257 lines
9.3 KiB
Plaintext
257 lines
9.3 KiB
Plaintext
# ==== Purpose ====
|
|
#
|
|
# Verify that default_table_encryption is replicated when needed.
|
|
#
|
|
# ==== Requirements ====
|
|
#
|
|
# R1. @@session.default_table_encryption should be replicated for
|
|
# CREATE TABLESPACE when no ENCRYPTION clause is included in the
|
|
# statement.
|
|
#
|
|
# R2. @@session.default_table_encryption should be replicated for
|
|
# CREATE DATABASE when no ENCRYPTION clause is included in the
|
|
# statement.
|
|
#
|
|
# R3. @@session.default_table_encryption should not be replicated for
|
|
# any other statements.
|
|
#
|
|
# ==== Implementation ====
|
|
#
|
|
# Try all possible combinations of values for
|
|
# @@global.default_table_encryption on master and slave, as well as
|
|
# @@session.default_table_encryption on master.
|
|
#
|
|
# For each such option combination, try three CREATE DATABASE and
|
|
# three CREATE TABLESPACE statements: without ENCRYPTION clause, with
|
|
# ENCRYPTION='Y', and with ENCRYPTION='N'. Also try ALTER DATABASE
|
|
# and ALTER TABLESPACE.
|
|
#
|
|
# For each such option combination and statement, verify that the
|
|
# value of default_table_encryption is included or excluded in the
|
|
# binary log according to the requirements, and verify that the actual
|
|
# encryptedness of the database/tablespace is as expected on both
|
|
# master and slave.
|
|
#
|
|
# ==== References ====
|
|
#
|
|
# WL#12261: Control (enforce and disable) table encryption
|
|
# BUG#29818605: WRONG CONDITION TO REPLICATE AND WRONG PRIVILEGE TO SET DEFAULT_TABLE_ENCRYPTION
|
|
|
|
# The test only needs to be executed in one binlog_format.
|
|
--source include/have_binlog_format_row.inc
|
|
--source include/master-slave.inc
|
|
|
|
|
|
# Executes CREATE DATABASE or CREATE TABLESPACE,
|
|
# verifies that binlog contains default_table_encryption if expected,
|
|
# and verifies that it has the correct encryptedness on master and slave.
|
|
#
|
|
# Parameters:
|
|
#
|
|
# $desc
|
|
# Brief text explaining what is expected in the scenario
|
|
#
|
|
# $statement
|
|
# Statement to execute - CREATE DATABASE or CREATE TABLESPACE
|
|
#
|
|
# $expect_binlog
|
|
# If this is 0 or 1, assert that the binary log contains
|
|
# default_table_encryption set to that value. If set to empty
|
|
# string, assert that the binary log does not contain
|
|
# default_table_encryption.
|
|
#
|
|
# $check_statement
|
|
# Statement to check if encryption is enabled.
|
|
#
|
|
# $expect
|
|
# Assert that the result returned by $check_statement matches
|
|
# (LIKE) $expect on both master and slave.
|
|
#
|
|
# $drop_statement
|
|
# Statement to "undo" the effect of $statement. This will be
|
|
# executed unless it is set to empty string.
|
|
#
|
|
--let $script_dir = $MYSQLTEST_VARDIR
|
|
--write_file $script_dir/check_encryption.inc
|
|
--echo ==== $statement [master_session:$master_session master_global:$master_global slave_global:$slave_global] ====
