    MDEV-14398 innodb_encryption_rotate_key_age=0 causes innodb_encrypt_tables to be ignored · ada1074b
    Thirunarayanan Balathandayuthapani authored
    The statement
    
    SET GLOBAL innodb_encryption_rotate_key_age=0;
    
    would have the unwanted side effect that ENCRYPTION=DEFAULT tablespaces
    would no longer be encrypted or decrypted according to the setting of
    innodb_encrypt_tables.
    
    We implement a trigger, so that whenever one of the following is executed:
    
    SET GLOBAL innodb_encrypt_tables=OFF;
    SET GLOBAL innodb_encrypt_tables=ON;
    SET GLOBAL innodb_encrypt_tables=FORCE;
    
    all wrong-state ENCRYPTION=DEFAULT tablespaces will be added to
    fil_system_t::rotation_list, so that the encryption will be added
    or removed.
    
    Note: This will *NOT* happen automatically after a server restart.
    Before reading the first page of a data file, InnoDB cannot know
    the encryption status of the data file. The statement
    SET GLOBAL innodb_encrypt_tables will have the side effect that
    all not-yet-read InnoDB data files will be accessed in order to
    determine the encryption status.
    
    innodb_encrypt_tables_validate(): Stop disallowing
    SET GLOBAL innodb_encrypt_tables when innodb_encryption_rotate_key_age=0.
    This reverts part of commit 50eb40a2
    that addressed MDEV-11738 and MDEV-11581.
    
    fil_system_t::read_page0(): Trigger a call to fil_node_t::read_page0().
    Refactored from fil_space_get_space().
    
    fil_crypt_rotation_list_fill(): If innodb_encryption_rotate_key_age=0,
    initialize fil_system->rotation_list. This is invoked both on
    SET GLOBAL innodb_encrypt_tables and
    on SET GLOBAL innodb_encryption_rotate_key_age=0.
    
    fil_space_set_crypt_data(): Remove.
    
    fil_parse_write_crypt_data(): Simplify the logic.
    
    This is joint work with Marko Mäkelä.
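A check an operator could run after the statements in the commit message: it lists tablespaces whose state still disagrees with innodb_encrypt_tables. This is an added example, not part of the commit or its test file. It assumes a key management plugin is loaded, that innodb_encryption_threads is greater than 0, that MIN_KEY_VERSION = 0 marks a tablespace holding unencrypted pages, and that tablespace names map to plain schema/table names.

```sql
-- Added example, not from the commit.
-- Assumes encryption is available (a key management plugin is loaded).
SET GLOBAL innodb_encryption_rotate_key_age = 0;
SET GLOBAL innodb_encrypt_tables = ON;

-- Tablespaces whose state disagrees with innodb_encrypt_tables.
-- Assumption: MIN_KEY_VERSION = 0 means unencrypted pages remain.
SELECT e.NAME,
       e.MIN_KEY_VERSION,
       e.ROTATING_OR_FLUSHING,
       t.CREATE_OPTIONS
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION AS e
LEFT JOIN information_schema.TABLES AS t
       -- Assumption: plain names only; partitions and names with
       -- special characters will not match this join.
       ON e.NAME = CONCAT(t.TABLE_SCHEMA, '/', t.TABLE_NAME)
WHERE ((@@GLOBAL.innodb_encrypt_tables = 'OFF' AND e.MIN_KEY_VERSION <> 0)
    OR (@@GLOBAL.innodb_encrypt_tables <> 'OFF' AND e.MIN_KEY_VERSION = 0))
  -- Tables with an explicit per-table ENCRYPTED option are not
  -- ENCRYPTION=DEFAULT and are expected to differ, so skip them.
  AND (t.CREATE_OPTIONS IS NULL OR t.CREATE_OPTIONS NOT LIKE '%ENCRYPTED%')
ORDER BY e.NAME;
```

Conversion runs in the background, so rows can remain for a while after SET GLOBAL; rerun the SELECT until it returns nothing.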
innodb-key-rotation-disable.test 3.78 KB