MDEV-8832: Encryption meta data should not be stored when ENCRYPTED=DEFAULT and innodb-encrypt-tables=OFF

Author: janlindstrom

mysql-test/suite/encryption/r/innodb_encryption_filekeys.result

@@ -0,0 +1,66 @@
+SET GLOBAL innodb_file_format = `Barracuda`;
+SET GLOBAL innodb_file_per_table = ON;
+SET GLOBAL innodb_encrypt_tables = OFF;
+SET GLOBAL innodb_encryption_threads = 4;
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW CREATE TABLE t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+ `pk` int(11) NOT NULL AUTO_INCREMENT,
+ `c` varchar(256) DEFAULT NULL,
+ PRIMARY KEY (`pk`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1
+CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES;
+CREATE TABLE t3 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO;
+CREATE TABLE t4 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
+INSERT INTO t2 select * from t1;
+INSERT INTO t3 select * from t1;
+INSERT INTO t4 select * from t1;
+SET GLOBAL innodb_encrypt_tables = on;
+# Wait max 10 min for key encryption threads to encrypt required all spaces
+# Success!
+SELECT COUNT(1) FROM t1;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t2;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t3;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t4;
+COUNT(1)
+400
+SET GLOBAL innodb_encrypt_tables = off;
+# Wait max 10 min for key encryption threads to decrypt all required spaces
+# Success!
+SET GLOBAL innodb_encrypt_tables = ON;
+set GLOBAL innodb_default_encryption_key_id=4;
+CREATE TABLE t5 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW CREATE TABLE t5;
+Table	Create Table
+t5	CREATE TABLE `t5` (
+ `pk` int(11) NOT NULL AUTO_INCREMENT,
+ `c` varchar(256) DEFAULT NULL,
+ PRIMARY KEY (`pk`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1
+INSERT INTO t5 select * from t1;
+# Wait max 10 min for key encryption threads to encrypt required all spaces
+# Success!
+SELECT COUNT(1) FROM t1;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t2;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t3;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t4;
+COUNT(1)
+400
+SELECT COUNT(1) FROM t5;
+COUNT(1)
+400
+drop table t1,t2,t3,t4, t5;
+set GLOBAL innodb_default_encryption_key_id=1;

mysql-test/suite/encryption/t/innodb_encryption_filekeys.opt

@@ -0,0 +1 @@
+--innodb-tablespaces-encryption

mysql-test/suite/encryption/t/innodb_encryption_filekeys.test

@@ -0,0 +1,141 @@
+-- source include/have_innodb.inc
+-- source include/have_file_key_management_plugin.inc
+# embedded does not support restart
+-- source include/not_embedded.inc
+
+--disable_query_log
+let $innodb_file_format_orig = `SELECT @@innodb_file_format`;
+let $innodb_file_per_table_orig = `SELECT @@innodb_file_per_table`;
+let $encrypt_tables = `SELECT @@innodb_encrypt_tables`;
+let $threads = `SELECT @@innodb_encryption_threads`;
+--enable_query_log
+
+SET GLOBAL innodb_file_format = `Barracuda`;
+SET GLOBAL innodb_file_per_table = ON;
+SET GLOBAL innodb_encrypt_tables = OFF;
+SET GLOBAL innodb_encryption_threads = 4;
+
+CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW CREATE TABLE t1;
+CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES;
+CREATE TABLE t3 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO;
+CREATE TABLE t4 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
+
+--disable_warnings
+--disable_query_log
+set autocommit=0;
+let $i = 400;
+while ($i)
+{
+INSERT INTO t1 values(NULL, substring(MD5(RAND()), -128));
+dec $i;
+}
+commit;
+set autocommit=1;
+--enable_warnings
+--enable_query_log
+
+INSERT INTO t2 select * from t1;
+INSERT INTO t3 select * from t1;
+INSERT INTO t4 select * from t1;
+
+SET GLOBAL innodb_encrypt_tables = on;
+
+--echo # Wait max 10 min for key encryption threads to encrypt required all spaces
+let $cnt=600;
+while ($cnt)
+{
+ let $success=`SELECT COUNT(*) = 1 FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0`;
+ if ($success)
+ {
+ let $cnt=0;
+ }
+ if (!$success)
+ {
+ real_sleep 1;
+ dec $cnt;
+ }
+}
+if (!$success)
+{
+ SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION;
+ SHOW STATUS LIKE 'innodb_encryption%';
+ -- die Timeout waiting for encryption threads
+}
+--echo # Success!
+
+SELECT COUNT(1) FROM t1;
+SELECT COUNT(1) FROM t2;
+SELECT COUNT(1) FROM t3;
+SELECT COUNT(1) FROM t4;
+
+SET GLOBAL innodb_encrypt_tables = off;
+
+--echo # Wait max 10 min for key encryption threads to decrypt all required spaces
+let $cnt=600;
+while ($cnt)
+{
+ let $success=`SELECT COUNT(*) = 2 FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION <> 0`;
+ if ($success)
+ {
+ let $cnt=0;
+ }
+ if (!$success)
+ {
+ real_sleep 1;
+ dec $cnt;
+ }
+}
+if (!$success)
+{
+ SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION;
+ SHOW STATUS LIKE 'innodb_encryption%';
+ -- die Timeout waiting for encryption threads
+}
+--echo # Success!
+
+SET GLOBAL innodb_encrypt_tables = ON;
+set GLOBAL innodb_default_encryption_key_id=4;
+CREATE TABLE t5 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
+SHOW CREATE TABLE t5;
+INSERT INTO t5 select * from t1;
+
+--echo # Wait max 10 min for key encryption threads to encrypt required all spaces
+let $cnt=600;
+while ($cnt)
+{
+ let $success=`SELECT COUNT(*) = 1 FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_VERSION = 0`;
+ if ($success)
+ {
+ let $cnt=0;
+ }
+ if (!$success)
+ {
+ real_sleep 1;
+ dec $cnt;
+ }
+}
+if (!$success)
+{
+ SELECT * FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION;
+ SHOW STATUS LIKE 'innodb_encryption%';
+ -- die Timeout waiting for encryption threads
+}
+--echo # Success!
+
+SELECT COUNT(1) FROM t1;
+SELECT COUNT(1) FROM t2;
+SELECT COUNT(1) FROM t3;
+SELECT COUNT(1) FROM t4;
+SELECT COUNT(1) FROM t5;
+
+drop table t1,t2,t3,t4, t5;
+set GLOBAL innodb_default_encryption_key_id=1;
+
+# reset system
+--disable_query_log
+EVAL SET GLOBAL innodb_file_per_table = $innodb_file_per_table_orig;
+EVAL SET GLOBAL innodb_file_format = $innodb_file_format_orig;
+EVAL SET GLOBAL innodb_encrypt_tables = $encrypt_tables;
+EVAL SET GLOBAL innodb_encryption_threads = $threads;
+--enable_query_log

