tablespace must not be possible as tablespace +# would be missing +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +ERROR HY000: InnoDB: A general tablespace named `encrypt_ts` cannot be found. +# Creating table in unencrypted tablespace must be possible +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Encrypted tables must not be accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 ,tde_db.t_non_encrypt_4; +######################################################################### +# Test 3 : Restart and reload keyring using command +# - All tables must be accessible +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT status_key, status_value FROM +performance_schema.keyring_component_status +WHERE status_key LIKE '%name%' OR status_key LIKE '%status%'; +status_key status_value +Component_name component_percona_keyring_encrypted_file +Implementation_name component_percona_keyring_encrypted_file +Component_status Active +# Initalize tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +# restart without keyring +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +# All tables must be accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_2 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# Insert into old encrypted tables +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +128 +# Insert into old non encrypted tables +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +INSERT INTO tde_db.t_non_encrypt_2(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +128 +# Update into old encrypted tables +UPDATE tde_db.t_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# Update into old non encrypted tables +UPDATE tde_db.t_non_encrypt_2 SET c2 = 1000 WHERE c2 = 1; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +1 +# Delete from old encrypted tables +DELETE FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# Delete from old non encrypted tables +DELETE FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2 WHERE c2 = 1000 ; +COUNT(*) +0 +# Create new tables +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +SELECT c2,right(c3,20),c4,c5,c6,ST_AsText(c7) FROM tde_db.t_non_encrypt_4 LIMIT 10; +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +ALTER INSTANCE ROTATE INNODB MASTER KEY; +SELECT COUNT(*) FROM tde_db.t_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +127 +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 , tde_db.t_encrypt_4; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 , tde_db.t_non_encrypt_4; +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts ENCRYPTION='Y' ENGINE = InnoDB; +ALTER INSTANCE ROTATE INNODB MASTER KEY; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +DROP TABLE tde_db.t_encrypt_4; +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +ALTER INSTANCE RELOAD KEYRING; +######################################################################### +# Test 4 : Restart with new keyring_data_file +# - Old encrypted tables not accessible +# - Non encrypted tables accessible +# - Creation of new tables in encrypted/unencrypted tablespace +# is also posible +######################################################################### +# init tables +call tde_db.init_setup(); +/* select tde_db.t_encrypt */ +/* select tde_db.t_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt */ +/* select tde_db.t_non_encrypt */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_encrypt_2 */ +/* select tde_db.t_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +5 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +10 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +/* select tde_db.t_non_encrypt_2 */ +/* select tde_db.t_non_encrypt_2 */ +COUNT(*) +64 +c2 right(c3,20) c4 c5 c6 ST_AsText(c7) +1 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +2 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +3 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +4 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +6 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +7 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +8 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +9 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +13 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +14 aaaaaaaaaaaaaaaa0001 {"key_a": 1, "key_b": 2, "key_c": 3} 1 2 POINT(383293632 1754448) +# Taking backup of local keyring file for keyring component: component_percona_keyring_encrypted_file +# restart with with different keyring file +# old encrypted tables not accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# NON encrypted tables accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# new encrypted tablespace possible +CREATE TABLESPACE encrypt_ts2 ADD DATAFILE 'encrypt_ts2.ibd' ENCRYPTION ='Y' ENGINE=InnoDB; +# new table in new encrypted tablespace possible +CREATE TABLE tde_db.t_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE encrypt_ts2 ENCRYPTION='Y' ENGINE = InnoDB; +# new table in non encrypted tablespace possible +CREATE TABLE tde_db.t_non_encrypt_4(c2 INT NOT NULL AUTO_INCREMENT PRIMARY KEY, +c3 CHAR(255) Default 'No text', +c4 JSON , +c5 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_a')) STORED, +c6 INT GENERATED ALWAYS AS (JSON_EXTRACT(c4,'$.key_b')) VIRTUAL, +c7 POINT NOT NULL SRID 0, +spatial INDEX idx2 (c7) +) TABLESPACE=encrypt_ts1 ENGINE = InnoDB; +INSERT INTO tde_db.t_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +INSERT INTO tde_db.t_non_encrypt_4(c3,c4,c7) SELECT c3,c4,c7 FROM tde_db.t_non_encrypt; +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Old encrypted tables in encrypted tablespace must not be accessible +SELECT COUNT(*) FROM tde_db.t_encrypt; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +SELECT COUNT(*) FROM tde_db.t_encrypt_2; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Old unencrypted table must be accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt; +COUNT(*) +64 +SELECT COUNT(*) FROM tde_db.t_non_encrypt_2; +COUNT(*) +64 +# New encrypted tables must be accessible +SELECT COUNT(*) FROM tde_db.t_encrypt_4; +COUNT(*) +64 +# New unencrypted tables must be accessible +SELECT COUNT(*) FROM tde_db.t_non_encrypt_4; +COUNT(*) +64 +########### +# CLEANUP # +########### +DROP TABLE tde_db.t_encrypt , tde_db.t_encrypt_2 ,tde_db.t_encrypt_4; +DROP TABLE tde_db.t_non_encrypt , tde_db.t_non_encrypt_2 ,tde_db.t_non_encrypt_4; +DROP DATABASE tde_db; +DROP TABLESPACE encrypt_ts; +DROP TABLESPACE encrypt_ts1; +DROP TABLESPACE encrypt_ts2; +# Restoring local keyring file from backup for keyring component: component_percona_keyring_encrypted_file +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_7.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_7.result new file mode 100644 index 000000000000..7cc68596be70 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_7.result @@ -0,0 +1,538 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# START : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +######### +# SETUP # +######### +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +#-------------------------- TEST 0 -------------------------------------# +######################################################################### +# RESTART 1 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +######################################################################## +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +# crash just before flushing page 0 at the end # +######################################################################## +# Set process to crash just before flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_after_ddl_entry'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################### +# RESTART 2 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Encryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Encryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 3 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 4 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE 2 : Encrypted => Unencrypted # +# crash just before flushing page 0 at the end # +######################################################################## +# Set process to crash just before flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_after_ddl_entry'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +######################################################################### +# RESTART 5 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 6 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +#-------------------------- TEST 1 -------------------------------------# +######################################################################### +# RESTART 7 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +######################################################################## +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +# crash just before flushing page 0 at the end # +######################################################################## +# Set process to crash just before flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_before_flushing_page_0'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################### +# RESTART 8 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Encryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Encryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 9 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 10 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE 2 : Encrypted => Unencrypted # +# crash just before flushing page 0 at the end # +######################################################################## +# Set process to crash just before flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_before_flushing_page_0'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +######################################################################### +# RESTART 11 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 12 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 13 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +######################################################################## +# ALTER TABLESPACE 3 : Unencrypted => Encrypted # +# crash just after flushing page 0 at the end # +######################################################################## +# Set process to crash just after flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_after_flushing_page_0'; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################### +# RESTART 14 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Encryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Encryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 15 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT * FROM t1 LIMIT 10; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +######################################################################### +# RESTART 16 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts Y +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE 4 : Encrypted => Unencrypted # +# crash just after flushing page 0 at the end # +######################################################################## +# Set process to crash just after flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_after_flushing_page_0'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +######################################################################### +# RESTART 17 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 18 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +#-------------------------- TEST 2 -------------------------------------# +######################################################################### +# RESTART 19 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE 5 : Encrypted => unencrypted # +# crash just before updating ts flags on page0 # +######################################################################## +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# Set process to crash just after flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_before_updating_flags'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +######################################################################### +# RESTART 20 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 21 : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 22 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################## +# ALTER TABLESPACE 6 : Encrypted => unencrypted # +# crash just before resetting progress onpage 0 # +######################################################################## +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# Set process to crash just after flushing page 0 at the end +SET SESSION debug= '+d,alter_encrypt_tablespace_crash_before_resetting_progress'; +# Unencrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +######################################################################### +# RESTART 23 : WITH KEYRING PLUGIN after crash +######################################################################### +# Wait for Unencryption processing to finish in background thread +set global innodb_buf_flush_list_now = 1; +# After restart/recovery, check that Unencryption was roll-forward +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +######################################################################### +# RESTART 24: WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +#-------------------------- TEST 3 -------------------------------------# +######################################################################### +# RESTART 25 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd'; +CREATE TABLE t1 (C CHAR(10)) TABLESPACE=encrypt_ts; +SET GLOBAL innodb_limit_optimistic_insert_debug=2; +INSERT INTO t1 VALUES("SOMEVALUE"); +INSERT INTO t1 VALUES("SOMEVALUE"); +INSERT INTO t1 VALUES("SOMEVALUE"); +INSERT INTO t1 VALUES("SOMEVALUE"); +INSERT INTO t1 VALUES("SOMEVALUE"); +INSERT INTO t1 VALUES("SOMEVALUE"); +INSERT INTO t1 VALUES("SOMEVALUE"); +# Make sure checkpoint is not moved +SET GLOBAL innodb_log_checkpoint_now = ON; +SET GLOBAL innodb_page_cleaner_disabled_debug = 1; +SET GLOBAL innodb_dict_stats_disabled_debug = 1; +SET GLOBAL innodb_master_thread_disabled_debug = 1; +# Following encryption will create a new tablespace key (KEY1) +# KEY1 will be written on REDO log +ALTER TABLESPACE encrypt_ts encryption='Y'; +# Following unencryption will remove tablespace key +ALTER TABLESPACE encrypt_ts encryption='N'; +SET SESSION debug= '+d,alter_encrypt_tablespace_page_6'; +SET SESSION debug= '+d,flush_each_dirtied_page'; +# Following encryption will create a new tablespace key (KEY2) +# KEY2 will be written on REDO log +# Flush dirtied pages encrypted with KEY2 before crash +ALTER TABLESPACE encrypt_ts encryption='Y'; +######################################################################### +# RESTART 26: WITH KEYRING PLUGIN after crash +######################################################################### +########### +# Cleanup # +########### +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_8.