MDEV-18601 Can't create table with ENCRYPTED=DEFAULT when innodb_default_encryption_key_id!=1

The problem with the InnoDB table attribute encryption_key_id is that it is
not being persisted anywhere in InnoDB except if the table attribute
encryption is specified and is something else than encryption=default.
MDEV-17320 made it a hard error if encryption_key_id is specified to be
anything else than 1 in that case.

Ideally, we would always persist encryption_key_id in InnoDB. But, then we
would have to be prepared for the case that when encryption is being enabled
for a table whose encryption_key_id attribute refers to a non-existing key.

In MariaDB Server 10.1, our best option remains to not store anything
inside InnoDB. But, instead of returning the error that MDEV-17320
introduced, we should merely issue a warning that the specified
encryption_key_id is going to be ignored if encryption=default.

To improve the situation a little more, we will issue a warning if
SET [GLOBAL|SESSION] innodb_default_encryption_key_id is being set
to something that does not refer to an available encryption key.

Starting with MariaDB Server 10.2, thanks to MDEV-5800, we could open the
table definition from InnoDB side when the encryption is being enabled,
and actually fix the root cause of what was reported in MDEV-17320.

Author: dr-m

mysql-test/suite/encryption/r/innodb-checksum-algorithm,32k.rdiff

@@ -1,5 +1,5 @@
 --- suite/encryption/r/innodb-checksum-algorithm.result
-+++ suite/encryption/r/innodb-checksum-algorithm,32k.reject
++++ suite/encryption/r/innodb-checksum-algorithm.result
 @@ -13,9 +13,9 @@
  SET GLOBAL innodb_default_encryption_key_id=4;
  SET GLOBAL innodb_checksum_algorithm=crc32;
@@ -9,10 +9,10 @@
  create table tc_crc32(a serial, b blob, index(b(10))) engine=innodb
 -ROW_FORMAT=COMPRESSED encrypted=no;
 +ROW_FORMAT=DYNAMIC encrypted=no;
+ Warnings:
+ Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
  create table te_crc32(a serial, b blob, index(b(10))) engine=innodb
- encrypted=yes;
- create table t_crc32(a serial, b blob, index(b(10))) engine=innodb
-@@ -222,9 +222,9 @@
+@@ -153,9 +153,9 @@
  t_crc32, tpe_crc32, tp_crc32;
  SET GLOBAL innodb_checksum_algorithm=innodb;
  create table tce_innodb(a serial, b blob, index(b(10))) engine=innodb
@@ -21,10 +21,10 @@
  create table tc_innodb(a serial, b blob, index(b(10))) engine=innodb
 -ROW_FORMAT=COMPRESSED encrypted=no;
 +ROW_FORMAT=DYNAMIC encrypted=no;
+ Warnings:
+ Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
  create table te_innodb(a serial, b blob, index(b(10))) engine=innodb
- encrypted=yes;
- create table t_innodb(a serial, b blob, index(b(10))) engine=innodb
-@@ -431,9 +431,9 @@
+@@ -293,9 +293,9 @@
  t_innodb, tpe_innodb, tp_innodb;
  SET GLOBAL innodb_checksum_algorithm=none;
  create table tce_none(a serial, b blob, index(b(10))) engine=innodb
@@ -33,6 +33,6 @@
  create table tc_none(a serial, b blob, index(b(10))) engine=innodb
 -ROW_FORMAT=COMPRESSED encrypted=no;
 +ROW_FORMAT=DYNAMIC encrypted=no;
+ Warnings:
+ Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
  create table te_none(a serial, b blob, index(b(10))) engine=innodb
- encrypted=yes;
- create table t_none(a serial, b blob, index(b(10))) engine=innodb

mysql-test/suite/encryption/r/innodb-checksum-algorithm,64k.rdiff

@@ -1,5 +1,5 @@
 --- suite/encryption/r/innodb-checksum-algorithm.result
-+++ suite/encryption/r/innodb-checksum-algorithm,64k.reject
++++ suite/encryption/r/innodb-checksum-algorithm.result
 @@ -13,9 +13,9 @@
  SET GLOBAL innodb_default_encryption_key_id=4;
  SET GLOBAL innodb_checksum_algorithm=crc32;
@@ -9,10 +9,10 @@
  create table tc_crc32(a serial, b blob, index(b(10))) engine=innodb
 -ROW_FORMAT=COMPRESSED encrypted=no;
 +ROW_FORMAT=DYNAMIC encrypted=no;
+ Warnings:
+ Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
  create table te_crc32(a serial, b blob, index(b(10))) engine=innodb
- encrypted=yes;
- create table t_crc32(a serial, b blob, index(b(10))) engine=innodb
-@@ -222,9 +222,9 @@
+@@ -153,9 +153,9 @@
  t_crc32, tpe_crc32, tp_crc32;
  SET GLOBAL innodb_checksum_algorithm=innodb;
  create table tce_innodb(a serial, b blob, index(b(10))) engine=innodb
@@ -21,10 +21,10 @@
  create table tc_innodb(a serial, b blob, index(b(10))) engine=innodb
 -ROW_FORMAT=COMPRESSED encrypted=no;
 +ROW_FORMAT=DYNAMIC encrypted=no;
+ Warnings:
+ Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
  create table te_innodb(a serial, b blob, index(b(10))) engine=innodb
- encrypted=yes;
- create table t_innodb(a serial, b blob, index(b(10))) engine=innodb
-@@ -431,9 +431,9 @@
+@@ -293,9 +293,9 @@
  t_innodb, tpe_innodb, tp_innodb;
  SET GLOBAL innodb_checksum_algorithm=none;
  create table tce_none(a serial, b blob, index(b(10))) engine=innodb
@@ -33,6 +33,6 @@
  create table tc_none(a serial, b blob, index(b(10))) engine=innodb
 -ROW_FORMAT=COMPRESSED encrypted=no;
 +ROW_FORMAT=DYNAMIC encrypted=no;
+ Warnings:
+ Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
  create table te_none(a serial, b blob, index(b(10))) engine=innodb
- encrypted=yes;
- create table t_none(a serial, b blob, index(b(10))) engine=innodb

