diff --git a/docs/en/operations/configuration-files.md b/docs/en/operations/configuration-files.md
index d1d9fa542ab1..a19c55673ed3 100644
--- a/docs/en/operations/configuration-files.md
+++ b/docs/en/operations/configuration-files.md
@@ -67,7 +67,7 @@ Substitutions can also be performed from ZooKeeper. To do this, specify the attr
## Encrypting Configuration {#encryption}
-You can use symmetric encryption to encrypt a configuration element, for example, a password field. To do so, first configure the [encryption codec](../sql-reference/statements/create/table.md#encryption-codecs), then add attribute `encryption_codec` with the name of the encryption codec as value to the element to encrypt.
+You can use symmetric encryption to encrypt a configuration element, for example, a password field. To do so, first configure the [encryption codec](../sql-reference/statements/create/table.md#encryption-codecs), then add attribute `encrypted_by` with the name of the encryption codec as value to the element to encrypt.
Unlike attributes `from_zk`, `from_env` and `incl` (or element `include`), no substitution, i.e. decryption of the encrypted value, is performed in the preprocessed file. Decryption happens only at runtime in the server process.
@@ -75,19 +75,22 @@ Example:
```xml
+
00112233445566778899aabbccddeeff
+
admin
- 961F000000040000000000EEDDEF4F453CFE6457C4234BD7C09258BD651D85
+ 961F000000040000000000EEDDEF4F453CFE6457C4234BD7C09258BD651D85
+
```
-To get the encrypted value `encrypt_decrypt` example application may be used.
+To encrypt a value, you can use the (example) program `encrypt_decrypt`:
Example:
@@ -138,12 +141,17 @@ Here you can see default config written in YAML: [config.yaml.example](https://g
There are some differences between YAML and XML formats in terms of ClickHouse configurations. Here are some tips for writing a configuration in YAML format.
-You should use a Scalar node to write a key-value pair:
+An XML tag with a text value is represented by a YAML key-value pair
``` yaml
key: value
```
-To create a node, containing other nodes you should use a Map:
+Corresponding XML:
+``` xml
+value
+```
+
+A nested XML node is represented by a YAML map:
``` yaml
map_key:
key1: val1
@@ -151,7 +159,16 @@ map_key:
key3: val3
```
-To create a list of values or nodes assigned to one tag you should use a Sequence:
+Corresponding XML:
+``` xml
+
+ val1
+ val2
+ val3
+
+```
+
+To create the same XML tag multiple times, use a YAML sequence:
``` yaml
seq_key:
- val1
@@ -162,8 +179,22 @@ seq_key:
key3: val5
```
-If you want to write an attribute for a Sequence or Map node, you should use a @ prefix before the attribute key. Note, that @ is reserved by YAML standard, so you should also to wrap it into double quotes:
+Corresponding XML:
+```xml
+val1
+val2
+
+ val3
+
+
+
+
+```
+To provide an XML attribute, you can use an attribute key with a `@` prefix. Note that `@` is reserved by YAML standard, so must be wrapped in double quotes:
``` yaml
map:
"@attr1": value1
@@ -171,16 +202,14 @@ map:
key: 123
```
-From that Map we will get these XML nodes:
-
+Corresponding XML:
``` xml
```
-You can also set attributes for Sequence:
-
+It is also possible to use attributes in YAML sequence:
``` yaml
seq:
- "@attr1": value1
@@ -189,13 +218,25 @@ seq:
- abc
```
-So, we can get YAML config equal to this XML one:
-
+Corresponding XML:
``` xml
123
abc
```
+The aforementioned syntax does not allow to express XML text nodes with XML attributes as YAML. This special case can be achieved using an
+`#text` attribute key:
+```yaml
+map_key:
+ "@attr1": value1
+ "#text": value2
+```
+
+Corresponding XML:
+```xml
+value2
+```
+
## Implementation Details {#implementation-details}
For each config file, the server also generates `file-preprocessed.xml` files when starting. These files contain all the completed substitutions and overrides, and they are intended for informational use. If ZooKeeper substitutions were used in the config files but ZooKeeper is not available on the server start, the server loads the configuration from the preprocessed file.