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_8.result new file mode 100644 index 000000000000..e255936321b6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_8.result @@ -0,0 +1,46 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# RESTART 1 : WITH KEYRING +######################################################################### +SET SESSION debug= '+d,ddl_btree_build_insert_return_interrupt'; + +######### +# SETUP # +######### +CREATE PROCEDURE populate_t1() +BEGIN +DECLARE i int DEFAULT 1; +START TRANSACTION; +WHILE (i <= 10000) DO +INSERT INTO t1 VALUES (i, i, CONCAT('a', i)); +SET i = i + 1; +END WHILE; +COMMIT; +END| +CREATE TABLE t1(class INT, id INT, title VARCHAR(100)) encryption='N'; +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' encryption='N'; +ALTER TABLE t1 TABLESPACE=encrypt_ts, ALGORITHM=INPLACE; +ERROR 70100: Query execution was interrupted +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +######################################################################### +# RESTART 2 : WITH KEYRING PLUGIN +######################################################################### +ALTER TABLESPACE encrypt_ts ENCRYPTION='N'; +########### +# Cleanup # +########### +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +DROP PROCEDURE populate_t1; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_9.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_9.result new file mode 100644 index 000000000000..f4207e0ab41d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_encrypt_9.result @@ -0,0 +1,88 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +######################################################################### +# START : WITHOUT KEYRING PLUGIN +######################################################################### +# Taking backup of local manifest file for MySQL server instance +######### +# SETUP # +######### +CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' ENGINE=InnoDB ENCRYPTION="N"; +CREATE TABLE t1(c1 char(100)) ENGINE=InnoDB TABLESPACE encrypt_ts; +set global innodb_buf_flush_list_now = 1; +SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='encrypt_ts'; +NAME ENCRYPTION +encrypt_ts N +SELECT * FROM t1 LIMIT 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +############################################################# +# TEST 1 : CRASH DURING ALTER ENCRYPT A TABLESPACE. +############################################################# + +######################################################################### +# RESTART 1 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +############################################################ +# ALTER TABLESPACE 1 : Unencrypted => Encrypted # +# (crash at page 10) # +############################################################ +# Set Encryption process to crash at page 10 +SET SESSION debug= '+d,alter_encrypt_tablespace_page_10'; +SET GLOBAL innodb_log_checkpoint_now = ON; +SET GLOBAL innodb_page_cleaner_disabled_debug = 1; +SET GLOBAL innodb_dict_stats_disabled_debug = 1; +SET GLOBAL innodb_master_thread_disabled_debug = 1; +# Encrypt the tablespace. It will cause crash. +ALTER TABLESPACE encrypt_ts ENCRYPTION='Y'; +# Restart after crash without Keyring plugin loaded +# Taking backup of local manifest file for MySQL server instance +Pattern "CORRUPT LOG RECORD FOUND" found +# Server shouldn't have restarted, so query should fail. +SELECT * from test.t1 limit 10; +Got one of the listed errors +######################################################################### +# RESTART 2 : WITH KEYRING PLUGIN +######################################################################### +# Restore local manifest file for MySQL server instance from backup +# Server should have restarted properly. +SELECT * from test.t1 limit 10; +c1 +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +SOME VALUES +########### +# Cleanup # +########### +DROP TABLE t1; +DROP TABLESPACE encrypt_ts; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_with_tables.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_with_tables.result new file mode 100644 index 000000000000..a57cdfc32c21 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/tablespace_with_tables.result @@ -0,0 +1,1019 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# WL#12261 Control (enforce and disable) table encryption +# +# Pre-define user u1, which is used in different tests below. +CREATE USER u1@localhost; +GRANT ALL ON db1.* TO u1@localhost; +GRANT CREATE TABLESPACE, PROCESS, SYSTEM_VARIABLES_ADMIN ON *.* TO u1@localhost; +SET GLOBAL debug= '+d,skip_table_encryption_admin_check_for_set'; +# The test cases run ALTER TABLESPACE to check its encryption mode. +# The importance of this test is to check the way ALTER TABLESPACE +# updates the ENCRYPTION clause of tables in it. +# We run this command in various configuration as, +# +# - Setting table_encryption_privilege_check to true/false. +# - Setting per database default encryption to true/false. +# - With and without user holding TABLE_ENCRYPTION_ADMIN privilege. +# - Check for warnings generated. +# +````````````````````````````````````````````````````````` +# Unencrypted TABLESPACE to Unencrypted TABLESPACE (Nop) +# [ALTER TABLESPACE] Case 1 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 2 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Encrypted TABLESPACE to Encrypted TABLESPACE (Nop) +# [ALTER TABLESPACE] Case 3 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 4 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 5 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Unencrypted TABLESPACE to encrypted TABLESPACE +# with database encryption default 'n' +# [ALTER TABLESPACE] Case 6 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Reject creating encrypted table in database with default encryption='n' +# [ALTER TABLESPACE] Case 7 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +ERROR HY000: This tablespace can't be encrypted, because one of table's schema has default encryption OFF and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3829 This tablespace can't be encrypted, because one of table's schema has default encryption OFF and user doesn't have enough privilege. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 8 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# With some tables without ENCRYPTION clause; +# [ALTER TABLESPACE] Case 9 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Reject creating encrypted table in database with default encryption='n' +# [ALTER TABLESPACE] Case 10 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +ERROR HY000: This tablespace can't be encrypted, because one of table's schema has default encryption OFF and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3829 This tablespace can't be encrypted, because one of table's schema has default encryption OFF and user doesn't have enough privilege. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 11 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# With all tables without ENCRYPTION clause; +# [ALTER TABLESPACE] Case 12 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Request to create encrypted tablespace with default_table_encryption='n' +# [ALTER TABLESPACE] Case 13 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +ERROR HY000: This tablespace can't be encrypted, because one of table's schema has default encryption OFF and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3829 This tablespace can't be encrypted, because one of table's schema has default encryption OFF and user doesn't have enough privilege. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 14 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Unencrypted TABLESPACE to encrypted TABLESPACE +# with database encryption 'y' +# [ALTER TABLESPACE] Case 15 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 16 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 17 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='n'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='n' */ +SET SESSION default_table_encryption=true; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='y'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='Y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# Case 17.1 With some tables without ENCRYPTION clause; +# CREATE table using unencrypted tablespace without +# ENCRYPTION clause would inherit ENCRYPTION from database. +# This makes CREATE TABLE fail because the ENCRYPTION clause +# and the tablespace encryption type mismatches. The test +# encryption.create_table does test this. +# Case 17.2 With all tables without ENCRYPTION clause; +# Behavior would be same as described in Case 17.1 +````````````````````````````````````````````````````````` +# Encrypted TABLESPACE to unencrypted TABLESPACE +# with database encryption 'n' +# [ALTER TABLESPACE] Case 18 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 19 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 20 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='n'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +SHOW WARNINGS; +Level Code Message +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Encrypted TABLESPACE to unencrypted TABLESPACE +# with database encryption 'y' +# [ALTER TABLESPACE] Case 21 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=false; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW WARNINGS; +Level Code Message +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='N' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='N' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +````````````````````````````````````````````````````````` +# Request to create unencrypted tablespace with default_table_encryption='y' +# [ALTER TABLESPACE] Case 22 ) +````````````````````````````````````````````````````````` +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +ERROR HY000: This tablespace can't be decrypted, because one of table's schema has default encryption ON and user doesn't have enough privilege. +SHOW WARNINGS; +Level Code Message +Error 3830 This tablespace can't be decrypted, because one of table's schema has default encryption ON and user doesn't have enough privilege. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# [ALTER TABLESPACE] Case 23 ) +````````````````````````````````````````````````````````` +# Grant user with TABLE_ENCRYPTION_ADMIN +GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO u1@localhost; +# Create required schema to run ALTER TABLESPACE. +CREATE TABLESPACE ts1 ADD DATAFILE 'df_u.ibd' ENCRYPTION='y'; +CREATE DATABASE db1 DEFAULT ENCRYPTION='y'; +CREATE TABLE db1.t1 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +CREATE TABLE db1.t2 (f1 int) TABLESPACE=ts1 ENCRYPTION='y'; +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='y' */ +SET SESSION default_table_encryption=false; +# Run ALTER TABLESPACE +SET GLOBAL table_encryption_privilege_check=true; +ALTER TABLESPACE ts1 ENCRYPTION='n'; +Warnings: +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW WARNINGS; +Level Code Message +Warning 3824 Creating an unencrypted table in a database with default encryption enabled. +SHOW CREATE TABLE db1.t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='N' */ +SHOW CREATE TABLE db1.t2; +Table Create Table +t2 CREATE TABLE `t2` ( + `f1` int DEFAULT NULL +) /*!50100 TABLESPACE `ts1` */ ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci /*!80016 ENCRYPTION='N' */ +SET GLOBAL table_encryption_privilege_check=false; +SET SESSION default_table_encryption=false; +# clean up +# Revoke TABLE_ENCRYPTION_ADMIN from user +REVOKE TABLE_ENCRYPTION_ADMIN ON *.* FROM u1@localhost; +DROP DATABASE db1; +DROP TABLESPACE ts1; +# +# Clean up. +DROP USER u1@localhost; +SET GLOBAL debug= '-d,skip_table_encryption_admin_check_for_set'; +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/udf_test.