|
|
|
|
#!/usr/bin/perl
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use warnings;
|
|
|
|
|
use File::Basename;
|
|
|
|
|
use File::Compare;
|
|
|
|
|
use File::Copy;
|
|
|
|
|
use Test::More;
|
|
|
|
|
use lib 't';
|
|
|
|
|
use pgtde;
|
|
|
|
|
|
|
|
|
|
# Get file name and CREATE out file name and dirs WHERE requried
|
|
|
|
|
PGTDE::setup_files_dir(basename($0));
|
|
|
|
|
|
|
|
|
|
# CREATE new PostgreSQL node and do initdb
|
|
|
|
|
my $node = PGTDE->pgtde_init_pg();
|
|
|
|
|
my $pgdata = $node->data_dir;
|
|
|
|
|
|
|
|
|
|
# UPDATE postgresql.conf to include/load pg_tde library
|
|
|
|
|
open my $conf, '>>', "$pgdata/postgresql.conf";
|
|
|
|
|
print $conf "shared_preload_libraries = 'pg_tde'\n";
|
|
|
|
|
close $conf;
|
|
|
|
|
|
|
|
|
|
# Start server
|
|
|
|
|
my $rt_value = $node->start;
|
|
|
|
|
ok($rt_value == 1, "Start Server");
|
|
|
|
|
|
|
|
|
|
# CREATE EXTENSION and change out file permissions
|
|
|
|
|
my ($cmdret, $stdout, $stderr) = $node->psql('postgres', 'CREATE EXTENSION pg_tde;', extra_params => ['-a']);
|
|
|
|
|
ok($cmdret == 0, "CREATE PGTDE EXTENSION");
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$rt_value = $node->psql('postgres', 'CREATE TABLE test_enc(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING pg_tde_basic;', extra_params => ['-a']);
|
|
|
|
|
ok($rt_value == 3, "Failing query");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Restart the server
|
|
|
|
|
PGTDE::append_to_file("-- server restart");
|
|
|
|
|
$node->stop();
|
|
|
|
|
|
|
|
|
|
$rt_value = $node->start();
|
|
|
|
|
ok($rt_value == 1, "Restart Server");
|
|
|
|
|
|
Framework for multi-tenancy support (#121)
* Introducing catalog table for managing key providers
This commit introduces a user catalog table, percona_tde.pg_tde_key_provider,
within the percona_tde schema, as part of the pg_tde extension. The purpose of
this table is to store essential provider information. The catalog accommodates
various key providers, present and future, utilizing a JSON type
options field to capture provider-specific details.
To facilitate the creation of key providers,
the commit introduces new SQL interfaces:
- pg_tde_add_key_provider(provider_type VARCHAR(10),
provider_name VARCHAR(128), options JSON)
- pg_tde_add_key_provider_file(provider_name VARCHAR(128),
file_path TEXT)
- pg_tde_add_key_provider_vault_v2(provider_name VARCHAR(128),
vault_token TEXT, vault_url TEXT,
vault_mount_path TEXT, vault_ca_path TEXT)
Additionally, the commit implements the C interface for catalog
interaction, detailed in the 'tde_keyring.h' file.
These changes lay the foundation for implementing multi-tenancy in pg_tde by
eliminating the necessity of a 'keyring.json' file for configuring a
cluster-wide key provider. With this enhancement, each database can have its
dedicated key provider, added via SQL interface, removing the need
for DBA intervention in TDE setup."
* Establishing a Framework for Master Key and Shared Cache Management
Up until now, pg_tde relied on a hard-coded master key name, primarily for
proof-of-concept purposes. This commit introduces a more robust infrastructure
for configuring the master key and managing a dynamic shared memory-based
master-key cache to enhance accessibility.
For user interaction, a new SQL interface is provided:
- pg_tde_set_master_key(master_key_name VARCHAR(255), provider_name VARCHAR(255));
This interface enables users to set a master key for a specific database and make
further enhancements toward implementing the multi-tenancy.
In addition to the public SQL interface, the commit optimizes the internal
master-key API. It introduces straightforward Get and Set functions,
handling locking, retrieval, caching, and seamlessly assigning a master key for
a database.
The commit also introduces a unified internal interface for requesting and
utilizing shared memory, contributing to a more cohesive and efficient
master key and cache management system.
