1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
|
################################################################################
# InnoDB transparent tablespace data encryption for mysql.tablespace.
# For mysql.tablespace, this test will test
# 1 - Alter mysql.tablespace with
# - and without loading keyring
# - valid/invalid encryption option
# -ENCRYPTION='n' to ENCRYPTION='y'
# 2 - Actual encryption taking place or not
# 3 - Create/Alter table using mysql.tablespace
# 4 - Alter table part of innodb_file_per_table/general/innodb_system/mysql ts to mysql ts
# 5 - Create view using mysql.tablespace
# 6 - Delete/truncate/drop DD table part of mysql tablespace
# 7 - Changing encryption attribute of tables in mysql tablespace
# 8 - Restart with same keyring option and access mysql tables
# 10 - Monitor progress of encryption in performance_schema table
# 11 - Rename/drop mysql tablespace
# 12 - Create tablespace with name as mysql
################################################################################
--disable_query_log
call mtr.add_suppression("Error generating data for Data ID");
call mtr.add_suppression("\\[ERROR\\] \\[[^]]*\\] \\[[^]]*\\] Check keyring fail, please check the keyring is loaded.");
call mtr.add_suppression("\\[ERROR\\] \\[[^]]*\\] \\[[^]]*\\] Encryption can't find master key, please check the keyring is loaded.");
--enable_query_log
--echo #########
--echo # SETUP #
--echo #########
--echo
# Take backup of instance manifest
--source include/keyring_tests/helper/instance_backup_manifest.inc
let $restart_parameters = restart: $PLUGIN_DIR_OPT;
--source include/restart_mysqld_no_echo.inc
--echo #########################################################################
--echo # START : WITHOUT KEYRING
--echo #########################################################################
# Alter mysql.tablespace with encryption, should fail since keyring is not
# loaded.
--error ER_CANNOT_FIND_KEY_IN_KEYRING
ALTER TABLESPACE mysql ENCRYPTION='Y';
--error ER_CANNOT_FIND_KEY_IN_KEYRING
ALTER TABLESPACE mysql ENCRYPTION='N';
--error ER_CANNOT_FIND_KEY_IN_KEYRING
ALTER INSTANCE ROTATE INNODB MASTER KEY;
--echo #########################################################################
--echo # RESTART 1 : WITH KEYRING
--echo #########################################################################
# Restore instance manifest from backup
--source include/keyring_tests/helper/instance_restore_manifest.inc
let $restart_parameters = restart: $PLUGIN_DIR_OPT;
--source include/restart_mysqld_no_echo.inc
--echo --------------------------------------------------
--echo By Default, mysql tablespace should be unencrypted
--echo --------------------------------------------------
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# mysql.ibd file should be actually unencrypted
--source include/if_encrypted.inc
ALTER TABLESPACE mysql ENCRYPTION='Y';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# mysql.ibd file should be actually encrypted
--source include/if_encrypted.inc
--echo -----------------------------------------------------
--echo ALTER mysql TABLESPACE WITH INVALID ENCRYPTION OPTION
--echo -----------------------------------------------------
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='R';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='TRUE';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='True';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='true';
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=TRUE;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=True;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=true;
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='FALSE';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='False';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='false';
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=FALSE;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=False;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=false;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=0;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=1;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=null;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=-1;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=n;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=N;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=y;
--error ER_PARSE_ERROR
ALTER TABLESPACE mysql ENCRYPTION=Y;
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='1';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='1True';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='@';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='null';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION='';
--error ER_INVALID_ENCRYPTION_OPTION
ALTER TABLESPACE mysql ENCRYPTION="";
--echo ----------------------------------------------------
--echo ALTER MYSQL TABLESPACE WITH VALID ENCRYPTION OPTION
--echo ----------------------------------------------------
# ALTER mysql TABLESPACE WITH ENCRYPTION='Y'.
ALTER TABLESPACE mysql ENCRYPTION='Y';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# ALTER mysql TABLESPACE WITH ENCRYPTION='y'.
ALTER TABLESPACE mysql ENCRYPTION='y';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# ALTER mysql TABLESPACE WITH ENCRYPTION='n'.
ALTER TABLESPACE mysql ENCRYPTION='n';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# ALTER mysql TABLESPACE WITH ENCRYPTION='N'.
ALTER TABLESPACE mysql ENCRYPTION='N';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
#Below SQL uses double quotes
# ALTER mysql TABLESPACE WITH ENCRYPTION="Y".
ALTER TABLESPACE mysql ENCRYPTION="Y";
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# ALTER mysql TABLESPACE WITH ENCRYPTION="y".