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/udf_test.result new file mode 100644 index 000000000000..6da5cddf828a --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/udf_test.result @@ -0,0 +1,319 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# ---------------------------------------------------------------------- +# Setting up Keyring UDFs +INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; +CREATE FUNCTION keyring_key_store RETURNS INTEGER SONAME 'keyring_udf.so'; +CREATE FUNCTION keyring_key_generate RETURNS INTEGER SONAME 'keyring_udf.so'; +CREATE FUNCTION keyring_key_fetch RETURNS sTRING SONAME 'keyring_udf.so'; +CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME 'keyring_udf.so'; +CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME 'keyring_udf.so'; +CREATE FUNCTION keyring_key_remove RETURNS INTEGER SONAME 'keyring_udf.so'; +# ---------------------------------------------------------------------- +# Tests for AES key type +# keyring_key_generate tests +SELECT keyring_key_generate('AES_g1', 'AES', 16); +keyring_key_generate('AES_g1', 'AES', 16) +1 +SELECT keyring_key_generate('AES_g2', 'AES', 32); +keyring_key_generate('AES_g2', 'AES', 32) +1 +SELECT keyring_key_generate('AES_g3', 'AES', 64); +keyring_key_generate('AES_g3', 'AES', 64) +1 +# keyring_key_store tests +SELECT keyring_key_store('AES_s1', 'AES', 'Quick brown fox jumped over the lazy dog'); +keyring_key_store('AES_s1', 'AES', 'Quick brown fox jumped over the lazy dog') +1 +SELECT keyring_key_store('AES_s2', 'AES', 'Old MacDonald had a farm'); +keyring_key_store('AES_s2', 'AES', 'Old MacDonald had a farm') +1 +SELECT keyring_key_store('AES_s3', 'AES', 'Quis custodiet ipsos custodes'); +keyring_key_store('AES_s3', 'AES', 'Quis custodiet ipsos custodes') +1 +# keyring_key_fetch tests +SELECT keyring_key_fetch('AES_g1') INTO @aes_g1_fetched; +SELECT keyring_key_fetch('AES_g2') INTO @aes_g2_fetched; +SELECT keyring_key_fetch('AES_g3') INTO @aes_g3_fetched; +SELECT LENGTH(@aes_g1_fetched); +LENGTH(@aes_g1_fetched) +16 +SELECT LENGTH(@aes_g2_fetched); +LENGTH(@aes_g2_fetched) +32 +SELECT LENGTH(@aes_g3_fetched); +LENGTH(@aes_g3_fetched) +64 +SELECT keyring_key_fetch('AES_s1'); +keyring_key_fetch('AES_s1') +Quick brown fox jumped over the lazy dog +SELECT keyring_key_fetch('AES_s2'); +keyring_key_fetch('AES_s2') +Old MacDonald had a farm +SELECT keyring_key_fetch('AES_s3'); +keyring_key_fetch('AES_s3') +Quis custodiet ipsos custodes +# keyring key_type_fetch tests +SELECT keyring_key_type_fetch('AES_g1'); +keyring_key_type_fetch('AES_g1') +AES +SELECT keyring_key_type_fetch('AES_g2'); +keyring_key_type_fetch('AES_g2') +AES +SELECT keyring_key_type_fetch('AES_g3'); +keyring_key_type_fetch('AES_g3') +AES +SELECT keyring_key_type_fetch('AES_s1'); +keyring_key_type_fetch('AES_s1') +AES +SELECT keyring_key_type_fetch('AES_s2'); +keyring_key_type_fetch('AES_s2') +AES +SELECT keyring_key_type_fetch('AES_s3'); +keyring_key_type_fetch('AES_s3') +AES +# keyring key_length_fetch tests +SELECT keyring_key_length_fetch('AES_g1'); +keyring_key_length_fetch('AES_g1') +16 +SELECT keyring_key_length_fetch('AES_g2'); +keyring_key_length_fetch('AES_g2') +32 +SELECT keyring_key_length_fetch('AES_g3'); +keyring_key_length_fetch('AES_g3') +64 +SELECT keyring_key_length_fetch('AES_s1'); +keyring_key_length_fetch('AES_s1') +40 +SELECT keyring_key_length_fetch('AES_s2'); +keyring_key_length_fetch('AES_s2') +24 +SELECT keyring_key_length_fetch('AES_s3'); +keyring_key_length_fetch('AES_s3') +29 +# Restarting the server +# keyring_key_fetch tests after restart +SELECT keyring_key_fetch('AES_g1') INTO @aes_g1_fetched_after_restart; +SELECT keyring_key_fetch('AES_g2') INTO @aes_g2_fetched_after_restart; +SELECT keyring_key_fetch('AES_g3') INTO @aes_g3_fetched_after_restart; +SELECT LENGTH(@aes_g1_fetched_after_restart); +LENGTH(@aes_g1_fetched_after_restart) +16 +SELECT LENGTH(@aes_g2_fetched_after_restart); +LENGTH(@aes_g2_fetched_after_restart) +32 +SELECT LENGTH(@aes_g3_fetched_after_restart); +LENGTH(@aes_g3_fetched_after_restart) +64 +SELECT keyring_key_fetch('AES_s1'); +keyring_key_fetch('AES_s1') +Quick brown fox jumped over the lazy dog +SELECT keyring_key_fetch('AES_s2'); +keyring_key_fetch('AES_s2') +Old MacDonald had a farm +SELECT keyring_key_fetch('AES_s3'); +keyring_key_fetch('AES_s3') +Quis custodiet ipsos custodes +# keyring key_type_fetch tests after restart +SELECT keyring_key_type_fetch('AES_g1'); +keyring_key_type_fetch('AES_g1') +AES +SELECT keyring_key_type_fetch('AES_g2'); +keyring_key_type_fetch('AES_g2') +AES +SELECT keyring_key_type_fetch('AES_g3'); +keyring_key_type_fetch('AES_g3') +AES +# keyring key_length_fetch tests after restart +SELECT keyring_key_length_fetch('AES_g1'); +keyring_key_length_fetch('AES_g1') +16 +SELECT keyring_key_length_fetch('AES_g2'); +keyring_key_length_fetch('AES_g2') +32 +SELECT keyring_key_length_fetch('AES_g3'); +keyring_key_length_fetch('AES_g3') +64 +# keyring_key_remove tests +SELECT keyring_key_remove('AES_g1'); +keyring_key_remove('AES_g1') +1 +SELECT keyring_key_remove('AES_g2'); +keyring_key_remove('AES_g2') +1 +SELECT keyring_key_remove('AES_g3'); +keyring_key_remove('AES_g3') +1 +SELECT keyring_key_remove('AES_s1'); +keyring_key_remove('AES_s1') +1 +SELECT keyring_key_remove('AES_s2'); +keyring_key_remove('AES_s2') +1 +SELECT keyring_key_remove('AES_s3'); +keyring_key_remove('AES_s3') +1 +# Tests for SECRET key type +# keyring_key_generate tests +SELECT keyring_key_generate('SECRET_g1', 'SECRET', 16); +keyring_key_generate('SECRET_g1', 'SECRET', 16) +1 +SELECT keyring_key_generate('SECRET_g2', 'SECRET', 32); +keyring_key_generate('SECRET_g2', 'SECRET', 32) +1 +SELECT keyring_key_generate('SECRET_g3', 'SECRET', 64); +keyring_key_generate('SECRET_g3', 'SECRET', 64) +1 +# keyring_key_store tests +SELECT keyring_key_store('SECRET_s1', 'SECRET', 'Quick brown fox jumped over the lazy dog'); +keyring_key_store('SECRET_s1', 'SECRET', 'Quick brown fox jumped over the lazy dog') +1 +SELECT keyring_key_store('SECRET_s2', 'SECRET', 'Old MacDonald had a farm'); +keyring_key_store('SECRET_s2', 'SECRET', 'Old MacDonald had a farm') +1 +SELECT keyring_key_store('SECRET_s3', 'SECRET', 'Quis custodiet ipsos custodes'); +keyring_key_store('SECRET_s3', 'SECRET', 'Quis custodiet ipsos custodes') +1 +# keyring_key_fetch tests +SELECT keyring_key_fetch('SECRET_g1') INTO @secret_g1_fetched; +SELECT keyring_key_fetch('SECRET_g2') INTO @secret_g2_fetched; +SELECT keyring_key_fetch('SECRET_g3') INTO @secret_g3_fetched; +SELECT LENGTH(@secret_g1_fetched); +LENGTH(@secret_g1_fetched) +16 +SELECT LENGTH(@secret_g2_fetched); +LENGTH(@secret_g2_fetched) +32 +SELECT LENGTH(@secret_g3_fetched); +LENGTH(@secret_g3_fetched) +64 +SELECT keyring_key_fetch('SECRET_s1'); +keyring_key_fetch('SECRET_s1') +Quick brown fox jumped over the lazy dog +SELECT keyring_key_fetch('SECRET_s2'); +keyring_key_fetch('SECRET_s2') +Old MacDonald had a farm +SELECT keyring_key_fetch('SECRET_s3'); +keyring_key_fetch('SECRET_s3') +Quis custodiet ipsos custodes +# keyring key_type_fetch tests +SELECT keyring_key_type_fetch('SECRET_g1'); +keyring_key_type_fetch('SECRET_g1') +SECRET +SELECT keyring_key_type_fetch('SECRET_g2'); +keyring_key_type_fetch('SECRET_g2') +SECRET +SELECT keyring_key_type_fetch('SECRET_g3'); +keyring_key_type_fetch('SECRET_g3') +SECRET +SELECT keyring_key_type_fetch('SECRET_s1'); +keyring_key_type_fetch('SECRET_s1') +SECRET +SELECT keyring_key_type_fetch('SECRET_s2'); +keyring_key_type_fetch('SECRET_s2') +SECRET +SELECT keyring_key_type_fetch('SECRET_s3'); +keyring_key_type_fetch('SECRET_s3') +SECRET +# keyring key_length_fetch tests +SELECT keyring_key_length_fetch('SECRET_g1'); +keyring_key_length_fetch('SECRET_g1') +16 +SELECT keyring_key_length_fetch('SECRET_g2'); +keyring_key_length_fetch('SECRET_g2') +32 +SELECT keyring_key_length_fetch('SECRET_g3'); +keyring_key_length_fetch('SECRET_g3') +64 +SELECT keyring_key_length_fetch('SECRET_s1'); +keyring_key_length_fetch('SECRET_s1') +40 +SELECT keyring_key_length_fetch('SECRET_s2'); +keyring_key_length_fetch('SECRET_s2') +24 +SELECT keyring_key_length_fetch('SECRET_s3'); +keyring_key_length_fetch('SECRET_s3') +29 +# Restarting the server +# keyring_key_fetch tests after restart +SELECT keyring_key_fetch('SECRET_g1') INTO @secret_g1_fetched_after_restart; +SELECT keyring_key_fetch('SECRET_g2') INTO @secret_g2_fetched_after_restart; +SELECT keyring_key_fetch('SECRET_g3') INTO @secret_g3_fetched_after_restart; +SELECT LENGTH(@secret_g1_fetched_after_restart); +LENGTH(@secret_g1_fetched_after_restart) +16 +SELECT LENGTH(@secret_g2_fetched_after_restart); +LENGTH(@secret_g2_fetched_after_restart) +32 +SELECT LENGTH(@secret_g3_fetched_after_restart); +LENGTH(@secret_g3_fetched_after_restart) +64 +SELECT keyring_key_fetch('SECRET_s1'); +keyring_key_fetch('SECRET_s1') +Quick brown fox jumped over the lazy dog +SELECT keyring_key_fetch('SECRET_s2'); +keyring_key_fetch('SECRET_s2') +Old MacDonald had a farm +SELECT keyring_key_fetch('SECRET_s3'); +keyring_key_fetch('SECRET_s3') +Quis custodiet ipsos custodes +# keyring key_type_fetch tests after restart +SELECT keyring_key_type_fetch('SECRET_g1'); +keyring_key_type_fetch('SECRET_g1') +SECRET +SELECT keyring_key_type_fetch('SECRET_g2'); +keyring_key_type_fetch('SECRET_g2') +SECRET +SELECT keyring_key_type_fetch('SECRET_g3'); +keyring_key_type_fetch('SECRET_g3') +SECRET +# keyring key_length_fetch tests after restart +SELECT keyring_key_length_fetch('SECRET_g1'); +keyring_key_length_fetch('SECRET_g1') +16 +SELECT keyring_key_length_fetch('SECRET_g2'); +keyring_key_length_fetch('SECRET_g2') +32 +SELECT keyring_key_length_fetch('SECRET_g3'); +keyring_key_length_fetch('SECRET_g3') +64 +# keyring_key_remove tests +SELECT keyring_key_remove('SECRET_g1'); +keyring_key_remove('SECRET_g1') +1 +SELECT keyring_key_remove('SECRET_g2'); +keyring_key_remove('SECRET_g2') +1 +SELECT keyring_key_remove('SECRET_g3'); +keyring_key_remove('SECRET_g3') +1 +SELECT keyring_key_remove('SECRET_s1'); +keyring_key_remove('SECRET_s1') +1 +SELECT keyring_key_remove('SECRET_s2'); +keyring_key_remove('SECRET_s2') +1 +SELECT keyring_key_remove('SECRET_s3'); +keyring_key_remove('SECRET_s3') +1 +# ---------------------------------------------------------------------- +# Clean-up +DROP FUNCTION keyring_key_store; +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_remove; +DROP FUNCTION keyring_key_generate; +DROP FUNCTION keyring_key_type_fetch; +DROP FUNCTION keyring_key_length_fetch; +UNINSTALL PLUGIN keyring_udf; +# ---------------------------------------------------------------------- +# ---------------------------------------------------------------------- +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_basic.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_basic.result new file mode 100644 index 000000000000..0b84a184c1d6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_basic.result @@ -0,0 +1,179 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# WL#9289 InnoDB transparent tablespace data encryption for undo log +# create bootstrap file +# Stop the MTR default DB server +# Test1: bootstrap with 2 undo tablespaces and with keyring. +# Run the bootstrap command with keyring +# Start the DB server with undo log encryption disabled, and no keyring. +# Taking backup of global manifest file for MySQL server +# Enable undo log encryption, should report error in server log, since keyring is not loaded. +SET GLOBAL innodb_undo_log_encrypt = ON; +Warnings: +Warning 7014 InnoDB: Undo log can't be encrypted if the keyring is not loaded. +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB; +ERROR HY000: Can't find master key from keyring, please check in the server log if a keyring is loaded and initialized successfully. +# Start the DB server with undo log encryption disabled and keyring loaded. It should success. +# Restore global manifest file for MySQL server from backup +# Enable undo log encryption, shouldn't report error in server log. +SET GLOBAL innodb_undo_log_encrypt = ON; +CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION='Y' ENGINE = InnoDB; +SHOW CREATE TABLE t1; +Table Create Table +t1 CREATE TABLE `t1` ( + `c1` int DEFAULT NULL, + `c2` char(20) DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1 ENCRYPTION='Y' +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +INSERT INTO t1 select * from t1; +CREATE TABLE t2(c1 INT, c2 char(20)) ENGINE = InnoDB; +INSERT INTO t2 select * from t1; +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +SELECT * FROM t2 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +# Start the DB server with undo log encryption enabled and keyring loaded. It should success. +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +SELECT * FROM t2 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +0 aaaaa +DROP TABLE t1,t2; +# Search for particular string of encryption metadata, should success since it's encrypted. +Pattern "lCC" found +CREATE TABLE t1(c1 INT, c2 char(20)) ENGINE = InnoDB; +START TRANSACTION; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +SET GLOBAL innodb_undo_log_encrypt = OFF; +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +SET GLOBAL innodb_undo_log_encrypt = ON; +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +COMMIT; +START TRANSACTION; +INSERT INTO t1 VALUES(6, "ggggg"); +SET GLOBAL innodb_undo_log_encrypt = OFF; +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +SET GLOBAL innodb_undo_log_encrypt = ON; +INSERT INTO t1 VALUES(9, "jjjjj"); +# Kill and restart to confirm the encryption info can be retrieved properly. +# Kill the server +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +DELETE FROM t1; +START TRANSACTION; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +# Start the DB server with undo log encryption disabled and keyring loaded. It should succeed. +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +ALTER INSTANCE ROTATE INNODB MASTER KEY; +INSERT INTO t1 VALUES(0, "aaaaa"); +INSERT INTO t1 VALUES(1, "bbbbb"); +INSERT INTO t1 VALUES(2, "ccccc"); +INSERT INTO t1 VALUES(3, "ddddd"); +INSERT INTO t1 VALUES(4, "eeeee"); +INSERT INTO t1 VALUES(5, "fffff"); +INSERT INTO t1 VALUES(6, "ggggg"); +INSERT INTO t1 VALUES(7, "hhhhh"); +INSERT INTO t1 VALUES(8, "iiiii"); +INSERT INTO t1 VALUES(9, "jjjjj"); +FLUSH ENGINE LOGS; +# Start the DB server with undo log encryption and keyring loaded. It should success. +SELECT * FROM t1 ORDER BY c1 LIMIT 10; +c1 c2 +0 aaaaa +1 bbbbb +2 ccccc +3 ddddd +4 eeeee +5 fffff +6 ggggg +7 hhhhh +8 iiiii +9 jjjjj +# Cleanup +DROP TABLE t1; +# restart the server with MTR default +# Remove residue files +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_bootstrap.