# InnoDB transparent encryption on redo log.
# This test case will test basic encryption support features.
# The script toggles innodb_redo_log_encrypt with and without the keyring_file
# plugin, restarts the server in between, rotates the master key and checks
# that an account without the needed privilege cannot change the setting.

--source include/no_valgrind_without_big.inc
--source include/have_innodb_max_16k.inc

# Suppress the following messages from the mysqld log.
# Several of them are keyring / master-key errors; they are expected here
# because the first scenario below enables redo log encryption while no
# keyring plugin is loaded.
# NOTE(review): the suppressions are not scoped to that scenario, so the same
# errors would also go unreported if they appeared in the keyring-enabled
# scenarios - confirm this is acceptable.
--disable_query_log
call mtr.add_suppression("keyring_file initialization failure. Please check if the keyring_file_data points to readable keyring file or keyring file can be created in the specified location. The keyring_file will stay unusable until correct path to the keyring file gets provided");
call mtr.add_suppression("Error while loading keyring content. The keyring might be malformed");
call mtr.add_suppression("ibd can't be decrypted, please confirm the keyfile is match and keyring plugin is loaded.");
call mtr.add_suppression("\\[Warning\\] .* Plugin mysqlx reported.*");
call mtr.add_suppression("\\[Warning\\] .* Ignoring tablespace .* because it could not be opened");
call mtr.add_suppression("\\[ERROR\\] .* Encryption can't find master key, please check the keyring plugin is loaded.");
call mtr.add_suppression("\\[ERROR\\] .* Failed to find tablespace for table `\.\.*`\.`\.\.*` in the cache.");
call mtr.add_suppression("\\[ERROR\\] .* Can't set redo log tablespace to be encrypted.");
--enable_query_log

# Remember the current global settings; the cleanup at the end of the script
# restores them.
let $old_innodb_file_per_table = `SELECT @@innodb_file_per_table`;
let $old_innodb_redo_log_encrypt = `SELECT @@innodb_redo_log_encrypt`;

# Start from an empty tde_db schema; warnings from DROP ... IF EXISTS are
# kept out of the recorded result.
--disable_warnings
DROP DATABASE IF EXISTS tde_db;
CREATE DATABASE tde_db;
USE tde_db;
--enable_warnings
# Scenario: the server was started without a keyring plugin and
# innodb_redo_log_encrypt is switched ON at runtime.
# Expected result : the variable is ignored (the wait below requires it to
# read 0 again).
# bug : a warning or an error would be expected here. The SET itself is not
# rejected, so a caller has to read the variable back, as this test does,
# rather than assume that redo log encryption is now active.
SET GLOBAL innodb_redo_log_encrypt = 1;

SHOW WARNINGS;
--let $wait_condition=SELECT @@global.innodb_redo_log_encrypt = 0
--source include/wait_condition.inc

# Write one large LONGBLOB row and check that it is readable both before and
# after a server restart.
CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t4;
# Restart server
--source include/restart_mysqld.inc
SELECT a,LEFT(b,10) FROM tde_db.t4;
DROP TABLE tde_db.t4;


# Recreate the schema so that the next scenario starts from an empty tde_db.
--disable_warnings
DROP DATABASE IF EXISTS tde_db;
CREATE DATABASE tde_db;
USE tde_db;
--enable_warnings


# Scenario: start the server with --early-plugin-load and
# --innodb_redo_log_encrypt=ON .
# Then explicitly run INSTALL PLUGIN keyring_file SONAME 'keyring_file.so'
# Expected : plugin already installed (the statement must fail with
# ER_UDF_EXISTS).

--echo # Starting server with keyring plugin
# The keyring file lives under $MYSQL_TMP_DIR as my_key_log3.
# --replace_result masks the temp directory, the plugin-dir option and the
# plugin file name so the recorded output does not depend on the host, and
# --replace_regex rewrites a .dll suffix to .so for the same reason.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/my_key_log3 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON ;
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so
--source include/restart_mysqld.inc
SELECT @@global.innodb_redo_log_encrypt ;
--replace_regex /\.dll/.so/
--error ER_UDF_EXISTS
eval INSTALL PLUGIN keyring_file SONAME '$KEYRING_PLUGIN';
UNINSTALL PLUGIN keyring_file;

# Same sequence again, this time switching redo log encryption OFF at runtime
# before the duplicate INSTALL PLUGIN attempt.
--echo # Starting server with keyring plugin
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/my_key_log3 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON ;
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so
--source include/restart_mysqld.inc
SET GLOBAL innodb_redo_log_encrypt = 0;
SELECT @@global.innodb_redo_log_encrypt ;
--replace_regex /\.dll/.so/
--error ER_UDF_EXISTS
eval INSTALL PLUGIN keyring_file SONAME '$KEYRING_PLUGIN';
UNINSTALL PLUGIN keyring_file;


# Flush logs
# (closes and reopens any flushable logs for installed storage engines.
# This causes InnoDB to flush its logs to disk. )
# Scenario: with the keyring loaded, write rows while redo log encryption is
# ON and then while it is OFF, into both plain and ENCRYPTION='Y' tables,
# flush the logs, stop and restart the server, and check that every row is
# still readable.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/my_key_log3 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON ;
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so
--source include/restart_mysqld.inc
SELECT @@global.innodb_redo_log_encrypt ;
# Redo log encryption ON: t1 is a plain table, t2 is an encrypted table.
SET GLOBAL innodb_redo_log_encrypt = 1;
SELECT @@global.innodb_redo_log_encrypt ;
CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t1;
CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB)
ENCRYPTION='Y' ENGINE=InnoDB;
INSERT INTO t2 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t2;
# Redo log encryption OFF: t3 is a plain table, t4 is an encrypted table.
SET GLOBAL innodb_redo_log_encrypt = 0;
SELECT @@global.innodb_redo_log_encrypt ;
CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t3;
CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB)
ENCRYPTION='Y' ENGINE=InnoDB;
INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t4;
FLUSH LOGS;
# Manual restart: the restart line is written to the server's expect file,
# the server is shut down, and the client waits until it can reconnect.
# NOTE(review): the fixed 3 second sleep is timing based; what it waits for
# is not stated in the script - confirm it is still needed.
# NOTE(review): a timeout of 0 on shutdown_server, together with the
# commented-out kill_and_restart include, suggests an abrupt stop is intended
# so that startup has to process the redo log written above - confirm.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/my_key_log3 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON ;
#--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so
#--source include/kill_and_restart_mysqld.inc
--sleep 3
--let $_server_id= `SELECT @@server_id`
--let $_expect_file_name= $MYSQLTEST_VARDIR/tmp/mysqld.$_server_id.expect
--exec echo "$restart_parameters" > $_expect_file_name
--shutdown_server 0
--source include/wait_until_disconnected.inc
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect


# After the restart: record the keyring plugin's status and check that all
# four tables can be read.
SELECT
PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE '%keyring_file%' ;
SELECT a,LEFT(b,10) FROM tde_db.t1;
SELECT a,LEFT(b,10) FROM tde_db.t2;
SELECT a,LEFT(b,10) FROM tde_db.t3;
SELECT a,LEFT(b,10) FROM tde_db.t4;
#UNINSTALL PLUGIN keyring_file;
DROP TABLE tde_db.t1,tde_db.t2,tde_db.t3,tde_db.t4;

# innodb_redo_log_encrypt=ON/OFF with transaction
# The global setting is changed inside an open transaction. One transaction
# is rolled back and a second one is committed for each setting, against a
# plain table and an ENCRYPTION='Y' table.
SELECT @@global.innodb_redo_log_encrypt ;
CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB)
ENCRYPTION='Y' ENGINE=InnoDB;
# Switch encryption ON after START TRANSACTION; this first transaction is
# rolled back.
START TRANSACTION;
SET GLOBAL innodb_redo_log_encrypt = 1;
INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512));
INSERT INTO t2 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t1;
SELECT a,LEFT(b,10) FROM tde_db.t2;
ROLLBACK;
# Second transaction with encryption still ON; this one is committed.
START TRANSACTION;
INSERT INTO t1 (a, b) VALUES (2, REPEAT('a', 6*512*512));
INSERT INTO t2 (a, b) VALUES (2, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t1;
SELECT a,LEFT(b,10) FROM tde_db.t2;
COMMIT;
CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
CREATE TABLE tde_db.t4 (a BIGINT PRIMARY KEY, b LONGBLOB)
ENCRYPTION='Y' ENGINE=InnoDB;
# Switch encryption OFF after START TRANSACTION; rolled back.
START TRANSACTION;
SET GLOBAL innodb_redo_log_encrypt = 0;
SELECT @@global.innodb_redo_log_encrypt ;
INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512));
INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t3;
SELECT a,LEFT(b,10) FROM tde_db.t4;
ROLLBACK;
# Second transaction with encryption still OFF; committed.
START TRANSACTION;
INSERT INTO t3 (a, b) VALUES (2, REPEAT('a', 6*512*512));
INSERT INTO t4 (a, b) VALUES (2, REPEAT('a', 6*512*512));
SELECT a,LEFT(b,10) FROM tde_db.t3;
SELECT a,LEFT(b,10) FROM tde_db.t4;
COMMIT;
# Manual restart: the restart line is written to the server's expect file,
# the server is shut down, and the client waits until it can reconnect.
# NOTE(review): the fixed 3 second sleep is timing based; what it waits for
# is not stated in the script - confirm it is still needed.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --loose-keyring_file_data=$MYSQL_TMP_DIR/my_key_log3 $KEYRING_PLUGIN_OPT --innodb_redo_log_encrypt=ON ;
#--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN_OPT --plugin-dir=KEYRING_PLUGIN_PATH $KEYRING_PLUGIN keyring_file.so
#--source include/kill_and_restart_mysqld.inc
--sleep 3
--let $_server_id= `SELECT @@server_id`
--let $_expect_file_name= $MYSQLTEST_VARDIR/tmp/mysqld.$_server_id.expect
--exec echo "$restart_parameters" > $_expect_file_name
--shutdown_server 0
--source include/wait_until_disconnected.inc
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect


# After the restart: record the keyring plugin's status and read every table.
# The recorded result shows which rows are present; only the transactions
# that ended in COMMIT should have left rows behind.
SELECT
PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_TYPE
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE '%keyring_file%' ;
SELECT a,LEFT(b,10) FROM tde_db.t1;
SELECT a,LEFT(b,10) FROM tde_db.t2;
SELECT a,LEFT(b,10) FROM tde_db.t3;
SELECT a,LEFT(b,10) FROM tde_db.t4;

# Rotate master key when innodb_redo_log_encrypt=ON/OFF
# The master key is rotated once with redo log encryption OFF and once with
# it ON. After each rotation all four tables are read again, so a rotation
# that left existing data unreadable would show up in the result.
SET GLOBAL innodb_redo_log_encrypt = 0;
SELECT @@global.innodb_redo_log_encrypt ;
ALTER INSTANCE ROTATE INNODB MASTER KEY;
SELECT a,LEFT(b,10) FROM tde_db.t1;
SELECT a,LEFT(b,10) FROM tde_db.t2;
SELECT a,LEFT(b,10) FROM tde_db.t3;
SELECT a,LEFT(b,10) FROM tde_db.t4;
SET GLOBAL innodb_redo_log_encrypt = 1;
SELECT @@global.innodb_redo_log_encrypt ;
ALTER INSTANCE ROTATE INNODB MASTER KEY;
SELECT a,LEFT(b,10) FROM tde_db.t1;
SELECT a,LEFT(b,10) FROM tde_db.t2;
SELECT a,LEFT(b,10) FROM tde_db.t3;
SELECT a,LEFT(b,10) FROM tde_db.t4;

# A non-privileged user cannot set the innodb_redo_log_encrypt variable.
# The account created here holds only a global SELECT grant. Every
# SET GLOBAL on innodb_redo_log_encrypt or innodb_undo_log_encrypt issued
# from its connection must fail with ER_SPECIFIC_ACCESS_DENIED_ERROR, in
# both directions (0 and 1). Reading the variables is not restricted: the
# SELECT @@global... statements carry no --error and show that the value was
# left unchanged by the rejected SET.
# 'noauth' is a literal password used only for this test account.
CREATE USER encryptnonprivuser@localhost IDENTIFIED BY 'noauth';
GRANT SELECT ON *.* to encryptnonprivuser@localhost;
FLUSH PRIVILEGES;
--echo # In connection 1 - with encryptnonprivuser
connect (con1,localhost,encryptnonprivuser,'noauth',);
SELECT @@global.innodb_redo_log_encrypt ;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SET GLOBAL innodb_redo_log_encrypt = 0;
SELECT @@global.innodb_redo_log_encrypt ;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SET GLOBAL innodb_undo_log_encrypt = 0;
SELECT @@global.innodb_undo_log_encrypt ;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SET GLOBAL innodb_redo_log_encrypt = 1;
SELECT @@global.innodb_redo_log_encrypt ;
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
SET GLOBAL innodb_undo_log_encrypt = 1;
SELECT @@global.innodb_undo_log_encrypt ;
disconnect con1;
# Back to the default connection for the remaining steps.
--echo # In connection default
connection default;


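# Teardown on the default connection: unload the keyring plugin and drop the
# tables left over from the transaction and key-rotation scenarios.
UNINSTALL PLUGIN keyring_file;
DROP TABLE tde_db.t1,tde_db.t2,tde_db.t3,tde_db.t4;

# Cleanup
# Runs with the query log disabled, so none of these statements appear in
# the recorded result. Restores the two global settings saved at the start
# of the script and removes the objects the test created.
--disable_query_log
eval SET GLOBAL innodb_file_per_table=$old_innodb_file_per_table;
eval SET GLOBAL innodb_redo_log_encrypt=$old_innodb_redo_log_encrypt;
DROP DATABASE tde_db;
# Drop the test account created for the privilege check earlier in this
# script; otherwise an account with a known password and a global SELECT
# grant would remain on the server after the test.
DROP USER encryptnonprivuser@localhost;
# NOTE(review): the keyring file $MYSQL_TMP_DIR/my_key_log3 used by the
# restarts above is not removed here - confirm that the harness cleans up
# the temp directory, since the file holds key material.
--enable_query_log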