Gopal Shankar authored
A) This WL aims to provide the following functionality:

1) Enforce table encryption globally:
   Enable all tables to be encrypted by default. Add global system
   variable 'default_table_encryption'.

2) Force encryption for certain database:
   Enable all tables in the specific database to be encrypted by default.
   Add new DEFAULT ENCRYPTION clause for database to support the same.

3) Disable encryption globally:
   Disable table encryption in MySQL by default. The system variable
   'default_table_encryption' enables the same. This is helpful to avoid
   double encryption since underlying storage is encrypted already in
   cloud setup.

4) Backward compatible setup:
   Keep CREATE TABLE ... ENCRYPTION=Y|N and
   CREATE TABLESPACE ENCRYPTION=Y|N working as before.

B) Major changes done are:

1) Support DEFAULT ENCRYPTION property for DATABASE.
   - Add new column to mysql.schemata.
   - Add mysql.schemata.default_encryption ENUM('NO','YES') dd column.

2) Support new privilege TABLE_ENCRYPTION_ADMIN.

3) Add two system variables,
   a. The system variable to control global encryption default.
      --default-table-encryption=Y|N.
      - Add Session/Persistable system variable
        'default_table_encryption'.
   b. The option which indicates whether we do privilege check.
      --table-encryption-privilege-check=Y|N.
      - Add Global/Persistable system variable
        'table_encryption_privilege_check'.

4) Change implementation of the following commands to behave as per the
   above requirement defined by three options. Detailed behavior change
   is described in WL.
     CREATE|ALTER DATABASE ...
     CREATE|ALTER TABLESPACE ...
     CREATE|ALTER TABLE ...
     RENAME TABLE ...

5) Add new column to INFORMATION_SCHEMA.SCHEMATA.DEFAULT_ENCRYPTION to
   show value supplied in new clause added by 1) above.
   - Change I_S.TABLES.CREATE_OPTIONS to show ENCRYPTION clause only if
     table is encrypted or if encryption is different than the schema
     encryption default.

6) Upgrade from 8.0/5.7 to wl12261 version causes updates to ENCRYPTION
   clauses for schema/tablespaces/tables and table as discussed in HLS.
   - Added internal functions GET_DD_PROPERTY_KEY_VALUE() and
     REMOVE_DD_PROPERTY_KEY(). This is used during 8.0->8.0 upgrade.

7) Increase dictionary and INFORMATION_SCHEMA version as we modify both
   of these definitions.

8) Introduce HTON_SUPPORTS_TABLE_ENCRYPTION flag for handlerton.
   Enabled it for InnoDB for now.

9) Group replication code is changed to ensure
   'default_table_encryption' value is the same across all GR nodes. We
   write value of global 'default_table_encryption' in binlog for DDLs
   listed in 4).

10) Added tests in new test suite encryption. Changes are done in ndb,
    rpl, keying_aws suite too.
    - Have modified tests to allow CREATE TABLE to succeed by adding
      explicit ENCRYPTION clause when using encrypted general
      tablespaces.

There are several other changes done in this WL. Refer to the WL page for
more details.

The code is reviewed by:
  Praveen - Server changes,
  Sivert - Upgrade changes,
  Mayank - InnoDB changes,
  Hemant Dangi - Replication changes,
  Gleb - Parser changes.

Change-Id: I77221ec45bea509347b8a612b8510dea318d5d3b
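
How the pieces listed in the commit message fit together from an administrator's side, as an added example that is not part of the commit or the MySQL source tree. It assumes a server built with this change and a keyring loaded so InnoDB can encrypt; the schema, table and account names are hypothetical.

```sql
-- Added illustration: secure_app, customers, scratch, app_dev and dba_ops
-- are hypothetical names. Assumes a keyring is loaded for InnoDB encryption.

-- Encrypt new tables by default, and enforce that default for accounts
-- that do not hold TABLE_ENCRYPTION_ADMIN.
SET PERSIST default_table_encryption = ON;
SET PERSIST table_encryption_privilege_check = ON;

-- Pin the default at schema level with the new DEFAULT ENCRYPTION clause.
CREATE DATABASE secure_app DEFAULT ENCRYPTION = 'Y';

-- No ENCRYPTION clause: the table takes the schema default.
CREATE TABLE secure_app.customers (
  id    INT PRIMARY KEY,
  email VARCHAR(255)
);

-- An ordinary developer account with DDL rights but no override privilege.
CREATE USER 'app_dev'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT CREATE, ALTER ON secure_app.* TO 'app_dev'@'localhost';

-- Run as app_dev, this statement deviates from the schema default and is
-- expected to be rejected while the privilege check is ON:
--   CREATE TABLE secure_app.scratch (id INT) ENCRYPTION = 'N';

-- Only accounts granted the new privilege may override the default.
CREATE USER 'dba_ops'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT TABLE_ENCRYPTION_ADMIN ON *.* TO 'dba_ops'@'localhost';

-- Audit 1: which schemas default to encryption (new I_S column).
SELECT SCHEMA_NAME, DEFAULT_ENCRYPTION
FROM INFORMATION_SCHEMA.SCHEMATA
ORDER BY SCHEMA_NAME;

-- Audit 2: tables explicitly unencrypted inside an encrypted-by-default
-- schema. CREATE_OPTIONS carries the ENCRYPTION clause when the table
-- differs from its schema default; "_" matches either quote style.
SELECT t.TABLE_SCHEMA, t.TABLE_NAME, t.CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES AS t
JOIN INFORMATION_SCHEMA.SCHEMATA AS s
  ON s.SCHEMA_NAME = t.TABLE_SCHEMA
WHERE s.DEFAULT_ENCRYPTION = 'YES'
  AND t.TABLE_TYPE = 'BASE TABLE'
  AND t.CREATE_OPTIONS LIKE '%ENCRYPTION=_N_%';
```

Any row returned by the second audit query was created or altered by an account holding TABLE_ENCRYPTION_ADMIN, or while the privilege check was off, so it is a useful periodic check on who is overriding the default.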