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_bootstrap.result new file mode 100644 index 000000000000..1c0c2997c836 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_bootstrap.result @@ -0,0 +1,46 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# create bootstrap file +# Stop the MTR default DB server +# Taking backup of global manifest file for MySQL server +# Run the bootstrap command with no keyring +# Restore global manifest file for MySQL server from backup +# Run the bootstrap command with keyring +# Search for particular string of encryption metadata, should success since it's encrypted. +Pattern "lCC" found +# Taking backup of global manifest file for MySQL server +# Start the DB server with undo log encryption disabled and keyring loaded. It should success. +# Restore global manifest file for MySQL server from backup +SET GLOBAL innodb_undo_log_encrypt = ON; +CREATE TABLE tab1(c1 INT, c2 VARCHAR(30)); +START TRANSACTION; +INSERT INTO tab1 VALUES (100,REPEAT('a',5)),(200,REPEAT('b',5)); +SELECT * FROM tab1; +c1 c2 +100 aaaaa +200 bbbbb +COMMIT; +SET GLOBAL innodb_undo_log_encrypt = OFF; +START TRANSACTION; +INSERT INTO tab1 VALUES (300,REPEAT('a',5)),(400,REPEAT('b',5)); +COMMIT; +SELECT * FROM tab1; +c1 c2 +100 aaaaa +200 bbbbb +300 aaaaa +400 bbbbb +DROP TABLE tab1; +Pattern "lCC" found +Pattern "lCC" found +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_crash.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_crash.result new file mode 100644 index 000000000000..ea44059db8eb --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_encrypt_crash.result @@ -0,0 +1,45 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# bug#30209760 : ASSERTION FAILURE: SRV0START.CC:969:SUCCESS THREAD +# +######### +# SETUP # +######### +# Create path for ibdata* & undo* files +# create bootstrap file +# Stop the MTR default DB server +######################################################################### +# INITIALIZE NEW SERVER +######################################################################### +# Taking backup of global manifest file for MySQL server +# Server should be initialized successfully. +######################################################################### +# RESTART 2 : WITH KEYRING. +innodb_undo_log_encrypt=ON. +Crash server before purge thread could start. +######################################################################### +# Restore global manifest file for MySQL server from backup +######################################################################### +# RESTART 3 : WITH KEYRING. +innodb_undo_log_encrypt=ON. +Skip rotating default master key in master thread +######################################################################### +######################################################################### +# RESTART 4 : WITH KEYRING. +innodb_undo_log_encrypt=OFF. +######################################################################### +########### +# CLEANUP # +########### +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_tablespace_encrypt.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_tablespace_encrypt.result new file mode 100644 index 000000000000..63bb21060a27 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/undo_tablespace_encrypt.result @@ -0,0 +1,83 @@ +# ---------------------------------------------------------------------- +# Setup +# Creating custom global manifest file for MySQL server +# Creating custom global configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +# +# Bug #29492911 : ENABLING UNDO-TABLESPACE ENCRYPTION DOESN'T MARK TABLESPACE ENCRYPTION FLAG +# +SHOW VARIABLES LIKE "%innodb_undo_log_encrypt%"; +Variable_name Value +innodb_undo_log_encrypt OFF +# Taking backup of global manifest file for MySQL server +############################################################################### +# With keyring and innodb_undo_log_encrypt=ON +############################################################################### +# Restore global manifest file for MySQL server from backup +SHOW VARIABLES LIKE "%innodb_undo_log_encrypt%"; +Variable_name Value +innodb_undo_log_encrypt ON +# Create a new UNDO tablespace. Should be created as ENCRYPTED. +CREATE UNDO TABLESPACE undo_3 ADD DATAFILE 'undo_3.ibu'; +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo Y active +innodb_undo_002 Undo Y active +undo_3 Undo Y active +SET GLOBAL innodb_undo_log_encrypt=OFF; +SHOW VARIABLES LIKE "%innodb_undo_log_encrypt%"; +Variable_name Value +innodb_undo_log_encrypt OFF +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo N active +innodb_undo_002 Undo N active +undo_3 Undo N active +# Create a new UNDO tablespace. Should be created as UNENCRYPTED. +CREATE UNDO TABLESPACE undo_4 ADD DATAFILE 'undo_4.ibu'; +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo N active +innodb_undo_002 Undo N active +undo_3 Undo N active +undo_4 Undo N active +SET GLOBAL innodb_undo_log_encrypt=ON; +SHOW VARIABLES LIKE "%innodb_undo_log_encrypt%"; +Variable_name Value +innodb_undo_log_encrypt ON +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo Y active +innodb_undo_002 Undo Y active +undo_3 Undo Y active +undo_4 Undo Y active +############################################################################### +# With keyring and innodb_undo_log_encrypt=OFF +############################################################################### +ALTER UNDO TABLESPACE undo_3 set INACTIVE; +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo N active +innodb_undo_002 Undo N active +undo_3 Undo N inactive +undo_4 Undo N active +DROP UNDO TABLESPACE undo_3; +ALTER UNDO TABLESPACE undo_4 set INACTIVE; +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo N active +innodb_undo_002 Undo N active +undo_4 Undo N inactive +DROP UNDO TABLESPACE undo_4; +SELECT NAME, SPACE_TYPE, ENCRYPTION, STATE FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE SPACE_TYPE='Undo'; +NAME SPACE_TYPE ENCRYPTION STATE +innodb_undo_001 Undo N active +innodb_undo_002 Undo N active +# ---------------------------------------------------------------------- +# Teardown +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing global configuration file for keyring component: component_percona_keyring_encrypted_file +# Removing global manifest file for MySQL server +# Restarting server without the manifest file +# ---------------------------------------------------------------------- diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/r/wrong_password.result b/mysql-test/suite/component_percona_keyring_encrypted_file/r/wrong_password.result new file mode 100644 index 000000000000..326778c47a04 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/r/wrong_password.result @@ -0,0 +1,38 @@ +# Phase 1: Start with correct password and populate the keyring file +# ---------------------------------------------------------------------- +# Setup +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Creating manifest file for current MySQL server instance +# Re-starting mysql server with manifest file +# ---------------------------------------------------------------------- +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +CALL mtr.add_suppression(".*Failed to decrypt keyring file.*"); +ALTER INSTANCE ROTATE INNODB MASTER KEY; +# Phase 2: Restart with a wrong password +# Creating local configuration file for keyring component: component_percona_keyring_encrypted_file +# Re-starting mysql server with manifest file +# Keyring must be Disabled - wrong password cannot decrypt the file +SELECT * FROM performance_schema.keyring_component_status; +STATUS_KEY STATUS_VALUE +Component_name component_percona_keyring_encrypted_file +Author Percona +License GPL +Implementation_name component_percona_keyring_encrypted_file +Version 1.0 +Component_status Disabled +Data_file +Read_only +Password +Password_file +Iterations +# Error log must record the decryption failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present +FROM performance_schema.error_log +WHERE DATA LIKE '%Failed to decrypt keyring file%'; +error_present +FOUND +# Teardown +# Removing manifest file for current MySQL server instance +# Removing local keyring file for keyring component: component_percona_keyring_encrypted_file +# Removing local configuration file for keyring component: component_percona_keyring_encrypted_file +# Restarting server without the manifest file diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_rename_table.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_rename_table.test new file mode 100644 index 000000000000..9a351b6a6d72 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_rename_table.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/encryption/alter_rename_table_tests.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_table.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_table.test new file mode 100644 index 000000000000..0d96c750a0f4 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/alter_table.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/encryption/alter_table_tests.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt-master.opt new file mode 100644 index 000000000000..3d385b83ea9f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt-master.opt @@ -0,0 +1,3 @@ +$CLONE_PLUGIN_OPT +$EXAMPLE_PLUGIN_OPT +--log_error_verbosity=3 diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt.test new file mode 100644 index 000000000000..2336c767c6e5 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_local_encrypt.test @@ -0,0 +1,13 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source include/have_innodb_max_16k.inc +--source include/have_debug_sync.inc +--source include/count_sessions.inc + +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/mats/clone_local_encrypt.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt-master.opt new file mode 100644 index 000000000000..3d385b83ea9f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt-master.opt @@ -0,0 +1,3 @@ +$CLONE_PLUGIN_OPT +$EXAMPLE_PLUGIN_OPT +--log_error_verbosity=3 diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt.test new file mode 100644 index 000000000000..21b67c41ad39 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/clone_remote_encrypt.test @@ -0,0 +1,11 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# Test remote clone with different table types with debug sync + +--source include/have_innodb_max_16k.inc + +--let $HOST = 127.0.0.1 +--let $PORT =`select @@port` +--let $USER = root +--let remote_clone = 1 + +--source clone_local_encrypt.test diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/corrupt_keyring_file.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/corrupt_keyring_file.test new file mode 100644 index 000000000000..db458c1c8825 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/corrupt_keyring_file.test @@ -0,0 +1,42 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: corrupt_keyring_file +# Verifies that a keyring file containing arbitrary bytes (not valid +# IV+ciphertext) is rejected cleanly. The component must report Disabled +# status and log a read failure rather than crashing or silently discarding +# existing keys. + +--echo # Phase 1: Normal startup to create and populate the keyring file +--source ../inc/setup_component.inc + +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +CALL mtr.add_suppression(".*Failed to decrypt keyring file.*"); + +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo # Overwrite the keyring file with garbage content +--perl + use strict; + my $file_path = $ENV{'KEYRING_FILE_PATH'}; + open(my $fh, '>', $file_path) or die "Cannot open '$file_path': $!"; + print $fh "This is corrupted keyring data"; + close($fh); +EOF + +--echo # Phase 2: Restart - backend must reject the corrupt file +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Keyring must be Disabled +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +SELECT * FROM performance_schema.keyring_component_status; + +--echo # Error log must record the read failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present + FROM performance_schema.error_log + WHERE DATA LIKE '%Failed to decrypt keyring file%'; + +--echo # Teardown +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/create_table.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/create_table.test new file mode 100644 index 000000000000..0fcb85bbd09f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/create_table.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/create_table_tests.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/database.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/database.test new file mode 100644 index 000000000000..f620a1b98c3c --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/database.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/database.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/dynamic_loading.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/dynamic_loading.test new file mode 100644 index 000000000000..a832e9cd1de9 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/dynamic_loading.test @@ -0,0 +1,4 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +--let $DLOPEN_CHECKER_LIBRARY_PATH = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR/$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT +--source include/keyring_tests/mats/dynamic_loading.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/empty_password.