diff --git a/docs/ru/operations/configuration-files.md b/docs/ru/operations/configuration-files.md
index 01a91bd41c64..085761d80c71 100644
--- a/docs/ru/operations/configuration-files.md
+++ b/docs/ru/operations/configuration-files.md
@@ -87,7 +87,7 @@ $ cat /etc/clickhouse-server/users.d/alice.xml
## Шифрование {#encryption}
-Вы можете использовать симметричное шифрование для зашифровки элемента конфигурации, например, поля password. Чтобы это сделать, сначала настройте [кодек шифрования](../sql-reference/statements/create/table.md#encryption-codecs), затем добавьте аттибут`encryption_codec` с именем кодека шифрования как значение к элементу, который надо зашифровать.
+Вы можете использовать симметричное шифрование для зашифровки элемента конфигурации, например, поля password. Чтобы это сделать, сначала настройте [кодек шифрования](../sql-reference/statements/create/table.md#encryption-codecs), затем добавьте аттибут`encrypted_by` с именем кодека шифрования как значение к элементу, который надо зашифровать.
В отличии от аттрибутов `from_zk`, `from_env` и `incl` (или элемента `include`), подстановка, т.е. расшифровка зашифрованного значения, не выподняется в файле предобработки. Расшифровка происходит только во время исполнения в серверном процессе.
@@ -95,15 +95,18 @@ $ cat /etc/clickhouse-server/users.d/alice.xml
```xml
+
00112233445566778899aabbccddeeff
+
admin
- 961F000000040000000000EEDDEF4F453CFE6457C4234BD7C09258BD651D85
+ 961F000000040000000000EEDDEF4F453CFE6457C4234BD7C09258BD651D85
+
```
diff --git a/src/Common/Config/ConfigProcessor.cpp b/src/Common/Config/ConfigProcessor.cpp
index db3c6909b214..a55183782d83 100644
--- a/src/Common/Config/ConfigProcessor.cpp
+++ b/src/Common/Config/ConfigProcessor.cpp
@@ -192,13 +192,13 @@ static void mergeAttributes(Element & config_element, Element & with_element)
std::string ConfigProcessor::encryptValue(const std::string & codec_name, const std::string & value)
{
- EncryptionMethod method = getEncryptionMethod(codec_name);
- CompressionCodecEncrypted codec(method);
+ EncryptionMethod encryption_method = toEncryptionMethod(codec_name);
+ CompressionCodecEncrypted codec(encryption_method);
Memory<> memory;
memory.resize(codec.getCompressedReserveSize(static_cast(value.size())));
auto bytes_written = codec.compress(value.data(), static_cast(value.size()), memory.data());
- auto encrypted_value = std::string(memory.data(), bytes_written);
+ std::string encrypted_value(memory.data(), bytes_written);
std::string hex_value;
boost::algorithm::hex(encrypted_value.begin(), encrypted_value.end(), std::back_inserter(hex_value));
return hex_value;
@@ -206,8 +206,8 @@ std::string ConfigProcessor::encryptValue(const std::string & codec_name, const
std::string ConfigProcessor::decryptValue(const std::string & codec_name, const std::string & value)
{
- EncryptionMethod method = getEncryptionMethod(codec_name);
- CompressionCodecEncrypted codec(method);
+ EncryptionMethod encryption_method = toEncryptionMethod(codec_name);
+ CompressionCodecEncrypted codec(encryption_method);
Memory<> memory;
std::string encrypted_value;
@@ -223,7 +223,7 @@ std::string ConfigProcessor::decryptValue(const std::string & codec_name, const
memory.resize(codec.readDecompressedBlockSize(encrypted_value.data()));
