diff --git a/meson.build b/meson.build index cc49a7bac3a..06e971c8427 100644 --- a/meson.build +++ b/meson.build @@ -128,7 +128,7 @@ if get_variable('percona_ext', false) 'trigger_on_view', 'change_access_method', 'insert_update_delete', - # 'tablespace', + 'tablespace', 'vault_v2_test', 'alter_index', 'merge_join', diff --git a/src/access/pg_tde_tdemap.c b/src/access/pg_tde_tdemap.c index f1ee5956867..6809d23bb08 100644 --- a/src/access/pg_tde_tdemap.c +++ b/src/access/pg_tde_tdemap.c @@ -55,9 +55,6 @@ } #endif -#define PG_TDE_MAP_FILENAME "pg_tde.map" -#define PG_TDE_KEYDATA_FILENAME "pg_tde.dat" - #define PG_TDE_FILEMAGIC 0x01454454 /* version ID value = TDE 01 */ @@ -163,7 +160,7 @@ pg_tde_create_key_map_entry(const RelFileLocator *newrlocator, uint32 entry_type LWLock *lock_pk = tde_lwlock_enc_keys(); LWLockAcquire(lock_pk, LW_EXCLUSIVE); - principal_key = GetPrincipalKey(newrlocator->dbOid, newrlocator->spcOid, LW_EXCLUSIVE); + principal_key = GetPrincipalKey(newrlocator->dbOid, LW_EXCLUSIVE); if (principal_key == NULL) { LWLockRelease(lock_pk); @@ -190,7 +187,7 @@ pg_tde_create_key_map_entry(const RelFileLocator *newrlocator, uint32 entry_type /* Encrypt the key */ rel_key_data = tde_create_rel_key(newrlocator->relNumber, &int_key, &principal_key->keyInfo); - enc_rel_key_data = tde_encrypt_rel_key(principal_key, rel_key_data, newrlocator); + enc_rel_key_data = tde_encrypt_rel_key(principal_key, rel_key_data, newrlocator->dbOid); /* * XLOG internal key @@ -244,12 +241,12 @@ tde_create_rel_key(RelFileNumber rel_num, InternalKey *key, TDEPrincipalKeyInfo * Encrypts a given key and returns the encrypted one. */ RelKeyData * -tde_encrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *rel_key_data, const RelFileLocator *rlocator) +tde_encrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *rel_key_data, Oid dbOid) { RelKeyData *enc_rel_key_data; size_t enc_key_bytes; - AesEncryptKey(principal_key, rlocator, rel_key_data, &enc_rel_key_data, &enc_key_bytes); + AesEncryptKey(principal_key, dbOid, rel_key_data, &enc_rel_key_data, &enc_key_bytes); return enc_rel_key_data; } @@ -259,13 +256,13 @@ tde_encrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *rel_key_data, co * Returns true if both map and key data files are created. */ void -pg_tde_delete_tde_files(Oid dbOid, Oid spcOid) +pg_tde_delete_tde_files(Oid dbOid) { char db_map_path[MAXPGPATH] = {0}; char db_keydata_path[MAXPGPATH] = {0}; /* Set the file paths */ - pg_tde_set_db_file_paths(dbOid, spcOid, db_map_path, db_keydata_path); + pg_tde_set_db_file_paths(dbOid, db_map_path, db_keydata_path); /* Remove these files without emitting any error */ PathNameDeleteTemporaryFile(db_map_path, false); @@ -294,7 +291,6 @@ pg_tde_save_principal_key(TDEPrincipalKeyInfo *principal_key_info) /* Set the file paths */ pg_tde_set_db_file_paths(principal_key_info->databaseId, - principal_key_info->tablespaceId, db_map_path, db_keydata_path); ereport(LOG, (errmsg("pg_tde_save_principal_key"))); @@ -434,7 +430,7 @@ pg_tde_write_one_map_entry(int fd, const RelFileLocator *rlocator, uint32 flags, { char db_map_path[MAXPGPATH] = {0}; - pg_tde_set_db_file_paths(rlocator->dbOid, rlocator->spcOid, db_map_path, NULL); + pg_tde_set_db_file_paths(rlocator->dbOid, db_map_path, NULL); ereport(FATAL, (errcode_for_file_access(), errmsg("could not write tde map file \"%s\": %m", @@ -444,7 +440,7 @@ pg_tde_write_one_map_entry(int fd, const RelFileLocator *rlocator, uint32 flags, { char db_map_path[MAXPGPATH] = {0}; - pg_tde_set_db_file_paths(rlocator->dbOid, rlocator->spcOid, db_map_path, NULL); + pg_tde_set_db_file_paths(rlocator->dbOid, db_map_path, NULL); ereport(data_sync_elevel(ERROR), (errcode_for_file_access(), errmsg("could not fsync file \"%s\": %m", db_map_path))); @@ -525,7 +521,7 @@ pg_tde_write_key_map_entry(const RelFileLocator *rlocator, RelKeyData *enc_rel_k Assert(rlocator); /* Set the file paths */ - pg_tde_set_db_file_paths(rlocator->dbOid, rlocator->spcOid, db_map_path, db_keydata_path); + pg_tde_set_db_file_paths(rlocator->dbOid, db_map_path, db_keydata_path); /* Create the map entry and then add the encrypted key to the data file */ key_index = pg_tde_write_map_entry(rlocator, enc_rel_key_data->internal_key.rel_type, db_map_path, principal_key_info); @@ -550,7 +546,7 @@ pg_tde_delete_key_map_entry(const RelFileLocator *rlocator, uint32 key_type) Assert(rlocator); /* Get the file paths */ - pg_tde_set_db_file_paths(rlocator->dbOid, rlocator->spcOid, db_map_path, db_keydata_path); + pg_tde_set_db_file_paths(rlocator->dbOid, db_map_path, db_keydata_path); errno = 0; /* Remove the map entry if found */ @@ -596,7 +592,7 @@ pg_tde_free_key_map_entry(const RelFileLocator *rlocator, uint32 key_type, off_t Assert(rlocator); /* Get the file paths */ - pg_tde_set_db_file_paths(rlocator->dbOid, rlocator->spcOid, db_map_path, NULL); + pg_tde_set_db_file_paths(rlocator->dbOid, db_map_path, NULL); /* Remove the map entry if found */ key_index = pg_tde_process_map_entry(rlocator, key_type, db_map_path, &offset, true); @@ -610,17 +606,6 @@ pg_tde_free_key_map_entry(const RelFileLocator *rlocator, uint32 key_type, off_t db_map_path))); } - /* - * Remove TDE files it was the last TDE relation in a custom tablespace. - * DROP TABLESPACE needs an empty dir. - */ - if (rlocator->spcOid != GLOBALTABLESPACE_OID && - rlocator->spcOid != DEFAULTTABLESPACE_OID && - pg_tde_process_map_entry(NULL, key_type, db_map_path, &start, false) == -1) - { - pg_tde_delete_tde_files(rlocator->dbOid, rlocator->spcOid); - cleanup_key_provider_info(rlocator->dbOid, rlocator->spcOid); - } } /* @@ -689,7 +674,6 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p /* Set the file paths */ pg_tde_set_db_file_paths(principal_key->keyInfo.databaseId, - principal_key->keyInfo.tablespaceId, db_map_path, db_keydata_path); /* @@ -729,14 +713,13 @@ pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_p rloc.relNumber = read_map_entry.relNumber; rloc.dbOid = principal_key->keyInfo.databaseId; - rloc.spcOid = principal_key->keyInfo.tablespaceId; /* Let's get the decrypted key and re-encrypt it with the new key. */ enc_rel_key_data[OLD_PRINCIPAL_KEY] = pg_tde_read_one_keydata(k_fd[OLD_PRINCIPAL_KEY], key_index[OLD_PRINCIPAL_KEY], principal_key); /* Decrypt and re-encrypt keys */ - rel_key_data[OLD_PRINCIPAL_KEY] = tde_decrypt_rel_key(principal_key, enc_rel_key_data[OLD_PRINCIPAL_KEY], &rloc); - enc_rel_key_data[NEW_PRINCIPAL_KEY] = tde_encrypt_rel_key(new_principal_key, rel_key_data[OLD_PRINCIPAL_KEY], &rloc); + rel_key_data[OLD_PRINCIPAL_KEY] = tde_decrypt_rel_key(principal_key, enc_rel_key_data[OLD_PRINCIPAL_KEY], principal_key->keyInfo.databaseId); + enc_rel_key_data[NEW_PRINCIPAL_KEY] = tde_encrypt_rel_key(new_principal_key, rel_key_data[OLD_PRINCIPAL_KEY], principal_key->keyInfo.databaseId); /* Write the given entry at the location pointed by prev_pos */ prev_pos[NEW_PRINCIPAL_KEY] = curr_pos[NEW_PRINCIPAL_KEY]; @@ -814,7 +797,6 @@ pg_tde_write_map_keydata_files(off_t map_size, char *m_file_data, off_t keydata_ /* Set the file paths */ pg_tde_set_db_file_paths(fheader->principal_key_info.databaseId, - fheader->principal_key_info.tablespaceId, db_map_path, db_keydata_path); /* Initialize the new