-rw-r--r-- | mysql-test/suite/encryption/r/innodb-key-rotation-disable.result | 4 | ||||
-rw-r--r-- | mysql-test/suite/encryption/t/innodb-key-rotation-disable.test | 3 | ||||
-rw-r--r-- | storage/innobase/fil/fil0crypt.cc | 22 | ||||
-rw-r--r-- | storage/innobase/fil/fil0fil.cc | 5 | ||||
-rw-r--r-- | storage/innobase/include/fil0crypt.h | 4 |
5 files changed, 26 insertions, 12 deletions
diff --git a/mysql-test/suite/encryption/r/innodb-key-rotation-disable.result b/mysql-test/suite/encryption/r/innodb-key-rotation-disable.result
index 02304fbda17..4e816bea43b 100644
--- a/mysql-test/suite/encryption/r/innodb-key-rotation-disable.result
+++ b/mysql-test/suite/encryption/r/innodb-key-rotation-disable.result
@@ -1,7 +1,3 @@
-SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
-NAME
-SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
-NAME
 SET GLOBAL innodb_file_per_table = ON;
 set global innodb_compression_algorithm = 1;
 create database enctests;
diff --git a/mysql-test/suite/encryption/t/innodb-key-rotation-disable.test b/mysql-test/suite/encryption/t/innodb-key-rotation-disable.test
index dffabaf97f1..96b62f7c05b 100644
--- a/mysql-test/suite/encryption/t/innodb-key-rotation-disable.test
+++ b/mysql-test/suite/encryption/t/innodb-key-rotation-disable.test
@@ -3,9 +3,6 @@
 # not embedded because of restarts
 -- source include/not_embedded.inc
-SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0;
-SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0;
-
 let $encryption = `SELECT @@innodb_encrypt_tables`;
 SET GLOBAL innodb_file_per_table = ON;
 # zlib
diff --git a/storage/innobase/fil/fil0crypt.cc b/storage/innobase/fil/fil0crypt.cc
index 5931c820064..ba631703308 100644
--- a/storage/innobase/fil/fil0crypt.cc
+++ b/storage/innobase/fil/fil0crypt.cc
@@ -55,6 +55,9 @@ UNIV_INTERN uint srv_n_fil_crypt_threads_started = 0;
 /** At this age or older a space/page will be rotated */
 UNIV_INTERN uint srv_fil_crypt_rotate_key_age;
+/** Whether the encryption does key rotation */
+static std::atomic<bool> srv_encrypt_rotate;
+
 /** Condition variable for srv_n_fil_crypt_threads_started */
 static pthread_cond_t fil_crypt_cond;
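Review bot: The comment on `srv_encrypt_rotate` in the fil0crypt.cc hunk does not say that the flag is a one-way latch: the only store visible in this commit sets it to true and nothing clears it, so a single observation decides the rotation strategy for the rest of the process. I would state that in the comment and initialise the flag explicitly instead of relying on static zero-initialisation, `static std::atomic<bool> srv_encrypt_rotate{false};`, with a comment along the lines of `/** Set once, and never cleared, when the encryption plugin has returned a key version above srv_fil_crypt_rotate_key_age */`. The hunk does not show an include of the atomic header, so it is presumably pulled in indirectly; worth confirming.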
@@ -136,6 +139,12 @@ fil_space_crypt_t::key_get_latest_version(void)
 key_version = encryption_key_get_latest_version(key_id);
 srv_stats.n_key_requests.inc();
 key_found = key_version;
+ /* Encryption plugin is capable of doing key
+ version rotation */
+ if (key_version > srv_fil_crypt_rotate_key_age) {
+ srv_encrypt_rotate.store(
+ true, std::memory_order_relaxed);
+ }
 }
 return key_version;
@@ -1475,6 +1484,15 @@ inline fil_space_t *fil_system_t::keyrotate_next(fil_space_t *space,
 return nullptr;
 }
+/** If the encryption doesn't have key rotation age variable or
+can't rotate then the tablespace should be added to rotation list. */
+bool fil_crypt_enable_rotation_list()
+{
+ return !srv_fil_crypt_rotate_key_age ||
+ !srv_encrypt_rotate.load(std::memory_order_relaxed);
+}
+
+
 /** Determine the next tablespace for encryption key rotation.
 @param space current tablespace (nullptr to start from the beginning)
 @param recheck whether the removal condition needs to be rechecked after
@@ -1488,7 +1506,7 @@ space_list_t::iterator fil_space_t::next(space_list_t::iterator space,
 {
 mysql_mutex_lock(&fil_system.mutex);
- if (!srv_fil_crypt_rotate_key_age)
+ if (fil_crypt_enable_rotation_list())
 {
 fil_space_t *next_space= fil_system.keyrotate_next( space != fil_system.space_list.end() ? &*space : nullptr, recheck,
@@ -2279,7 +2297,7 @@ void fil_crypt_set_encrypt_tables(ulong val)
 mysql_mutex_lock(&fil_system.mutex);
 srv_encrypt_tables= val;
- if (srv_fil_crypt_rotate_key_age == 0)
+ if (fil_crypt_enable_rotation_list())
 fil_crypt_rotation_list_fill();
 mysql_mutex_unlock(&fil_system.mutex);
diff --git a/storage/innobase/fil/fil0fil.cc b/storage/innobase/fil/fil0fil.cc
index 39e01cb67c6..5949483dea2 100644
--- a/storage/innobase/fil/fil0fil.cc
+++ b/storage/innobase/fil/fil0fil.cc
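Review bot: The new `key_version > srv_fil_crypt_rotate_key_age` test in key_get_latest_version() accepts any large return value as proof that the plugin rotates keys, including an error return. MariaDB's encryption service reports a failed lookup as ENCRYPTION_KEY_VERSION_INVALID (all bits set), which compares greater than every age setting. One failed lookup would therefore latch `srv_encrypt_rotate` to true and make fil_crypt_enable_rotation_list() return false for as long as the age setting is non-zero. Unless the enclosing condition, which starts outside this hunk, already rules that value out, guard the store: `if (key_version != ENCRYPTION_KEY_VERSION_INVALID && key_version > srv_fil_crypt_rotate_key_age) {`.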
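Review bot: The doc comment on fil_crypt_enable_rotation_list() says nothing about locking or about the result changing while the server runs, although the function reads the plain `uint srv_fil_crypt_rotate_key_age` next to the atomic flag. The three call sites in this commit (fil_space_t::next(), fil_crypt_set_encrypt_tables() and fil_space_t::create()) appear to call it with fil_system.mutex held, while the store in key_get_latest_version() shows no mutex, so the answer can go from true to false between two calls. Tablespaces that create() has already pushed onto rotation_list then stay there while next() stops calling keyrotate_next(); whether anything else removes them is not visible on this page. I would document that on the function, for example `@return whether tablespaces are tracked in fil_system.rotation_list; the result can change at runtime, callers hold fil_system.mutex`, and repeat the same text on the declaration in fil0crypt.h.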
@@ -994,8 +994,7 @@ fil_space_t *fil_space_t::create(ulint id, ulint flags,
 const bool rotate= purpose == FIL_TYPE_TABLESPACE && (mode == FIL_ENCRYPTION_ON || mode == FIL_ENCRYPTION_OFF || srv_encrypt_tables)
- && !srv_fil_crypt_rotate_key_age
- && srv_n_fil_crypt_threads_started;
+ && fil_crypt_enable_rotation_list();
 if (rotate) {
 fil_system.rotation_list.push_back(*space);
@@ -1004,7 +1003,7 @@ fil_space_t *fil_space_t::create(ulint id, ulint flags,
 mysql_mutex_unlock(&fil_system.mutex);
- if (rotate) {
+ if (rotate && srv_n_fil_crypt_threads_started) {
 fil_crypt_threads_signal();
 }
diff --git a/storage/innobase/include/fil0crypt.h b/storage/innobase/include/fil0crypt.h
index c90360571fa..f26a9f32966 100644
--- a/storage/innobase/include/fil0crypt.h
+++ b/storage/innobase/include/fil0crypt.h
@@ -430,6 +430,10 @@ void fil_crypt_total_stat( fil_crypt_stat_t *stat);
+/** If the encryption doesn't have key rotation age variable or
+can't rotate then the tablespace should be added to rotation list. */
+bool fil_crypt_enable_rotation_list();
+
 #include "fil0crypt.ic"
 #endif /* !UNIV_INNOCHECKSUM */ |
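Review bot: `srv_n_fil_crypt_threads_started` is now read after `mysql_mutex_unlock(&fil_system.mutex)` in the second fil0fil.cc hunk, whereas the old code read it inside the `rotate` expression before the unlock. It is a plain `uint` in fil0crypt.cc and the comment there ties it to fil_crypt_cond, so this looks like an unsynchronised read. With the condition dropped from `rotate` in the first hunk, a tablespace is also pushed onto rotation_list when no encryption thread is running. If both are intended, a comment at the check would record the assumption, e.g. `/* dirty read: threads started later must pick up rotation_list by themselves */`. fil_space_t::create() begins and ends outside both hunks, so the lock scope is inferred from the visible unlock only.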