codec.decompress(encrypted_value.data(), static_cast(encrypted_value.size()), memory.data());
- std::string decrypted_value = std::string(memory.data(), memory.size());
+ std::string decrypted_value(memory.data(), memory.size());
return decrypted_value;
}
@@ -234,7 +234,7 @@ void ConfigProcessor::decryptRecursive(Poco::XML::Node * config_root)
if (node->nodeType() == Node::ELEMENT_NODE)
{
Element & element = dynamic_cast(*node);
- if (element.hasAttribute("encryption_codec"))
+ if (element.hasAttribute("encrypted_by"))
{
const NodeListPtr children = element.childNodes();
if (children->length() != 1)
@@ -244,8 +244,8 @@ void ConfigProcessor::decryptRecursive(Poco::XML::Node * config_root)
if (text_node->nodeType() != Node::TEXT_NODE)
throw Exception(ErrorCodes::BAD_ARGUMENTS, "Encrypted node {} should have text node", node->nodeName());
- auto encryption_codec = element.getAttribute("encryption_codec");
- text_node->setNodeValue(decryptValue(encryption_codec, text_node->getNodeValue()));
+ auto encrypted_by = element.getAttribute("encrypted_by");
+ text_node->setNodeValue(decryptValue(encrypted_by, text_node->getNodeValue()));
}
decryptRecursive(node);
}
@@ -775,7 +775,7 @@ ConfigProcessor::LoadedConfig ConfigProcessor::loadConfigWithZooKeeperIncludes(
void ConfigProcessor::decryptEncryptedElements(LoadedConfig & loaded_config)
{
- CompressionCodecEncrypted::Configuration::instance().tryLoad(*loaded_config.configuration, "encryption_codecs");
+ CompressionCodecEncrypted::Configuration::instance().load(*loaded_config.configuration, "encryption_codecs");
Node * config_root = getRootNode(loaded_config.preprocessed_xml.get());
decryptRecursive(config_root);
loaded_config.configuration = new Poco::Util::XMLConfiguration(loaded_config.preprocessed_xml);
diff --git a/src/Common/examples/encrypt_decrypt.cpp b/src/Common/examples/encrypt_decrypt.cpp
index 503802016cbb..c7f949195c87 100644
--- a/src/Common/examples/encrypt_decrypt.cpp
+++ b/src/Common/examples/encrypt_decrypt.cpp
@@ -3,7 +3,7 @@
#include
#include
-/** This test program encrypts or decrypts text values using a symmetric encryption codec like AES_128_GCM_SIV or AES_256_GCM_SIV.
+/** This program encrypts or decrypts text values using a symmetric encryption codec like AES_128_GCM_SIV or AES_256_GCM_SIV.
* Keys for codecs are loaded from section of configuration file.
*
* How to use:
@@ -32,7 +32,7 @@ int main(int argc, char ** argv)
DB::ConfigProcessor processor(argv[1], false, true);
auto loaded_config = processor.loadConfig();
- DB::CompressionCodecEncrypted::Configuration::instance().tryLoad(*loaded_config.configuration, "encryption_codecs");
+ DB::CompressionCodecEncrypted::Configuration::instance().load(*loaded_config.configuration, "encryption_codecs");
if (action == "-e")
std::cout << processor.encryptValue(codec_name, value) << std::endl;
diff --git a/src/Compression/CompressionCodecEncrypted.cpp b/src/Compression/CompressionCodecEncrypted.cpp
index 3f4e35a78a46..5438e02792fc 100644
--- a/src/Compression/CompressionCodecEncrypted.cpp
+++ b/src/Compression/CompressionCodecEncrypted.cpp
@@ -31,14 +31,14 @@ namespace ErrorCodes
extern const int BAD_ARGUMENTS;
}
-EncryptionMethod getEncryptionMethod(const std::string & name)
+EncryptionMethod toEncryptionMethod(const std::string & name)
