Modified the structure and overall presentation for the users to make it more accessible and future-proof as we improve pg_tde moving forward.
Split big chapters into smaller chunks to improve SEO, renamed a couple of files for better visibility online and cleaned a bit of text.
Integrated changes from:
- https://github.com/percona/postgres/pull/314
- https://github.com/percona/postgres/pull/306
- Commit f636e82
These functions never really did anything since they added no extra
permissions since you would need to be allowed to grant and revoke
access anyway to call them since they did not use SECURITY DEFINER.
When creating a key provider you can point its configuration towards any
path or network address that PostgreSQL can reach which can be used to
attack the environment of PostgreSQL in a way normally only restricted to
superusers (compare trusted vs untrusted languages). So make the
administration of key providers also follow this convention.
This limits the powers of our multitenancy but since we are not sure yet
about how users want to use our multitenancy it is better to start off
restrictive and build a complex solution later.
Since as soon as we have installed pg_tde the database owner can call
any function created by the extension so any database owner can meddle
with any global key provider. The only way to prevent the database owner
from doing whatever they want is to add permissions checks to the C code and here
we keep that check simple by limiting modifying the global key provider
to only the super user.
Additionally we also protect the function for setting the WAL key, for
setting the default key and to be paranoid also the function for using a
global key provider to set the database key. The third is not obvious if
it is necessary or not but I chose to be paranoid and relax that
restriction later once we have deemed it to be secure.
Changed the get started to global provider setting
Moved multi-tenant setup to a How to doc
Moved WAL encryption to a separate doc and Get started step
Updated functions description
modified: documentation/docs/apt.md
modified: documentation/docs/functions.md
modified: documentation/docs/install.md
new file: documentation/docs/multi-tenant-setup.md
modified: documentation/docs/setup.md
modified: documentation/docs/switch.md
new file: documentation/docs/wal-encryption.md
modified: documentation/docs/yum.md
modified: documentation/mkdocs.yml
new file: documentation/snippets/kms-considerations.md
To support checking other relation types than tables we removed the
check for the tde_heap access method and just do the following:
relam == 'tde_heap_basic' || GetSMGRRelationKey() != NULL
And to simplify the logic we merge pg_tde_is_encrypted() and
pg_tde_internal_has_key(), which will be an even bigger win once
the tde_heap_basic access method is removed since then we would
only need to check if there is a SMGR key.
- Rename database key rotation functions to make room for the global space ones.
- Now, during the first start, we would create a default temporary key provider for the global space. A user can (and should) create their own key provider afterwards. This allows using the same codepath and internal interfaces for the keyring management across databases and the global space.
- Now need to cache the principal key for the global space as we use it only at the server start to decrypt internal key. Then internal key persists in the memory cache.
Fixes https://perconadev.atlassian.net/browse/PG-835, https://perconadev.atlassian.net/browse/PG-833
* Updating documentation with configuration changes
* Minor updates to improve readability
* Added link to test.md for setup doc
* Added documentation about key rotation and remote parameters
---------
Co-authored-by: Anastasia Alexadrova <anastasia.alexandrova@percona.com>