Skip to content

Commit e39d6e0

Browse files
committed
MDEV-18601 Can't create table with ENCRYPTED=DEFAULT when innodb_default_encryption_key_id!=1
The problem with the InnoDB table attribute encryption_key_id is that it is not being persisted anywhere in InnoDB except if the table attribute encryption is specified and is something else than encryption=default. MDEV-17320 made it a hard error if encryption_key_id is specified to be anything else than 1 in that case. Ideally, we would always persist encryption_key_id in InnoDB. But, then we would have to be prepared for the case that when encryption is being enabled for a table whose encryption_key_id attribute refers to a non-existing key. In MariaDB Server 10.1, our best option remains to not store anything inside InnoDB. But, instead of returning the error that MDEV-17320 introduced, we should merely issue a warning that the specified encryption_key_id is going to be ignored if encryption=default. To improve the situation a little more, we will issue a warning if SET [GLOBAL|SESSION] innodb_default_encryption_key_id is being set to something that does not refer to an available encryption key. Starting with MariaDB Server 10.2, thanks to MDEV-5800, we could open the table definition from InnoDB side when the encryption is being enabled, and actually fix the root cause of what was reported in MDEV-17320.
1 parent 622e9e8 commit e39d6e0

File tree

8 files changed

+182
-162
lines changed

8 files changed

+182
-162
lines changed
Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
--- suite/encryption/r/innodb-checksum-algorithm.result
2-
+++ suite/encryption/r/innodb-checksum-algorithm,32k.reject
2+
+++ suite/encryption/r/innodb-checksum-algorithm.result
33
@@ -13,9 +13,9 @@
44
SET GLOBAL innodb_default_encryption_key_id=4;
55
SET GLOBAL innodb_checksum_algorithm=crc32;
@@ -9,10 +9,10 @@
99
create table tc_crc32(a serial, b blob, index(b(10))) engine=innodb
1010
-ROW_FORMAT=COMPRESSED encrypted=no;
1111
+ROW_FORMAT=DYNAMIC encrypted=no;
12+
Warnings:
13+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
1214
create table te_crc32(a serial, b blob, index(b(10))) engine=innodb
13-
encrypted=yes;
14-
create table t_crc32(a serial, b blob, index(b(10))) engine=innodb
15-
@@ -222,9 +222,9 @@
15+
@@ -153,9 +153,9 @@
1616
t_crc32, tpe_crc32, tp_crc32;
1717
SET GLOBAL innodb_checksum_algorithm=innodb;
1818
create table tce_innodb(a serial, b blob, index(b(10))) engine=innodb
@@ -21,10 +21,10 @@
2121
create table tc_innodb(a serial, b blob, index(b(10))) engine=innodb
2222
-ROW_FORMAT=COMPRESSED encrypted=no;
2323
+ROW_FORMAT=DYNAMIC encrypted=no;
24+
Warnings:
25+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
2426
create table te_innodb(a serial, b blob, index(b(10))) engine=innodb
25-
encrypted=yes;
26-
create table t_innodb(a serial, b blob, index(b(10))) engine=innodb
27-
@@ -431,9 +431,9 @@
27+
@@ -293,9 +293,9 @@
2828
t_innodb, tpe_innodb, tp_innodb;
2929
SET GLOBAL innodb_checksum_algorithm=none;
3030
create table tce_none(a serial, b blob, index(b(10))) engine=innodb
@@ -33,6 +33,6 @@
3333
create table tc_none(a serial, b blob, index(b(10))) engine=innodb
3434
-ROW_FORMAT=COMPRESSED encrypted=no;
3535
+ROW_FORMAT=DYNAMIC encrypted=no;
36+
Warnings:
37+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
3638
create table te_none(a serial, b blob, index(b(10))) engine=innodb
37-
encrypted=yes;
38-
create table t_none(a serial, b blob, index(b(10))) engine=innodb
Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
--- suite/encryption/r/innodb-checksum-algorithm.result
2-
+++ suite/encryption/r/innodb-checksum-algorithm,64k.reject
2+
+++ suite/encryption/r/innodb-checksum-algorithm.result
33
@@ -13,9 +13,9 @@
44
SET GLOBAL innodb_default_encryption_key_id=4;
55
SET GLOBAL innodb_checksum_algorithm=crc32;
@@ -9,10 +9,10 @@
99
create table tc_crc32(a serial, b blob, index(b(10))) engine=innodb
1010
-ROW_FORMAT=COMPRESSED encrypted=no;
1111
+ROW_FORMAT=DYNAMIC encrypted=no;
12+
Warnings:
13+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
1214
create table te_crc32(a serial, b blob, index(b(10))) engine=innodb
13-
encrypted=yes;
14-
create table t_crc32(a serial, b blob, index(b(10))) engine=innodb
15-
@@ -222,9 +222,9 @@
15+
@@ -153,9 +153,9 @@
1616
t_crc32, tpe_crc32, tp_crc32;
1717
SET GLOBAL innodb_checksum_algorithm=innodb;
1818
create table tce_innodb(a serial, b blob, index(b(10))) engine=innodb
@@ -21,10 +21,10 @@
2121
create table tc_innodb(a serial, b blob, index(b(10))) engine=innodb
2222
-ROW_FORMAT=COMPRESSED encrypted=no;
2323
+ROW_FORMAT=DYNAMIC encrypted=no;
24+
Warnings:
25+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
2426
create table te_innodb(a serial, b blob, index(b(10))) engine=innodb
25-
encrypted=yes;
26-
create table t_innodb(a serial, b blob, index(b(10))) engine=innodb
27-
@@ -431,9 +431,9 @@
27+
@@ -293,9 +293,9 @@
2828
t_innodb, tpe_innodb, tp_innodb;
2929
SET GLOBAL innodb_checksum_algorithm=none;
3030
create table tce_none(a serial, b blob, index(b(10))) engine=innodb
@@ -33,6 +33,6 @@
3333
create table tc_none(a serial, b blob, index(b(10))) engine=innodb
3434
-ROW_FORMAT=COMPRESSED encrypted=no;
3535
+ROW_FORMAT=DYNAMIC encrypted=no;
36+
Warnings:
37+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
3638
create table te_none(a serial, b blob, index(b(10))) engine=innodb
37-
encrypted=yes;
38-
create table t_none(a serial, b blob, index(b(10))) engine=innodb

