revision-id: 494dfb14f29faa066926f87545a173ad676e669b (mariadb-10.1.37-7-g494dfb14f29) parent(s): ef40018535b71f0a4387fa6c1cc22e9991dfc0db author: Jan Lindström committer: Jan Lindström timestamp: 2018-11-07 09:41:08 +0200 message: MDEV-17229: Encryption threads ignore innodb_default_encryption_key_id Background: Original idea of this variable was to be used when table is created. However, this is not clearly documented. Cases: (1) create table t1(a) engine=innodb encrypted=yes. This case worked correctly as encryption metadata is created when table is created. (2) create table t1(a) engine=innodb; This case used global default key_id i.e. 1 not user defined innodb_default_encryption_key_id (3) create table t1(a) engine=innodb encrypted=no. No key_id is used so warning should be issued when nondefault key_id is used. Solution: Use default_encryption_key_id if defined when creating encryption metadata for unencrypted to encrypted key rotation. fil0crypt.cc::fil_crypt_start_encrypting_space() Use global default encryption key_id if defined when creating crypt_data for unencrypted => encrypted key rotation. ha_innodb.cc::innodb_default_encryption_key_id_update ha_innodb.cc::innodb_default_encryption_key_id_validate Add update and validate callbacks for variable innodb_default_encryption_key_id and make sure user can't define it to value that does not exist on encryption plugin. ha_innodb.cc::check_table_options() We should not allow nondefault encryption key_id when encryption is disabled as it will be never used. srv0srv.h srv0srv.cc Add global srv_default_encryption_key_id where current key_id is stored. This is needed as encryption threads do not have THD. 
--- .../encryption/r/innodb-checksum-algorithm.result | 2 +- .../encryption/r/innodb-compressed-blob.result | 2 + .../encryption/r/innodb-encryption-alter.result | 17 ------ .../r/innodb_encryption_default_key.result | 29 +++++++++ .../encryption/t/innodb-checksum-algorithm.test | 2 +- .../encryption/t/innodb-encryption-alter.test | 7 --- .../encryption/t/innodb_encryption_default_key.opt | 1 + .../t/innodb_encryption_default_key.test | 45 ++++++++++++++ storage/innobase/fil/fil0crypt.cc | 4 +- storage/innobase/handler/ha_innodb.cc | 68 +++++++++++++++++++++- storage/innobase/include/srv0srv.h | 5 +- storage/innobase/srv/srv0srv.cc | 5 +- storage/xtradb/fil/fil0crypt.cc | 4 +- storage/xtradb/handler/ha_innodb.cc | 68 +++++++++++++++++++++- storage/xtradb/include/srv0srv.h | 5 +- storage/xtradb/srv/srv0srv.cc | 5 +- 16 files changed, 231 insertions(+), 38 deletions(-) diff --git a/mysql-test/suite/encryption/r/innodb-checksum-algorithm.result b/mysql-test/suite/encryption/r/innodb-checksum-algorithm.result index a853f3869a9..b3deac98e3c 100644 --- a/mysql-test/suite/encryption/r/innodb-checksum-algorithm.result +++ b/mysql-test/suite/encryption/r/innodb-checksum-algorithm.result @@ -10,7 +10,7 @@ SET GLOBAL innodb_encrypt_tables = ON; SET GLOBAL innodb_encryption_threads = 4; call mtr.add_suppression("InnoDB: innodb_checksum_algorithm is set to \"strict_(crc32|none|innodb)\" but the page \\[page id: space=[0-9]+, page number=[0-9]+\\] contains a valid checksum \"(innodb|none|crc32)\""); SET GLOBAL innodb_checksum_algorithm = innodb; -SET GLOBAL innodb_default_encryption_key_id=4; +SET GLOBAL innodb_default_encryption_key_id=1; SET GLOBAL innodb_checksum_algorithm=crc32; create table tce_crc32(a serial, b blob, index(b(10))) engine=innodb ROW_FORMAT=COMPRESSED encrypted=yes; diff --git a/mysql-test/suite/encryption/r/innodb-compressed-blob.result b/mysql-test/suite/encryption/r/innodb-compressed-blob.result index ce73b80820f..a6f4856fdbb 100644 
--- a/mysql-test/suite/encryption/r/innodb-compressed-blob.result +++ b/mysql-test/suite/encryption/r/innodb-compressed-blob.result @@ -7,6 +7,8 @@ set GLOBAL innodb_default_encryption_key_id=4; create table t1(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed; create table t2(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed encrypted=yes; create table t3(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed encrypted=no; +Warnings: +Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 4 when encryption is disabled insert into t1 values (1, repeat('secret',6000)); insert into t2 values (1, repeat('secret',6000)); insert into t3 values (1, repeat('secret',6000)); diff --git a/mysql-test/suite/encryption/r/innodb-encryption-alter.result b/mysql-test/suite/encryption/r/innodb-encryption-alter.result index 5245d1da7d0..9d4fd0583c3 100644 --- a/mysql-test/suite/encryption/r/innodb-encryption-alter.result +++ b/mysql-test/suite/encryption/r/innodb-encryption-alter.result 
@@ -6,21 +6,6 @@ CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNOD Warnings: Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 4 when encryption is disabled DROP TABLE t1; -set innodb_default_encryption_key_id = 99; -CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB; -ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options") -SHOW WARNINGS; -Level Code Message -Warning 140 InnoDB: ENCRYPTION_KEY_ID 99 not available -Error 1005 Can't create table `test`.`t1` (errno: 140 "Wrong create options") -Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB -CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; -ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options") -SHOW WARNINGS; -Level Code Message -Warning 140 InnoDB: ENCRYPTION_KEY_ID 99 not available -Error 1005 Can't create table `test`.`t1` (errno: 140 "Wrong create options") -Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB set innodb_default_encryption_key_id = 4; CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; SHOW CREATE TABLE t1; @@ -40,8 +25,6 @@ t1 CREATE TABLE `t1` ( PRIMARY KEY (`pk`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4 CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1; -Warnings: -Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 1 when encryption is disabled ALTER TABLE t1 ENCRYPTION_KEY_ID=99; ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID' SHOW WARNINGS; diff --git a/mysql-test/suite/encryption/r/innodb_encryption_default_key.result b/mysql-test/suite/encryption/r/innodb_encryption_default_key.result new file mode 100644 index 00000000000..f97af5e45a9 --- /dev/null 
+++ b/mysql-test/suite/encryption/r/innodb_encryption_default_key.result
@@ -0,0 +1,29 @@
+SET GLOBAL innodb_file_format = `Barracuda`;
+SET GLOBAL innodb_file_per_table = ON;
+SET GLOBAL innodb_encrypt_tables = OFF;
+SET GLOBAL innodb_default_encryption_key_id = 1;
+create table t1 (a int not null primary key) engine=InnoDB;
+SET GLOBAL innodb_default_encryption_key_id = 999;
+ERROR 42000: Variable 'innodb_default_encryption_key_id' can't be set to the value of '999'
+SHOW WARNINGS;
+Level Code Message
+Warning 1210 InnoDB: innodb_default_encryption_key_id=999 not available in encryption plugin
+Error 1231 Variable 'innodb_default_encryption_key_id' can't be set to the value of '999'
+SET GLOBAL innodb_default_encryption_key_id = 4;
+SET GLOBAL innodb_encryption_threads = 4;
+SET GLOBAL innodb_encrypt_tables = ON;
+SELECT NAME,CURRENT_KEY_ID,MIN_KEY_VERSION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0 ORDER BY NAME;
+NAME CURRENT_KEY_ID MIN_KEY_VERSION
+SELECT NAME,CURRENT_KEY_ID,MIN_KEY_VERSION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0 ORDER BY NAME;
+NAME CURRENT_KEY_ID MIN_KEY_VERSION
+./ibdata1 4 1
+mysql/innodb_index_stats 4 1
+mysql/innodb_table_stats 4 1
+test/t1 4 1
+# Success!
+DROP TABLE t1;
+SET GLOBAL innodb_encryption_threads = DEFAULT;
+SET GLOBAL innodb_encrypt_tables = DEFAULT;
+SET GLOBAL innodb_file_format = DEFAULT;
+SET GLOBAL innodb_file_per_table = DEFAULT;
+SET GLOBAL innodb_default_encryption_key_id = DEFAULT;
diff --git a/mysql-test/suite/encryption/t/innodb-checksum-algorithm.test b/mysql-test/suite/encryption/t/innodb-checksum-algorithm.test
index d0caed05006..f4093bae81e 100644
--- a/mysql-test/suite/encryption/t/innodb-checksum-algorithm.test
+++ b/mysql-test/suite/encryption/t/innodb-checksum-algorithm.test
@@ -16,7 +16,7 @@ SET GLOBAL innodb_encryption_threads = 4; call mtr.add_suppression("InnoDB: innodb_checksum_algorithm is set to \"strict_(crc32|none|innodb)\" but the page \\[page id: space=[0-9]+, page number=[0-9]+\\] contains a valid checksum \"(innodb|none|crc32)\""); SET GLOBAL innodb_checksum_algorithm = innodb; -SET GLOBAL innodb_default_encryption_key_id=4; +SET GLOBAL innodb_default_encryption_key_id=1; let MYSQLD_DATADIR =`SELECT @@datadir`; diff --git a/mysql-test/suite/encryption/t/innodb-encryption-alter.test b/mysql-test/suite/encryption/t/innodb-encryption-alter.test index 9465226dd96..b4a432406d9 100644 --- a/mysql-test/suite/encryption/t/innodb-encryption-alter.test +++ b/mysql-test/suite/encryption/t/innodb-encryption-alter.test @@ -19,13 +19,6 @@ SET GLOBAL innodb_encryption_threads = 4; CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4; DROP TABLE t1; -set innodb_default_encryption_key_id = 99; ---error 1005 -CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB; -SHOW WARNINGS; ---error 1005 -CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; -SHOW WARNINGS; set innodb_default_encryption_key_id = 4; CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES; SHOW CREATE TABLE t1; diff --git a/mysql-test/suite/encryption/t/innodb_encryption_default_key.opt b/mysql-test/suite/encryption/t/innodb_encryption_default_key.opt new file mode 100644 index 00000000000..7d3f2da7971 --- /dev/null +++ b/mysql-test/suite/encryption/t/innodb_encryption_default_key.opt @@ -0,0 +1 @@ +--innodb-tablespaces-encryption diff --git a/mysql-test/suite/encryption/t/innodb_encryption_default_key.test b/mysql-test/suite/encryption/t/innodb_encryption_default_key.test new file mode 100644 index 00000000000..ece0823d0c2 --- /dev/null 
+++ b/mysql-test/suite/encryption/t/innodb_encryption_default_key.test
@@ -0,0 +1,45 @@
+-- source include/have_innodb.inc
+-- source include/have_file_key_management_plugin.inc
+
+--disable_query_log
+let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
+let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`;
+--enable_query_log
+
+--disable_warnings
+SET GLOBAL innodb_file_format = `Barracuda`;
+SET GLOBAL innodb_file_per_table = ON;
+--enable_warnings
+
+SET GLOBAL innodb_encrypt_tables = OFF;
+SET GLOBAL innodb_default_encryption_key_id = 1;
+
+create table t1 (a int not null primary key) engine=InnoDB;
+
+# Do not allow setting default key to key_id that is not found
+--error ER_WRONG_VALUE_FOR_VAR
+SET GLOBAL innodb_default_encryption_key_id = 999;
+SHOW WARNINGS;
+
+SET GLOBAL innodb_default_encryption_key_id = 4;
+SET GLOBAL innodb_encryption_threads = 4;
+SET GLOBAL innodb_encrypt_tables = ON;
+
+--let $tables_count= `select count(*) from information_schema.tables where engine = 'InnoDB'`
+--let $wait_condition=SELECT COUNT(*) = $tables_count + 1 FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0 AND ROTATING_OR_FLUSHING = 0;
+--source include/wait_condition.inc
+
+SELECT NAME,CURRENT_KEY_ID,MIN_KEY_VERSION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0 ORDER BY NAME;
+SELECT NAME,CURRENT_KEY_ID,MIN_KEY_VERSION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0 ORDER BY NAME;
+
+--echo # Success!
+
+DROP TABLE t1;
+
+--disable_warnings
+SET GLOBAL innodb_encryption_threads = DEFAULT;
+SET GLOBAL innodb_encrypt_tables = DEFAULT;
+SET GLOBAL innodb_file_format = DEFAULT;
+SET GLOBAL innodb_file_per_table = DEFAULT;
+SET GLOBAL innodb_default_encryption_key_id = DEFAULT;
+--enable_warnings
diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc
index 7859fe67d40..e81e25378a5 100644
--- a/storage/innobase/fil/fil0crypt.cc
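Review bot: innodb_encryption_default_key.test covers only `SET GLOBAL` with a single unavailable key id (999), while this commit also deletes the session-scope `set innodb_default_encryption_key_id = 99` cases from innodb-encryption-alter.test, so nothing left checks that a session-level assignment of a missing key is refused. I would add `--error ER_WRONG_VALUE_FOR_VAR` followed by `SET SESSION innodb_default_encryption_key_id = 999;`, plus the same pattern for values outside the declared range (0, a negative number, and one above UINT_MAX32), since the new validate callback is now the only gate for this key selection. `$innodb_file_format_orig` and `$innodb_file_per_table_orig` are saved at the top but never read; the cleanup restores with `DEFAULT`, so either use them or drop the two `let` lines.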
+++ b/storage/innobase/fil/fil0crypt.cc @@ -1064,7 +1064,9 @@ fil_crypt_start_encrypting_space( * crypt data in page 0 */ /* 1 - create crypt data */ - crypt_data = fil_space_create_crypt_data(FIL_ENCRYPTION_DEFAULT, FIL_DEFAULT_ENCRYPTION_KEY); + crypt_data = fil_space_create_crypt_data(FIL_ENCRYPTION_DEFAULT, + srv_default_encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY + ? srv_default_encryption_key_id : FIL_DEFAULT_ENCRYPTION_KEY); if (crypt_data == NULL) { mutex_exit(&fil_crypt_threads_mutex); diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc index b3a830e47c3..7ef73decace 100644 --- a/storage/innobase/handler/ha_innodb.cc +++ b/storage/innobase/handler/ha_innodb.cc 
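Review bot: The conditional passed as the key id in fil_crypt_start_encrypting_space is redundant, because both arms evaluate to the current value of `srv_default_encryption_key_id`; `crypt_data = fil_space_create_crypt_data(FIL_ENCRYPTION_DEFAULT, srv_default_encryption_key_id);` states the same thing plainly. Apart from its initialiser, nothing visible in this diff assigns the global except the SET update callback, so a key id supplied at server startup may never reach the encryption threads (not verifiable from these lines); it is worth confirming it is initialised during InnoDB startup and adding the option to the test's .opt file. The id is validated only when the variable is set, not here, so a short comment such as `/* key_id was checked against the encryption plugin when the variable was set */` would record that assumption. The function continues outside the hunk, and the storage/xtradb/fil/fil0crypt.cc hunk has the same lines.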
@@ -685,9 +685,71 @@ static int mysql_tmpfile_path(const char *path, const char *prefix) static void innodb_remember_check_sysvar_funcs(); mysql_var_check_func check_sysvar_enum; +/** Update the system variable srv_default_encryption_key_id using +the "saved" value. This function is registered as a callback with MySQL. +@param[in,out] thd thread handle +@param[in] var pointer to system variable +@param[out] save immediate result for update +@param[in] value incoming string +*/ +static +void +innodb_default_encryption_key_id_update( + THD* thd, + struct st_mysql_sys_var* var, + void* var_ptr, + const void* save) +{ + *reinterpret_cast<uint*>(var_ptr) + = srv_default_encryption_key_id + = (*static_cast<const uint*>(save)); +} + +/** Validate passed-in "value" is a valid encryption key_id +found from encryption plugin. +This function is registered as a callback with MySQL. +@param[in,out] thd thread handle +@param[in] var pointer to system variable +@param[out] save immediate result for validate +@param[in] value incoming string +@return 0 for valid key_id */ +static +int +innodb_default_encryption_key_id_validate( + THD* thd, + struct st_mysql_sys_var* var, + void* save, + struct st_mysql_value* value) +{ + long long key_id_buf; + uint key_id; + + if (value->val_int(value, &key_id_buf)) { + /* The value is NULL. That is invalid. */ + return(1); + } + + *reinterpret_cast<uint*>(save) = key_id = static_cast<uint>(key_id_buf); + + /* Default encryption key_id must be found from encryption + plugin keys. 
*/ + if (key_id != FIL_DEFAULT_ENCRYPTION_KEY + && !encryption_key_id_exists(key_id)) { + push_warning_printf( + thd, Sql_condition::WARN_LEVEL_WARN, + ER_WRONG_ARGUMENTS, + "InnoDB: innodb_default_encryption_key_id=%u not available in encryption plugin", + key_id); + return (1); + } + + return(0); +} + static MYSQL_THDVAR_UINT(default_encryption_key_id, PLUGIN_VAR_RQCMDARG, "Default encryption key id used for table encryption.", - NULL, NULL, + innodb_default_encryption_key_id_validate, + innodb_default_encryption_key_id_update, FIL_DEFAULT_ENCRYPTION_KEY, 1, UINT_MAX32, 0); /** @@ -11947,8 +12009,8 @@ ha_innobase::check_table_options( } /* Ignore nondefault key_id if encryption is set off */ - if (encrypt == FIL_ENCRYPTION_OFF && - options->encryption_key_id != THDVAR(thd, default_encryption_key_id)) { + if (encrypt == FIL_ENCRYPTION_OFF + && options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) { push_warning_printf( thd, Sql_condition::WARN_LEVEL_WARN, HA_WRONG_CREATE_OPTION, diff --git a/storage/innobase/include/srv0srv.h b/storage/innobase/include/srv0srv.h index 09af0b2cdd2..804b1a8f66c 100644 --- a/storage/innobase/include/srv0srv.h +++ b/storage/innobase/include/srv0srv.h @@ -3,7 +3,7 @@ Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved. Copyright (c) 2008, 2009, Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2017, MariaDB Corporation. +Copyright (c) 2013, 2018, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -367,6 +367,9 @@ extern ulong srv_flush_log_at_trx_commit; extern uint srv_flush_log_at_timeout; extern char srv_adaptive_flushing; +/* Default encryption key_id */ +extern uint srv_default_encryption_key_id; + #ifdef WITH_INNODB_DISALLOW_WRITES /* When this event is reset we do not allow any file writes to take place. */ extern os_event_t srv_allow_writes_event; 
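Review bot: In `innodb_default_encryption_key_id_validate`, `static_cast<uint>(key_id_buf)` narrows the `long long` returned by `val_int()` with no range check, so a negative or oversized value can wrap to a key id that exists and be accepted; as far as I know a custom check callback replaces the built-in bounds handling, so the declared `1, UINT_MAX32` limits would not be applied. Reject before the cast, e.g. `if (key_id_buf < 1 || key_id_buf > UINT_MAX32) { return(1); }`. Separately, the variable is declared with `MYSQL_THDVAR_UINT` and `innodb_default_encryption_key_id_update` writes the process-wide `srv_default_encryption_key_id` unconditionally; if the callback also runs for a session-scope SET (likely, to be confirmed), any session could change the key the background encryption threads apply to every tablespace, so the global should only follow a GLOBAL assignment or the variable should be global-only. The doc comment on the update callback lists `save` and `value` while the parameters are `var_ptr` and `save`. The identical hunk in storage/xtradb/handler/ha_innodb.cc needs the same changes.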
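Review bot: The comment `/* Ignore nondefault key_id if encryption is set off */` in check_table_options no longer describes when the warning appears: with the comparison against `FIL_DEFAULT_ENCRYPTION_KEY`, it fires whenever the effective key id differs from the built-in default, even if the statement never mentions ENCRYPTION_KEY_ID. innodb-compressed-blob.result in this commit shows it for `create table t3 ... encrypted=no` after only the global default was set to 4. I would reword it to `/* Warn when a key_id other than FIL_DEFAULT_ENCRYPTION_KEY is in effect (explicit or inherited from innodb_default_encryption_key_id) while encryption is off */` so operators reading the warning know it may come from the default rather than from their DDL. The function starts and ends outside the hunk; the storage/xtradb/handler/ha_innodb.cc hunk is the same.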
diff --git a/storage/innobase/srv/srv0srv.cc b/storage/innobase/srv/srv0srv.cc index 87f9064c14e..f9fbc874f30 100644 --- a/storage/innobase/srv/srv0srv.cc +++ b/storage/innobase/srv/srv0srv.cc @@ -3,7 +3,7 @@ Copyright (c) 1995, 2017, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2017, MariaDB Corporation. +Copyright (c) 2013, 2018, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -225,6 +225,9 @@ UNIV_INTERN uint srv_flush_log_at_timeout = 1; UNIV_INTERN ulong srv_page_size = UNIV_PAGE_SIZE_DEF; UNIV_INTERN ulong srv_page_size_shift = UNIV_PAGE_SIZE_SHIFT_DEF; +/* Default encryption key_id */ +UNIV_INTERN uint srv_default_encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY; + /* Try to flush dirty pages so as to avoid IO bursts at the checkpoints. */ UNIV_INTERN char srv_adaptive_flushing = TRUE; diff --git a/storage/xtradb/fil/fil0crypt.cc b/storage/xtradb/fil/fil0crypt.cc index 7859fe67d40..e81e25378a5 100644 --- a/storage/xtradb/fil/fil0crypt.cc +++ b/storage/xtradb/fil/fil0crypt.cc @@ -1064,7 +1064,9 @@ fil_crypt_start_encrypting_space( * crypt data in page 0 */ /* 1 - create crypt data */ - crypt_data = fil_space_create_crypt_data(FIL_ENCRYPTION_DEFAULT, FIL_DEFAULT_ENCRYPTION_KEY); + crypt_data = fil_space_create_crypt_data(FIL_ENCRYPTION_DEFAULT, + srv_default_encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY + ? srv_default_encryption_key_id : FIL_DEFAULT_ENCRYPTION_KEY); if (crypt_data == NULL) { mutex_exit(&fil_crypt_threads_mutex); diff --git a/storage/xtradb/handler/ha_innodb.cc b/storage/xtradb/handler/ha_innodb.cc index 05066512db9..26d9db5dd08 100644 --- a/storage/xtradb/handler/ha_innodb.cc +++ b/storage/xtradb/handler/ha_innodb.cc 
@@ -686,9 +686,71 @@ ib_cb_t innodb_api_cb[] = { static void innodb_remember_check_sysvar_funcs(); mysql_var_check_func check_sysvar_enum; +/** Update the system variable srv_default_encryption_key_id using +the "saved" value. This function is registered as a callback with MySQL. +@param[in,out] thd thread handle +@param[in] var pointer to system variable +@param[out] save immediate result for update +@param[in] value incoming string +*/ +static +void +innodb_default_encryption_key_id_update( + THD* thd, + struct st_mysql_sys_var* var, + void* var_ptr, + const void* save) +{ + *reinterpret_cast<uint*>(var_ptr) + = srv_default_encryption_key_id + = (*static_cast<const uint*>(save)); +} + +/** Validate passed-in "value" is a valid encryption key_id +found from encryption plugin. +This function is registered as a callback with MySQL. +@param[in,out] thd thread handle +@param[in] var pointer to system variable +@param[out] save immediate result for validate +@param[in] value incoming string +@return 0 for valid key_id */ +static +int +innodb_default_encryption_key_id_validate( + THD* thd, + struct st_mysql_sys_var* var, + void* save, + struct st_mysql_value* value) +{ + long long key_id_buf; + uint key_id; + + if (value->val_int(value, &key_id_buf)) { + /* The value is NULL. That is invalid. */ + return(1); + } + + *reinterpret_cast<uint*>(save) = key_id = static_cast<uint>(key_id_buf); + + /* Default encryption key_id must be found from encryption + plugin keys. 
*/ + if (key_id != FIL_DEFAULT_ENCRYPTION_KEY + && !encryption_key_id_exists(key_id)) { + push_warning_printf( + thd, Sql_condition::WARN_LEVEL_WARN, + ER_WRONG_ARGUMENTS, + "InnoDB: innodb_default_encryption_key_id=%u not available in encryption plugin", + key_id); + return (1); + } + + return(0); +} + static MYSQL_THDVAR_UINT(default_encryption_key_id, PLUGIN_VAR_RQCMDARG, "Default encryption key id used for table encryption.", - NULL, NULL, + innodb_default_encryption_key_id_validate, + innodb_default_encryption_key_id_update, FIL_DEFAULT_ENCRYPTION_KEY, 1, UINT_MAX32, 0); /** @@ -12514,8 +12576,8 @@ ha_innobase::check_table_options( } /* Ignore nondefault key_id if encryption is set off */ - if (encrypt == FIL_ENCRYPTION_OFF && - options->encryption_key_id != THDVAR(thd, default_encryption_key_id)) { + if (encrypt == FIL_ENCRYPTION_OFF + && options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) { push_warning_printf( thd, Sql_condition::WARN_LEVEL_WARN, HA_WRONG_CREATE_OPTION, diff --git a/storage/xtradb/include/srv0srv.h b/storage/xtradb/include/srv0srv.h index 6df60e0e52d..54aa4319f5b 100644 --- a/storage/xtradb/include/srv0srv.h +++ b/storage/xtradb/include/srv0srv.h @@ -3,7 +3,7 @@ Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved. Copyright (c) 2008, 2009, Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2017, MariaDB Corporation. +Copyright (c) 2013, 2018, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -400,6 +400,9 @@ extern uint srv_flush_log_at_timeout; extern char srv_use_global_flush_log_at_trx_commit; extern char srv_adaptive_flushing; +/* Default encryption key_id */ +extern uint srv_default_encryption_key_id; + #ifdef WITH_INNODB_DISALLOW_WRITES /* When this event is reset we do not allow any file writes to take place. */ extern os_event_t srv_allow_writes_event; 
diff --git a/storage/xtradb/srv/srv0srv.cc b/storage/xtradb/srv/srv0srv.cc index 0133b17fada..b6e0ea1e937 100644 --- a/storage/xtradb/srv/srv0srv.cc +++ b/storage/xtradb/srv/srv0srv.cc @@ -3,7 +3,7 @@ Copyright (c) 1995, 2017, Oracle and/or its affiliates. All Rights Reserved. Copyright (c) 2008, 2009 Google Inc. Copyright (c) 2009, Percona Inc. -Copyright (c) 2013, 2017, MariaDB Corporation. +Copyright (c) 2013, 2018, MariaDB Corporation. Portions of this file contain modifications contributed and copyrighted by Google, Inc. Those modifications are gratefully acknowledged and are described @@ -254,6 +254,9 @@ UNIV_INTERN ulong srv_page_size = UNIV_PAGE_SIZE_DEF; UNIV_INTERN ulong srv_page_size_shift = UNIV_PAGE_SIZE_SHIFT_DEF; UNIV_INTERN char srv_use_global_flush_log_at_trx_commit = TRUE; +/* Default encryption key_id */ +UNIV_INTERN uint srv_default_encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY; + /* Try to flush dirty pages so as to avoid IO bursts at the checkpoints. */ UNIV_INTERN char srv_adaptive_flushing = TRUE;