4493d40a-92aa-4162-9dfc-bfc4ec0996e6
/
polardbxengine
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
polardbxengine/mysql-test/suite/auth_sec/t/key_rotation_qa.test

243 lines
9.6 KiB
Plaintext
Raw Blame History

# Wl8821 Testing
# This test will will check parser support for
# ALTER INSTANCE ROTATE <key_type> MASTER KEY statement
# and key rotation testing.
--source include/no_valgrind_without_big.inc
--disable_query_log
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Encryption can't find master key, please check the keyring plugin is loaded.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Plugin keyring_file reported: 'keyring_file initialization failure.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Function 'keyring_file' already exists");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Couldn't load plugin named 'keyring_file' with soname 'keyring_file.so'.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Couldn't load plugin named 'keyring_file' with soname 'keyring_file.dll'.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Can't generate new master key, please check the keyring plugin is loaded.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Encryption information in datafile");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Operating system error number 2 in a file operation.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* The error means the system cannot find the path specified.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Could not find a valid tablespace file for");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* If you are installing InnoDB, remember that you must create directories yourself, InnoDB does not create them.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Can't generate new master key for tablespace encryption, please check the keyring plugin is loaded.");
call mtr.add_suppression("\\[Warning\\] .*MY-\\d+.* Ignoring tablespace `test/.*` because it could not be opened.");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Failed to find tablespace for table");
call mtr.add_suppression("\\[Warning\\] .*MY-\\d+.* Can't read encryption key from file");
call mtr.add_suppression("\\[Warning\\] .*MY-\\d+.* Cannot open table .* from the internal data dictionary of InnoDB though the .frm file for the table exists.*");
call mtr.add_suppression("\\[ERROR\\] .*MY-\\d+.* Table .* in the InnoDB data dictionary has tablespace id .*, but tablespace with that id or name does not exist");
call mtr.add_suppression("\\[Warning\\] .*MY-\\d+.* Please refer to .* for how to resolve the issue");
call mtr.add_suppression("Could not flush keys to keyring's backup");
call mtr.add_suppression("\\[ERROR\\].* Tablespace [0-9]+, name 'test.t[0-9]+', unable to open file '.*test.t[0-9]+.ibd' - Data structure corruption");
call mtr.add_suppression("Plugin mysqlx reported: 'Failed at SSL configuration");
--enable_query_log
# Invalid syntax
--error ER_PARSE_ERROR
ALTER INSTANCE ROTATE MYISAM MASTER KEY;
--error ER_PARSE_ERROR
ALTER INSTANCE ROTATE INNODB;
--error ER_PARSE_ERROR
ALTER INSTANCE STORE INNDB;
--error ER_PARSE_ERROR
ALTER INSTANCE ROTATE INNODB SLAVE KEY;
# When keyring_file plugin not loaded.
--error ER_CANNOT_FIND_KEY_IN_KEYRING
ALTER INSTANCE ROTATE INNODB MASTER KEY;
--error 0,1
--remove_file $MYSQL_TMP_DIR/keyring
--echo
# Re-starting mysql server with keyring_file plugin.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
-- send_shutdown
-- source include/wait_until_disconnected.inc
--exec echo "restart:--early-plugin-load="keyring_file=$KEYRING_PLUGIN" --keyring_file_data=$MYSQL_TMP_DIR/keyring/keyring" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
--error ER_UDF_EXISTS
INSTALL PLUGIN keyring_file SONAME 'keyring_file.so';
--echo
SHOW GLOBAL variables LIKE 'early-plugin-load';
# Command-Line option.
--error ER_PARSE_ERROR
SET @@global.early-plugin-load="keyring_file=keyring_file.so";
--echo
# Check keyring_file plugin.
query_vertical SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file';
--file_exists $MYSQL_TMP_DIR/keyring/keyring
--echo
# Roating master key when keyring file is empty.
# It should genereate new master key.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
# Creating table with encryption.
CREATE TABLE t1(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
INSERT INTO t1 VALUES(0, "aaaaa");
INSERT INTO t1 VALUES(1, "bbbbb");
INSERT INTO t1 VALUES(2, "ccccc");
SELECT * FROM t1;
ALTER INSTANCE ROTATE INNODB MASTER KEY;
CREATE TABLE t2(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
INSERT INTO t2 SELECT * FROM t1;
SELECT COUNT(*) FROM t2;
--echo # Remove keyring file
# If we remove the keyring file and the server
# is still running the keyring will stay in the memory
# and the encrypted table/s will be accessible.
--error 0,1
--remove_file $MYSQL_TMP_DIR/keyring/keyring_tmp
--copy_file $MYSQL_TMP_DIR/keyring/keyring $MYSQL_TMP_DIR/keyring/keyring_tmp
--remove_file $MYSQL_TMP_DIR/keyring/keyring
--echo
--echo # Check for keyring file.
--list_files $MYSQL_TMP_DIR/keyring/
--echo
SELECT COUNT(*) FROM t2;
CREATE TABLE t3(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
INSERT INTO t3 VALUES(2, "ccccc");
--echo # Check for keyring file.
--list_files $MYSQL_TMP_DIR/keyring/
--echo
# ALTER INSTANCE ROTATE cmd will fail if keyring file
# does not exist
--ERROR 3185
ALTER INSTANCE ROTATE INNODB MASTER KEY;
--echo # Check for keyring file.