ALTER TABLESPACE mysql ENCRYPTION="y";
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# ALTER mysql TABLESPACE WITH ENCRYPTION="n".
ALTER TABLESPACE mysql ENCRYPTION="n";
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
# ALTER mysql TABLESPACE WITH ENCRYPTION="N".
ALTER TABLESPACE mysql ENCRYPTION="N";
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
--echo -----------------------------------------------------
--echo Create/Alter table using mysql.tablespace
--echo -----------------------------------------------------
# This should fail as mysql is a reserved tablespace
--error ER_RESERVED_TABLESPACE_NAME
CREATE TABLE t1(i int) TABLESPACE mysql;
--error ER_RESERVED_TABLESPACE_NAME
CREATE TEMPORARY TABLE t1(i int) TABLESPACE mysql;
# Alter table part of innodb_file_per_table ts to mysql ts
CREATE TABLE t1(i int);
--error ER_RESERVED_TABLESPACE_NAME
ALTER TABLE t1 TABLESPACE mysql;
DROP TABLE t1;
# Alter table part of general ts to mysql ts
CREATE TABLESPACE encrypt_ts ADD DATAFILE 'encrypt_ts.ibd' engine=INNODB;
CREATE TABLE t1(i int) TABLESPACE encrypt_ts;
--error ER_RESERVED_TABLESPACE_NAME
ALTER TABLE t1 TABLESPACE mysql;
DROP TABLE t1;
# Alter table part of innodb_system to mysql ts
CREATE TABLE t1(i int) TABLESPACE innodb_system;
--error ER_RESERVED_TABLESPACE_NAME
ALTER TABLE t1 TABLESPACE mysql;
DROP TABLE t1;
# Alter table part of mysql ts to mysql ts
# This should be successful
ALTER TABLE mysql.component TABLESPACE mysql;
# Alter temporary table to mysql ts
CREATE TEMPORARY TABLE t1(i int);
--error ER_RESERVED_TABLESPACE_NAME
ALTER TABLE t1 TABLESPACE mysql;
DROP TABLE t1;
--echo -----------------------------------------------------
--echo Create view using mysql.tablespace
--echo -----------------------------------------------------
# This should throw parse error as view does not support tablespace attribute
CREATE TABLE t1(i int);
INSERT INTO t1 VALUES(1);
INSERT INTO t1 SELECT * FROM t1;
INSERT INTO t1 SELECT * FROM t1;
INSERT INTO t1 SELECT * FROM t1;
INSERT INTO t1 SELECT * FROM t1;
--error ER_PARSE_ERROR
CREATE VIEW v1 AS SELECT * FROM t1 TABLESPACE mysql;
DROP TABLE t1;
--echo ------------------------------------------------------------
--echo Alter DD table part of mysql.tablespace to other tablespaces
--echo ------------------------------------------------------------
# This should fail as access to DD table is not allowed
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE innodb_file_per_table ENCRYPTION='Y';
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE innodb_file_per_table;
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE innodb_temporary ENCRYPTION='Y';
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE innodb_temporary;
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE innodb_system ENCRYPTION='Y';
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE innodb_system;
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE encrypt_ts ENCRYPTION='Y';
--error ER_NO_SYSTEM_TABLE_ACCESS
ALTER TABLE mysql.events TABLESPACE encrypt_ts;
DROP TABLESPACE encrypt_ts;
--echo -------------------------------------------------------
--echo Delete/truncate/drop DD table part of mysql tablespace
--echo -------------------------------------------------------
# Access should be denied
--error ER_NO_SYSTEM_TABLE_ACCESS
DELETE FROM mysql.events;
--error ER_NO_SYSTEM_TABLE_ACCESS
TRUNCATE TABLE mysql.events;
--error ER_NO_SYSTEM_TABLE_ACCESS
DROP TABLE mysql.events;
--echo --------------------------------------------------
--echo Alter encryption of table part of mysql tablespace
--echo --------------------------------------------------
# Changing encryption at table level should not be permitted
--error ER_INVALID_ENCRYPTION_REQUEST
ALTER TABLE mysql.component ENCRYPTION='Y';
--error ER_INVALID_ENCRYPTION_REQUEST
ALTER TABLE mysql.component ENCRYPTION='y';
ALTER TABLE mysql.component ENCRYPTION='N';
ALTER TABLE mysql.component ENCRYPTION='n';
--echo ---------------------------------------------------------------------
--echo Metadata for a table in mysql ts should not show encryption attribute
--echo ---------------------------------------------------------------------
SHOW CREATE TABLE mysql.plugin;
--echo -------------------
--echo Drop mysql database
--echo -------------------
--error ER_NO_SYSTEM_SCHEMA_ACCESS
DROP DATABASE mysql;
--echo -----------------------------------------------------