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/empty_password.test new file mode 100644 index 000000000000..79ce4dfbc758 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/empty_password.test @@ -0,0 +1,41 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: empty_password +# Verifies that an empty string is a valid password value: the component +# initializes successfully, can store and retrieve keys, and survives a +# restart with the same empty password. + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT +--let CURRENT_DATADIR = `SELECT @@datadir` +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false, \"password\": \"\"}')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Empty password: component must be Active; password shows as +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +SELECT * FROM performance_schema.keyring_component_status; + +--echo # Populate keyring file +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo # Restart with same empty password - encrypted file must still be readable +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Component must remain Active after restart +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status + WHERE STATUS_KEY = 'Component_status'; + +--echo # Teardown +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/encrypt_explicit.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/encrypt_explicit.test new file mode 100644 index 000000000000..39d883aab793 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/encrypt_explicit.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source include/have_innodb_16k.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/encrypt_explicit.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/engine.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/engine.test new file mode 100644 index 000000000000..5e4706f6316f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/engine.test @@ -0,0 +1,4 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source ../inc/setup_component.inc +--source include/keyring_tests/encryption/engine.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/import_compress_encrypt.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/import_compress_encrypt.test new file mode 100644 index 000000000000..6de0205aacc4 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/import_compress_encrypt.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# InnoDB tablespace import with compression + encryption +--source include/have_lowercase0.inc +--source include/have_innodb_16k.inc +--source include/have_punch_hole.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/import_compress_encrypt.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_component_status.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_component_status.test new file mode 100644 index 000000000000..c70190e690c1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_component_status.test @@ -0,0 +1,5 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/keyring_component_status.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_encryption_test.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_encryption_test.test new file mode 100644 index 000000000000..d0f7d0b5c31b --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/keyring_encryption_test.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source ../inc/setup_component_customized.inc + +--let KEYRING_COMPONENT = $COMPONENT_NAME +--source include/keyring_tests/mats/keyring_encryption.inc + +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/load.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/load.test new file mode 100644 index 000000000000..2475f8c4a217 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/load.test @@ -0,0 +1,5 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# Load-Unload test for component_keyring_file + +--source ../inc/setup_component.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/load_windows.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/load_windows.test new file mode 100644 index 000000000000..eb3ad38b1e41 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/load_windows.test @@ -0,0 +1,39 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/windows.inc + +--echo # +--echo # Bug #32950322: SERVER GIVES ERROR WHILE LOADING COMPONENT ON WINDOWS +--echo # + +--echo # ---------------------------------------------------------------------- +--echo # Setup + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT + +# Data directory location +--let CURRENT_DATADIR = `SELECT @@datadir` + +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +# Create local keyring config +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file')` +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false, \"password\": \"secret_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +# Create local windows line ending manifest file for current server instance +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{\r\n \"components\": \"file://', '$COMPONENT_NAME', '\"\r\n }\r\n')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +# Restart server with manifest file +--source include/keyring_tests/helper/start_server_with_manifest.inc +--echo # ---------------------------------------------------------------------- + +# Success criteria: should not produce warnings and should load the component +--let $expected_errors=0 +--let $assert_text= Expect MY-013709 to appear $expected_error times. +-- let $assert_cond= [SELECT COUNT(*) as received_errors FROM performance_schema.error_log WHERE error_code="MY-013709", received_errors, 1] = $expected_errors +--source include/assert.inc + +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_1.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_1.test new file mode 100644 index 000000000000..afe599b18dd6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_1.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# WL#9290 InnoDB: Support transparent tablespace data encryption for redo log +# This test case will test basic redo log encryption support features. + +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/log_encrypt_1.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_2.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_2.test new file mode 100644 index 000000000000..f0e77e4fb2c6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_2.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# WL#9290 InnoDB: Support transparent tablespace data encryption for redo log +# This test case will test basic redo log encryption support features. + +--source include/no_valgrind_without_big.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/log_encrypt_2.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_3.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_3.test new file mode 100644 index 000000000000..a56d66dfbd05 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_3.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# WL#9290 InnoDB: Support transparent tablespace data encryption for redo log +# This test case will test basic redo log encryption support features. + +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/log_encrypt_3.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_4.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_4.test new file mode 100644 index 000000000000..d90b31380836 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_4.test @@ -0,0 +1,15 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +# InnoDB transparent encryption on redo log. +# This test case will check innodb_redo_innodb/log_encrypt=ON/OFF with bootstrap +# and start server by setting innodb_redo_innodb/log_encrypt=ON/OFF + +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/log_encrypt_4.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_5.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_5.test new file mode 100644 index 000000000000..8a8fbc9466bb --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_5.test @@ -0,0 +1,14 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +# InnoDB transparent encryption on redo log. +# This test case will test basic encryption support features. + +--source include/no_valgrind_without_big.inc +--source include/not_windows.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/log_encrypt_5.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_6.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_6.test new file mode 100644 index 000000000000..52ca3c1d955d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_6.test @@ -0,0 +1,15 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +# Test tries restart after redo log encryption is enabled +# - Error :restart without keyring +# - Pass :restart without keyring and --innodb_force_recovery=6 +# - Pass :remove redo files,restart without keyring + +--source include/no_valgrind_without_big.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/log_encrypt_6.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_kill.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_kill.test new file mode 100644 index 000000000000..e98d1abbd5db --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/log_encrypt_kill.test @@ -0,0 +1,15 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +# InnoDB transparent encryption on redo log and undo log +# This test case will test basic encryption support with +# concuurent execution and + +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/log_encrypt_kill.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/migrate_keyring.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/migrate_keyring.test new file mode 100644 index 000000000000..829103da3f56 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/migrate_keyring.test @@ -0,0 +1,231 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_component_keyring_file.inc + +--echo *** Determining keyring component names +--let $MYSQLD_DATADIR = `SELECT @@datadir` + +--let $ENCRYPTED_FILE_COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let $ENCRYPTED_FILE_COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$ENCRYPTED_FILE_COMPONENT_LIBRARY', '.', 1)` + +--let $KEYRING_FILE_COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$KEYRING_FILE_COMPONENT_LOAD', '=', -1)` +--let $KEYRING_FILE_COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$KEYRING_FILE_COMPONENT_LIBRARY', '.', 1)` + +--echo *** Setting up percona_keyring_encrypted_file component +--source ../inc/setup_component.inc + +--echo *** Asserting that percona_keyring_encrypted_file is installed and active +--assert (`SELECT STATUS_VALUE = '$ENCRYPTED_FILE_COMPONENT_NAME' FROM performance_schema.keyring_component_status WHERE STATUS_KEY = 'Component_name'`) +--assert (`SELECT STATUS_VALUE = 'Active' FROM performance_schema.keyring_component_status WHERE STATUS_KEY = 'Component_status'`) + +--echo *** Creating an encrypted table and filling it with some data +CREATE TABLE t1( + id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, + PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t1 VALUES(DEFAULT); +--let $t1_checksum = query_get_value(CHECKSUM TABLE t1, Checksum, 1) + +--echo *** Extracting InnoDB master key name +SELECT KEY_ID INTO @t1_key_id FROM performance_schema.keyring_keys; +--let $stored_t1_key_id = `SELECT @t1_key_id` + +--echo *** Rotating InnoDB master key +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo *** Creating another encrypted table and filling it with some data +CREATE TABLE t2( + id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT, + PRIMARY KEY(id) +) ENCRYPTION="Y" ENGINE=InnoDB; +INSERT INTO t2 VALUES(42); +--let $t2_checksum = query_get_value(CHECKSUM TABLE t2, Checksum, 1) + +--echo *** Extracting InnoDB master key name after rotation +SELECT KEY_ID INTO @t2_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id; +--let $stored_t2_key_id = `SELECT @t2_key_id` + +--echo *** Installing keyring UDF plugin +--disable_query_log +eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_generate RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +--enable_query_log + +--echo *** Manually generating an AES key in the keyring via keyring_key_generate() UDF +--let $stored_custom_key_id = CustomKey +--let $stored_custom_key_type = AES +--let $stored_custom_key_length = 32 +eval SELECT keyring_key_generate ('$stored_custom_key_id', '$stored_custom_key_type', $stored_custom_key_length); + +--echo *** Extracting custom key metadata +SELECT KEY_ID INTO @custom_key_id FROM performance_schema.keyring_keys WHERE KEY_ID != @t1_key_id AND KEY_ID != @t2_key_id; +--assert (`SELECT @custom_key_id = '$stored_custom_key_id'`) +--assert (`SELECT keyring_key_type_fetch(@custom_key_id) = '$stored_custom_key_type'`) +--assert (`SELECT keyring_key_length_fetch(@custom_key_id) = '$stored_custom_key_length'`) +--let $stored_custom_key_data_hex = `SELECT HEX(keyring_key_fetch(@custom_key_id))` + +--echo *** Uninstalling keyring UDF plugin +--disable_query_log +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_length_fetch; +DROP FUNCTION keyring_key_type_fetch; +DROP FUNCTION keyring_key_generate; +UNINSTALL PLUGIN keyring_udf; +--enable_query_log + +--echo *** Preparing component_keyring_file config content +--let $KEYRING_FILE_DATA_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_file_plain')` +--let $KEYRING_FILE_CONFIG_CONTENT = `SELECT JSON_OBJECT('path', '$KEYRING_FILE_DATA_FILE_PATH', 'read_only', FALSE)` +--let $LOCAL_KEYRING_FILE_MANIFEST_CONTENT = `SELECT JSON_OBJECT('components', CONCAT('file://', '$KEYRING_FILE_COMPONENT_NAME'))` + + +--echo +--echo ************************************************************************************ +--echo *** Checking percona_keyring_encrypted_file -> component_keyring_file migration *** +--echo ************************************************************************************ +--echo + +--echo *** Stopping the server (original, with percona_keyring_encrypted_file) +--source include/stop_mysqld.inc + +--echo *** Creating local component_keyring_file config +--let COMPONENT_NAME = $KEYRING_FILE_COMPONENT_NAME +--let CURRENT_DATADIR = $MYSQLD_DATADIR +--let KEYRING_CONFIG_CONTENT = $KEYRING_FILE_CONFIG_CONTENT +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--echo *** Executing keyring data migration utility (percona_keyring_encrypted_file -> component_keyring_file) +--exec $MYSQL_MIGRATE_KEYRING --component-dir=$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR --source-keyring=$ENCRYPTED_FILE_COMPONENT_NAME --source-keyring-configuration-dir=$MYSQLD_DATADIR --destination-keyring=$KEYRING_FILE_COMPONENT_NAME --destination-keyring-configuration-dir=$MYSQLD_DATADIR >/dev/null 2>&1 + +--echo *** Backing up local manifest file for current server instance with percona_keyring_encrypted_file +--let CURRENT_DATADIR = $MYSQLD_DATADIR +--source include/keyring_tests/helper/instance_backup_manifest.inc + +--echo *** Creating local manifest file for current server instance with component_keyring_file +--let CURRENT_DATADIR = $MYSQLD_DATADIR +--let LOCAL_MANIFEST_CONTENT = $LOCAL_KEYRING_FILE_MANIFEST_CONTENT +--source include/keyring_tests/helper/instance_create_manifest.inc + +--echo *** Starting the server (with component_keyring_file) +--let $restart_parameters = restart: $KEYRING_FILE_COMPONENT_OPT +--let $do_not_echo_parameters = 1 +--source include/start_mysqld.inc + +--echo *** Asserting that component_keyring_file is installed and active +--assert (`SELECT STATUS_VALUE = '$KEYRING_FILE_COMPONENT_NAME' FROM performance_schema.keyring_component_status WHERE STATUS_KEY = 'Component_name'`) +--assert (`SELECT STATUS_VALUE = 'Active' FROM performance_schema.keyring_component_status WHERE STATUS_KEY = 'Component_status'`) + +--echo *** Installing keyring UDF plugin once again after keyring component switch +--disable_query_log +eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +--enable_query_log + +--echo *** Asserting that keys stored in percona_keyring_encrypted_file successfully migrated to component_keyring_file +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t1_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t2_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_custom_key_id'`) + +--assert (`SELECT keyring_key_type_fetch('$stored_custom_key_id') = '$stored_custom_key_type'`) +--assert (`SELECT keyring_key_length_fetch('$stored_custom_key_id') = '$stored_custom_key_length'`) +--assert (`SELECT HEX(keyring_key_fetch('$stored_custom_key_id')) = '$stored_custom_key_data_hex'`) + +--echo *** Uninstalling keyring UDF plugin once again after keyring component switch +--disable_query_log +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_length_fetch; +DROP FUNCTION keyring_key_type_fetch; +UNINSTALL PLUGIN keyring_udf; +--enable_query_log + +--echo *** Asserting that data can be read from the sample tables +--let $t1_checksum_after_switch = query_get_value(CHECKSUM TABLE t1, Checksum, 1) +--assert (`SELECT $t1_checksum_after_switch = $t1_checksum`) +--let $t2_checksum_after_switch = query_get_value(CHECKSUM TABLE t2, Checksum, 1) +--assert (`SELECT $t2_checksum_after_switch = $t2_checksum`) + +--echo *** Preparing percona_keyring_encrypted_file config content for back-migration +--let $ENCRYPTED_FILE_DATA_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_file')` +--let $ENCRYPTED_FILE_CONFIG_CONTENT = `SELECT CONCAT('{ "path": "', '$ENCRYPTED_FILE_DATA_FILE_PATH', '", "read_only": false, "password": "secret_password", "iterations": 42 }')` +--let $LOCAL_ENCRYPTED_FILE_MANIFEST_CONTENT = `SELECT JSON_OBJECT('components', CONCAT('file://', '$ENCRYPTED_FILE_COMPONENT_NAME'))` + + +--echo +--echo ************************************************************************************ +--echo *** Checking component_keyring_file -> percona_keyring_encrypted_file migration *** +--echo ************************************************************************************ +--echo + +--echo *** Stopping the server (with component_keyring_file) +--source include/stop_mysqld.inc + +--echo *** Creating local percona_keyring_encrypted_file config +--let COMPONENT_NAME = $ENCRYPTED_FILE_COMPONENT_NAME +--let CURRENT_DATADIR = $MYSQLD_DATADIR +--let KEYRING_CONFIG_CONTENT = $ENCRYPTED_FILE_CONFIG_CONTENT +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--echo *** Removing original encrypted keyring file to prepare a fresh migration destination +--remove_file $ENCRYPTED_FILE_DATA_FILE_PATH + +--echo *** Executing keyring data migration utility (component_keyring_file -> percona_keyring_encrypted_file) +--exec $MYSQL_MIGRATE_KEYRING --verbose --component-dir=$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR --source-keyring=$KEYRING_FILE_COMPONENT_NAME --source-keyring-configuration-dir=$MYSQLD_DATADIR --destination-keyring=$ENCRYPTED_FILE_COMPONENT_NAME --destination-keyring-configuration-dir=$MYSQLD_DATADIR 2>&1 >/dev/null + +--echo *** Removing component_keyring_file data file +--remove_file $KEYRING_FILE_DATA_FILE_PATH + +--echo *** Restoring local manifest file for current server instance with percona_keyring_encrypted_file +--let CURRENT_DATADIR = $MYSQLD_DATADIR +--source include/keyring_tests/helper/instance_restore_manifest.inc + +--echo *** Starting the server (with percona_keyring_encrypted_file) +--let $restart_parameters = restart: $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT +--let $do_not_echo_parameters = 1 +--source include/start_mysqld.inc + +--echo *** Asserting that percona_keyring_encrypted_file is installed and active again +--assert (`SELECT STATUS_VALUE = '$ENCRYPTED_FILE_COMPONENT_NAME' FROM performance_schema.keyring_component_status WHERE STATUS_KEY = 'Component_name'`) +--assert (`SELECT STATUS_VALUE = 'Active' FROM performance_schema.keyring_component_status WHERE STATUS_KEY = 'Component_status'`) + +--echo *** Installing keyring UDF plugin once again after keyring component switch back +--disable_query_log +eval INSTALL PLUGIN keyring_udf SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_type_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_length_fetch RETURNS INTEGER SONAME '$KEYRING_UDF'; +eval CREATE FUNCTION keyring_key_fetch RETURNS STRING SONAME '$KEYRING_UDF'; +--enable_query_log + +--echo *** Asserting that keys stored in component_keyring_file successfully migrated to percona_keyring_encrypted_file +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t1_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_t2_key_id'`) +--assert (`SELECT COUNT(*) = 1 FROM performance_schema.keyring_keys WHERE KEY_ID = '$stored_custom_key_id'`) + +--assert (`SELECT keyring_key_type_fetch('$stored_custom_key_id') = '$stored_custom_key_type'`) +--assert (`SELECT keyring_key_length_fetch('$stored_custom_key_id') = '$stored_custom_key_length'`) +--assert (`SELECT HEX(keyring_key_fetch('$stored_custom_key_id')) = '$stored_custom_key_data_hex'`) + +--echo *** Uninstalling keyring UDF plugin once again after keyring component switch back +--disable_query_log +DROP FUNCTION keyring_key_fetch; +DROP FUNCTION keyring_key_length_fetch; +DROP FUNCTION keyring_key_type_fetch; +UNINSTALL PLUGIN keyring_udf; +--enable_query_log + +--echo *** Asserting that data can be read from the sample tables +--let $t1_checksum_after_switch = query_get_value(CHECKSUM TABLE t1, Checksum, 1) +--assert (`SELECT $t1_checksum_after_switch = $t1_checksum`) +--let $t2_checksum_after_switch = query_get_value(CHECKSUM TABLE t2, Checksum, 1) +--assert (`SELECT $t2_checksum_after_switch = $t2_checksum`) + + +--echo *** Dropping the sample tables +DROP TABLE t2; +DROP TABLE t1; + +--echo *** Tearing down percona_keyring_encrypted_file component +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_1.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_1.test new file mode 100644 index 000000000000..561c57188ca1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_1.test @@ -0,0 +1,25 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +################################################################################ +# InnoDB transparent tablespace data encryption for mysql tablespace. +# For mysql tablespace, this test will test +# 1 - Normal alter encryption +# - encryption='y' to encryption='n' +# - encryption='n' to encryption='y' +# 2 - Crash during altering mysql tablespace encryption +# - encryption='y' to encryption='n' +# - encryption='n' to encryption='y' +# 3 - Crash +# - just before encryption processing starts +# - just after encryption processing finishes +# 4 - Crash during master key rotation +# 5 - Privilege check +################################################################################ + +--source include/big_test.inc +--source include/have_debug.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/mysql_ts_alter_encrypt_1.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_2.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_2.test new file mode 100644 index 000000000000..5404703a8565 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysql_ts_alter_encrypt_2.test @@ -0,0 +1,29 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +################################################################################ +# InnoDB transparent tablespace data encryption for mysql.tablespace. +# For mysql.tablespace, this test will test +# 1 - Alter mysql.tablespace with +# - and without loading keyring plugin +# - valid/invalid encryption option +# -ENCRYPTION='n' to ENCRYPTION='y' +# 2 - Actual encryption taking place or not +# 3 - Create/Alter table using mysql.tablespace +# 4 - Alter table part of innodb_file_per_table/general/innodb_system/mysql ts to mysql ts +# 5 - Create view using mysql.tablespace +# 6 - Delete/truncate/drop DD table part of mysql tablespace +# 7 - Changing encryption attribute of tables in mysql tablespace +# 8 - Restart with same keyring plugin option and access mysql tables +# 9 - Restart without keyring plugin option, Install plugin explicitly and alter encryption to Y +# 10 - Monitor progress of encryption in performance_schema table +# 11 - Rename/drop mysql tablespace +# 12 - Create tablespace with name as mysql +################################################################################ + +--source include/big_test.inc +--source include/have_debug.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/mysql_ts_alter_encrypt_2.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysqldump.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysqldump.test new file mode 100644 index 000000000000..9be5ff5abcf8 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/mysqldump.test @@ -0,0 +1,8 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +--source include/no_valgrind_without_big.inc +--source include/have_case_sensitive_file_system.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/encryption/mysqldump.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/no_password.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/no_password.test new file mode 100644 index 000000000000..c5c4fe652bcb --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/no_password.test @@ -0,0 +1,38 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: no_password +# Verifies that initialization fails gracefully when the 'password' field is +# absent from the keyring configuration file. + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT +--let CURRENT_DATADIR = `SELECT @@datadir` +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +--let KEYRING_FILE_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_file')` +# Config intentionally omits the 'password' field +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +CALL mtr.add_suppression(".*The component is not initialized properly.*"); + +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Component loaded but Disabled - neither 'password' nor 'password_file' in config +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +SELECT * FROM performance_schema.keyring_component_status; + +--echo # Error log must record the config parse failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present + FROM performance_schema.error_log + WHERE DATA LIKE '%Either%password%password_file%must be specified%'; + +--echo # Teardown +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_and_password_file.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_and_password_file.test new file mode 100644 index 000000000000..3f2c4105c8c6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_and_password_file.test @@ -0,0 +1,45 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: password_and_password_file +# Verifies that specifying both 'password' and 'password_file' in the config +# is rejected: the component must report Disabled status and log an error. + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT +--let CURRENT_DATADIR = `SELECT @@datadir` +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +--let KEYRING_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_file')` +--let PASSWORD_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_password_file')` + +--write_file $PASSWORD_FILE_PATH +secret_password +EOF + +# Config specifies both 'password' and 'password_file' - mutually exclusive +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH', '\", \"read_only\": false, \"password\": \"secret_password\", \"password_file\": \"', '$PASSWORD_FILE_PATH', '\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +CALL mtr.add_suppression(".*The component is not initialized properly.