MySQL 8.4.3
Source Code Documentation
The Rpl_encryption class is the container for the binlog encryption feature generic and server instance functions.
#include <rpl_log_encryption.h>
Classes

Kind | Name |
---|---|
struct | Rpl_encryption_key |
Public Types

Kind | Definition | Description |
---|---|---|
enum class | Keyring_status { SUCCESS = 0, KEYRING_ERROR_FETCHING = 1, KEY_NOT_FOUND = 2, UNEXPECTED_KEY_SIZE = 3, UNEXPECTED_KEY_TYPE = 4, KEY_EXISTS_UNEXPECTED = 5, KEYRING_ERROR_GENERATING = 6, KEYRING_ERROR_STORING = 7, KEYRING_ERROR_REMOVING = 8 } | |
enum class | Key_rotation_step { START, DETERMINE_NEXT_SEQNO, GENERATE_NEW_MASTER_KEY, REMOVE_MASTER_KEY_INDEX, STORE_MASTER_KEY_INDEX, ROTATE_LOGS, PURGE_UNUSED_ENCRYPTION_KEYS, REMOVE_KEY_ROTATION_TAG } | Replication encryption master key rotation process is recoverable. |
Public Member Functions

Return type | Member | Description |
---|---|---|
 | Rpl_encryption ()=default | |
 | Rpl_encryption (const Rpl_encryption &)=delete | |
 | Rpl_encryption (Rpl_encryption &&)=delete | |
Rpl_encryption & | operator= (const Rpl_encryption &)=delete | |
Rpl_encryption & | operator= (Rpl_encryption &&)=delete | |
bool | initialize () | Initialize the rpl_encryption instance. |
bool | remove_remaining_seqnos_from_keyring () | Remove remaining old/new master key index in order to clean up any previous master key rotation. |
bool | recover_master_key () | Recover the replication encryption master key from keyring. |
const Rpl_encryption_key | get_master_key () | Return the current replication encryption master key. |
bool | enable (THD *thd) | Enable binlog encryption option. |
void | disable (THD *thd) | Disable binlog encryption option. |
bool | is_enabled () | Return whether the replication logs encryption feature is enabled. |
const bool & | get_enabled_var () | |
const bool & | get_master_key_rotation_at_startup_var () | |
bool | purge_unused_keys () | Purge unused master keys from Keyring. |
bool | rotate_master_key (Key_rotation_step step=Key_rotation_step::START, uint32_t new_master_key_seqno=0) | Rotate the master key. |
Static Public Member Functions

Return type | Member | Description |
---|---|---|
static void | report_keyring_error (Keyring_status error) | A wrapper function to throw a binlog encryption keyring error. |
static void | report_keyring_error (Keyring_status error, const char *key_id) | A wrapper function to throw a replication logs encryption keyring error, reporting also the key ID. |
static std::pair< Keyring_status, Key_string > | get_key (const std::string &key_id, const std::string &key_type) | Get the key with given key ID. |
static std::pair< Keyring_status, Key_string > | get_key (const std::string &key_id, const std::string &key_type, size_t key_size) | Get the key with given key ID. |
Private Member Functions

Return type | Member | Description |
---|---|---|
void | rotate_logs (THD *thd) | Rotate replication logs excluding relay logs of group replication channels. |
std::pair< Rpl_encryption::Keyring_status, uint32_t > | get_seqno_from_keyring (std::string key_id) | Get a sequence number from the keyring. |
bool | set_seqno_on_keyring (std::string key_id, uint32_t seqno) | Set a sequence number into a key and store it into keyring. |
bool | remove_key_from_keyring (std::string key_id) | Remove a key from the keyring. |
std::string | get_master_key_seqno_key_id () | Returns the key ID of the keyring key that stores the master key sequence number. |
std::pair< Rpl_encryption::Keyring_status, uint32_t > | get_master_key_seqno_from_keyring () | Get the master key sequence number from keyring. |
bool | set_master_key_seqno_on_keyring (uint32 seqno) | Set the master key sequence number into a key and store it into keyring. |
bool | remove_master_key_seqno_from_keyring () | Remove the master key sequence number key from the keyring. |
std::string | get_new_master_key_seqno_key_id () | Returns the key ID of the keyring key that stores the "new" master key sequence number. |
std::string | get_last_purged_master_key_seqno_key_id () | Returns the key ID of the keyring key that stores the "last_purged" master key sequence number. |
std::string | get_old_master_key_seqno_key_id () | Returns the key ID of the keyring key that stores the "old" master key sequence number. |
std::pair< Rpl_encryption::Keyring_status, uint32_t > | get_new_master_key_seqno_from_keyring () | Get the "new" master key sequence number from keyring. |
std::pair< Rpl_encryption::Keyring_status, uint32_t > | get_old_master_key_seqno_from_keyring () | Get the "old" master key sequence number from keyring. |
std::pair< Rpl_encryption::Keyring_status, uint32_t > | get_last_purged_master_key_seqno_from_keyring () | Get the "last_purged" master key sequence number from keyring. |
bool | set_new_master_key_seqno_on_keyring (uint32 seqno) | Set the "new" master key sequence number into a key and store it into keyring. |
bool | set_last_purged_master_key_seqno_on_keyring (uint32 seqno) | Set the "last_purged" master key sequence number into a key and store it into keyring. |
bool | set_old_master_key_seqno_on_keyring (uint32 seqno) | Set the "old" master key sequence number into a key and store it into keyring. |
bool | remove_new_master_key_seqno_from_keyring () | Remove the "new" master key sequence number key from the keyring. |
bool | remove_last_purged_master_key_seqno_from_keyring () | Remove the "last_purged" master key sequence number key from the keyring. |
bool | remove_old_master_key_seqno_from_keyring () | Remove the "old" master key sequence number key from the keyring. |
bool | generate_master_key_on_keyring (uint32 seqno) | Generate a new replication master key on keyring and retrieve it. |
Static Private Member Functions

Return type | Member | Description |
---|---|---|
static std::tuple< Keyring_status, void *, size_t > | fetch_key_from_keyring (const std::string &key_id, const std::string &key_type) | Fetch a key from keyring. |
Private Attributes

Type | Member |
---|---|
bool | m_enabled = false |
bool | m_rotate_at_startup = false |
bool | m_initialized = false |
bool | m_master_key_recovered = false |
uint32_t | m_master_key_seqno = 0 |
Rpl_encryption_key | m_master_key |
bool | m_skip_logs_rotation = false |
Static Private Attributes

Type | Member |
---|---|
static const char * | SEQNO_KEY_TYPE = "AES" |
static const int | SEQNO_KEY_LENGTH = 16 |
The Rpl_encryption class is the container for the binlog encryption feature generic and server instance functions.
enum class Rpl_encryption::Key_rotation_step [strong]
Replication encryption master key rotation process is recoverable.
The steps defined in the enum class below are the steps from which the rotation process may continue after an unexpected interruption.
Enumerator | |
---|---|
START | |
DETERMINE_NEXT_SEQNO | |
GENERATE_NEW_MASTER_KEY | |
REMOVE_MASTER_KEY_INDEX | |
STORE_MASTER_KEY_INDEX | |
ROTATE_LOGS | |
PURGE_UNUSED_ENCRYPTION_KEYS | |
REMOVE_KEY_ROTATION_TAG |
void Rpl_encryption::disable(THD *thd)
Disable binlog encryption option.
It rotates replication logs to make encryption ineffective immediately.
Errors while rotating replication logs do not make the call fail; they raise a warning instead.
[in] | thd | the thd object of the session. |
bool Rpl_encryption::enable(THD *thd)
Enable binlog encryption option.
It will generate a new global key if there is no master key yet. Then it rotates replication logs to make encryption effective immediately.
Errors while rotating replication logs do not make the call fail; they raise a warning instead.
[in] | thd | the thd object of the session. |
false | Success. |
true | Error. The call fails if an error happens while generating the new key. |
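std::tuple<Keyring_status, void *, size_t> Rpl_encryption::fetch_key_from_keyring(const std::string &key_id, const std::string &key_type) [static, private]
Fetch a key from keyring.
When an error happens, it either reports the error to the user or writes it to the log, as appropriate.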
[in] | key_id | ID of the key to be returned. |
[in] | key_type | Expected type of the key to be returned. |
bool Rpl_encryption::generate_master_key_on_keyring(uint32 seqno) [private]
Generate a new replication master key on keyring and retrieve it.
[in] | seqno | The sequence number of the master key. |
false | Success. |
true | Error. |
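const bool & Rpl_encryption::get_enabled_var()
std::pair<Keyring_status, Key_string> Rpl_encryption::get_key(const std::string &key_id, const std::string &key_type) [static]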
Get the key with given key ID.
The key to be returned will be retrieved from the keyring or from a cached copy in memory.
[in] | key_id | ID of the key to be returned. |
[in] | key_type | Expected type of the key to be returned. |
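std::pair<Keyring_status, Key_string> Rpl_encryption::get_key(const std::string &key_id, const std::string &key_type, size_t key_size) [static]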
Get the key with given key ID.
The key to be returned will be retrieved from the keyring or from a cached copy in memory.
[in] | key_id | ID of the key to be returned. |
[in] | key_type | Expected type of the key to be returned. |
[in] | key_size | Expected size of the key to be returned. |
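std::pair<Rpl_encryption::Keyring_status, uint32_t> Rpl_encryption::get_last_purged_master_key_seqno_from_keyring() [private]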
Get the "last_purged" master key sequence number from keyring.
std::string Rpl_encryption::get_last_purged_master_key_seqno_key_id() [private]
Returns the key ID of the keyring key that stores the "last_purged" master key sequence number.
const Rpl_encryption::Rpl_encryption_key Rpl_encryption::get_master_key()
Return the current replication encryption master key.
const bool & Rpl_encryption::get_master_key_rotation_at_startup_var()
std::pair<Rpl_encryption::Keyring_status, uint32_t> Rpl_encryption::get_master_key_seqno_from_keyring() [private]
Get the master key sequence number from keyring.
std::string Rpl_encryption::get_master_key_seqno_key_id() [private]
Returns the key ID of the keyring key that stores the master key sequence number.
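std::pair<Rpl_encryption::Keyring_status, uint32_t> Rpl_encryption::get_new_master_key_seqno_from_keyring() [private]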
Get the "new" master key sequence number from keyring.
std::string Rpl_encryption::get_new_master_key_seqno_key_id() [private]
Returns the key ID of the keyring key that stores the "new" master key sequence number.
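std::pair<Rpl_encryption::Keyring_status, uint32_t> Rpl_encryption::get_old_master_key_seqno_from_keyring() [private]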
Get the "old" master key sequence number from keyring.
std::string Rpl_encryption::get_old_master_key_seqno_key_id() [private]
Returns the key ID of the keyring key that stores the "old" master key sequence number.
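std::pair<Rpl_encryption::Keyring_status, uint32_t> Rpl_encryption::get_seqno_from_keyring(std::string key_id) [private]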
Get a sequence number from the keyring.
The sequence number to be returned will be extracted from the key retrieved from the keyring. No caching shall be used for this function.
[in] | key_id | ID of the key to extract the sequence number from. |
bool Rpl_encryption::initialize()
Initialize the rpl_encryption instance.
This initialization shall be called after generating/loading the server UUID and before opening new binary and relay log files for writing.
When the replication_logs_encrypt option is on at server startup, the initialization process will try to recover master key and may generate a new replication master key if needed.
false | Success. |
true | Error. |
bool Rpl_encryption::is_enabled()
Return whether the replication logs encryption feature is enabled.
false | The feature is disabled. |
true | The feature is enabled. |
bool Rpl_encryption::purge_unused_keys()
Purge unused master keys from Keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::recover_master_key()
Recover the replication encryption master key from keyring.
The recovery of the master key process starts by trying to read the replication master key information from keyring (the master key sequence number, and the master key itself).
Then, if it detects that a key rotation did not complete properly, it tries to continue the master key rotation.
When recovery is successful, the m_master_key_recovered flag is set true.
false | Success. |
true | Error. |
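A simplified model of the recoverable rotation that recover_master_key() and Key_rotation_step describe, as an added example that is not MySQL's code. The step names come from this page; `ToyKeyring`, the effect assigned to each step and the resume rule in `recover` are assumptions made for illustration.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
// Model only: step names are from this page, their effects here are assumed.
enum class Step { START, DETERMINE_NEXT_SEQNO, GENERATE_NEW_MASTER_KEY,
                  REMOVE_MASTER_KEY_INDEX, STORE_MASTER_KEY_INDEX, ROTATE_LOGS,
                  PURGE_UNUSED_ENCRYPTION_KEYS, REMOVE_KEY_ROTATION_TAG };

struct ToyKeyring {                        // hypothetical in-memory keyring
  std::map<std::string, uint32_t> seqnos;  // "master" index, "new" rotation tag
  std::set<uint32_t> master_keys;          // seqnos that have key material
  int writes_left = -1;  // n >= 0: interrupt before step n+1; < 0: never
  bool crash() { return writes_left >= 0 && writes_left-- == 0; }
};

// Returns false on success, true on error (the convention used on this page).
bool rotate(ToyKeyring &k, Step from = Step::START, uint32_t n = 0) {
  for (int s = int(from); s <= int(Step::REMOVE_KEY_ROTATION_TAG); ++s) {
    if (k.crash()) return true;  // simulated interruption between steps
    switch (Step(s)) {
      case Step::DETERMINE_NEXT_SEQNO:
        n = (k.seqnos.count("master") ? k.seqnos["master"] : 0) + 1;
        k.seqnos["new"] = n;  // tag: a rotation to seqno n is in progress
        break;
      case Step::GENERATE_NEW_MASTER_KEY: k.master_keys.insert(n); break;
      case Step::REMOVE_MASTER_KEY_INDEX: k.seqnos.erase("master"); break;
      case Step::STORE_MASTER_KEY_INDEX: k.seqnos["master"] = n; break;
      case Step::PURGE_UNUSED_ENCRYPTION_KEYS:  // drop keys older than n
        k.master_keys.erase(k.master_keys.begin(), k.master_keys.lower_bound(n));
        break;
      case Step::REMOVE_KEY_ROTATION_TAG: k.seqnos.erase("new"); break;
      default: break;  // START, ROTATE_LOGS: nothing to persist in this model
    }
  }
  return false;
}

// A leftover "new" tag means a rotation was interrupted; choose where to resume.
bool recover(ToyKeyring &k) {
  auto tag = k.seqnos.find("new");
  if (tag == k.seqnos.end()) return false;  // no rotation in progress
  const uint32_t n = tag->second;
  Step s = Step::ROTATE_LOGS;  // index already points at the new key
  if (!k.master_keys.count(n)) s = Step::GENERATE_NEW_MASTER_KEY;
  else if (!k.seqnos.count("master")) s = Step::STORE_MASTER_KEY_INDEX;
  else if (k.seqnos["master"] != n) s = Step::REMOVE_MASTER_KEY_INDEX;
  return rotate(k, s, n);
}
```

Setting `writes_left` to a step index interrupts the model before that step; calling `recover` afterwards finishes the rotation from the state left in the keyring.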
bool Rpl_encryption::remove_key_from_keyring(std::string key_id) [private]
Remove a key from the keyring.
[in] | key_id | ID of the key to be removed from keyring. |
false | Success. |
true | Error. |
bool Rpl_encryption::remove_last_purged_master_key_seqno_from_keyring() [private]
Remove the "last_purged" master key sequence number key from the keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::remove_master_key_seqno_from_keyring() [private]
Remove the master key sequence number key from the keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::remove_new_master_key_seqno_from_keyring() [private]
Remove the "new" master key sequence number key from the keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::remove_old_master_key_seqno_from_keyring() [private]
Remove the "old" master key sequence number key from the keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::remove_remaining_seqnos_from_keyring()
Remove remaining old/new master key index in order to clean up any previous master key rotation.
false | Success. |
true | Error. |
void Rpl_encryption::report_keyring_error(Keyring_status error) [static]
A wrapper function to throw a binlog encryption keyring error.
The wrapper will decide if the error will be reported to the client session or to the server error log according to current_thd.
error | The Keyring_status to be reported. |
void Rpl_encryption::report_keyring_error(Keyring_status error, const char *key_id) [static]
A wrapper function to throw a replication logs encryption keyring error, reporting also the key ID.
The wrapper will decide if the error will be reported to the client session or to the server error log according to current_thd.
error | The Keyring_status to be reported. |
key_id | The key ID to appear in the error message. |
void Rpl_encryption::rotate_logs(THD *thd) [private]
Rotate replication logs excluding relay logs of group replication channels.
If an error happens, it reports a warning to the session user.
[in] | thd | The thd object of current session. |
bool Rpl_encryption::rotate_master_key(Key_rotation_step step = Key_rotation_step::START, uint32_t new_master_key_seqno = 0)
Rotate the master key.
step | Step to start the process (it might be recovering). |
new_master_key_seqno | When recovering, this is the new master key sequence number detected by recovery process. |
false | Success. |
true | Error. |
bool Rpl_encryption::set_last_purged_master_key_seqno_on_keyring(uint32 seqno) [private]
Set the "last_purged" master key sequence number into a key and store it into keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::set_master_key_seqno_on_keyring(uint32 seqno) [private]
Set the master key sequence number into a key and store it into keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::set_new_master_key_seqno_on_keyring(uint32 seqno) [private]
Set the "new" master key sequence number into a key and store it into keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::set_old_master_key_seqno_on_keyring(uint32 seqno) [private]
Set the "old" master key sequence number into a key and store it into keyring.
false | Success. |
true | Error. |
bool Rpl_encryption::set_seqno_on_keyring(std::string key_id, uint32_t seqno) [private]
Set a sequence number into a key and store it into keyring.
[in] | key_id | ID of the key to set the sequence number. |
[in] | seqno | The sequence number to be set. |
false | Success. |
true | Error. |