* Revamping the Keyring API Interface and Integrating Master Key
This commit unifies the master-key and key-provider modules with the core of
pg_tde, marking a significant evolution in the architecture.
As part of this integration, the keyring API undergoes substantial changes
to enhance flexibility and remove unnecessary components such as the key cache.
As a result of the keyring refactoring, the file keyring is also rewritten,
offering a template for implementing additional key providers for the extension.
The modifications make the keyring API more pluggable, streamlining
interactions and paving the way for future enhancements.
* An Interface for Informing the Shared Memory Manager about Lock Requirements
This commit addresses PostgreSQL core's requirement for upfront information
regarding the number of locks the extension needs. Given the connection
between locks and the shared memory interface, a new callback routine
is introduced. This routine allows modules to specify
the number of locks they require.
In addition to this functionality, the commit includes code cleanups
and adjustments to nomenclature for improved clarity and consistency.
* Adjusting test cases
* Extension Initialization and Cleanup Mechanism
This commit enhances the extension by adding a new mechanism to facilitate
cleanup or setup procedures when the extension is installed in a database.
The core addition is a function "pg_tde_extension_initialize" invoked upon
executing the database's 'CREATE EXTENSION' command.
The commit introduces a callback registration mechanism to streamline
future development and ensure extensibility. This enables any module
to specify a callback function (registered using on_ext_install() ) to be
invoked during extension creation.
As of this commit, the callback functionality is explicitly utilized by the
master key module to handle the cleanup of the master key information file.
This file might persist in the database directory if the extension had been
previously deleted in the same database.
This enhancement paves the way for a more modular and maintainable extension
architecture, allowing individual modules to manage their specific
setup and cleanup tasks seamlessly."
* Adjusting Vault-V2 key provider to use new keyring architecture
2 years ago
|
|
|
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
|
|
|
|
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
Framework for multi-tenancy support (#121)
* Introducing catalog table for managing key providers
This commit introduces a user catalog table, percona_tde.pg_tde_key_provider,
within the percona_tde schema, as part of the pg_tde extension. The purpose of
this table is to store essential provider information. The catalog accommodates
various key providers, present and future, utilizing a JSON type
options field to capture provider-specific details.
To facilitate the creation of key providers,
the commit introduces new SQL interfaces:
- pg_tde_add_key_provider(provider_type VARCHAR(10),
provider_name VARCHAR(128), options JSON)
- pg_tde_add_key_provider_file(provider_name VARCHAR(128),
file_path TEXT)
- pg_tde_add_key_provider_vault_v2(provider_name VARCHAR(128),
vault_token TEXT, vault_url TEXT,
vault_mount_path TEXT, vault_ca_path TEXT)
Additionally, the commit implements the C interface for catalog
interaction, detailed in the 'tde_keyring.h' file.
These changes lay the foundation for implementing multi-tenancy in pg_tde by
eliminating the necessity of a 'keyring.json' file for configuring a
cluster-wide key provider. With this enhancement, each database can have its
dedicated key provider, added via SQL interface, removing the need
for DBA intervention in TDE setup."
* Establishing a Framework for Master Key and Shared Cache Management
Up until now, pg_tde relied on a hard-coded master key name, primarily for
proof-of-concept purposes. This commit introduces a more robust infrastructure
for configuring the master key and managing a dynamic shared memory-based
master-key cache to enhance accessibility.
For user interaction, a new SQL interface is provided:
- pg_tde_set_master_key(master_key_name VARCHAR(255), provider_name VARCHAR(255));
This interface enables users to set a master key for a specific database and make
further enhancements toward implementing the multi-tenancy.
In addition to the public SQL interface, the commit optimizes the internal
master-key API. It introduces straightforward Get and Set functions,
handling locking, retrieval, caching, and seamlessly assigning a master key for
a database.
The commit also introduces a unified internal interface for requesting and
utilizing shared memory, contributing to a more cohesive and efficient
master key and cache management system.
* Revamping the Keyring API Interface and Integrating Master Key
This commit unifies the master-key and key-provider modules with the core of
pg_tde, marking a significant evolution in the architecture.
As part of this integration, the keyring API undergoes substantial changes
to enhance flexibility and remove unnecessary components such as the key cache.