files and set the names */ @@ -870,10 +852,7 @@ FINALIZE: } /* - * Move relation's key to the new physical location and cache it with the new - * relfilenode. It recreates *.map and *.dat files with the old principal key - * and re-encrypted with the new relfilenode internal key. And copies the - * old keyring to the new location. + * Saves the relation key with the new relfilenode. * Needed by ALTER TABLE SET TABLESPACE for example. */ bool @@ -890,40 +869,21 @@ pg_tde_move_rel_key(const RelFileLocator *newrlocator, const RelFileLocator *old off_t offset = 0; int32 key_index = 0; - pg_tde_set_db_file_paths(oldrlocator->dbOid, oldrlocator->spcOid, db_map_path, db_keydata_path); + pg_tde_set_db_file_paths(oldrlocator->dbOid, db_map_path, db_keydata_path); LWLockAcquire(tde_lwlock_enc_keys(), LW_EXCLUSIVE); - principal_key = GetPrincipalKey(oldrlocator->dbOid, oldrlocator->spcOid, LW_EXCLUSIVE); + principal_key = GetPrincipalKey(oldrlocator->dbOid, LW_EXCLUSIVE); Assert(principal_key); - /* - * Copy kering provider info. - * - * TODO: we can potentially avoid moving keyring and key tde files keeping - * these files always in dbOid+MyDatabaseTableSpace path. But the - * background writer isn't aware of MyDatabaseTableSpace hence it won't - * work with SMGR -> tde_heap. Revisit this after chages in SMGR (mdcreate) - * interface. + /* + * We don't use internal_key cache to avoid locking complications. */ - keyring = GetKeyProviderByID(principal_key->keyInfo.keyringId, oldrlocator->dbOid, oldrlocator->spcOid); - Assert(keyring); - memcpy(provider_rec.provider_name, keyring->provider_name, sizeof(keyring->provider_name)); - provider_rec.provider_type = keyring->type; - memcpy(provider_rec.options, keyring->options, sizeof(keyring->options)); - copy_key_provider_info(&provider_rec, newrlocator->dbOid, newrlocator->spcOid, true); - - principal_key->keyInfo.keyringId = provider_rec.provider_id; - key_index = pg_tde_process_map_entry(oldrlocator, MAP_ENTRY_VALID, db_map_path, &offset, false); Assert(key_index != -1); - /* - * Re-encrypt relation key. We don't use internal_key cache to avoid locking - * complications. - */ + enc_key = pg_tde_read_keydata(db_keydata_path, key_index, principal_key); - rel_key = tde_decrypt_rel_key(principal_key, enc_key, oldrlocator); - enc_key = tde_encrypt_rel_key(principal_key, rel_key, newrlocator); + rel_key = tde_decrypt_rel_key(principal_key, enc_key, oldrlocator->dbOid); xlrec.rlocator = *newrlocator; xlrec.relKey = *enc_key; @@ -983,7 +943,7 @@ pg_tde_get_key_from_file(const RelFileLocator *rlocator, uint32 key_type, bool n * key. */ LWLockAcquire(lock_pk, LW_SHARED); - principal_key = GetPrincipalKey(rlocator->dbOid, rlocator->spcOid, LW_SHARED); + principal_key = GetPrincipalKey(rlocator->dbOid, LW_SHARED); if (principal_key == NULL) { LWLockRelease(lock_pk); @@ -992,7 +952,7 @@ pg_tde_get_key_from_file(const RelFileLocator *rlocator, uint32 key_type, bool n } /* Get the file paths */ - pg_tde_set_db_file_paths(rlocator->dbOid, rlocator->spcOid, db_map_path, db_keydata_path); + pg_tde_set_db_file_paths(rlocator->dbOid, db_map_path, db_keydata_path); if (no_map_ok && access(db_map_path, F_OK) == -1) { @@ -1011,23 +971,11 @@ pg_tde_get_key_from_file(const RelFileLocator *rlocator, uint32 key_type, bool n enc_rel_key_data = pg_tde_read_keydata(db_keydata_path, key_index, principal_key); LWLockRelease(lock_pk); - rel_key_data = tde_decrypt_rel_key(principal_key, enc_rel_key_data, rlocator); + rel_key_data = tde_decrypt_rel_key(principal_key, enc_rel_key_data, rlocator->dbOid); return rel_key_data; } -inline void -pg_tde_set_db_file_paths(Oid dbOid, Oid spcOid, char *map_path, char *keydata_path) -{ - char *db_path = pg_tde_get_tde_file_dir(dbOid, spcOid); - - if (map_path) - join_path_components(map_path, db_path, PG_TDE_MAP_FILENAME); - if (keydata_path) - join_path_components(keydata_path, db_path, PG_TDE_KEYDATA_FILENAME); - pfree(db_path); -} - /* * Returns the index of the read map if we find a valid match; i.e. * - flags is set to MAP_ENTRY_VALID and the relNumber matches the one @@ -1147,12 +1095,12 @@ pg_tde_read_keydata(char *db_keydata_path, int32 key_index, TDEPrincipalKey *pri * Decrypts a given key and returns the decrypted one. */ RelKeyData * -tde_decrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *enc_rel_key_data, const RelFileLocator *rlocator) +tde_decrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *enc_rel_key_data, Oid dbOid) { RelKeyData *rel_key_data = NULL; size_t key_bytes; - AesDecryptKey(principal_key, rlocator, &rel_key_data, enc_rel_key_data, &key_bytes); + AesDecryptKey(principal_key, dbOid, &rel_key_data, enc_rel_key_data, &key_bytes); return rel_key_data; } @@ -1321,7 +1269,7 @@ pg_tde_read_one_keydata(int keydata_fd, int32 key_index, TDEPrincipalKey *princi { char db_keydata_path[MAXPGPATH] = {0}; - pg_tde_set_db_file_paths(principal_key->keyInfo.databaseId, principal_key->keyInfo.tablespaceId, NULL, db_keydata_path); + pg_tde_set_db_file_paths(principal_key->keyInfo.databaseId, NULL, db_keydata_path); ereport(FATAL, (errcode(ERRCODE_NO_DATA_FOUND), errmsg("could not find the required key at index %d in tde data file \"%s\": %m", @@ -1335,7 +1283,7 @@ pg_tde_read_one_keydata(int keydata_fd, int32 key_index, TDEPrincipalKey *princi { char db_keydata_path[MAXPGPATH] = {0}; - pg_tde_set_db_file_paths(principal_key->keyInfo.databaseId, principal_key->keyInfo.tablespaceId, NULL, db_keydata_path); + pg_tde_set_db_file_paths(principal_key->keyInfo.databaseId, NULL, db_keydata_path); ereport(FATAL, (errcode_for_file_access(), errmsg("could not read key at index %d in tde key data file \"%s\": %m", @@ -1352,7 +1300,7 @@ pg_tde_read_one_keydata(int keydata_fd, int32 key_index, TDEPrincipalKey *princi * a LW_SHARED or higher lock on files before calling this function. */ TDEPrincipalKeyInfo * -pg_tde_get_principal_key_info(Oid dbOid, Oid spcOid) +pg_tde_get_principal_key_info(Oid dbOid) { int fd = -1; TDEFileHeader fheader; @@ -1362,7 +1310,7 @@ pg_tde_get_principal_key_info(Oid dbOid, Oid spcOid) char db_map_path[MAXPGPATH] = {0}; /* Set the file paths */ - pg_tde_set_db_file_paths(dbOid, spcOid, db_map_path, NULL); + pg_tde_set_db_file_paths(dbOid, db_map_path, NULL); /* * Ensuring that we always open the file in binary mode. The caller must diff --git a/src/access/pg_tde_xlog.c b/src/access/pg_tde_xlog.c index ddb4e8a3fd0..f7583da08b1 100644 --- a/src/access/pg_tde_xlog.c +++ b/src/access/pg_tde_xlog.c @@ -17,7 +17,6 @@ #include "access/xlog.h" #include "access/xlog_internal.h" #include "access/xloginsert.h" -#include "catalog/pg_tablespace_d.h" #include "catalog/tde_keyring.h" #include "storage/bufmgr.h" #include "storage/shmem.h" @@ -108,13 +107,13 @@ tdeheap_rmgr_desc(StringInfo buf, XLogReaderState *record) { TDEPrincipalKeyInfo *xlrec = (TDEPrincipalKeyInfo *) XLogRecGetData(record); - appendStringInfo(buf, "add tde principal key for db %u/%u", xlrec->databaseId, xlrec->tablespaceId); + appendStringInfo(buf, "add tde principal key for db %u", xlrec->databaseId); } if (info == XLOG_TDE_EXTENSION_INSTALL_KEY) { XLogExtensionInstall *xlrec = (XLogExtensionInstall *) XLogRecGetData(record); - appendStringInfo(buf, "tde extension