|
|
--echo # $desc
|
|
# Restart slave threads to force them take the global value.
|
|
--source include/rpl_connection_slave.inc
|
|
--source include/stop_slave_sql.inc
|
|
--source include/start_slave_sql.inc
|
|
# Execute statement on master.
|
|
--source include/rpl_connection_master.inc
|
|
--source include/save_binlog_position.inc
|
|
eval $statement;
|
|
# Verify that the binary log contains the expected value
|
|
--echo # Assert that binlog is as expected
|
|
--let $mysqlbinlog_out = $MYSQLTEST_VARDIR/rpl_table_encryption_binlog.sql
|
|
--exec $MYSQL_BINLOG $binlog_fullpath --start-position=$binlog_position > $mysqlbinlog_out
|
|
--let $assert_file = $mysqlbinlog_out
|
|
--let $assert_select = default_table_encryption
|
|
if ($expect_binlog != '') {
|
|
--let $assert_count =
|
|
--let $assert_match = default_table_encryption=$expect_binlog
|
|
--let $assert_text = Binlog should contain default_table_encryption=$expect_binlog
|
|
}
|
|
if ($expect_binlog == '') {
|
|
--let $assert_count = 0
|
|
--let $assert_match =
|
|
--let $assert_text = Binlog should not contain default_table_encryption
|
|
}
|
|
--source include/assert_grep.inc
|
|
--remove_file $mysqlbinlog_out
|
|
# Verify that the definition is as expected on master.
|
|
--echo # Assert that object on master is "$expect"
|
|
--let $output = `$check_statement`
|
|
--let $result = `SELECT "$output" LIKE "$expect"`
|
|
# Verify that the definition is as expected on slave.
|
|
if ($result) {
|
|
--source include/sync_slave_sql_with_master.inc
|
|
--echo # Assert that object on slave is "$expect"
|
|
--let $output = `$check_statement`
|
|
--let $result = `SELECT "$output" LIKE "$expect"`
|
|
}
|
|
# Print error
|
|
if (!$result) {
|
|
--let $connection = $CURRENT_CONNECTION
|
|
--source include/show_rpl_debug_info.inc
|
|
--echo master_global='$master_global'
|
|
--echo slave_global='$slave_global'
|
|
--echo master_session='$master_session'
|
|
--echo statement='$statement'
|
|
--echo check_statement='$check_statement'
|
|
--echo output='$output'
|
|
--echo expect='$expect'
|
|
--echo result='$result'
|
|
--echo connection='$connection'
|
|
--die Error: the created object did not have the expected encryptedness on slave
|
|
}
|
|
# Clean up.
|
|
--source include/rpl_connection_master.inc
|
|
if ($drop_statement != '') {
|
|
eval $drop_statement;
|
|
}
|
|
--source include/sync_slave_sql_with_master.inc
|
|
--source include/rpl_connection_master.inc
|
|
EOF
|
|
|
|
|
|
--echo #### SETUP ####
|
|
|
|
--source include/rpl_connection_master.inc
|
|
SET @default_table_encryption_save = @@global.default_table_encryption;
|
|
CALL mtr.add_suppression("Could not flush keys to keyring's backup");
|
|
CALL mtr.add_suppression("Incorrect Keyring File");
|
|
--source include/sync_slave_sql_with_master.inc
|
|
SET @default_table_encryption_save = @@global.default_table_encryption;
