MDEV-17230: encryption_key_id from alter is ignored by encryption threadsbb-10.1-MDEV-17230

Background: Used encryption key_id is stored to encryption metadata i.e. crypt_data that is stored on page 0 of the tablespace of the table. crypt_data is created only if implicit encryption/not encryption is requested i.e. ENCRYPTED=[YES|NO] table option is used fil_create_new_single_table_tablespace on fil0fil.cc. Later if encryption is enabled all tables that use default encryption mode (i.e. no encryption table option is set) are encrypted with default encryption key_id that is 1. See fil_crypt_start_encrypting_space on fil0crypt.cc. ha_innobase::check_table_options() If default encryption is used and encryption is disabled, you may not use nondefault encryption_key_id as it is not stored anywhere.
author: Jan Lindström <jan.lindstrom@mariadb.com> 2018-10-10 18:25:53 +0300
committer: Jan Lindström <jan.lindstrom@mariadb.com> 2018-10-10 18:25:53 +0300
commit: 0bafdc478c4ab8c577331b950dc7719abd6781c1 (patch)
tree: bd09be88f13ab64c369c9aafd7869b36d6c0a8af
parent: 3c3c4ae22545d3242a8b7c4f2bec3bf2d245890a (diff)
download: mariadb-git-bb-10.1-MDEV-17230.tar.gz
4 files changed, 81 insertions, 26 deletions
diff --git a/mysql-test/suite/encryption/r/innodb-encryption-alter.result b/mysql-test/suite/encryption/r/innodb-encryption-alter.result
index 9ff0f492034..75417074fb0 100644
--- a/mysql-test/suite/encryption/r/innodb-encryption-alter.result
+++ b/mysql-test/suite/encryption/r/innodb-encryption-alter.result
@@ -50,3 +50,40 @@ Warning	140	InnoDB: ENCRYPTION_KEY_ID 99 not available
 Error	1478	Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
 set innodb_default_encryption_key_id = 1;
 drop table t1,t2;
+SET GLOBAL innodb_encrypt_tables=OFF;
+CREATE TABLE t1 (a int not null primary key) engine=innodb;
+ALTER TABLE t1 ENCRYPTION_KEY_ID=4;
+ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
+SHOW WARNINGS;
+Level	Code	Message
+Warning	140	InnoDB: Incorrect ENCRYPTION_KEY_ID 4 when encryption is disabled
+Error	1478	Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
+SHOW CREATE TABLE t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `a` int(11) NOT NULL,
+  PRIMARY KEY (`a`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1
+DROP TABLE t1;
+CREATE TABLE t2 (a int not null primary key) engine=innodb;
+ALTER TABLE t2 ENCRYPTION_KEY_ID=4, ALGORITHM=COPY;
+ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
+SHOW WARNINGS;
+Level	Code	Message
+Warning	140	InnoDB: Incorrect ENCRYPTION_KEY_ID 4 when encryption is disabled
+Error	1005	Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
+Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB
+SHOW CREATE TABLE t2;
+Table	Create Table
+t2	CREATE TABLE `t2` (
+  `a` int(11) NOT NULL,
+  PRIMARY KEY (`a`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1
+DROP TABLE t2;
+CREATE TABLE t3 (a int not null primary key) engine=innodb ENCRYPTION_KEY_ID=4;
+ERROR HY000: Can't create table `test`.`t3` (errno: 140 "Wrong create options")
+SHOW WARNINGS;
+Level	Code	Message
+Warning	140	InnoDB: Incorrect ENCRYPTION_KEY_ID 4 when encryption is disabled
+Error	1005	Can't create table `test`.`t3` (errno: 140 "Wrong create options")
+Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB
diff --git a/mysql-test/suite/encryption/t/innodb-encryption-alter.test b/mysql-test/suite/encryption/t/innodb-encryption-alter.test
index 9420fb74a4c..9465226dd96 100644
--- a/mysql-test/suite/encryption/t/innodb-encryption-alter.test
+++ b/mysql-test/suite/encryption/t/innodb-encryption-alter.test
@@ -87,6 +87,30 @@ connection default;
 
 drop table t1,t2;
 