mysql-test/suite/encryption/r/innodb-checksum-algorithm.result

@@ -16,14 +16,20 @@ create table tce_crc32(a serial, b blob, index(b(10))) engine=innodb
 ROW_FORMAT=COMPRESSED encrypted=yes;
 create table tc_crc32(a serial, b blob, index(b(10))) engine=innodb
 ROW_FORMAT=COMPRESSED encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 create table te_crc32(a serial, b blob, index(b(10))) engine=innodb
 encrypted=yes;
 create table t_crc32(a serial, b blob, index(b(10))) engine=innodb
 encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 create table tpe_crc32(a serial, b blob, index(b(10))) engine=innodb
 page_compressed=yes encrypted=yes;
 create table tp_crc32(a serial, b blob, index(b(10))) engine=innodb
 page_compressed=yes encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 begin;
 insert into tce_crc32(b) values (repeat('secret',20));
 insert into tc_crc32(b) values (repeat('secret',20));
@@ -150,14 +156,20 @@ create table tce_innodb(a serial, b blob, index(b(10))) engine=innodb
 ROW_FORMAT=COMPRESSED encrypted=yes;
 create table tc_innodb(a serial, b blob, index(b(10))) engine=innodb
 ROW_FORMAT=COMPRESSED encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 create table te_innodb(a serial, b blob, index(b(10))) engine=innodb
 encrypted=yes;
 create table t_innodb(a serial, b blob, index(b(10))) engine=innodb
 encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 create table tpe_innodb(a serial, b blob, index(b(10))) engine=innodb
 page_compressed=yes encrypted=yes;
 create table tp_innodb(a serial, b blob, index(b(10))) engine=innodb
 page_compressed=yes encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 begin;
 insert into tce_innodb(b) values (repeat('secret',20));
 insert into tc_innodb(b) values (repeat('secret',20));
@@ -284,14 +296,20 @@ create table tce_none(a serial, b blob, index(b(10))) engine=innodb
 ROW_FORMAT=COMPRESSED encrypted=yes;
 create table tc_none(a serial, b blob, index(b(10))) engine=innodb
 ROW_FORMAT=COMPRESSED encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 create table te_none(a serial, b blob, index(b(10))) engine=innodb
 encrypted=yes;
 create table t_none(a serial, b blob, index(b(10))) engine=innodb
 encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 create table tpe_none(a serial, b blob, index(b(10))) engine=innodb
 page_compressed=yes encrypted=yes;
 create table tp_none(a serial, b blob, index(b(10))) engine=innodb
 page_compressed=yes encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 begin;
 insert into tce_none(b) values (repeat('secret',20));
 insert into tc_none(b) values (repeat('secret',20));

mysql-test/suite/encryption/r/innodb-compressed-blob.result

@@ -7,6 +7,8 @@ set GLOBAL innodb_default_encryption_key_id=4;
 create table t1(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed;
 create table t2(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed encrypted=yes;
 create table t3(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed encrypted=no;
+Warnings:
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 insert into t1 values (1, repeat('secret',6000));
 insert into t2 values (1, repeat('secret',6000));
 insert into t3 values (1, repeat('secret',6000));