mysql-test/suite/encryption/r/innodb-checksum-algorithm.result

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,14 +16,20 @@ create table tce_crc32(a serial, b blob, index(b(10))) engine=innodb
1616
ROW_FORMAT=COMPRESSED encrypted=yes;
1717
create table tc_crc32(a serial, b blob, index(b(10))) engine=innodb
1818
ROW_FORMAT=COMPRESSED encrypted=no;
19+
Warnings:
20+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
1921
create table te_crc32(a serial, b blob, index(b(10))) engine=innodb
2022
encrypted=yes;
2123
create table t_crc32(a serial, b blob, index(b(10))) engine=innodb
2224
encrypted=no;
25+
Warnings:
26+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
2327
create table tpe_crc32(a serial, b blob, index(b(10))) engine=innodb
2428
page_compressed=yes encrypted=yes;
2529
create table tp_crc32(a serial, b blob, index(b(10))) engine=innodb
2630
page_compressed=yes encrypted=no;
31+
Warnings:
32+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
2733
begin;
2834
insert into tce_crc32(b) values (repeat('secret',20));
2935
insert into tc_crc32(b) values (repeat('secret',20));
@@ -150,14 +156,20 @@ create table tce_innodb(a serial, b blob, index(b(10))) engine=innodb
150156
ROW_FORMAT=COMPRESSED encrypted=yes;
151157
create table tc_innodb(a serial, b blob, index(b(10))) engine=innodb
152158
ROW_FORMAT=COMPRESSED encrypted=no;
159+
Warnings:
160+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
153161
create table te_innodb(a serial, b blob, index(b(10))) engine=innodb
154162
encrypted=yes;
155163
create table t_innodb(a serial, b blob, index(b(10))) engine=innodb
156164
encrypted=no;
165+
Warnings:
166+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
157167
create table tpe_innodb(a serial, b blob, index(b(10))) engine=innodb
158168
page_compressed=yes encrypted=yes;
159169
create table tp_innodb(a serial, b blob, index(b(10))) engine=innodb
160170
page_compressed=yes encrypted=no;
171+
Warnings:
172+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
161173
begin;
162174
insert into tce_innodb(b) values (repeat('secret',20));
163175
insert into tc_innodb(b) values (repeat('secret',20));
@@ -284,14 +296,20 @@ create table tce_none(a serial, b blob, index(b(10))) engine=innodb
284296
ROW_FORMAT=COMPRESSED encrypted=yes;
285297
create table tc_none(a serial, b blob, index(b(10))) engine=innodb
286298
ROW_FORMAT=COMPRESSED encrypted=no;
299+
Warnings:
300+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
287301
create table te_none(a serial, b blob, index(b(10))) engine=innodb
288302
encrypted=yes;
289303
create table t_none(a serial, b blob, index(b(10))) engine=innodb
290304
encrypted=no;
305+
Warnings:
306+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
291307
create table tpe_none(a serial, b blob, index(b(10))) engine=innodb
292308
page_compressed=yes encrypted=yes;
293309
create table tp_none(a serial, b blob, index(b(10))) engine=innodb
294310
page_compressed=yes encrypted=no;
311+
Warnings:
312+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
295313
begin;
296314
insert into tce_none(b) values (repeat('secret',20));
297315
insert into tc_none(b) values (repeat('secret',20));