storage/innobase/fil/fil0fil.cc

@@ -3353,6 +3353,7 @@ fil_create_new_single_table_tablespace(
 boolis_temp = !!(flags2 & DICT_TF2_TEMPORARY);
 boolhas_data_dir = FSP_FLAGS_HAS_DATA_DIR(flags);
 ulint	atomic_writes = FSP_FLAGS_GET_ATOMIC_WRITES(flags);
+fil_space_crypt_t *crypt_data = NULL;
 
 ut_a(space_id > 0);
 ut_ad(!srv_read_only_mode);
@@ -3506,8 +3507,15 @@ fil_create_new_single_table_tablespace(
 }
 }
 
+/* Create crypt data if the tablespace is either encrypted or user has
+requested it to remain unencrypted. */
+if (mode == FIL_SPACE_ENCRYPTION_ON || mode == FIL_SPACE_ENCRYPTION_OFF ||
+srv_encrypt_tables) {
+crypt_data = fil_space_create_crypt_data(mode, key_id);
+}
+
 success = fil_space_create(tablename, space_id, flags, FIL_TABLESPACE,
-fil_space_create_crypt_data(mode, key_id));
+ crypt_data);
 
 if (!success || !fil_node_create(path, size, space_id, FALSE)) {
 err = DB_ERROR;
@@ -6501,7 +6509,7 @@ fil_iterate(
 
 if (page_compressed) {
 ulint len = 0;
-byte* res = fil_compress_page(space_id,
+fil_compress_page(space_id,
 src,
 NULL,
 size,

storage/xtradb/fil/fil0fil.cc

@@ -3387,6 +3387,7 @@ fil_create_new_single_table_tablespace(
 boolis_temp = !!(flags2 & DICT_TF2_TEMPORARY);
 boolhas_data_dir = FSP_FLAGS_HAS_DATA_DIR(flags);
 ulint	atomic_writes = FSP_FLAGS_GET_ATOMIC_WRITES(flags);
+fil_space_crypt_t *crypt_data = NULL;
 
 ut_a(space_id > 0);
 ut_ad(!srv_read_only_mode);
@@ -3540,8 +3541,15 @@ fil_create_new_single_table_tablespace(
 }
 }
 
+/* Create crypt data if the tablespace is either encrypted or user has
+requested it to remain unencrypted. */
+if (mode == FIL_SPACE_ENCRYPTION_ON || mode == FIL_SPACE_ENCRYPTION_OFF ||
+srv_encrypt_tables) {
+crypt_data = fil_space_create_crypt_data(mode, key_id);
+}
+
 success = fil_space_create(tablename, space_id, flags, FIL_TABLESPACE,
-fil_space_create_crypt_data(mode, key_id));
+ crypt_data);
 
 if (!success || !fil_node_create(path, size, space_id, FALSE)) {
 err = DB_ERROR;
@@ -6558,7 +6566,7 @@ fil_iterate(
 
 if (page_compressed) {
 ulint len = 0;
-byte* res = fil_compress_page(space_id,
+fil_compress_page(space_id,
 src,
 NULL,
 size,