-
Daogang Qu authored
Introduced a new command to rotate the binlog master key used to change the key used to encrypt new file password and re-encrypt file passwords of previous existent encrypted binary or relay log files with the new generated key with syntax: ALTER INSTANCE ROTATE BINLOG MASTER KEY; Executing the new command shall emit an error to the client side on the session when binlog-encryption is off regardless of the value of log_bin. We still have a requirement to rotate binlog master key for relay logs on binlogless slaves when binlog-encryption is on. So rotating binlog master key shall result in an error when binlog-encryption is off even in binlogless slaves. The new command shall not be replicated while executing it. Implemented eight steps to make the command 'ALTER INSTANCE ROTATE BINLOG MASTER KEY' be crash safe. When starting the server, we should get the binlog master key and its corresponding sequence number from keyring before opening any new replication log, because they will be used to encrypt the new generated replication logs when binlog encryption is ON. So before initializing replication logs, we need to do binlog master key rotation recovery as following: Try to retrieve "MySQLReplicationKey\_{UUID}" from keyring. Store its content into `master key SEQNO`. Try to retrieve "MySQLReplicationKey\_{UUID}\_old" from keyring. Store its content into `old master key SEQNO`. Try to retrieve "MySQLReplicationKey\_{UUID}\_new" from keyring. Store its content into `new master key SEQNO`. Take action according to the following table: ------------------------------------------------------------------------------------------- | master key SEQNO | old master key SEQNO| new master key SEQNO | new master key | Action | ------------------------------------------------------------------------------------------- | doesn't exist | doesn't exist | doesn't exist | N/A | Do binlog master key rotation from START. | | n > 0 | doesn't exist | doesn't exist | N/A | Ordinary server startup with known binlog master key. | | n >= 0 | n | doesn't exist | N/A | Continue binlog master key rotation from DETERMINE_NEXT_SEQNO. | | n >= 0 | n | m > n | doesn't exists | Continue binlog master key rotation from GENERATE_NEW_MASTER_KEY. | | n > 0 | n | m > n | exists | Continue binlog master key rotation from REMOVE_MASTER_KEY_INDEX. | | doesn't exist | n >= 0 | m > n | exists | Continue binlog master key rotation from STORE_MASTER_KEY_INDEX. | | m > 0 | n >= 0 (exist) | m > n | exists | Continue binlog master key rotation from ROTATE_LOGS. | | m > 0 | doesn't exist | m | exists | Continue binlog master key rotation from REMOVE_KEY_ROTATION_TAG. | All above actions need to skip log rotation and unused encryption keys cleanup, because binary/relay logs will be rotated later on at the begin of the recovery. Any other combination from the table shall abort the recovery with an error if binlog encryption is ON. Updated the process of enabling binlog encryption to call above binlog master key rotation recovery.Daogang Qu authoredIntroduced a new command to rotate the binlog master key used to change the key used to encrypt new file password and re-encrypt file passwords of previous existent encrypted binary or relay log files with the new generated key with syntax: ALTER INSTANCE ROTATE BINLOG MASTER KEY; Executing the new command shall emit an error to the client side on the session when binlog-encryption is off regardless of the value of log_bin. We still have a requirement to rotate binlog master key for relay logs on binlogless slaves when binlog-encryption is on. So rotating binlog master key shall result in an error when binlog-encryption is off even in binlogless slaves. The new command shall not be replicated while executing it. Implemented eight steps to make the command 'ALTER INSTANCE ROTATE BINLOG MASTER KEY' be crash safe. When starting the server, we should get the binlog master key and its corresponding sequence number from keyring before opening any new replication log, because they will be used to encrypt the new generated replication logs when binlog encryption is ON. So before initializing replication logs, we need to do binlog master key rotation recovery as following: Try to retrieve "MySQLReplicationKey\_{UUID}" from keyring. Store its content into `master key SEQNO`. Try to retrieve "MySQLReplicationKey\_{UUID}\_old" from keyring. Store its content into `old master key SEQNO`. Try to retrieve "MySQLReplicationKey\_{UUID}\_new" from keyring. Store its content into `new master key SEQNO`. Take action according to the following table: ------------------------------------------------------------------------------------------- | master key SEQNO | old master key SEQNO| new master key SEQNO | new master key | Action | ------------------------------------------------------------------------------------------- | doesn't exist | doesn't exist | doesn't exist | N/A | Do binlog master key rotation from START. | | n > 0 | doesn't exist | doesn't exist | N/A | Ordinary server startup with known binlog master key. | | n >= 0 | n | doesn't exist | N/A | Continue binlog master key rotation from DETERMINE_NEXT_SEQNO. | | n >= 0 | n | m > n | doesn't exists | Continue binlog master key rotation from GENERATE_NEW_MASTER_KEY. | | n > 0 | n | m > n | exists | Continue binlog master key rotation from REMOVE_MASTER_KEY_INDEX. | | doesn't exist | n >= 0 | m > n | exists | Continue binlog master key rotation from STORE_MASTER_KEY_INDEX. | | m > 0 | n >= 0 (exist) | m > n | exists | Continue binlog master key rotation from ROTATE_LOGS. | | m > 0 | doesn't exist | m | exists | Continue binlog master key rotation from REMOVE_KEY_ROTATION_TAG. | All above actions need to skip log rotation and unused encryption keys cleanup, because binary/relay logs will be rotated later on at the begin of the recovery. Any other combination from the table shall abort the recovery with an error if binlog encryption is ON. Updated the process of enabling binlog encryption to call above binlog master key rotation recovery.
Loading