--list_files $MYSQL_TMP_DIR/keyring/
--error 1
--file_exists $MYSQL_TMP_DIR/keyring/keyring
--echo
SELECT * FROM t1;
# Uninstalling keyring_file plugin.
UNINSTALL PLUGIN keyring_file;
query_vertical SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file';
--echo # Try to access encrypted table.
# Cached the tablespace key in memory.
SELECT COUNT(*) FROM t1;
SELECT * FROM t2;
CREATE TABLE t10(c1 INT, c2 char(20)) ENGINE = InnoDB;
# Recreate the keyring file
--copy_file $MYSQL_TMP_DIR/keyring/keyring_tmp $MYSQL_TMP_DIR/keyring/keyring
--remove_file $MYSQL_TMP_DIR/keyring/keyring_tmp
# After restart encrypted table/s should be accessible
# when using same keyring file.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --keyring_file_data=$MYSQL_TMP_DIR/keyring/keyring;
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN keyring_file.so
--source include/restart_mysqld.inc
--file_exists $MYSQL_TMP_DIR/keyring/keyring
SELECT * FROM t1;
SELECT * FROM t3;
--remove_file $MYSQL_TMP_DIR/keyring/keyring
# After restart old encrypted tables will not be not accesiable,
# if keyring file missing or keyring_file_data location changed.
let $restart_parameters = restart: --early-plugin-load="keyring_file=$KEYRING_PLUGIN" --keyring_file_data=$MYSQL_TMP_DIR/keyring/keyring_new;
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $KEYRING_PLUGIN keyring_file.so
--source include/restart_mysqld.inc
--error ER_CANNOT_FIND_KEY_IN_KEYRING
SELECT * FROM t1;
CREATE TABLE t12(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
INSERT INTO t12 VALUES(2, "ccccchfc");
ALTER INSTANCE ROTATE INNODB MASTER KEY;
SELECT * FROM t12;
--remove_file $MYSQL_TMP_DIR/keyring/keyring_new
# Test keyring_file with early-plugin-load and plugin-load.
--exec echo "wait" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
-- send_shutdown
-- source include/wait_until_disconnected.inc
--exec echo "restart:--early-plugin-load="keyring_file=$KEYRING_PLUGIN" --plugin-load="keyring_file=$KEYRING_PLUGIN" --keyring_file_data=$MYSQL_TMP_DIR/keyring/keyring" > $MYSQLTEST_VARDIR/tmp/mysqld.1.expect
--enable_reconnect
--source include/wait_until_connected_again.inc
--disable_reconnect
query_vertical SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file';
--error ER_CANNOT_FIND_KEY_IN_KEYRING
SELECT * FROM t2;
CREATE TABLE t11(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
# Table will not be accesiable,since the original key file is removed,
# Innodb will mark is as data file missing.
--error ER_CANNOT_FIND_KEY_IN_KEYRING
SELECT * FROM t2;
# Uninstalling keyring_file plugin.
UNINSTALL PLUGIN keyring_file;
query_vertical SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file';
SELECT * FROM t11;
# Try to access encrypted table, Which are created before restart.
--error ER_CANNOT_FIND_KEY_IN_KEYRING
SELECT COUNT(*) FROM t1;
# Creating table after uninstalling keyring_file plugin.
--error ER_CANNOT_FIND_KEY_IN_KEYRING
CREATE TABLE t4(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
# ALTER INSTANCE ROTATE <key_type> MASTER KEY statement,after UNINSTALL.
--error ER_CANNOT_FIND_KEY_IN_KEYRING
ALTER INSTANCE ROTATE INNODB MASTER KEY;
# Creating table without encryption.
CREATE TABLE t5(c1 INT, c2 char(20)) ENGINE = InnoDB;
INSERT INTO t5 VALUES(100, "without_enc");
# Uninstall will not remove keyring file.
--list_files $MYSQL_TMP_DIR/keyring/
--file_exists $MYSQL_TMP_DIR/keyring/keyring
--remove_file $MYSQL_TMP_DIR/keyring/keyring
# Encrypted table DROP when keyring_file plugin missing/removed.
DROP TABLE t11;
--replace_regex /\.dll/.so/
eval INSTALL PLUGIN keyring_file SONAME '$KEYRING_PLUGIN';
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
eval SET @@global.keyring_file_data='$MYSQL_TMP_DIR/keyring/keyring';
query_vertical SELECT PLUGIN_NAME,PLUGIN_VERSION,PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS WHERE plugin_name='keyring_file';
--error ER_CANNOT_FIND_KEY_IN_KEYRING
CREATE TABLE t6(c1 INT, c2 char(20)) ENCRYPTION="Y" ENGINE = InnoDB;
--error ER_CANNOT_FIND_KEY_IN_KEYRING
ALTER INSTANCE ROTATE INNODB MASTER KEY;
--error ER_CANNOT_FIND_KEY_IN_KEYRING
SELECT * FROM t3;
--echo
## Try to access non-encrypted table.
SELECT * FROM t5;
# Cleanup
DROP TABLE t1,t2,t3,t5,t12,t10;
--source include/force_restart.inc
--echo #End:
Reference in New Issue View Git Blame Copy Permalink