*"); + +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Component must be Disabled - both 'password' and 'password_file' given +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status + WHERE STATUS_KEY = 'Component_status'; + +--echo # Error log must record the mutual exclusivity violation +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present + FROM performance_schema.error_log + WHERE DATA LIKE '%Only one of%password%password_file%'; + +--echo # Teardown +--remove_file $PASSWORD_FILE_PATH +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file.test new file mode 100644 index 000000000000..aab63e3a3821 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file.test @@ -0,0 +1,48 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: password_file +# Verifies that using 'password_file' works identically to 'password': +# the component initializes, can store keys, and survives a restart. + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT +--let CURRENT_DATADIR = `SELECT @@datadir` +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +--let KEYRING_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_file')` +--let PASSWORD_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_password_file')` + +# Write the password to a separate file (treated as a raw BLOB) +--write_file $PASSWORD_FILE_PATH +secret_password +EOF + +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH', '\", \"read_only\": false, \"password_file\": \"', '$PASSWORD_FILE_PATH', '\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # password_file: component must be Active; Password shows , Password_file shows the path +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +SELECT * FROM performance_schema.keyring_component_status; + +--echo # Populate keyring file +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo # Restart with the same password_file - encrypted file must still be readable +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Component must remain Active after restart +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status + WHERE STATUS_KEY = 'Component_status'; + +--echo # Teardown +--remove_file $PASSWORD_FILE_PATH +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file_not_found.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file_not_found.test new file mode 100644 index 000000000000..60d945ed7fe6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/password_file_not_found.test @@ -0,0 +1,40 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: password_file_not_found +# Verifies that when 'password_file' points to a non-existent file the +# component fails to initialize and reports Disabled status. + +--let PLUGIN_DIR_OPT = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT +--let CURRENT_DATADIR = `SELECT @@datadir` +--let COMPONENT_LIBRARY = `SELECT SUBSTRING_INDEX('$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_LOAD', '=', -1)` +--let COMPONENT_DIR = $PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_DIR +--let COMPONENT_NAME = `SELECT SUBSTRING_INDEX('$COMPONENT_LIBRARY', '.', 1)` + +--let KEYRING_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/keyring_file')` +# Point to a path that does not exist +--let PASSWORD_FILE_PATH = `SELECT CONCAT('$MYSQLTEST_VARDIR', '/this_file_does_not_exist')` + +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH', '\", \"read_only\": false, \"password_file\": \"', '$PASSWORD_FILE_PATH', '\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--let LOCAL_MANIFEST_CONTENT = `SELECT CONCAT('{ \"components\": \"file://', '$COMPONENT_NAME', '\" }')` +--source include/keyring_tests/helper/instance_create_manifest.inc + +CALL mtr.add_suppression(".*The component is not initialized properly.*"); + +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Component must be Disabled - password_file path does not exist +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status + WHERE STATUS_KEY = 'Component_status'; + +--echo # Error log must record the file-open failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present + FROM performance_schema.error_log + WHERE DATA LIKE '%Could not open password file%'; + +--echo # Teardown +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_keyring.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_keyring.test new file mode 100644 index 000000000000..68e2c587e218 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_keyring.test @@ -0,0 +1,20 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: reload_keyring +# Verifies that ALTER INSTANCE RELOAD KEYRING succeeds when the password +# in the config matches the encrypted file, and that the component remains +# Active with keys still accessible after the reload. + +--source ../inc/setup_component.inc + +--echo # Populate keyring file +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo # Reload with unchanged (correct) config must succeed +ALTER INSTANCE RELOAD KEYRING; + +--echo # Component must remain Active after successful reload +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +SELECT * FROM performance_schema.keyring_component_status; + +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_wrong_password.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_wrong_password.test new file mode 100644 index 000000000000..666299e5746e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/reload_wrong_password.test @@ -0,0 +1,29 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: reload_wrong_password +# Verifies that ALTER INSTANCE RELOAD KEYRING fails gracefully when the +# password in the config does not match the encryption of the on-disk file, +# and that the existing in-memory keyring state is preserved (reload is +# non-destructive on failure). + +--source ../inc/setup_component.inc + +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +CALL mtr.add_suppression(".*Failed to decrypt keyring file.*"); + +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo # Update config to a different password without re-encrypting the file +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false, \"password\": \"new_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--echo # Reload must fail - config password does not match the encrypted file +--error ER_RELOAD_KEYRING_FAILURE +ALTER INSTANCE RELOAD KEYRING; + +--echo # Keyring state must be preserved despite failed reload +SELECT STATUS_KEY, STATUS_VALUE FROM performance_schema.keyring_component_status + WHERE STATUS_KEY = 'Component_status'; + +--echo # Teardown +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rename_table.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rename_table.test new file mode 100644 index 000000000000..bf42a1e74215 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rename_table.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/encryption/rename_table_tests.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_encryption.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_encryption.test new file mode 100644 index 000000000000..a16b6cab1776 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_encryption.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# Adding big test option for this test. +--source include/big_test.inc + +--source ../inc/rpl_setup_component.inc + +--source include/keyring_tests/binlog/rpl_binlog_cache_encryption.inc + +--source ../inc/rpl_teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_temp_file_encryption.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_temp_file_encryption.test new file mode 100644 index 000000000000..4ab9fea84f3f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_binlog_cache_temp_file_encryption.test @@ -0,0 +1,11 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/not_group_replication_plugin.inc +--source include/have_binlog_format_row.inc +# Restrict the test runs to only debug builds, since we set DEBUG point in the test. +--source include/have_debug.inc + +--source ../inc/rpl_setup_component.inc + +--source include/keyring_tests/binlog/rpl_binlog_cache_temp_file_encryption.inc + +--source ../inc/rpl_teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_default_table_encryption.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_default_table_encryption.test new file mode 100644 index 000000000000..245fc23bf1ff --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_default_table_encryption.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# This test case is binary log format agnostic +--source include/have_binlog_format_row.inc +--source include/have_debug.inc + +--source ../inc/rpl_setup_component.inc + +--source include/keyring_tests/binlog/rpl_default_table_encryption.inc + +--source ../inc/rpl_teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption.test new file mode 100644 index 000000000000..edf7ae1d8848 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# This test case is binary log format agnostic +--source include/have_binlog_format_row.inc +--source include/have_debug.inc + +--source ../inc/rpl_setup_component.inc + +--source include/keyring_tests/mats/rpl_encryption.inc + +--source ../inc/rpl_teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery-master.opt new file mode 100644 index 000000000000..7e98bb9769a9 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery-master.opt @@ -0,0 +1 @@ +--log-error=$MYSQL_TMP_DIR/master.err diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery.test new file mode 100644 index 000000000000..88f70bbdbc16 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_generation_recovery.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +# This test case is binary log format agnostic +--source include/have_binlog_format_row.inc + +--source ../inc/rpl_setup_component.inc + +--source include/keyring_tests/mats/rpl_encryption_master_key_generation_recovery.inc + +--source ../inc/rpl_teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup-master.opt new file mode 100644 index 000000000000..7e98bb9769a9 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup-master.opt @@ -0,0 +1 @@ +--log-error=$MYSQL_TMP_DIR/master.err diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup.test new file mode 100644 index 000000000000..67bc30cd8f17 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/rpl_encryption_master_key_rotation_at_startup.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +# This test case is binary log format agnostic +--source include/have_binlog_format_row.inc + +--source ../inc/rpl_setup_component.inc +--source include/keyring_tests/binlog/rpl_encryption_master_key_rotation_at_startup.inc +--let $rpl_only_running_threads= 1 +--source ../inc/rpl_teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables-master.opt new file mode 100644 index 000000000000..b6364fa291fd --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables-master.opt @@ -0,0 +1 @@ +$TEST_SENSITIVE_SYSTEM_VARIABLES_OPT diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables.test new file mode 100644 index 000000000000..4b4018198f18 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/sensitive_variables.test @@ -0,0 +1,5 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/sensitive_variables/sensitive_variables.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/suite.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/suite.opt new file mode 100644 index 000000000000..c53947b853d3 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/suite.opt @@ -0,0 +1 @@ +$PERCONA_KEYRING_ENCRYPTED_FILE_COMPONENT_OPT diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_1.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_1.test new file mode 100644 index 000000000000..c663e1dda298 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_1.test @@ -0,0 +1,12 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# InnoDB transparent tablespace data encryption +# This test case will test basic encryption support features. + +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc +--source include/have_debug.inc +--source include/have_punch_hole.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/table_encrypt_1.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_2.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_2.test new file mode 100644 index 000000000000..d63b3c7658cb --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_2.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# InnoDB transparent tablespace data encryption +# This test case will test basic encryption support features. + +--source include/no_valgrind_without_big.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/table_encrypt_2.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_3.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_3.test new file mode 100644 index 000000000000..9d605438d0fa --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_3.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# InnoDB transparent tablespace data encryption +# This test case will test basic encryption support features. + +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/table_encrypt_3.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_4.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_4.test new file mode 100644 index 000000000000..c34e1e021c64 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_4.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# InnoDB transparent tablespace data encryption +# This test case will test export/import encrypted tablespace. + +--source include/no_valgrind_without_big.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/table_encrypt_4.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_5.