install for db %u/%u", xlrec->database_id, xlrec->tablespace_id); + appendStringInfo(buf, "tde extension install for db %u", xlrec->database_id); } if (info == XLOG_TDE_ROTATE_KEY) { diff --git a/src/access/pg_tde_xlog_encrypt.c b/src/access/pg_tde_xlog_encrypt.c index 804e59178c2..5c40f73e902 100644 --- a/src/access/pg_tde_xlog_encrypt.c +++ b/src/access/pg_tde_xlog_encrypt.c @@ -18,7 +18,6 @@ #include "access/xlog.h" #include "access/xlog_internal.h" #include "access/xloginsert.h" -#include "catalog/pg_tablespace_d.h" #include "storage/bufmgr.h" #include "storage/shmem.h" #include "utils/guc.h" diff --git a/src/catalog/tde_global_space.c b/src/catalog/tde_global_space.c index e97f9d423c1..936f6d3b612 100644 --- a/src/catalog/tde_global_space.c +++ b/src/catalog/tde_global_space.c @@ -14,7 +14,6 @@ #ifdef PERCONA_EXT -#include "catalog/pg_tablespace_d.h" #include "utils/memutils.h" #include "access/pg_tde_tdemap.h" @@ -36,14 +35,13 @@ #define KEYRING_DEFAULT_FILE_NAME "pg_tde_default_keyring_CHANGE_AND_REMOVE_IT" #define DefaultKeyProvider GetKeyProviderByName(KEYRING_DEFAULT_NAME, \ - GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID) + GLOBAL_DATA_TDE_OID) #ifndef FRONTEND static void init_keys(void); static void init_default_keyring(void); static TDEPrincipalKey *create_principal_key(const char *key_name, - GenericKeyring *keyring, Oid dbOid, - Oid spcOid); + GenericKeyring *keyring, Oid dbOid); #endif /* !FRONTEND */ @@ -53,7 +51,7 @@ TDEInitGlobalKeys(const char *dir) #ifndef FRONTEND char db_map_path[MAXPGPATH] = {0}; - pg_tde_set_db_file_paths(GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID, db_map_path, NULL); + pg_tde_set_db_file_paths(GLOBAL_DATA_TDE_OID, db_map_path, NULL); if (access(db_map_path, F_OK) == -1) { init_default_keyring(); @@ -87,7 +85,7 @@ TDEInitGlobalKeys(const char *dir) static void init_default_keyring(void) { - if (GetAllKeyringProviders(GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID) == NIL) + if (GetAllKeyringProviders(GLOBAL_DATA_TDE_OID) == NIL) { char path[MAXPGPATH] = {0}; static KeyringProvideRecord provider = @@ -100,7 +98,7 @@ init_default_keyring(void) elog(WARNING, "unable to get current working dir"); /* TODO: not sure about the location. Currently it's in $PGDATA */ - join_path_components(path, path, KEYRING_DEFAULT_FILE_NAME); + join_path_components(path, PG_TDE_DATA_DIR, KEYRING_DEFAULT_FILE_NAME); snprintf(provider.options, MAX_KEYRING_OPTION_LEN, "{" @@ -109,11 +107,13 @@ init_default_keyring(void) "}", path ); + pg_tde_init_data_dir(); + /* * TODO: should we remove it automaticaly on * pg_tde_rotate_principal_key() ? */ - save_new_key_provider_info(&provider, GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID, false); + save_new_key_provider_info(&provider, GLOBAL_DATA_TDE_OID, false); elog(INFO, "default keyring has been created for the global tablespace (WAL)." " Change it with pg_tde_add_key_provider_* and run pg_tde_rotate_principal_key." @@ -142,7 +142,7 @@ init_keys(void) mkey = create_principal_key(PRINCIPAL_KEY_DEFAULT_NAME, DefaultKeyProvider, - GLOBAL_DATA_TDE_OID, GLOBALTABLESPACE_OID); + GLOBAL_DATA_TDE_OID); memset(&int_key, 0, sizeof(InternalKey)); @@ -159,7 +159,7 @@ init_keys(void) rlocator = &GLOBAL_SPACE_RLOCATOR(XLOG_TDE_OID); rel_key_data = tde_create_rel_key(rlocator->relNumber, &int_key, &mkey->keyInfo); - enc_rel_key_data = tde_encrypt_rel_key(mkey, rel_key_data, rlocator); + enc_rel_key_data = tde_encrypt_rel_key(mkey, rel_key_data, rlocator->dbOid); pg_tde_write_key_map_entry(rlocator, enc_rel_key_data, &mkey->keyInfo); pfree(enc_rel_key_data); pfree(mkey); @@ -175,15 +175,13 @@ init_keys(void) * first. */ static TDEPrincipalKey * -create_principal_key(const char *key_name, GenericKeyring *keyring, - Oid dbOid, Oid spcOid) +create_principal_key(const char *key_name, GenericKeyring *keyring, Oid dbOid) { TDEPrincipalKey *principalKey; keyInfo *keyInfo = NULL; principalKey = palloc(sizeof(TDEPrincipalKey)); principalKey->keyInfo.databaseId = dbOid; - principalKey->keyInfo.tablespaceId = spcOid; principalKey->keyInfo.keyId.version = DEFAULT_PRINCIPAL_KEY_VERSION; principalKey->keyInfo.keyringId = keyring->key_id; strncpy(principalKey->keyInfo.keyId.name, key_name, TDE_KEY_NAME_LEN); diff --git a/src/catalog/tde_keyring.c b/src/catalog/tde_keyring.c index 49cdfd0f0bd..95a9c669bcf 100644 --- a/src/catalog/tde_keyring.c +++ b/src/catalog/tde_keyring.c @@ -47,24 +47,24 @@ typedef enum ProviderScanType PROVIDER_SCAN_ALL } ProviderScanType; -#define PG_TDE_KEYRING_FILENAME "pg_tde_keyrings" +#define PG_TDE_KEYRING_FILENAME "pg_tde_%d_keyring" static FileKeyring *load_file_keyring_provider_options(char *keyring_options); static GenericKeyring *load_keyring_provider_options(ProviderType provider_type, char *keyring_options); static VaultV2Keyring *load_vaultV2_keyring_provider_options(char *keyring_options); static void debug_print_kerying(GenericKeyring *keyring); static GenericKeyring *load_keyring_provider_from_record(KeyringProvideRecord *provider); -static char *get_keyring_infofile_path(char *resPath, Oid dbOid, Oid spcOid); +static inline void get_keyring_infofile_path(char *resPath, Oid dbOid); static bool fetch_next_key_provider(int fd, off_t *curr_pos, KeyringProvideRecord *provider); #ifdef FRONTEND -static SimplePtrList *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid, Oid spcOid); +static SimplePtrList *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid); static void simple_list_free(SimplePtrList *list); #else -static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid, Oid spcOid); +static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid); PG_FUNCTION_INFO_V1(pg_tde_add_key_provider_internal); Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS); @@ -77,9 +77,8 @@ Datum pg_tde_list_all_key_providers(PG_FUNCTION_ARGS); static void key_provider_startup_cleanup(int tde_tbl_count, XLogExtensionInstall *ext_info, bool redo, void *arg); static const char *get_keyring_provider_typename(ProviderType p_type); static uint32 write_key_provider_info(KeyringProvideRecord *provider, - Oid database_id, Oid tablespace_id, - off_t position, bool error_if_exists, - bool write_xlog); + Oid database_id, off_t position, + bool error_if_exists, bool write_xlog); static Size initialize_shared_state(void *start_address); static Size required_shared_mem_size(void); @@ -137,7 +136,7 @@ key_provider_startup_cleanup(int tde_tbl_count, XLogExtensionInstall *ext_info, (errmsg("failed to perform initialization. database already has %d TDE tables", tde_tbl_count))); return; } - cleanup_key_provider_info(ext_info->database_id, ext_info->tablespace_id); + cleanup_key_provider_info(ext_info->database_id); } ProviderType @@ -169,16 +168,16 @@ get_keyring_provider_typename(ProviderType p_type) } List * -GetAllKeyringProviders(Oid dbOid, Oid spcOid) +GetAllKeyringProviders(Oid dbOid) { - return scan_key_provider_file(PROVIDER_SCAN_ALL, NULL, dbOid, spcOid); + return scan_key_provider_file(PROVIDER_SCAN_ALL, NULL, dbOid); } GenericKeyring * -GetKeyProviderByName(const char *provider_name, Oid dbOid, Oid spcOid) +GetKeyProviderByName(const char *provider_name, Oid dbOid) { GenericKeyring *keyring = NULL; - List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_NAME, (void *) provider_name, dbOid, spcOid); + List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_NAME, (void *) provider_name, dbOid); if (providers != NIL) { @@ -197,8 +196,8 @@ GetKeyProviderByName(const char *provider_name, Oid dbOid, Oid spcOid) static uint32 -write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, - Oid tablespace_id, off_t position, bool error_if_exists, bool write_xlog) +write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, + off_t position, bool error_if_exists, bool write_xlog) { off_t bytes_written = 0; off_t curr_pos = 0; @@ -209,7 +208,7 @@ write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, Assert(provider != NULL); - get_keyring_infofile_path(kp_info_path, database_id, tablespace_id); + get_keyring_infofile_path(kp_info_path, database_id); LWLockAcquire(tde_provider_info_lock(), LW_EXCLUSIVE); @@ -258,7 +257,6 @@ write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, KeyringProviderXLRecord xlrec; xlrec.database_id = database_id; - xlrec.tablespace_id = tablespace_id; xlrec.offset_in_file = curr_pos; memcpy(&xlrec.provider, provider, sizeof(KeyringProvideRecord)); @@ -308,33 +306,24 @@ write_key_provider_info(KeyringProvideRecord *provider, Oid database_id, * Save the key provider info to the file */ uint32 -save_new_key_provider_info(KeyringProvideRecord* provider, Oid databaseId, Oid tablespaceId, bool write_xlog) +save_new_key_provider_info(KeyringProvideRecord* provider, Oid databaseId, bool write_xlog) { - return write_key_provider_info(provider, databaseId, tablespaceId, -1, true, write_xlog); -} - -/* - * Save the key provider info to the file but don't fail if it is already exists. - */ -uint32 -copy_key_provider_info(KeyringProvideRecord* provider, Oid newdatabaseId, Oid newtablespaceId, bool write_xlog) -{ - return write_key_provider_info(provider, newdatabaseId, newtablespaceId, -1, false, write_xlog); + return write_key_provider_info(provider, databaseId, -1, true, write_xlog); } uint32 redo_key_provider_info(KeyringProviderXLRecord *xlrec) { - return write_key_provider_info(&xlrec->provider, xlrec->database_id, xlrec->tablespace_id, xlrec->offset_in_file, true, false); + return write_key_provider_info(&xlrec->provider, xlrec->database_id, xlrec->offset_in_file, true, false); } void -cleanup_key_provider_info(Oid databaseId, Oid tablespaceId) +cleanup_key_provider_info(Oid databaseId) { /* Remove the key provider info file */ char kp_info_path[MAXPGPATH] = {0}; - get_keyring_infofile_path(kp_info_path, databaseId, tablespaceId); + get_keyring_infofile_path(kp_info_path, databaseId); PathNameDeleteTemporaryFile(kp_info_path, false); } @@ -346,19 +335,12 @@ pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS) char *options = text_to_cstring(PG_GETARG_TEXT_PP(2)); bool is_global = PG_GETARG_BOOL(3); KeyringProvideRecord provider; - Oid dbOid = MyDatabaseId; - Oid spcOid = MyDatabaseTableSpace; - - if (is_global) - { - dbOid = GLOBAL_DATA_TDE_OID; - spcOid = GLOBALTABLESPACE_OID; - } + Oid dbOid = is_global ? GLOBAL_DATA_TDE_OID : MyDatabaseId; strncpy(provider.options, options, sizeof(provider.options)); strncpy(provider.provider_name, provider_name, sizeof(provider.provider_name)); provider.provider_type = get_keyring_provider_from_typename(provider_type); - save_new_key_provider_info(&provider, dbOid, spcOid, true); + save_new_key_provider_info(&provider, dbOid, true); PG_RETURN_INT32(provider.provider_id); } @@ -366,7 +348,7 @@ pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS) Datum pg_tde_list_all_key_providers(PG_FUNCTION_ARGS) { - List *all_providers = GetAllKeyringProviders(MyDatabaseId, MyDatabaseTableSpace); + List *all_providers = GetAllKeyringProviders(MyDatabaseId); ListCell *lc; Tuplestorestate *tupstore; TupleDesc tupdesc; @@ -419,10 +401,10 @@ pg_tde_list_all_key_providers(PG_FUNCTION_ARGS) } GenericKeyring * -GetKeyProviderByID(int provider_id, Oid dbOid, Oid spcOid) +GetKeyProviderByID(int provider_id, Oid dbOid) { GenericKeyring *keyring = NULL; - List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_ID, &provider_id, dbOid, spcOid); + List *providers = scan_key_provider_file(PROVIDER_SCAN_BY_ID, &provider_id, dbOid); if (providers != NIL) { @@ -436,10 +418,10 @@ GetKeyProviderByID(int provider_id, Oid dbOid, Oid spcOid) #ifdef FRONTEND GenericKeyring * -GetKeyProviderByID(int provider_id, Oid dbOid, Oid spcOid) +GetKeyProviderByID(int provider_id, Oid dbOid) { GenericKeyring *keyring = NULL; - SimplePtrList *providers = scan_key_provider_file(PROVIDER_SCAN_BY_ID, &provider_id, dbOid, spcOid); + SimplePtrList *providers = scan_key_provider_file(PROVIDER_SCAN_BY_ID, &provider_id, dbOid); if (providers != NULL) { @@ -474,7 +456,7 @@ static List * #else static SimplePtrList * #endif -scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid, Oid spcOid) +scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid) { off_t curr_pos = 0; int fd; @@ -489,7 +471,7 @@ scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid, Oid if (scanType != PROVIDER_SCAN_ALL) Assert(scanKey != NULL); - get_keyring_infofile_path(kp_info_path, dbOid, spcOid); + get_keyring_infofile_path(kp_info_path, dbOid); LWLockAcquire(tde_provider_info_lock(), LW_SHARED); @@ -661,15 +643,10 @@ debug_print_kerying(GenericKeyring *keyring) } } -static char * -get_keyring_infofile_path(char *resPath, Oid dbOid, Oid spcOid) +static inline void +get_keyring_infofile_path(char *resPath, Oid dbOid) { - char *db_path = pg_tde_get_tde_file_dir(dbOid, spcOid); - - Assert(db_path != NULL); - join_path_components(resPath, db_path, PG_TDE_KEYRING_FILENAME); - pfree(db_path); - return resPath; + join_path_components(resPath, PG_TDE_DATA_DIR, psprintf(PG_TDE_KEYRING_FILENAME, dbOid)); } /* diff --git a/src/catalog/tde_principal_key.c b/src/catalog/tde_principal_key.c index ab241d69916..8d8053827f1 100644 --- a/src/catalog/tde_principal_key.c +++ b/src/catalog/tde_principal_key.c @@ -75,16 +75,16 @@ static void shared_memory_shutdown(int code, Datum arg); static void principal_key_startup_cleanup(int tde_tbl_count, XLogExtensionInstall *ext_info, bool redo, void *arg); static void clear_principal_key_cache(Oid databaseId); static inline dshash_table *get_principal_key_Hash(void); -static TDEPrincipalKey *get_principal_key_from_keyring(Oid dbOid, Oid spcOid); +static TDEPrincipalKey *get_principal_key_from_keyring(Oid dbOid); static TDEPrincipalKey *get_principal_key_from_cache(Oid dbOid); static void push_principal_key_to_cache(TDEPrincipalKey *principalKey); -static Datum pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid); +static Datum pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid); static keyInfo *load_latest_versioned_key_name(TDEPrincipalKeyInfo *principal_key_info, GenericKeyring *keyring, bool ensure_new_key); static TDEPrincipalKey *set_principal_key_with_keyring(const char *key_name, GenericKeyring *keyring, - Oid dbOid, Oid spcOid, + Oid dbOid, bool ensure_new_key); static const TDEShmemSetupRoutine principal_key_info_shmem_routine = { @@ -222,7 +222,7 @@ save_principal_key_info(TDEPrincipalKeyInfo *principal_key_info) */ TDEPrincipalKey * set_principal_key_with_keyring(const