--echo Other DDL operation not allowed on 'mysql' tablespace
--echo -----------------------------------------------------
--error ER_WRONG_TABLESPACE_NAME
CREATE TABLESPACE mysql ADD DATAFILE 'mysql.ibd' ENGINE=INNODB;
--error ER_WRONG_TABLESPACE_NAME
DROP TABLESPACE mysql;
--error ER_WRONG_TABLESPACE_NAME
ALTER TABLESPACE mysql RENAME TO xyz;
--error ER_TABLESPACE_ENGINE_MISMATCH
ALTER TABLESPACE mysql ENGINE=myisam;
--error ER_TABLESPACE_ENGINE_MISMATCH
ALTER TABLESPACE mysql ENGINE=memory;
--echo #########################################################################
--echo # Restart with same keyring option
--echo # - tables in mysql ts should be accessible
--echo #########################################################################
ALTER TABLESPACE mysql ENCRYPTION='Y';
let $restart_parameters = restart: $PLUGIN_DIR_OPT;
--source include/restart_mysqld_no_echo.inc
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
SELECT help_keyword_id FROM mysql.help_keyword ORDER BY help_keyword_id LIMIT 2;
ALTER TABLESPACE mysql ENCRYPTION='N';
let $restart_parameters = restart: $PLUGIN_DIR_OPT;
--source include/restart_mysqld_no_echo.inc
ALTER TABLESPACE mysql ENCRYPTION='Y';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
ALTER INSTANCE ROTATE INNODB MASTER KEY;
ALTER TABLESPACE mysql ENCRYPTION='N';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES where NAME='mysql';
--echo # Set Encryption process to wait after page 5 so that we can monitor
--echo # progress in performance_schema table
SET DEBUG_SYNC = 'alter_encrypt_tablespace_wait_after_page5 SIGNAL s1 WAIT_FOR s2';
let $con_default_thread_id= `select THREAD_ID from performance_schema.threads
where PROCESSLIST_ID = connection_id()`;
--send
ALTER TABLESPACE mysql ENCRYPTION='Y';
--echo # Monitoring connection
connect(con1, localhost, root,,);
--connection con1
SET DEBUG_SYNC = 'now WAIT_FOR s1';
--echo # Wait for Encryption progress monitoring to appear in PFS table
let $wait_condition = SELECT COUNT(*) = 1
FROM performance_schema.events_stages_current
WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)';
--source include/wait_condition.inc
--echo # Wait for some progress to appear in PFS table
let $wait_condition = SELECT WORK_COMPLETED > 0
FROM performance_schema.events_stages_current
WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)';
--source include/wait_condition.inc
# Verify the expected progress seen in PFS table
select WORK_COMPLETED
FROM performance_schema.events_stages_current
WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)';
# Let the encryption processing continue
SET DEBUG_SYNC = 'now SIGNAL s2';
--echo # Default connection
--connection default
--reap
--echo # Once done, select count from PFS tables
SELECT COUNT(*)
FROM performance_schema.events_stages_current
WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)';
SELECT COUNT(*)
FROM performance_schema.events_stages_history
WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)';
SELECT COUNT(*)
FROM performance_schema.events_stages_history_long
WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)';
SELECT COUNT(*)
FROM performance_schema.events_stages_summary_global_by_event_name
WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND
COUNT_STAR>0;
--disable_query_log
eval SELECT COUNT(*)
FROM performance_schema.events_stages_summary_by_thread_by_event_name
WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND
THREAD_ID=$con_default_thread_id;
--enable_query_log
SELECT COUNT(*)
FROM performance_schema.events_stages_summary_by_user_by_event_name
WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND
COUNT_STAR>0;
SELECT COUNT(*)
FROM performance_schema.events_stages_summary_by_host_by_event_name
WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND
COUNT_STAR>0;
SELECT COUNT(*)
FROM performance_schema.events_stages_summary_by_account_by_event_name
WHERE EVENT_NAME = 'stage/innodb/alter tablespace (encryption)' AND
COUNT_STAR>0;
--echo # Check that Encryption done successfully.
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME='mysql';
SELECT help_keyword_id FROM mysql.help_keyword ORDER BY help_keyword_id LIMIT 2;
--echo ###########
--echo # Cleanup #
--echo ###########
--disconnect con1
# Unencrypt tablespace
ALTER TABLESPACE mysql ENCRYPTION='N';
SELECT NAME, ENCRYPTION FROM INFORMATION_SCHEMA.INNODB_TABLESPACES WHERE NAME='mysql';
remove_file $MYSQLTEST_VARDIR/tmpfile.txt;
|