+#
+# MDEV-17230: encryption_key_id from alter is ignored by encryption threads
+#
+SET GLOBAL innodb_encrypt_tables=OFF;
+CREATE TABLE t1 (a int not null primary key) engine=innodb;
+--error ER_ILLEGAL_HA_CREATE_OPTION
+ALTER TABLE t1 ENCRYPTION_KEY_ID=4;
+SHOW WARNINGS;
+SHOW CREATE TABLE t1;
+DROP TABLE t1;
+
+CREATE TABLE t2 (a int not null primary key) engine=innodb;
+--replace_regex /#sql-[0-9a-f_]*`/#sql-temporary`/
+--error ER_CANT_CREATE_TABLE
+ALTER TABLE t2 ENCRYPTION_KEY_ID=4, ALGORITHM=COPY;
+--replace_regex /#sql-[0-9a-f_]*`/#sql-temporary`/
+SHOW WARNINGS;
+SHOW CREATE TABLE t2;
+DROP TABLE t2;
+
+--error ER_CANT_CREATE_TABLE
+CREATE TABLE t3 (a int not null primary key) engine=innodb ENCRYPTION_KEY_ID=4;
+SHOW WARNINGS;
+
 # reset system
 --disable_query_log
 EVAL SET GLOBAL innodb_file_per_table = $innodb_file_per_table_orig;
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
index 084272124b7..50c081b960e 100644
--- a/storage/innobase/handler/ha_innodb.cc
+++ b/storage/innobase/handler/ha_innodb.cc
@@ -11958,21 +11958,18 @@ ha_innobase::check_table_options(
 		options->encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY;
 	}
 
-	/* If default encryption is used make sure that used kay is found
-	from key file. */
+	/* If default encryption is used and encryption is disabled, you may
+	not use nondefault encryption_key_id as it is not stored anywhere. */
 	if (encrypt == FIL_ENCRYPTION_DEFAULT &&
-		!srv_encrypt_tables &&
-		options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
-		if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) {
-			push_warning_printf(
-				thd, Sql_condition::WARN_LEVEL_WARN,
-				HA_WRONG_CREATE_OPTION,
-				"InnoDB: ENCRYPTION_KEY_ID %u not available",
-				(uint)options->encryption_key_id
+	    !srv_encrypt_tables &&
+	    options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
+		push_warning_printf(
+			thd, Sql_condition::WARN_LEVEL_WARN,
+			HA_WRONG_CREATE_OPTION,
+			"InnoDB: Incorrect ENCRYPTION_KEY_ID %u when encryption is disabled",
+			(uint)options->encryption_key_id
 			);
-			return "ENCRYPTION_KEY_ID";
-
-		}
+		return "ENCRYPTION_KEY_ID";
 	}
 
 	/* Check atomic writes requirements */
diff --git a/storage/xtradb/handler/ha_innodb.cc b/storage/xtradb/handler/ha_innodb.cc
index fa63ed58292..896a230ab6b 100644
--- a/storage/xtradb/handler/ha_innodb.cc
+++ b/storage/xtradb/handler/ha_innodb.cc
@@ -12524,21 +12524,18 @@ ha_innobase::check_table_options(
 		options->encryption_key_id = FIL_DEFAULT_ENCRYPTION_KEY;
 	}
 
-	/* If default encryption is used make sure that used kay is found
-	from key file. */
+	/* If default encryption is used and encryption is disabled, you may
+	not use nondefault encryption_key_id as it is not stored anywhere. */
 	if (encrypt == FIL_ENCRYPTION_DEFAULT &&
-		!srv_encrypt_tables &&
-		options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
-		if (!encryption_key_id_exists((unsigned int)options->encryption_key_id)) {
-			push_warning_printf(
-				thd, Sql_condition::WARN_LEVEL_WARN,
-				HA_WRONG_CREATE_OPTION,
-				"InnoDB: ENCRYPTION_KEY_ID %u not available",
-				(uint)options->encryption_key_id
+	    !srv_encrypt_tables &&
+	    options->encryption_key_id != FIL_DEFAULT_ENCRYPTION_KEY) {
+		push_warning_printf(
+			thd, Sql_condition::WARN_LEVEL_WARN,
+			HA_WRONG_CREATE_OPTION,
+			"InnoDB: Incorrect ENCRYPTION_KEY_ID %u when encryption is disabled",
+			(uint)options->encryption_key_id
 			);
-			return "ENCRYPTION_KEY_ID";
-
-		}
+		return "ENCRYPTION_KEY_ID";
 	}
 
 	/* Check atomic writes requirements */
author	Jan Lindström <jan.lindstrom@mariadb.com>	2018-10-10 18:25:53 +0300
committer	Jan Lindström <jan.lindstrom@mariadb.com>	2018-10-10 18:25:53 +0300
commit	0bafdc478c4ab8c577331b950dc7719abd6781c1 (patch)
tree	bd09be88f13ab64c369c9aafd7869b36d6c0a8af
parent	3c3c4ae22545d3242a8b7c4f2bec3bf2d245890a (diff)
download	mariadb-git-bb-10.1-MDEV-17230.tar.gz