{
if (name == "AES_128_GCM_SIV")
return AES_128_GCM_SIV;
else if (name == "AES_256_GCM_SIV")
return AES_256_GCM_SIV;
else
- throw Exception(ErrorCodes::BAD_ARGUMENTS, "Wrong encryption method. Got {}", name);
+ throw Exception(ErrorCodes::BAD_ARGUMENTS, "Unknown encryption method. Got {}", name);
}
namespace
@@ -48,34 +48,22 @@ namespace
String getMethodName(EncryptionMethod Method)
{
if (Method == AES_128_GCM_SIV)
- {
return "AES_128_GCM_SIV";
- }
else if (Method == AES_256_GCM_SIV)
- {
return "AES_256_GCM_SIV";
- }
else
- {
return "";
- }
}
/// Get method code (used for codec, to understand which one we are using)
uint8_t getMethodCode(EncryptionMethod Method)
{
if (Method == AES_128_GCM_SIV)
- {
return static_cast(CompressionMethodByte::AES_128_GCM_SIV);
- }
else if (Method == AES_256_GCM_SIV)
- {
return static_cast(CompressionMethodByte::AES_256_GCM_SIV);
- }
else
- {
- throw Exception(ErrorCodes::BAD_ARGUMENTS, "Wrong encryption method. Got {}", getMethodName(Method));
- }
+ throw Exception(ErrorCodes::BAD_ARGUMENTS, "Unknown encryption method. Got {}", getMethodName(Method));
}
} // end of namespace
@@ -105,17 +93,11 @@ const String empty_nonce = {"\0\0\0\0\0\0\0\0\0\0\0\0", actual_nonce_size};
UInt64 methodKeySize(EncryptionMethod Method)
{
if (Method == AES_128_GCM_SIV)
- {
return 16;
- }
else if (Method == AES_256_GCM_SIV)
- {
return 32;
- }
else
- {
- throw Exception(ErrorCodes::BAD_ARGUMENTS, "Wrong encryption method. Got {}", getMethodName(Method));
- }
+ throw Exception(ErrorCodes::BAD_ARGUMENTS, "Unknown encryption method. Got {}", getMethodName(Method));
}
std::string lastErrorString()
@@ -130,17 +112,11 @@ std::string lastErrorString()
auto getMethod(EncryptionMethod Method)
{
if (Method == AES_128_GCM_SIV)
- {
return EVP_aead_aes_128_gcm_siv;
- }
else if (Method == AES_256_GCM_SIV)
- {
return EVP_aead_aes_256_gcm_siv;
- }
else
- {
- throw Exception(ErrorCodes::BAD_ARGUMENTS, "Wrong encryption method. Got {}", getMethodName(Method));
- }
+ throw Exception(ErrorCodes::BAD_ARGUMENTS, "Unknown encryption method. Got {}", getMethodName(Method));
}
/// Encrypt plaintext with particular algorithm and put result into ciphertext_and_tag.
@@ -206,17 +182,11 @@ size_t decrypt(std::string_view ciphertext, char * plaintext, EncryptionMethod m
auto getMethod(EncryptionMethod Method)
{
if (Method == AES_128_GCM_SIV)
- {
return EVP_aes_128_gcm;
- }
else if (Method == AES_256_GCM_SIV)
- {
return EVP_aes_256_gcm;
- }
else
- {
- throw Exception(ErrorCodes::BAD_ARGUMENTS, "Wrong encryption method. Got {}", getMethodName(Method));
- }
+ throw Exception(ErrorCodes::BAD_ARGUMENTS, "Unknown encryption method. Got {}", getMethodName(Method));
}
/// Encrypt plaintext with particular algorithm and put result into ciphertext_and_tag.
diff --git a/src/Compression/CompressionCodecEncrypted.h b/src/Compression/CompressionCodecEncrypted.h
index fafcf4af507e..7971cbadab71 100644
--- a/src/Compression/CompressionCodecEncrypted.h
+++ b/src/Compression/CompressionCodecEncrypted.h
@@ -18,8 +18,8 @@ enum EncryptionMethod
MAX_ENCRYPTION_METHOD
};
-/// Get method for string name. Throw exception for wrong name.
-EncryptionMethod getEncryptionMethod(const std::string & name);
+/// Get encryption method for string name. Throw exception for wrong name.
