Added initial files and modifications to include 1.0 release notes to
the TOC and variables. Updates:
* updated the ToC names to make them in line with style guide
* updated variable with new release branch and fixed small release note
name
* updated ## Release Highlights with topics:
* Added tickets
* Updated Upgrade considerations
Updated the Architecture topic with the following:
- New intro detailing the long term tde goals in a paragraph
- Updated the ## Typical setup scenarios topic with better writing and
improved flow
- Added note to WAL Encryption that it is not to be used in prod env
- General small fixes to paragraphs, wrongly written words and such
Updated the introduction with the proper extension name, updated the
intro to reflect this. Removed important note about not meant for
production and added the No upgrade warning from previous versions (like
RC2) to GA. Updates:
* removed the block announcement for RC2 at the top of the HTML page in
the intro
* Added the warning note before installation begins too.
* Updated site name to full name.
In set-principal-key.md:
* updated with correct code example using set_server_key_using_global
parameter
* updated note to reflect correct config
In features.md:
* Removed temporary tables feature to clear confusion, removed logical
replication mention, removed WAL encryption as a feature.
In functions.md:
* Added ON FUNCTION for grant/revoke execution
* Modified sensitive info bolded paragraph to important note
* Small modifications to notes display, title cases and text fixes
* added note to Add or modify Vault providers for keeping the same
principal key.
* Added warning for WAL in pg_tde_create_key_using_global_key_provider
In general:
* Removed all logical replication mentions except the FAQ and in RC2
release note.
- updated FAQ with WAL encryption notes about its beta status
- updated links to How does pg_tde make my data safe? FAQ for KMS chapters
we added
- updated pg_waldump with a note about wal encryption beta status
- Removed post quantum question from FAQ
* uninstall.md added warning note and added a new step to
ensure user knows he needs to decrypt or drop encrypted tables
* rewrote table access ALTER SYSTEM command
* for limitations.md, removed rewind mention and added WAL note as
text, made small changes to RC version. Added note for KMS, improved
system tables text.
Multi-tenant-setup.md:
* updated SELECT parameters
* Added that KMIP server setup is out of scope.
* Added a link to KMS configuration chapter in the intro to Key provider
config
setup.md:
Modified file to be postgresql.conf file
Modified last note to be clearer.
test.md:
Updated function return for step 2 checking encrypted data
variables.md:
Added warning note for Enabling WAL encryption.
yum.md:
Updated Memory Lock description.
Added a new topic:
- How can I store an old key securely? Use Vault as an example here.
- ~~Explain how you can use this “old” principal key to unencrypt your
backups.~~
Removed files like FAQ and others that do not belong to this PR.
The function this message referenced does not exist, and even if it did
it wouldn't create keys.
Also, error hint messages are supposed to be full sentences with a capital
letter and a period.
Having this enum named as a plural made little sense as any value of
this type is just a single code and not multiple.
The postgres code does not have pluralized enum names, so we shouldn't
either.
Created new replication topic which outlines how to set up PostgreSQL streaming replication when the `pg_tde` extension, specifically the `tde_heap` access method, is enabled on the primary server.
The Ubuntu 24.04 image has Python 3.12 by default. The PyKMIP server and
CodeChecker tool don't support this version, so we have to downgrade the
Python version to 3.11.
Since partitioned tables do not have any storage and only control the
default access method of their children, we should not try to change the
encryption status of anything when changing the AM of a partitioned
table.
Since we only looked at the parent table and not at the whole tree when
setting the status of the encrypted indexes, we could easily accidentally
create a plain text index on an encrypted table.
This patch also makes sure to disallow adding indexes to an inheritance
tree where the tables are a mix of encrypted and unencrypted tables.
We removed the ability for the various set_key functions to actually
create new keys and instead have a separate function for that as the API
around "ensure_new_key" was confusing at best.
We no longer run these tests when pg_tde is turned on globally.
There is no reason for us to CREATE IF NOT EXISTS in tests as we should
_know_ what state the database is in when running them.
Add new functions pg_tde_create_key_using_database/global_key_provider()
to create keys instead of key creation being a side effect of setting
the key.
Also remove support for "create if not exists" semantics as any user
should know what keys their key provider contains.
To ensure the tests are always run from the same state we remove any key
provider files so that pg_tde_add_database/global_key_provider_file()
always creates a new file.
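The sequence the two commits above describe, written out as an added example (not code from the pg_tde repository or its commits): a key provider is registered, the principal key is created as its own explicit step, and only then is the key set. Function names are the ones the commits name; the argument order (key name, then provider name), the `pg_tde_server_key_info()` call, the role `key_admin` and the file path are assumptions for illustration.

```sql
-- Added example, not pg_tde's own code. Signatures are assumed from the
-- function names in the commits above: (key_name, provider_name).

-- 1. Register a global key provider. This only records where keys are
--    stored; it creates no key. The path is a placeholder.
--    (The commit above removes this file before each test run so the call
--    always starts from an empty keyring; in production the file persists.)
SELECT pg_tde_add_global_key_provider_file('file-vault',
                                           '/path/to/keyring.per');  -- placeholder path

-- 2. Create the principal key explicitly. Key creation is no longer a
--    side effect of setting a key, and there is no "create if not exists"
--    fallback: creating a name that already exists in the provider is an
--    error, so a typo cannot silently reuse or overwrite a key.
SELECT pg_tde_create_key_using_global_key_provider('server-key-v1', 'file-vault');

-- 3. Point the server at that key. Naming a key the provider does not
--    hold is an error rather than an implicit creation, which is what
--    makes step 2 the only place new key material appears.
SELECT pg_tde_set_server_key_using_global_key_provider('server-key-v1', 'file-vault');

-- Because creating and setting are separate functions, they can be
-- granted separately (the ON FUNCTION form the docs commit added).
-- key_admin is an assumed role; without an argument list GRANT resolves
-- the function by name, which works because it is not overloaded.
CREATE ROLE key_admin;
GRANT EXECUTE ON FUNCTION pg_tde_create_key_using_global_key_provider TO key_admin;
REVOKE EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider FROM PUBLIC;

-- Check which key is active on the server (assumed info function).
SELECT * FROM pg_tde_server_key_info();
```

Run as a superuser in `psql` against an instance with `pg_tde` loaded. The useful property to notice is that steps 2 and 3 now fail loudly on the two mistakes the old `ensure_new_key` behaviour could mask: creating a key whose name is already in use, and setting a key that was never created.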
updated this topic with:
- added warning to not use it in PROD as it is in beta
- Updated the SELECT parameters to be easier to read
- Removed topic header as it is not necessary and updated the paragraph
introducing the steps
The modified files allow the creation of the pdf for pg_tde
modified: contrib/pg_tde/documentation/_resource/overrides/partials/banner.html
new file: contrib/pg_tde/documentation/_resourcepdf/overrides/404.html
new file: contrib/pg_tde/documentation/_resourcepdf/overrides/main.html
new file: contrib/pg_tde/documentation/_resourcepdf/overrides/partials/banner.html
new file: contrib/pg_tde/documentation/_resourcepdf/overrides/partials/copyright.html
new file: contrib/pg_tde/documentation/_resourcepdf/overrides/partials/header.html
new file: contrib/pg_tde/documentation/docs/templates/pdf_cover_page.tpl
deleted: contrib/pg_tde/documentation/mkdocs-pdf.yml
modified: contrib/pg_tde/documentation/mkdocs.yml
modified: contrib/pg_tde/documentation/requirements.txt
Co-authored-by: Dragos Andriciuc <dragos.andriciuc@percona.com>
In the output from the key info functions the key_ prefix for the
provider name and id columns doesn't add any value so let's harmonize
them with how we name arguments to the key creation functions.
There was no reason for name and type to be prefixed in the add/change
key provider functions while options was not.
The output from the list_providers functions had them for name and type,
but not id nor options. So remove the prefixes there as well.
In other functions the prefixes serve to show which parameters are about
the provider and which are about something else.
We're long past the years where someone is gonna read a print-out of
these files and thus need a reminder of what the file name is. And even
if someone wanted to do that, it's easy to have your printer program
automatically add the file name to the header or footer of each page
nowadays.