mysql-test/suite/encryption/r/innodb-encryption-alter.result

@@ -4,9 +4,16 @@ SET GLOBAL innodb_encrypt_tables = ON;
 SET GLOBAL innodb_encryption_threads = 4;
 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4;
 Warnings:
-Warning	140	InnoDB: Ignored ENCRYPTION_KEY_ID 4 when encryption is disabled
+Warning	140	InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
 DROP TABLE t1;
+set @save_global = @@GLOBAL.innodb_default_encryption_key_id;
 set innodb_default_encryption_key_id = 99;
+Warnings:
+Warning	1210	innodb_default_encryption_key=99 is not available
+set global innodb_default_encryption_key_id = 99;
+Warnings:
+Warning	1210	innodb_default_encryption_key=99 is not available
+set global innodb_default_encryption_key_id = @save_global;
 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
 ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
 SHOW WARNINGS;
@@ -40,8 +47,6 @@ t1	CREATE TABLE `t1` (
   PRIMARY KEY (`pk`)
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
 CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1;
-Warnings:
-Warning	140	InnoDB: Ignored ENCRYPTION_KEY_ID 1 when encryption is disabled
 ALTER TABLE t1 ENCRYPTION_KEY_ID=99;
 ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
 SHOW WARNINGS;
@@ -53,37 +58,29 @@ drop table t1,t2;
 SET GLOBAL innodb_encrypt_tables=OFF;
 CREATE TABLE t1 (a int not null primary key) engine=innodb;
 ALTER TABLE t1 ENCRYPTION_KEY_ID=4;
-ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
-SHOW WARNINGS;
-Level	Code	Message
-Warning	140	InnoDB: innodb_encrypt_tables=OFF only allows ENCRYPTION_KEY_ID=1
-Error	1478	Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
 SHOW CREATE TABLE t1;
 Table	Create Table
 t1	CREATE TABLE `t1` (
   `a` int(11) NOT NULL,
   PRIMARY KEY (`a`)
-) ENGINE=InnoDB DEFAULT CHARSET=latin1
+) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
 DROP TABLE t1;
 CREATE TABLE t2 (a int not null primary key) engine=innodb;
 ALTER TABLE t2 ENCRYPTION_KEY_ID=4, ALGORITHM=COPY;
-ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
-SHOW WARNINGS;
-Level	Code	Message
-Warning	140	InnoDB: innodb_encrypt_tables=OFF only allows ENCRYPTION_KEY_ID=1
-Error	1005	Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
-Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB
 SHOW CREATE TABLE t2;
 Table	Create Table
 t2	CREATE TABLE `t2` (
   `a` int(11) NOT NULL,
   PRIMARY KEY (`a`)
-) ENGINE=InnoDB DEFAULT CHARSET=latin1
+) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
 DROP TABLE t2;
 CREATE TABLE t3 (a int not null primary key) engine=innodb ENCRYPTION_KEY_ID=4;
-ERROR HY000: Can't create table `test`.`t3` (errno: 140 "Wrong create options")
+DROP TABLE t3;
+SET GLOBAL innodb_encrypt_tables='FORCE';
+CREATE TABLE t1 (a int primary key) engine=innodb encrypted=no;
+ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
 SHOW WARNINGS;
 Level	Code	Message
-Warning	140	InnoDB: innodb_encrypt_tables=OFF only allows ENCRYPTION_KEY_ID=1
-Error	1005	Can't create table `test`.`t3` (errno: 140 "Wrong create options")
+Warning	140	InnoDB: ENCRYPTED=NO cannot be used with innodb_encrypt_tables=FORCE
+Error	1005	Can't create table `test`.`t1` (errno: 140 "Wrong create options")
 Warning	1030	Got error 140 "Wrong create options" from storage engine InnoDB

mysql-test/suite/encryption/t/innodb-encryption-alter.test

@@ -19,7 +19,10 @@ SET GLOBAL innodb_encryption_threads = 4;
 
 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4;
 DROP TABLE t1;
+set @save_global = @@GLOBAL.innodb_default_encryption_key_id;
 set innodb_default_encryption_key_id = 99;
+set global innodb_default_encryption_key_id = 99;
+set global innodb_default_encryption_key_id = @save_global;
 --error 1005
 CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
 SHOW WARNINGS;
@@ -90,25 +93,26 @@ drop table t1,t2;
 #
 # MDEV-17230: encryption_key_id from alter is ignored by encryption threads
 #
+--enable_warnings
 SET GLOBAL innodb_encrypt_tables=OFF;
 CREATE TABLE t1 (a int not null primary key) engine=innodb;
---error ER_ILLEGAL_HA_CREATE_OPTION
 ALTER TABLE t1 ENCRYPTION_KEY_ID=4;
-SHOW WARNINGS;
 SHOW CREATE TABLE t1;
 DROP TABLE t1;
 
 CREATE TABLE t2 (a int not null primary key) engine=innodb;
 --replace_regex /#sql-[0-9a-f_]*`/#sql-temporary`/
---error ER_CANT_CREATE_TABLE
 ALTER TABLE t2 ENCRYPTION_KEY_ID=4, ALGORITHM=COPY;
 --replace_regex /#sql-[0-9a-f_]*`/#sql-temporary`/
-SHOW WARNINGS;
 SHOW CREATE TABLE t2;
 DROP TABLE t2;
 
---error ER_CANT_CREATE_TABLE
 CREATE TABLE t3 (a int not null primary key) engine=innodb ENCRYPTION_KEY_ID=4;
+DROP TABLE t3;
+
+SET GLOBAL innodb_encrypt_tables='FORCE';
+--error ER_CANT_CREATE_TABLE
+CREATE TABLE t1 (a int primary key) engine=innodb encrypted=no;
 SHOW WARNINGS;
 
 # reset system