char *key_name, GenericKeyring *keyring, - Oid dbOid, Oid spcOid, bool ensure_new_key) + Oid dbOid, bool ensure_new_key) { TDEPrincipalKey *principalKey = NULL; LWLock *lock_files = tde_lwlock_enc_keys(); @@ -238,7 +238,7 @@ set_principal_key_with_keyring(const char *key_name, GenericKeyring *keyring, /* TODO: Add the key in the cache? */ if (!is_dup_key) - is_dup_key = (pg_tde_get_principal_key_info(dbOid, spcOid) != NULL); + is_dup_key = (pg_tde_get_principal_key_info(dbOid) != NULL); if (!is_dup_key) { @@ -246,7 +246,6 @@ set_principal_key_with_keyring(const char *key_name, GenericKeyring *keyring, principalKey = palloc(sizeof(TDEPrincipalKey)); principalKey->keyInfo.databaseId = dbOid; - principalKey->keyInfo.tablespaceId = spcOid; principalKey->keyInfo.keyId.version = DEFAULT_PRINCIPAL_KEY_VERSION; principalKey->keyInfo.keyringId = keyring->key_id; strncpy(principalKey->keyInfo.keyId.name, key_name, TDE_KEY_NAME_LEN); @@ -301,8 +300,8 @@ bool SetPrincipalKey(const char *key_name, const char *provider_name, bool ensure_new_key) { TDEPrincipalKey *principal_key = set_principal_key_with_keyring(key_name, - GetKeyProviderByName(provider_name, MyDatabaseId, MyDatabaseTableSpace), - MyDatabaseId, MyDatabaseTableSpace, + GetKeyProviderByName(provider_name, MyDatabaseId), + MyDatabaseId, ensure_new_key); return (principal_key != NULL); @@ -343,15 +342,13 @@ RotatePrincipalKey(TDEPrincipalKey *current_key, const char *new_key_name, const if (new_provider_name != NULL) { new_principal_key.keyInfo.keyringId = GetKeyProviderByName(new_provider_name, - new_principal_key.keyInfo.databaseId, - new_principal_key.keyInfo.tablespaceId)->key_id; + new_principal_key.keyInfo.databaseId)->key_id; } } /* We need a valid keyring structure */ keyring = GetKeyProviderByID(new_principal_key.keyInfo.keyringId, - new_principal_key.keyInfo.databaseId, - new_principal_key.keyInfo.tablespaceId); + new_principal_key.keyInfo.databaseId); keyInfo = load_latest_versioned_key_name(&new_principal_key.keyInfo, keyring, ensure_new_key); @@ -368,7 +365,7 @@ RotatePrincipalKey(TDEPrincipalKey *current_key, const char *new_key_name, const memcpy(new_principal_key.keyData, keyInfo->data.data, keyInfo->data.len); is_rotated = pg_tde_perform_rotate_key(current_key, &new_principal_key); - if (is_rotated && current_key->keyInfo.tablespaceId != GLOBALTABLESPACE_OID) + if (is_rotated && !TDEisInGlobalSpace(current_key->keyInfo.databaseId)) { clear_principal_key_cache(current_key->keyInfo.databaseId); push_principal_key_to_cache(&new_principal_key); @@ -493,7 +490,7 @@ GetPrincipalKeyProviderId(void) * Principal key not present in cache. Try Loading it from the info * file */ - principalKeyInfo = pg_tde_get_principal_key_info(dbOid, MyDatabaseTableSpace); + principalKeyInfo = pg_tde_get_principal_key_info(dbOid); if (principalKeyInfo) { keyringId = principalKeyInfo->keyringId; @@ -582,11 +579,11 @@ principal_key_startup_cleanup(int tde_tbl_count, XLogExtensionInstall *ext_info, return; } - cleanup_principal_key_info(ext_info->database_id, ext_info->tablespace_id); + cleanup_principal_key_info(ext_info->database_id); } void -cleanup_principal_key_info(Oid databaseId, Oid tablespaceId) +cleanup_principal_key_info(Oid databaseId) { clear_principal_key_cache(databaseId); @@ -596,7 +593,7 @@ cleanup_principal_key_info(Oid databaseId, Oid tablespaceId) */ /* Remove the tde files */ - pg_tde_delete_tde_files(databaseId, tablespaceId); + pg_tde_delete_tde_files(databaseId); } static void @@ -646,7 +643,6 @@ pg_tde_rotate_principal_key_internal(PG_FUNCTION_ARGS) bool ret; TDEPrincipalKey *current_key; Oid dbOid = MyDatabaseId; - Oid spcOid = MyDatabaseTableSpace; if (!PG_ARGISNULL(0)) new_principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0)); @@ -659,7 +655,6 @@ pg_tde_rotate_principal_key_internal(PG_FUNCTION_ARGS) if (is_global) { dbOid = GLOBAL_DATA_TDE_OID; - spcOid = GLOBALTABLESPACE_OID; } #endif @@ -669,7 +664,7 @@ pg_tde_rotate_principal_key_internal(PG_FUNCTION_ARGS) is_global ? "cluster" : "database"))); LWLockAcquire(tde_lwlock_enc_keys(), LW_EXCLUSIVE); - current_key = GetPrincipalKey(dbOid, spcOid, LW_EXCLUSIVE); + current_key = GetPrincipalKey(dbOid, LW_EXCLUSIVE); ret = RotatePrincipalKey(current_key, new_principal_key_name, new_provider_name, ensure_new_key); LWLockRelease(tde_lwlock_enc_keys()); @@ -681,20 +676,18 @@ Datum pg_tde_principal_key_info_internal(PG_FUNCTION_ARGS) { Oid dbOid = MyDatabaseId; - Oid spcOid = MyDatabaseTableSpace; bool is_global = PG_GETARG_BOOL(0); if (is_global) { dbOid = GLOBAL_DATA_TDE_OID; - spcOid = GLOBALTABLESPACE_OID; } - return pg_tde_get_key_info(fcinfo, dbOid, spcOid); + return pg_tde_get_key_info(fcinfo, dbOid); } static Datum -pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid) +pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid) { TupleDesc tupdesc; Datum values[6]; @@ -712,7 +705,7 @@ pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid) errmsg("function returning record called in context that cannot accept type record"))); LWLockAcquire(tde_lwlock_enc_keys(), LW_SHARED); - principal_key = GetPrincipalKey(dbOid, spcOid, LW_SHARED); + principal_key = GetPrincipalKey(dbOid, LW_SHARED); LWLockRelease(tde_lwlock_enc_keys()); if (principal_key == NULL) { @@ -722,7 +715,7 @@ pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid) PG_RETURN_NULL(); } - keyring = GetKeyProviderByID(principal_key->keyInfo.keyringId, dbOid, spcOid); + keyring = GetKeyProviderByID(principal_key->keyInfo.keyringId, dbOid); /* Initialize the values and null flags */ @@ -769,7 +762,7 @@ pg_tde_get_key_info(PG_FUNCTION_ARGS, Oid dbOid, Oid spcOid) * Caller should hold an exclusive tde_lwlock_enc_keys lock */ TDEPrincipalKey * -get_principal_key_from_keyring(Oid dbOid, Oid spcOid) +get_principal_key_from_keyring(Oid dbOid) { GenericKeyring *keyring; TDEPrincipalKey *principalKey = NULL; @@ -779,13 +772,13 @@ get_principal_key_from_keyring(Oid dbOid, Oid spcOid) Assert(LWLockHeldByMeInMode(tde_lwlock_enc_keys(), LW_EXCLUSIVE)); - principalKeyInfo = pg_tde_get_principal_key_info(dbOid, spcOid); + principalKeyInfo = pg_tde_get_principal_key_info(dbOid); if (principalKeyInfo == NULL) { return NULL; } - keyring = GetKeyProviderByID(principalKeyInfo->keyringId, dbOid, spcOid); + keyring = GetKeyProviderByID(principalKeyInfo->keyringId, dbOid); if (keyring == NULL) { return NULL; @@ -808,7 +801,7 @@ get_principal_key_from_keyring(Oid dbOid, Oid spcOid) #ifndef FRONTEND /* We don't store global space key in cache */ - if (spcOid != GLOBALTABLESPACE_OID) + if (!TDEisInGlobalSpace(dbOid)) { push_principal_key_to_cache(principalKey); @@ -842,14 +835,14 @@ get_principal_key_from_keyring(Oid dbOid, Oid spcOid) * cache. */ TDEPrincipalKey * -GetPrincipalKey(Oid dbOid, Oid spcOid, LWLockMode lockMode) +GetPrincipalKey(Oid dbOid, LWLockMode lockMode) { #ifndef FRONTEND TDEPrincipalKey *principalKey = NULL; Assert(LWLockHeldByMeInMode(tde_lwlock_enc_keys(), lockMode)); /* We don't store global space key in cache */ - if (spcOid != GLOBALTABLESPACE_OID) + if (!TDEisInGlobalSpace(dbOid)) { principalKey = get_principal_key_from_cache(dbOid); } @@ -866,5 +859,5 @@ GetPrincipalKey(Oid dbOid, Oid spcOid, LWLockMode