#------------------------------------------------------------------------------ # InnoDB transparent encryption on redo log and undo log using xplugin #------------------------------------------------------------------------------ --source include/no_valgrind_without_big.inc --source include/have_innodb_max_16k.inc --source include/have_mysqlx_plugin.inc --let plugins= KEYRING_PLUGIN --source include/check_plugin_dir.inc # Create a table with encryption, should fail since keyring is not # loaded let $old_innodb_file_per_table = `SELECT @@innodb_file_per_table`; let $old_innodb_redo_log_encrypt = `SELECT @@innodb_redo_log_encrypt`; let $old_innodb_undo_log_encrypt = `SELECT @@innodb_undo_log_encrypt`; let $MYSQLD_BASEDIR= `select @@basedir`; --echo # Stop the MTR default DB server --source include/shutdown_mysqld.inc # Create path for ibdata* & undo* files both DBs --mkdir $MYSQL_TMP_DIR/innodb_undo_data_dir --mkdir $MYSQL_TMP_DIR/innodb_data_home_dir --mkdir $MYSQL_TMP_DIR/datadir # Set path for --datadir let $MYSQLD_DATADIR_1 = $MYSQL_TMP_DIR/datadir/data; # Set path for undo* files. let $MYSQLD_UNDO_DATADIR = $MYSQL_TMP_DIR/innodb_undo_data_dir; # Set path for ibdata* files. let $MYSQLD_HOME_DATA_DIR = $MYSQL_TMP_DIR/innodb_data_home_dir; let BOOTSTRAP_SQL=$MYSQL_TMP_DIR/boot.sql; --echo # create bootstrap file write_file $BOOTSTRAP_SQL; CREATE DATABASE test; EOF --echo # Prepare new datadir let NEW_CMD = $MYSQLD --no-defaults --initialize-insecure --innodb_data_home_dir=$MYSQLD_HOME_DATA_DIR --innodb_undo_directory=$MYSQLD_UNDO_DATADIR --innodb_dedicated_server=OFF --basedir=$MYSQLD_BASEDIR --datadir=$MYSQLD_DATADIR_1 --init-file=$BOOTSTRAP_SQL --secure-file-priv="" --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT --cluster-id=1 --cluster-start-index=1 --cluster-info='127.0.0.1:29952@1' >$MYSQLTEST_VARDIR/tmp/bootstrap2.log 2>&1; --echo # Run the bootstrap command with keyring --exec $NEW_CMD --echo # Starting server with keyring plugin --replace_result $MYSQLD_HOME_DATA_DIR MYSQLD_HOME_DATA_DIR $MYSQLD_UNDO_DATADIR MYSQLD_UNDO_DATADIR $MYSQLD_DATADIR_1 MYSQLD_DATADIR --let $restart_parameters=restart: --innodb_data_home_dir=$MYSQLD_HOME_DATA_DIR --innodb_undo_directory=$MYSQLD_UNDO_DATADIR --datadir=$MYSQLD_DATADIR_1 --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT --source include/start_mysqld_no_echo.inc SELECT @@global.innodb_redo_log_encrypt; SELECT @@global.innodb_undo_log_encrypt; --let $dont_reset_global_status_variables= 1 --source include/xplugin_reset_and_wait.inc --write_file $MYSQL_TMP_DIR/log_encrypt_xplugin_test.tmp -->sql SELECT @@global.innodb_redo_log_encrypt; SET GLOBAL innodb_redo_log_encrypt = 1; SELECT @@global.innodb_redo_log_encrypt; SET GLOBAL innodb_undo_log_encrypt = 1; SELECT @@global.innodb_undo_log_encrypt; DROP DATABASE IF EXISTS tde_db; CREATE DATABASE tde_db; USE tde_db; CREATE TABLE tde_db.t_encrypt(c2 INT NOT NULL,c3 LONGBLOB) ENCRYPTION="Y" ENGINE = InnoDB; CREATE TABLE tde_db.t_non_encrypt(c2 INT NOT NULL,c3 LONGBLOB ) ENGINE = InnoDB; START TRANSACTION; INSERT INTO tde_db.t_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); INSERT INTO tde_db.t_encrypt SELECT c2,c3 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt SELECT c2,c3 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_non_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); INSERT INTO tde_db.t_non_encrypt SELECT c2,c3 FROM tde_db.t_non_encrypt; INSERT