As a result of the keyring refactoring, the file keyring is also rewritten,
offering a template for implementing additional key providers for the extension.
The modifications make the keyring API more pluggable, streamlining
interactions and paving the way for future enhancements.
* An Interface for Informing the Shared Memory Manager about Lock Requirements
This commit addresses PostgreSQL core's requirement for upfront information
regarding the number of locks the extension needs. Given the connection
between locks and the shared memory interface, a new callback routine
is introduced. This routine allows modules to specify
the number of locks they require.
In addition to this functionality, the commit includes code cleanups
and adjustments to nomenclature for improved clarity and consistency.
* Adjusting test cases
* Extension Initialization and Cleanup Mechanism
This commit enhances the extension by adding a new mechanism to facilitate
cleanup or setup procedures when the extension is installed in a database.
The core addition is a function "pg_tde_extension_initialize" invoked upon
executing the database's 'CREATE EXTENSION' command.
The commit introduces a callback registration mechanism to streamline
future development and ensure extensibility. This enables any module
to specify a callback function (registered using on_ext_install() ) to be
invoked during extension creation.
As of this commit, the callback functionality is explicitly utilized by the
master key module to handle the cleanup of the master key information file.
This file might persist in the database directory if the extension had been
previously deleted in the same database.
This enhancement paves the way for a more modular and maintainable extension
architecture, allowing individual modules to manage their specific
setup and cleanup tasks seamlessly."
* Adjusting Vault-V2 key provider to use new keyring architecture
2 years ago
|
|
|
|
|
|
|
|
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc(id SERIAL,k VARCHAR(32),PRIMARY KEY (id)) USING pg_tde_basic;', extra_params => ['-a']);
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
|
|
|
|
|
$stdout = $node->safe_psql('postgres', 'INSERT INTO test_enc (k) VALUES (\'foobar\'),(\'barfoo\');', extra_params => ['-a']);
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
|
|
|
|
|
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
|
|
|
|
|
# Restart the server
|
|
|
|
|
PGTDE::append_to_file("-- server restart");
|
|
|
|
|
$rt_value = $node->stop();
|
|
|
|
|
$rt_value = $node->start();
|
|
|
|
|
|
|
|
|
|
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
|
|
|
|
|
# Verify that we can't see the data in the file
|
|
|
|
|
my $tablefile = $node->safe_psql('postgres', 'SHOW data_directory;');
|
|
|
|
|
$tablefile .= '/';
|
|
|
|
|
$tablefile .= $node->safe_psql('postgres', 'SELECT pg_relation_filepath(\'test_enc\');');
|
|
|
|
|
|
|
|
|
|
my $strings = 'TABLEFILE FOUND: ';
|
|
|
|
|
$strings .= `(ls $tablefile >/dev/null && echo yes) || echo no`;
|
|
|
|
|
PGTDE::append_to_file($strings);
|
|
|
|
|
|
|
|
|
|
$strings = 'CONTAINS FOO (should be empty): ';
|
|
|
|
|
$strings .= `strings $tablefile | grep foo`;
|
|
|
|
|
PGTDE::append_to_file($strings);
|
|
|
|
|
|
|
|
|
|
$stdout = $node->safe_psql('postgres', 'DROP TABLE test_enc;', extra_params => ['-a']);
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
|
|
|
|
|
# DROP EXTENSION
|
|
|
|
|
$stdout = $node->safe_psql('postgres', 'DROP EXTENSION pg_tde;', extra_params => ['-a']);
|
|
|
|
|
ok($cmdret == 0, "DROP PGTDE EXTENSION");
|
|
|
|
|
PGTDE::append_to_file($stdout);
|
|
|
|
|
# Stop the server
|
|
|
|
|
$node->stop();
|
|
|
|
|
|
|
|
|
|
# compare the expected and out file
|
|
|
|
|
my $compare = PGTDE->compare_results();
|
|
|
|
|
|
|
|
|
|
# Test/check if expected and result/out file match. If Yes, test passes.
|
|
|
|
|
is($compare,0,"Compare Files: $PGTDE::expected_filename_with_path and $PGTDE::out_filename_with_path files.");
|
|
|
|
|
|
|
|
|
|
# Done testing for this testcase file.
|
|
|
|
|
done_testing();
|