lockMode) } #endif - return get_principal_key_from_keyring(dbOid, spcOid); + return get_principal_key_from_keyring(dbOid); } diff --git a/src/common/pg_tde_utils.c b/src/common/pg_tde_utils.c index ce99a972c62..d8fdbe1d3e9 100644 --- a/src/common/pg_tde_utils.c +++ b/src/common/pg_tde_utils.c @@ -11,7 +11,6 @@ #include "postgres.h" -#include "catalog/pg_tablespace_d.h" #include "utils/snapmgr.h" #include "commands/defrem.h" #include "common/pg_tde_utils.h" @@ -93,22 +92,3 @@ pg_tde_set_globalspace_dir(const char *dir) Assert(dir != NULL); strncpy(globalspace_dir, dir, sizeof(globalspace_dir)); } - -/* returns the palloc'd string */ -char * -pg_tde_get_tde_file_dir(Oid dbOid, Oid spcOid) -{ - /* - * `dbOid` is set to a value for the XLog keys caching but - * GetDatabasePath() expects it (`dbOid`) to be `0` if this is a global - * space. - */ - if (spcOid == GLOBALTABLESPACE_OID) - { - if (strlen(globalspace_dir) > 0) - return pstrdup(globalspace_dir); - - return pstrdup("global"); - } - return GetDatabasePath(dbOid, spcOid); -} diff --git a/src/encryption/enc_tde.c b/src/encryption/enc_tde.c index e3f96676e69..a24c7d16213 100644 --- a/src/encryption/enc_tde.c +++ b/src/encryption/enc_tde.c @@ -205,7 +205,6 @@ pg_tde_crypt_tuple(HeapTuple tuple, HeapTuple out_tuple, RelKeyData *key, const OffsetNumber PGTdePageAddItemExtended(RelFileLocator rel, - Oid oid, BlockNumber bn, Page page, Item item, @@ -241,15 +240,14 @@ PGTdePageAddItemExtended(RelFileLocator rel, * short lifespan until it is written to disk. */ void -AesEncryptKey(const TDEPrincipalKey *principal_key, const RelFileLocator *rlocator, RelKeyData *rel_key_data, RelKeyData **p_enc_rel_key_data, size_t *enc_key_bytes) +AesEncryptKey(const TDEPrincipalKey *principal_key, Oid dbOid, RelKeyData *rel_key_data, RelKeyData **p_enc_rel_key_data, size_t *enc_key_bytes) { unsigned char iv[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; /* Ensure we are getting a valid pointer here */ Assert(principal_key); - memcpy(iv, &rlocator->spcOid, sizeof(Oid)); - memcpy(iv + sizeof(Oid), &rlocator->dbOid, sizeof(Oid)); + memcpy(iv, &dbOid, sizeof(Oid)); *p_enc_rel_key_data = (RelKeyData *) palloc(sizeof(RelKeyData)); memcpy(*p_enc_rel_key_data, rel_key_data, sizeof(RelKeyData)); @@ -267,15 +265,14 @@ AesEncryptKey(const TDEPrincipalKey *principal_key, const RelFileLocator *rlocat * to our key cache. */ void -AesDecryptKey(const TDEPrincipalKey *principal_key, const RelFileLocator *rlocator, RelKeyData **p_rel_key_data, RelKeyData *enc_rel_key_data, size_t *key_bytes) +AesDecryptKey(const TDEPrincipalKey *principal_key, Oid dbOid, RelKeyData **p_rel_key_data, RelKeyData *enc_rel_key_data, size_t *key_bytes) { unsigned char iv[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; /* Ensure we are getting a valid pointer here */ Assert(principal_key); - memcpy(iv, &rlocator->spcOid, sizeof(Oid)); - memcpy(iv + sizeof(Oid), &rlocator->dbOid, sizeof(Oid)); + memcpy(iv, &dbOid, sizeof(Oid)); #ifndef FRONTEND MemoryContext oldcontext; diff --git a/src/include/access/pg_tde_tdemap.h b/src/include/access/pg_tde_tdemap.h index c3ae2e59447..9ab39578038 100644 --- a/src/include/access/pg_tde_tdemap.h +++ b/src/include/access/pg_tde_tdemap.h @@ -8,9 +8,9 @@ #ifndef PG_TDE_MAP_H #define PG_TDE_MAP_H +#include "pg_tde.h" #include "utils/rel.h" #include "access/xlog_internal.h" -#include "catalog/pg_tablespace_d.h" #include "catalog/tde_principal_key.h" #include "storage/relfilelocator.h" @@ -62,19 +62,29 @@ extern RelKeyData *GetSMGRRelationKey(RelFileLocator rel); extern RelKeyData *GetHeapBaiscRelationKey(RelFileLocator rel); extern RelKeyData *GetTdeGlobaleRelationKey(RelFileLocator rel); -extern void pg_tde_delete_tde_files(Oid dbOid, Oid spcOid); +extern void pg_tde_delete_tde_files(Oid dbOid); -extern TDEPrincipalKeyInfo *pg_tde_get_principal_key_info(Oid dbOid, Oid spcOid); +extern TDEPrincipalKeyInfo *pg_tde_get_principal_key_info(Oid dbOid); extern bool pg_tde_save_principal_key(TDEPrincipalKeyInfo *principal_key_info); extern bool pg_tde_perform_rotate_key(TDEPrincipalKey *principal_key, TDEPrincipalKey *new_principal_key); extern bool pg_tde_write_map_keydata_files(off_t map_size, char *m_file_data, off_t keydata_size, char *k_file_data); extern RelKeyData *tde_create_rel_key(RelFileNumber rel_num, InternalKey *key, TDEPrincipalKeyInfo *principal_key_info); -extern RelKeyData *tde_encrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *rel_key_data, const RelFileLocator *rlocator); -extern RelKeyData *tde_decrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *enc_rel_key_data, const RelFileLocator *rlocator); +extern RelKeyData *tde_encrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *rel_key_data, Oid dbOid); +extern RelKeyData *tde_decrypt_rel_key(TDEPrincipalKey *principal_key, RelKeyData *enc_rel_key_data, Oid dbOid); extern RelKeyData *pg_tde_get_key_from_file(const RelFileLocator *rlocator, uint32 key_type, bool no_map_ok); extern bool pg_tde_move_rel_key(const RelFileLocator *newrlocator, const RelFileLocator *oldrlocator); -extern void pg_tde_set_db_file_paths(Oid dbOid, Oid spcOid, char *map_path, char *keydata_path); +#define PG_TDE_MAP_FILENAME "pg_tde_%d_map" +#define PG_TDE_KEYDATA_FILENAME "pg_tde_%d_dat" + +static inline void +pg_tde_set_db_file_paths(Oid dbOid, char *map_path, char *keydata_path) +{ + if (map_path) + join_path_components(map_path, PG_TDE_DATA_DIR, psprintf(PG_TDE_MAP_FILENAME, dbOid)); + if (keydata_path) + join_path_components(keydata_path, PG_TDE_DATA_DIR, psprintf(PG_TDE_KEYDATA_FILENAME, dbOid)); +} const char *tde_sprint_key(InternalKey *k); diff --git a/src/include/catalog/tde_global_space.h b/src/include/catalog/tde_global_space.h index 784749609f1..0656ef4d2d7 100644 --- a/src/include/catalog/tde_global_space.h +++ b/src/include/catalog/tde_global_space.h @@ -12,6 +12,7 @@ #define TDE_GLOBAL_CATALOG_H #include "postgres.h" +#include "catalog/pg_tablespace_d.h" #include "access/pg_tde_tdemap.h" #include "catalog/tde_principal_key.h" @@ -21,17 +22,17 @@ * We take Oids of the sql operators, so there is no overlap with the "real" * catalog objects possible. */ -#define GLOBAL_DATA_TDE_OID InvalidOid +#define GLOBAL_DATA_TDE_OID 607 #define XLOG_TDE_OID 608 -#define GLOBAL_DATA_TDE_OID InvalidOid - #define GLOBAL_SPACE_RLOCATOR(_obj_oid) (RelFileLocator) { \ GLOBALTABLESPACE_OID, \ GLOBAL_DATA_TDE_OID, \ _obj_oid \ } +#define TDEisInGlobalSpace(dbOid) (dbOid == GLOBAL_DATA_TDE_OID) + extern void TDEInitGlobalKeys(const char *dir); #endif /* TDE_GLOBAL_CATALOG_H */ diff --git a/src/include/catalog/tde_keyring.h b/src/include/catalog/tde_keyring.h index 7a9337da41f..6249ba47cd8 100644 --- a/src/include/catalog/tde_keyring.h +++ b/src/include/catalog/tde_keyring.h @@ -68,23 +68,18 @@ typedef struct KeyringProvideRecord typedef struct KeyringProviderXLRecord { Oid database_id; - Oid tablespace_id; off_t offset_in_file; KeyringProvideRecord provider; } KeyringProviderXLRecord; -extern List *GetAllKeyringProviders(Oid dbOid, Oid spcOid); -extern GenericKeyring *GetKeyProviderByName(const char *provider_name, Oid dbOid, Oid spcOid); -extern GenericKeyring *GetKeyProviderByID(int provider_id, Oid dbOid, Oid