+EncryptionMethod toEncryptionMethod(const std::string & name);
/** This codec encrypts and decrypts blocks with AES-128 in
* GCM-SIV mode (RFC-8452), which is the only cipher currently
diff --git a/tests/integration/test_config_decryption/configs/config.xml b/tests/integration/test_config_decryption/configs/config.xml
index 5c274128e39d..4b0d3a776590 100644
--- a/tests/integration/test_config_decryption/configs/config.xml
+++ b/tests/integration/test_config_decryption/configs/config.xml
@@ -1,4 +1,5 @@
+
00112233445566778899aabbccddeeff
@@ -7,6 +8,8 @@
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
- 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
- 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
+
+ 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
+ 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
+
diff --git a/tests/integration/test_config_decryption/configs/config.yaml b/tests/integration/test_config_decryption/configs/config.yaml
index ab4391be3c53..1b20b65b6524 100644
--- a/tests/integration/test_config_decryption/configs/config.yaml
+++ b/tests/integration/test_config_decryption/configs/config.yaml
@@ -3,9 +3,11 @@ encryption_codecs:
key_hex: 00112233445566778899aabbccddeeff
aes_256_gcm_siv:
key_hex: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
+
max_table_size_to_drop:
'#text': 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
- '@encryption_codec': AES_128_GCM_SIV
+ '@encrypted_by': AES_128_GCM_SIV
+
max_partition_size_to_drop:
- '@encryption_codec': AES_256_GCM_SIV
+ '@encrypted_by': AES_256_GCM_SIV
'#text': 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
diff --git a/tests/integration/test_config_decryption/configs/config_invalid_chars.xml b/tests/integration/test_config_decryption/configs/config_invalid_chars.xml
index 49bf51b5bad5..53345b897dcb 100644
--- a/tests/integration/test_config_decryption/configs/config_invalid_chars.xml
+++ b/tests/integration/test_config_decryption/configs/config_invalid_chars.xml
@@ -1,4 +1,5 @@
+
00112233445566778899aabbccddeeff
@@ -7,6 +8,9 @@
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
- --96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
- 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
+
+
+ --96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
+ 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
+
diff --git a/tests/integration/test_config_decryption/configs/config_no_encryption_key.xml b/tests/integration/test_config_decryption/configs/config_no_encryption_key.xml
index 5f7769f74031..830c75f7378c 100644
--- a/tests/integration/test_config_decryption/configs/config_no_encryption_key.xml
+++ b/tests/integration/test_config_decryption/configs/config_no_encryption_key.xml
@@ -1,3 +1,7 @@
- 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
+
+
+
+ 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
+
diff --git a/tests/integration/test_config_decryption/configs/config_subnodes.xml b/tests/integration/test_config_decryption/configs/config_subnodes.xml
index b0e519ff546f..8213270f7477 100644
--- a/tests/integration/test_config_decryption/configs/config_subnodes.xml
+++ b/tests/integration/test_config_decryption/configs/config_subnodes.xml
@@ -1,10 +1,14 @@
+
00112233445566778899aabbccddeeff
-
+
+
+
96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
+
diff --git a/tests/integration/test_config_decryption/configs/config_wrong_method.xml b/tests/integration/test_config_decryption/configs/config_wrong_method.xml
index b452ce6374c3..b96c13d51055 100644
--- a/tests/integration/test_config_decryption/configs/config_wrong_method.xml
+++ b/tests/integration/test_config_decryption/configs/config_wrong_method.xml
@@ -1,4 +1,5 @@
+
00112233445566778899aabbccddeeff
@@ -7,6 +8,8 @@
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
- 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
- 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
+
+ 96260000000B0000000000E8FE3C087CED2205A5071078B29FD5C3B97F824911DED3217E980C
+ 97260000000B0000000000BFFF70C4DA718754C1DA0E2F25FF9246D4783F7FFEC4089EC1CC14
+
diff --git a/tests/integration/test_config_decryption/test_wrong_settings.py b/tests/integration/test_config_decryption/test_wrong_settings.py
index b148f9a051aa..c6987d123243 100644
--- a/tests/integration/test_config_decryption/test_wrong_settings.py
+++ b/tests/integration/test_config_decryption/test_wrong_settings.py
@@ -15,7 +15,7 @@ def start_clickhouse(config, err_msg):
def test_wrong_method():
start_clickhouse(
- "configs/config_wrong_method.xml", "Wrong encryption method. Got WRONG"
+ "configs/config_wrong_method.xml", "Unknown encryption method. Got WRONG"
)