INTO tde_db.t_non_encrypt SELECT c2,c3 FROM tde_db.t_non_encrypt; COMMIT; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_encrypt; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_non_encrypt; START TRANSACTION; INSERT INTO tde_db.t_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); INSERT INTO tde_db.t_encrypt SELECT c2,c3 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_encrypt SELECT c2,c3 FROM tde_db.t_encrypt; INSERT INTO tde_db.t_non_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); INSERT INTO tde_db.t_non_encrypt SELECT c2,c3 FROM tde_db.t_non_encrypt; INSERT INTO tde_db.t_non_encrypt SELECT c2,c3 FROM tde_db.t_non_encrypt; ROLLBACK; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_encrypt; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_non_encrypt; SET GLOBAL innodb_redo_log_encrypt = 0; SELECT @@global.innodb_redo_log_encrypt; SET GLOBAL innodb_undo_log_encrypt = 0; SELECT @@global.innodb_undo_log_encrypt; START TRANSACTION; INSERT INTO tde_db.t_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); INSERT INTO tde_db.t_non_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); COMMIT; START TRANSACTION; INSERT INTO tde_db.t_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); INSERT INTO tde_db.t_non_encrypt(c2,c3) VALUES (1,CONCAT(REPEAT("a",6*512*512))); ROLLBACK; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_encrypt; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_non_encrypt; SELECT @@global.innodb_redo_log_encrypt; SET GLOBAL innodb_redo_log_encrypt = 1; SELECT @@global.innodb_undo_log_encrypt; SET GLOBAL innodb_undo_log_encrypt = 1; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_encrypt; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_non_encrypt; -->endsql EOF CREATE USER 'x_root'@'localhost' IDENTIFIED WITH 'mysql_native_password'; GRANT ALL ON *.* TO 'x_root'@'localhost' WITH GRANT OPTION; --sleep 3 # Run from xplugin --exec $MYSQLXTEST -ux_root --password='' --file=$MYSQL_TMP_DIR/log_encrypt_xplugin_test.tmp 2>&1 --remove_file $MYSQL_TMP_DIR/log_encrypt_xplugin_test.tmp DROP USER 'x_root'@'localhost'; SELECT @@global.innodb_redo_log_encrypt; SELECT @@global.innodb_undo_log_encrypt; --echo # Restarting server with keyring plugin --replace_result $MYSQLD_HOME_DATA_DIR MYSQLD_HOME_DATA_DIR $MYSQLD_UNDO_DATADIR MYSQLD_UNDO_DATADIR $MYSQLD_DATADIR_1 MYSQLD_DATADIR --let $restart_parameters=restart: --innodb_data_home_dir=$MYSQLD_HOME_DATA_DIR --innodb_undo_directory=$MYSQLD_UNDO_DATADIR --datadir=$MYSQLD_DATADIR_1 --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/mysecret_keyring $KEYRING_PLUGIN_OPT --source include/start_mysqld_no_echo.inc SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_encrypt; SELECT c2,SUBSTRING(c3,1,10) FROM tde_db.t_non_encrypt; DROP DATABASE tde_db; # restart the server with MTR default --let $restart_parameters= --source include/restart_mysqld.inc ## Cleanup --remove_file $MYSQLTEST_VARDIR/tmp/bootstrap2.log --remove_file $MYSQL_TMP_DIR/mysecret_keyring --remove_file $BOOTSTRAP_SQL --force-rmdir $MYSQL_TMP_DIR/datadir --force-rmdir $MYSQL_TMP_DIR/innodb_data_home_dir --force-rmdir $MYSQL_TMP_DIR/innodb_undo_data_dir --disable_query_log eval SET GLOBAL innodb_file_per_table=$old_innodb_file_per_table; eval SET GLOBAL innodb_redo_log_encrypt=$old_innodb_redo_log_encrypt; eval SET GLOBAL innodb_undo_log_encrypt=$old_innodb_undo_log_encrypt; --enable_query_log