|
|
|
|
# Loops to try all possible values of
|
|
# master:@@global.default_table_encryption,
|
|
# master:@@session.default_table_encryption, and
|
|
# slave:@@global.default_table_encryption.
|
|
|
|
|
|
--echo #### TEST ####
|
|
|
|
--let $master_global = 0
|
|
while ($master_global <= 1) {
|
|
--source include/rpl_connection_master.inc
|
|
eval SET @@global.default_table_encryption = $master_global;
|
|
|
|
--let $slave_global = 0
|
|
while ($slave_global <= 1) {
|
|
--source include/rpl_connection_slave.inc
|
|
eval SET @@global.default_table_encryption = $slave_global;
|
|
|
|
--let $master_session = 0
|
|
--let $letter = N
|
|
while ($master_session <= 1) {
|
|
--source include/rpl_connection_master.inc
|
|
eval SET @@session.default_table_encryption = $master_session;
|
|
|
|
--let $check_statement = SHOW CREATE DATABASE db
|
|
|
|
--let $desc = CREATE without ENCRYPTION: include the variable in the binlog
|
|
--let $statement = CREATE DATABASE db
|
|
--let $drop_statement =
|
|
--let $expect = %ENCRYPTION='$letter'%
|
|
--let $expect_binlog = $master_session
|
|
--source $script_dir/check_encryption.inc
|
|
|
|
--let $desc = ALTER: exclude the variable from the binlog
|
|
eval SET @@session.default_table_encryption = 1-$master_session;
|
|
--let $statement = ALTER DATABASE db CHARACTER SET = utf8
|
|
--let $drop_statement = DROP DATABASE db
|
|
--let $expect = %ENCRYPTION='$letter'%
|
|
--let $expect_binlog =
|
|
--source $script_dir/check_encryption.inc
|
|
eval SET @@session.default_table_encryption = $master_session;
|
|
|
|
--let $desc = CREATE with ENCRYPTION: exclude the variable from the binlog
|
|
--let $statement = CREATE DATABASE db DEFAULT ENCRYPTION = 'n'
|
|
--let $drop_statement = DROP DATABASE db
|
|
--let $expect = %ENCRYPTION='N'%
|
|
--let $expect_binlog =
|
|
--source $script_dir/check_encryption.inc
|
|
|
|
--let $desc = CREATE with ENCRYPTION: exclude the variable from the binlog
|
|
--let $statement = CREATE DATABASE db DEFAULT ENCRYPTION = 'y'
|
|
--let $drop_statement = DROP DATABASE db
|
|
--let $expect = %ENCRYPTION='Y'%
|
|
--let $expect_binlog =
|
|
--source $script_dir/check_encryption.inc
|
|
|
|
--let $check_statement = SELECT ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME LIKE 'ts%'
|
|
|
|
--let $desc = CREATE without ENCRYPTION: include the variable in the binlog
|
|
--let $statement = CREATE TABLESPACE ts
|
|
--let $drop_statement =
|
|
--let $expect = $letter
|
|
--let $expect_binlog = $master_session
|
|
--source $script_dir/check_encryption.inc
|
|
|
|
--let $desc = ALTER should not include the variable in the binlog
|
|
eval SET @@session.default_table_encryption = 1-$master_session;
|
|
--let $statement = ALTER TABLESPACE ts RENAME TO ts2
|
|
--let $drop_statement = DROP TABLESPACE ts2
|
|
--let $expect = $letter
|
|
--let $expect_binlog =
|
|
--source $script_dir/check_encryption.inc
|
|
eval SET @@session.default_table_encryption = $master_session;
|
|
|
|
--let $desc = CREATE with ENCRYPTION: exclude the variable from the binlog
|
|
--let $statement = CREATE TABLESPACE ts ENCRYPTION = 'y'
|
|
--let $drop_statement = DROP TABLESPACE ts
|
|
--let $expect = Y
|
|
--let $expect_binlog =
|
|
--source $script_dir/check_encryption.inc
|
|
|
|
--let $desc = CREATE with ENCRYPTION: exclude the variable from the binlog
|
|
--let $statement = CREATE TABLESPACE ts ENCRYPTION = 'n'
|
|
--let $drop_statement = DROP TABLESPACE ts
|
|
--let $expect = N
|
|
--let $expect_binlog =
|
|
--source $script_dir/check_encryption.inc
|
|
|
|
--inc $master_session
|
|
--let $letter = Y
|
|
}
|
|
--inc $slave_global
|
|
}
|
|
--inc $master_global
|
|
}
|
|
|
|
|
|
--echo #### CLEANUP ####
|
|
|
|
--source include/rpl_connection_master.inc
|
|
SET @@global.default_table_encryption = @default_table_encryption_save;
|
|
--source include/rpl_connection_slave.inc
|
|
SET @@global.default_table_encryption = @default_table_encryption_save;
|
|
|
|
--remove_file $script_dir/check_encryption.inc
|
|
|
|
|
|
--source include/rpl_end.inc
|