mysql-test/suite/encryption/r/innodb-compressed-blob.result

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@ set GLOBAL innodb_default_encryption_key_id=4;
77
create table t1(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed;
88
create table t2(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed encrypted=yes;
99
create table t3(a int not null primary key, b blob, index(b(10))) engine=innodb row_format=compressed encrypted=no;
10+
Warnings:
11+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
1012
insert into t1 values (1, repeat('secret',6000));
1113
insert into t2 values (1, repeat('secret',6000));
1214
insert into t3 values (1, repeat('secret',6000));

mysql-test/suite/encryption/r/innodb-encryption-alter.result

Lines changed: 16 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,16 @@ SET GLOBAL innodb_encrypt_tables = ON;
44
SET GLOBAL innodb_encryption_threads = 4;
55
CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4;
66
Warnings:
7-
Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 4 when encryption is disabled
7+
Warning 140 InnoDB: ENCRYPTED=NO implies ENCRYPTION_KEY_ID=1
88
DROP TABLE t1;
9+
set @save_global = @@GLOBAL.innodb_default_encryption_key_id;
910
set innodb_default_encryption_key_id = 99;
11+
Warnings:
12+
Warning 1210 innodb_default_encryption_key=99 is not available
13+
set global innodb_default_encryption_key_id = 99;
14+
Warnings:
15+
Warning 1210 innodb_default_encryption_key=99 is not available
16+
set global innodb_default_encryption_key_id = @save_global;
1017
CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
1118
ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
1219
SHOW WARNINGS;
@@ -40,8 +47,6 @@ t1 CREATE TABLE `t1` (
4047
PRIMARY KEY (`pk`)
4148
) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
4249
CREATE TABLE t2 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=1;
43-
Warnings:
44-
Warning 140 InnoDB: Ignored ENCRYPTION_KEY_ID 1 when encryption is disabled
4550
ALTER TABLE t1 ENCRYPTION_KEY_ID=99;
4651
ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
4752
SHOW WARNINGS;
@@ -53,37 +58,29 @@ drop table t1,t2;
5358
SET GLOBAL innodb_encrypt_tables=OFF;
5459
CREATE TABLE t1 (a int not null primary key) engine=innodb;
5560
ALTER TABLE t1 ENCRYPTION_KEY_ID=4;
56-
ERROR HY000: Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
57-
SHOW WARNINGS;
58-
Level Code Message
59-
Warning 140 InnoDB: innodb_encrypt_tables=OFF only allows ENCRYPTION_KEY_ID=1
60-
Error 1478 Table storage engine 'InnoDB' does not support the create option 'ENCRYPTION_KEY_ID'
6161
SHOW CREATE TABLE t1;
6262
Table Create Table
6363
t1 CREATE TABLE `t1` (
6464
`a` int(11) NOT NULL,
6565
PRIMARY KEY (`a`)
66-
) ENGINE=InnoDB DEFAULT CHARSET=latin1
66+
) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
6767
DROP TABLE t1;
6868
CREATE TABLE t2 (a int not null primary key) engine=innodb;
6969
ALTER TABLE t2 ENCRYPTION_KEY_ID=4, ALGORITHM=COPY;
70-
ERROR HY000: Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
71-
SHOW WARNINGS;
72-
Level Code Message
73-
Warning 140 InnoDB: innodb_encrypt_tables=OFF only allows ENCRYPTION_KEY_ID=1
74-
Error 1005 Can't create table `test`.`#sql-temporary` (errno: 140 "Wrong create options")
75-
Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB
7670
SHOW CREATE TABLE t2;
7771
Table Create Table
7872
t2 CREATE TABLE `t2` (
7973
`a` int(11) NOT NULL,
8074
PRIMARY KEY (`a`)
81-
) ENGINE=InnoDB DEFAULT CHARSET=latin1
75+
) ENGINE=InnoDB DEFAULT CHARSET=latin1 `ENCRYPTION_KEY_ID`=4
8276
DROP TABLE t2;
8377
CREATE TABLE t3 (a int not null primary key) engine=innodb ENCRYPTION_KEY_ID=4;
84-
ERROR HY000: Can't create table `test`.`t3` (errno: 140 "Wrong create options")
78+
DROP TABLE t3;
79+
SET GLOBAL innodb_encrypt_tables='FORCE';
80+
CREATE TABLE t1 (a int primary key) engine=innodb encrypted=no;
81+
ERROR HY000: Can't create table `test`.`t1` (errno: 140 "Wrong create options")
8582
SHOW WARNINGS;
8683
Level Code Message
87-
Warning 140 InnoDB: innodb_encrypt_tables=OFF only allows ENCRYPTION_KEY_ID=1
88-
Error 1005 Can't create table `test`.`t3` (errno: 140 "Wrong create options")
84+
Warning 140 InnoDB: ENCRYPTED=NO cannot be used with innodb_encrypt_tables=FORCE
85+
Error 1005 Can't create table `test`.`t1` (errno: 140 "Wrong create options")
8986
Warning 1030 Got error 140 "Wrong create options" from storage engine InnoDB