spcOid); +extern List *GetAllKeyringProviders(Oid dbOid); +extern GenericKeyring *GetKeyProviderByName(const char *provider_name, Oid dbOid); +extern GenericKeyring *GetKeyProviderByID(int provider_id, Oid dbOid); extern ProviderType get_keyring_provider_from_typename(char *provider_type); -extern void cleanup_key_provider_info(Oid databaseId, Oid tablespaceId); +extern void cleanup_key_provider_info(Oid databaseId); extern void InitializeKeyProviderInfo(void); extern uint32 save_new_key_provider_info(KeyringProvideRecord *provider, - Oid databaseId, Oid tablespaceId, - bool write_xlog); -extern uint32 copy_key_provider_info(KeyringProvideRecord* provider, - Oid newdatabaseId, Oid newtablespaceId, - bool write_xlog); + Oid databaseId, bool write_xlog); extern uint32 redo_key_provider_info(KeyringProviderXLRecord *xlrec); extern bool ParseKeyringJSONOptions(ProviderType provider_type, void *out_opts, diff --git a/src/include/catalog/tde_principal_key.h b/src/include/catalog/tde_principal_key.h index 26dc1a118ae..5ba90646a4b 100644 --- a/src/include/catalog/tde_principal_key.h +++ b/src/include/catalog/tde_principal_key.h @@ -33,7 +33,6 @@ typedef struct TDEPrincipalKeyId typedef struct TDEPrincipalKeyInfo { Oid databaseId; - Oid tablespaceId; Oid userId; Oid keyringId; struct timeval creationTime; @@ -58,13 +57,13 @@ typedef struct XLogPrincipalKeyRotate #define SizeoOfXLogPrincipalKeyRotate offsetof(XLogPrincipalKeyRotate, buff) extern void InitializePrincipalKeyInfo(void); -extern void cleanup_principal_key_info(Oid databaseId, Oid tablespaceId); +extern void cleanup_principal_key_info(Oid databaseId); #ifndef FRONTEND extern LWLock *tde_lwlock_enc_keys(void); -extern TDEPrincipalKey *GetPrincipalKey(Oid dbOid, Oid spcOid, LWLockMode lockMode); +extern TDEPrincipalKey *GetPrincipalKey(Oid dbOid, LWLockMode lockMode); #else -extern TDEPrincipalKey *GetPrincipalKey(Oid dbOid, Oid spcOid, void *lockMode); +extern TDEPrincipalKey *GetPrincipalKey(Oid dbOid, void *lockMode); #endif extern bool save_principal_key_info(TDEPrincipalKeyInfo *principalKeyInfo); diff --git a/src/include/common/pg_tde_utils.h b/src/include/common/pg_tde_utils.h index b49c409e6e9..d94fd3da0b0 100644 --- a/src/include/common/pg_tde_utils.h +++ b/src/include/common/pg_tde_utils.h @@ -19,6 +19,5 @@ extern List *get_all_tde_tables(void); extern int get_tde_tables_count(void); #endif /* !FRONTEND */ -extern char *pg_tde_get_tde_file_dir(Oid dbOid, Oid spcOid); extern void pg_tde_set_globalspace_dir(const char *dir); #endif /* PG_TDE_UTILS_H */ diff --git a/src/include/encryption/enc_tde.h b/src/include/encryption/enc_tde.h index f7732ed6a36..552888b317d 100644 --- a/src/include/encryption/enc_tde.h +++ b/src/include/encryption/enc_tde.h @@ -24,7 +24,7 @@ extern void /* A wrapper to encrypt a tuple before adding it to the buffer */ extern OffsetNumber - PGTdePageAddItemExtended(RelFileLocator rel, Oid oid, BlockNumber bn, Page page, + PGTdePageAddItemExtended(RelFileLocator rel, BlockNumber bn, Page page, Item item, Size size, OffsetNumber offsetNumber, @@ -52,7 +52,7 @@ extern OffsetNumber pg_tde_crypt(_iv_prefix, _start_offset, _data, _data_len, _out, _key, "ENCRYPT-PAGE-ITEM"); \ } while(0) -extern void AesEncryptKey(const TDEPrincipalKey *principal_key, const RelFileLocator *rlocator, RelKeyData *rel_key_data, RelKeyData **p_enc_rel_key_data, size_t *enc_key_bytes); -extern void AesDecryptKey(const TDEPrincipalKey *principal_key, const RelFileLocator *rlocator, RelKeyData **p_rel_key_data, RelKeyData *enc_rel_key_data, size_t *key_bytes); +extern void AesEncryptKey(const TDEPrincipalKey *principal_key, Oid dbOid, RelKeyData *rel_key_data, RelKeyData **p_enc_rel_key_data, size_t *enc_key_bytes); +extern void AesDecryptKey(const TDEPrincipalKey *principal_key, Oid dbOid, RelKeyData **p_rel_key_data, RelKeyData *enc_rel_key_data, size_t *key_bytes); #endif /* ENC_TDE_H */ diff --git a/src/include/pg_tde.h b/src/include/pg_tde.h index c9c387273ed..c8046373e01 100644 --- a/src/include/pg_tde.h +++ b/src/include/pg_tde.h @@ -8,10 +8,11 @@ #ifndef PG_TDE_H #define PG_TDE_H +#define PG_TDE_DATA_DIR "pg_tde" + typedef struct XLogExtensionInstall { Oid database_id; - Oid tablespace_id; } XLogExtensionInstall; typedef void (*pg_tde_on_ext_install_callback) (int tde_tbl_count, XLogExtensionInstall *ext_info, bool redo, void *arg); @@ -19,4 +20,6 @@ typedef void (*pg_tde_on_ext_install_callback) (int tde_tbl_count, XLogExtension extern void on_ext_install(pg_tde_on_ext_install_callback function, void *arg); extern void extension_install_redo(XLogExtensionInstall *xlrec); + +extern void pg_tde_init_data_dir(void); #endif /* PG_TDE_H */ diff --git a/src/include/pg_tde_defines.h b/src/include/pg_tde_defines.h index 529b24497b1..9aeee11a7c6 100644 --- a/src/include/pg_tde_defines.h +++ b/src/include/pg_tde_defines.h @@ -40,8 +40,8 @@ #define pgstat_count_tdeheap_delete pgstat_count_heap_delete #define pgstat_count_tdeheap_insert pgstat_count_heap_insert -#define TDE_PageAddItem(rel, oid, blkno, page, item, size, offsetNumber, overwrite, is_heap) \ - PGTdePageAddItemExtended(rel, oid, blkno, page, item, size, offsetNumber, \ +#define TDE_PageAddItem(rel, blkno, page, item, size, offsetNumber, overwrite, is_heap) \ + PGTdePageAddItemExtended(rel, blkno, page, item, size, offsetNumber, \ ((overwrite) ? PAI_OVERWRITE : 0) | \ ((is_heap) ? PAI_IS_HEAP : 0)) diff --git a/src/pg_tde.c b/src/pg_tde.c index 2e21c1c6ad5..1acf89fc86c 100644 --- a/src/pg_tde.c +++ b/src/pg_tde.c @@ -39,6 +39,8 @@ #include "utils/percona.h" #endif +#include + #define MAX_ON_INSTALLS 5 PG_MODULE_MAGIC; @@ -130,11 +132,12 @@ _PG_init(void) Datum pg_tde_extension_initialize(PG_FUNCTION_ARGS) { + pg_tde_init_data_dir(); + /* Initialize the TDE map */ XLogExtensionInstall xlrec; xlrec.database_id = MyDatabaseId; - xlrec.tablespace_id = MyDatabaseTableSpace; run_extension_install_callbacks(&xlrec, false); /* @@ -174,6 +177,22 @@ on_ext_install(pg_tde_on_ext_install_callback function, void *arg) ++on_ext_install_index; } +/* Creates a tde directory for internal files if not exists */ +void +pg_tde_init_data_dir(void) +{ + struct stat st; + + if (stat(PG_TDE_DATA_DIR, &st) < 0) + { + if (MakePGDirectory(PG_TDE_DATA_DIR) < 0) + ereport(ERROR, + (errcode_for_file_access(), + errmsg("could not create tde directory \"%s\": %m", + PG_TDE_DATA_DIR))); + } +} + /* ------------------ * Run all of the on_ext_install routines and execute those one by one * ------------------ diff --git a/src/pg_tde_event_capture.c b/src/pg_tde_event_capture.c index a2bb8b99112..8d7794aee6e 100644 --- a/src/pg_tde_event_capture.c +++ b/src/pg_tde_event_capture.c @@ -21,7 +21,6 @@ #include "commands/event_trigger.h" #include "common/pg_tde_utils.h" #include "pg_tde_event_capture.h" -#include "commands/tablespace.h" #include "catalog/tde_principal_key.h" #include "miscadmin.h" #include "access/tableam.h" @@ -102,7 +101,6 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS) { CreateStmt *stmt = (CreateStmt *) parsetree; TDEPrincipalKey *principal_key; - Oid tablespace_oid; tdeCurrentCreateEvent.eventType = TDE_TABLE_CREATE_EVENT; tdeCurrentCreateEvent.relation = stmt->relation; @@ -118,10 +116,8 