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_5.test new file mode 100644 index 000000000000..47148896b6b6 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_5.test @@ -0,0 +1,20 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +#------------------------------------------------------------------------------ +# InnoDB transparent tablespace data encryption +# +# This test create encrypt , non encrypt tables and try to access them after +# restarting with different combinitions such as +# - restart with same server option (acccess all tables) +# - restart without keyring options(encrypt table not accessible , rest are) +# - restart with keyring option but using new key_file_data +# (old encrypt table not accessible , rest are. New encrypt +# table creation possible) +# +#------------------------------------------------------------------------------ +# InnoDB transparent tablespace data encryption + +--source include/no_valgrind_without_big.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/table_encrypt_5.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_6.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_6.test new file mode 100644 index 000000000000..7c3a17e9ea4b --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_6.test @@ -0,0 +1,11 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# Test negative scenarios, lifted from other innodb/table_encrypt tests +# +# Create a table with encryption, should fail since keyring is not +# loaded + +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/table_encrypt_6.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_debug.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_debug.test new file mode 100644 index 000000000000..d5e555e67f63 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_debug.test @@ -0,0 +1,20 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +#------------------------------------------------------------------------------ +# InnoDB transparent tablespace data encryption +# This test case will test basic recovery from known DBUG_SUICIDE point . +# - ib_crash_during_rotation_for_encryption (assert during key rotation) +# - ib_crash_during_create_for_encryption (assert during create) +# - ib_crash_during_decrypt_page (assert during page decryption) +#------------------------------------------------------------------------------ + + --source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc +# Avoid CrashReporter popup on Mac +--source include/not_crashrep.inc +# innodb-force-recovery-crash needs debug +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/table_encrypt_debug.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_fts.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_fts.test new file mode 100644 index 000000000000..b525d4ec81d0 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_fts.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc +# Waiting time when (re)starting the server +--let $explicit_default_wait_counter=10000; + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/table_encrypt_fts.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill-master.opt new file mode 100644 index 000000000000..f4f26850b8a3 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill-master.opt @@ -0,0 +1 @@ +--innodb_buffer_pool_size=256M diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill.test new file mode 100644 index 000000000000..304bf0cc8676 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/table_encrypt_kill.test @@ -0,0 +1,9 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/no_valgrind_without_big.inc +--source include/big_test.inc +# Avoid CrashReporter popup on Mac +--source include/not_crashrep.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/table_encrypt_kill.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace.test new file mode 100644 index 000000000000..fcb7e743601e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/tablespace.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1-master.opt new file mode 100644 index 000000000000..5df3ea9cdec1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1-master.opt @@ -0,0 +1 @@ +--initialize --innodb_page_size=16k diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1.test new file mode 100644 index 000000000000..229771e0974d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_1.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/no_valgrind_without_big.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/tablespace_encrypt_1.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_10.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_10.test new file mode 100644 index 000000000000..0d8ef7da5151 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_10.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +--source include/big_test.inc +--source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_10.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_11.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_11.test new file mode 100644 index 000000000000..03ee288d099d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_11.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +--source include/big_test.inc +--source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_11.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2-master.opt new file mode 100644 index 000000000000..5df3ea9cdec1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2-master.opt @@ -0,0 +1 @@ +--initialize --innodb_page_size=16k diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2.test new file mode 100644 index 000000000000..a9a226e94b6f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_2.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/have_debug.inc +# --source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/tablespace_encrypt_2.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_3.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_3.test new file mode 100644 index 000000000000..7586ff51d7bc --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_3.test @@ -0,0 +1,7 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/no_valgrind_without_big.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_3.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_4.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_4.test new file mode 100644 index 000000000000..0c04c143b13e --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_4.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/no_valgrind_without_big.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_4.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5-master.opt new file mode 100644 index 000000000000..5df3ea9cdec1 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5-master.opt @@ -0,0 +1 @@ +--initialize --innodb_page_size=16k diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5.test new file mode 100644 index 000000000000..1e9627099ee7 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_5.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +--source include/big_test.inc +# --source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_5.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_6.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_6.test new file mode 100644 index 000000000000..d8fe90453c0f --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_6.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/no_valgrind_without_big.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/tablespace_encrypt_6.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_7.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_7.test new file mode 100644 index 000000000000..097fcb7dbd0b --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_7.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/have_debug.inc +# --source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_7.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_8.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_8.test new file mode 100644 index 000000000000..22c4f43ad089 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_8.test @@ -0,0 +1,7 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/no_valgrind_without_big.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_8.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_9.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_9.test new file mode 100644 index 000000000000..e11c1913259d --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_encrypt_9.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc +--source include/big_test.inc +--source include/no_valgrind_without_big.inc +# Disable in valgrind because of timeout, cf. Bug#22760145 +--source include/not_valgrind.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/innodb/tablespace_encrypt_9.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_with_tables.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_with_tables.test new file mode 100644 index 000000000000..63178dd3ceef --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/tablespace_with_tables.test @@ -0,0 +1,6 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/have_debug.inc + +--source ../inc/setup_component.inc +--source include/keyring_tests/encryption/tablespace_with_tables_tests.inc +--source ../inc/teardown_component.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test-master.opt b/mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test-master.opt new file mode 100644 index 000000000000..61ad7d05024b --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test-master.opt @@ -0,0 +1 @@ +$KEYRING_UDF_OPT diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test.test new file mode 100644 index 000000000000..62eacbf97148 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/udf_test.test @@ -0,0 +1,8 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +# Keyring UDF tests with component_keyring_file + +--source ../inc/setup_component.inc +--source include/keyring_tests/mats/keyring_udf_test.inc +--source ../inc/teardown_component.inc + + diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_basic.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_basic.test new file mode 100644 index 000000000000..a58f77779674 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_basic.test @@ -0,0 +1,11 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source include/no_valgrind_without_big.inc +--source include/have_innodb_max_16k.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/mats/undo_encrypt_basic.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_bootstrap.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_bootstrap.test new file mode 100644 index 000000000000..23e57b9347b9 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_bootstrap.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source include/big_test.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/mats/undo_encrypt_bootstrap.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_crash.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_crash.test new file mode 100644 index 000000000000..710d205a2109 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_encrypt_crash.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source include/have_debug.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/undo_encrypt_crash.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_tablespace_encrypt.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_tablespace_encrypt.test new file mode 100644 index 000000000000..172ce7c87007 --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/undo_tablespace_encrypt.test @@ -0,0 +1,10 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc +--source include/big_test.inc +--source include/not_parallel.inc +--source include/have_innodb_16k.inc +# This test must be not be run in parallel with other tests because +# it requires global manifest file to load keyring component directly + +--source ../inc/setup_component_customized.inc +--source include/keyring_tests/innodb/undo_tablespace_encrypt.inc +--source ../inc/teardown_component_customized.inc diff --git a/mysql-test/suite/component_percona_keyring_encrypted_file/t/wrong_password.test b/mysql-test/suite/component_percona_keyring_encrypted_file/t/wrong_password.test new file mode 100644 index 000000000000..b1f55340795c --- /dev/null +++ b/mysql-test/suite/component_percona_keyring_encrypted_file/t/wrong_password.test @@ -0,0 +1,35 @@ +--source ../inc/have_percona_component_keyring_encrypted_file.inc + +# Test: wrong_password +# Verifies that a keyring file encrypted with one password cannot be opened +# with a different password. The component must report Disabled status and +# log a read failure. + +--echo # Phase 1: Start with correct password and populate the keyring file +--source ../inc/setup_component.inc + +CALL mtr.add_suppression(".*The component is not initialized properly.*"); +CALL mtr.add_suppression(".*Failed to decrypt keyring file.*"); + +ALTER INSTANCE ROTATE INNODB MASTER KEY; + +--echo # Phase 2: Restart with a wrong password +--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_FILE_PATH','\", \"read_only\": false, \"password\": \"wrong_password\", \"iterations\": 42 }')` +--source include/keyring_tests/helper/local_keyring_create_config.inc + +--source include/keyring_tests/helper/start_server_with_manifest.inc + +--echo # Keyring must be Disabled - wrong password cannot decrypt the file +--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR +SELECT * FROM performance_schema.keyring_component_status; + +--echo # Error log must record the decryption failure +SELECT IF(COUNT(*) > 0, 'FOUND', 'NOT FOUND') AS error_present + FROM performance_schema.error_log + WHERE DATA LIKE '%Failed to decrypt keyring file%'; + +--echo # Teardown +--source include/keyring_tests/helper/instance_remove_manifest.inc +--source include/keyring_tests/helper/local_keyring_file_remove.inc +--source include/keyring_tests/helper/local_keyring_remove_config.inc +--source include/keyring_tests/helper/cleanup_server_with_manifest.inc