mysql-test/suite/encryption/t/innodb-encryption-alter.test

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,10 @@ SET GLOBAL innodb_encryption_threads = 4;
1919

2020
CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB ENCRYPTED=NO ENCRYPTION_KEY_ID=4;
2121
DROP TABLE t1;
22+
set @save_global = @@GLOBAL.innodb_default_encryption_key_id;
2223
set innodb_default_encryption_key_id = 99;
24+
set global innodb_default_encryption_key_id = 99;
25+
set global innodb_default_encryption_key_id = @save_global;
2326
--error 1005
2427
CREATE TABLE t1 (pk INT PRIMARY KEY AUTO_INCREMENT, c VARCHAR(256)) ENGINE=INNODB;
2528
SHOW WARNINGS;
@@ -90,25 +93,26 @@ drop table t1,t2;
9093
#
9194
# MDEV-17230: encryption_key_id from alter is ignored by encryption threads
9295
#
96+
--enable_warnings
9397
SET GLOBAL innodb_encrypt_tables=OFF;
9498
CREATE TABLE t1 (a int not null primary key) engine=innodb;
95-
--error ER_ILLEGAL_HA_CREATE_OPTION
9699
ALTER TABLE t1 ENCRYPTION_KEY_ID=4;
97-
SHOW WARNINGS;
98100
SHOW CREATE TABLE t1;
99101
DROP TABLE t1;
100102

101103
CREATE TABLE t2 (a int not null primary key) engine=innodb;
102104
--replace_regex /#sql-[0-9a-f_]*`/#sql-temporary`/
103-
--error ER_CANT_CREATE_TABLE
104105
ALTER TABLE t2 ENCRYPTION_KEY_ID=4, ALGORITHM=COPY;
105106
--replace_regex /#sql-[0-9a-f_]*`/#sql-temporary`/
106-
SHOW WARNINGS;
107107
SHOW CREATE TABLE t2;
108108
DROP TABLE t2;
109109

110-
--error ER_CANT_CREATE_TABLE
111110
CREATE TABLE t3 (a int not null primary key) engine=innodb ENCRYPTION_KEY_ID=4;
111+
DROP TABLE t3;
112+
113+
SET GLOBAL innodb_encrypt_tables='FORCE';
114+
--error ER_CANT_CREATE_TABLE
115+
CREATE TABLE t1 (a int primary key) engine=innodb encrypted=no;
112116
SHOW WARNINGS;
113117

114118
# reset system

0 commit comments

Comments
 (0)