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS) if (tdeCurrentCreateEvent.encryptMode) { - tablespace_oid = stmt->tablespacename != NULL ? get_tablespace_oid(stmt->tablespacename, false) - : MyDatabaseTableSpace; LWLockAcquire(tde_lwlock_enc_keys(), LW_SHARED); - principal_key = GetPrincipalKey(MyDatabaseId, tablespace_oid, LW_SHARED); + principal_key = GetPrincipalKey(MyDatabaseId, LW_SHARED); LWLockRelease(tde_lwlock_enc_keys()); if (principal_key == NULL) { @@ -152,21 +148,15 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS) } } - /* - * TODO: also check for tablespace change, if current or new AM is - * tde_heap! - */ - if (tdeCurrentCreateEvent.encryptMode) { TDEPrincipalKey * principal_key; Oid relationId = RangeVarGetRelid(stmt->relation, NoLock, true); Relation rel = table_open(relationId, lockmode); - Oid tablespace_oid = rel->rd_locator.spcOid; table_close(rel, lockmode); LWLockAcquire(tde_lwlock_enc_keys(), LW_SHARED); - principal_key = GetPrincipalKey(MyDatabaseId, tablespace_oid, LW_SHARED); + principal_key = GetPrincipalKey(MyDatabaseId, LW_SHARED); LWLockRelease(tde_lwlock_enc_keys()); if (principal_key == NULL) { diff --git a/src/smgr/pg_tde_smgr.c b/src/smgr/pg_tde_smgr.c index 1ace3c5dfeb..34535d2a0ff 100644 --- a/src/smgr/pg_tde_smgr.c +++ b/src/smgr/pg_tde_smgr.c @@ -51,7 +51,7 @@ tde_smgr_get_key(SMgrRelation reln, RelFileLocator* old_locator, bool can_create } LWLockAcquire(tde_lwlock_enc_keys(), LW_SHARED); - pk = GetPrincipalKey(reln->smgr_rlocator.locator.dbOid, reln->smgr_rlocator.locator.spcOid, LW_SHARED); + pk = GetPrincipalKey(reln->smgr_rlocator.locator.dbOid, LW_SHARED); LWLockRelease(tde_lwlock_enc_keys()); if (pk == NULL) { diff --git a/src16/access/pg_tde_io.c b/src16/access/pg_tde_io.c index 2ad4d366eb6..0c107a331cd 100644 --- a/src16/access/pg_tde_io.c +++ b/src16/access/pg_tde_io.c @@ -65,7 +65,7 @@ tdeheap_RelationPutHeapTuple(Relation relation, pageHeader = BufferGetPage(buffer); if (encrypt) - offnum = TDE_PageAddItem(relation->rd_locator, tuple->t_tableOid, BufferGetBlockNumber(buffer), pageHeader, (Item) tuple->t_data, + offnum = TDE_PageAddItem(relation->rd_locator, BufferGetBlockNumber(buffer), pageHeader, (Item) tuple->t_data, tuple->t_len, InvalidOffsetNumber, false, true); else offnum = PageAddItem(pageHeader, (Item) tuple->t_data, diff --git a/src16/access/pg_tde_rewrite.c b/src16/access/pg_tde_rewrite.c index 964082a0f3d..3577141ee00 100644 --- a/src16/access/pg_tde_rewrite.c +++ b/src16/access/pg_tde_rewrite.c @@ -711,7 +711,7 @@ raw_tdeheap_insert(RewriteState state, HeapTuple tup) } /* And now we can insert the tuple into the page */ - newoff = TDE_PageAddItem(state->rs_new_rel->rd_locator, heaptup->t_tableOid, state->rs_blockno, page, (Item) heaptup->t_data, heaptup->t_len, + newoff = TDE_PageAddItem(state->rs_new_rel->rd_locator, state->rs_blockno, page, (Item) heaptup->t_data, heaptup->t_len, InvalidOffsetNumber, false, true); if (newoff == InvalidOffsetNumber) elog(ERROR, "failed to add tuple"); diff --git a/src16/access/pg_tdeam.c b/src16/access/pg_tdeam.c index 840aa6f076e..2568b3849ac 100644 --- a/src16/access/pg_tdeam.c +++ b/src16/access/pg_tdeam.c @@ -9382,7 +9382,7 @@ tdeheap_xlog_insert(XLogReaderState *record) HeapTupleHeaderSetCmin(htup, FirstCommandId); htup->t_ctid = target_tid; - if (TDE_PageAddItem(target_locator, target_locator.spcOid, blkno, page, (Item) htup, newlen, xlrec->offnum, + if (TDE_PageAddItem(target_locator, blkno, page, (Item) htup, newlen, xlrec->offnum, true, true) == InvalidOffsetNumber) elog(PANIC, "failed to add tuple"); @@ -9526,7 +9526,7 @@ tdeheap_xlog_multi_insert(XLogReaderState *record) ItemPointerSetBlockNumber(&htup->t_ctid, blkno); ItemPointerSetOffsetNumber(&htup->t_ctid, offnum); - offnum = TDE_PageAddItem(rlocator, rlocator.spcOid, blkno, page, (Item) htup, newlen, offnum, true, true); + offnum = TDE_PageAddItem(rlocator, blkno, page, (Item) htup, newlen, offnum, true, true); if (offnum == InvalidOffsetNumber) elog(PANIC, "failed to add tuple"); } @@ -9800,7 +9800,7 @@ tdeheap_xlog_update(XLogReaderState *record, bool hot_update) /* Make sure there is no forward chain link in t_ctid */ htup->t_ctid = newtid; - offnum = TDE_PageAddItem(rlocator, rlocator.spcOid, newblk, page, (Item) htup, newlen, offnum, true, true); + offnum = TDE_PageAddItem(rlocator, newblk, page, (Item) htup, newlen, offnum, true, true); if (offnum == InvalidOffsetNumber) elog(PANIC, "failed to add tuple"); diff --git a/src17/access/pg_tde_io.c b/src17/access/pg_tde_io.c index 5f0ec9314f3..4136b04b56a 100644 --- a/src17/access/pg_tde_io.c +++ b/src17/access/pg_tde_io.c @@ -64,7 +64,7 @@ tdeheap_RelationPutHeapTuple(Relation relation, pageHeader = BufferGetPage(buffer); if (encrypt) - offnum = TDE_PageAddItem(relation->rd_locator, tuple->t_tableOid, BufferGetBlockNumber(buffer), pageHeader, (Item) tuple->t_data, + offnum = TDE_PageAddItem(relation->rd_locator, BufferGetBlockNumber(buffer), pageHeader, (Item) tuple->t_data, tuple->t_len, InvalidOffsetNumber, false, true); else offnum = PageAddItem(pageHeader, (Item) tuple->t_data, diff --git a/src17/access/pg_tde_rewrite.c b/src17/access/pg_tde_rewrite.c index 72919c7eda0..9332b42923a 100644 --- a/src17/access/pg_tde_rewrite.c +++ b/src17/access/pg_tde_rewrite.c @@ -677,7 +677,7 @@ raw_tdeheap_insert(RewriteState state, HeapTuple tup) } /* And now we can insert the tuple into the page */ - newoff = TDE_PageAddItem(state->rs_new_rel->rd_locator, heaptup->t_tableOid, state->rs_blockno, page, (Item) heaptup->t_data, heaptup->t_len, + newoff = TDE_PageAddItem(state->rs_new_rel->rd_locator, state->rs_blockno, page, (Item) heaptup->t_data, heaptup->t_len, InvalidOffsetNumber, false, true); if (newoff == InvalidOffsetNumber) elog(ERROR, "failed to add tuple"); diff --git a/src17/access/pg_tdeam.c b/src17/access/pg_tdeam.c index 5f6cccfd64c..597b2335b02 100644 --- a/src17/access/pg_tdeam.c +++ b/src17/access/pg_tdeam.c @@ -9282,7 +9282,7 @@ tdeheap_xlog_insert(XLogReaderState *record) HeapTupleHeaderSetCmin(htup, FirstCommandId); htup->t_ctid = target_tid; - if (TDE_PageAddItem(target_locator, target_locator.spcOid, blkno, page, (Item) htup, newlen, xlrec->offnum, + if (TDE_PageAddItem(target_locator, blkno, page, (Item) htup, newlen, xlrec->offnum, true, true) == InvalidOffsetNumber) elog(PANIC, "failed to add tuple"); @@ -9426,7 +9426,7 @@ tdeheap_xlog_multi_insert(XLogReaderState *record) ItemPointerSetBlockNumber(&htup->t_ctid, blkno); ItemPointerSetOffsetNumber(&htup->t_ctid, offnum); - offnum = TDE_PageAddItem(rlocator, rlocator.spcOid, blkno, page, (Item) htup, newlen, offnum, true, true); + offnum = TDE_PageAddItem(rlocator, blkno, page, (Item) htup, newlen, offnum, true, true); if (offnum == InvalidOffsetNumber) elog(PANIC, "failed to add tuple"); } @@ -9700,7 +9700,7 @@ tdeheap_xlog_update(XLogReaderState *record, bool hot_update) /* Make sure there is no forward chain link in t_ctid */ htup->t_ctid = newtid; - offnum = TDE_PageAddItem(rlocator, rlocator.spcOid, newblk, page, (Item) htup, newlen, offnum, true, true); + offnum = TDE_PageAddItem(rlocator, newblk, page, (Item) htup, newlen, offnum, true, true); if (offnum == InvalidOffsetNumber) elog(PANIC, "failed to add tuple");