Implement event triggers to identify index creation on encrypted tables. #196
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit implements ddl-start and ddl-end event triggers to identify index creation operations on encrypted tables. Upon creating an index on an encrypted table, the trigger function updates the global state, which can be accessed by the storage manager (mgr) to decide if smgr_create needs to do encryption or not. The start-ddl function analyzes the CREATE TABLE and CREATE INDEX statements and identifies if the table uses the pg_tde access method. When the table is created or the one on which the index is being created utilizes the pg_tde access method, the start-ddl trigger function populates relevant information about the encrypted table into a global structure. This structure can be accessed using the GetCurrentTdeCreateEvent() function. After the execution of the current DDL command finishes, the end-ddl function clears out this structure.
dutow
approved these changes
May 22, 2024
dutow
added a commit
to dutow/postgres-tde-ext
that referenced
this pull request
May 28, 2024
* Introduces `pg_tde2` access method * New access method uses the event trigger changes from percona#196 * Keys are now loaded from the keyring * This required changes to the map file / master key infrastructure * This commit only modifies/fixes those as little as required for simplicity. More refactoring/changes coming in separate commits / PRs * Removes reliance from MyDatabaseId, as things now have to work with multiple databases in the checkpointer * Removes some error reports, where functions should work even without a configured keyring * Fixes some bugs in the map file functions * Map file functions now work with multiple databases in a single process, but this is a hackish solution, global state needs a proper refactoring * Contains anti-recursion hack in the new SMGR code, which is needed until we store the metadata in the catalog
dAdAbird
reviewed
May 30, 2024
pg_tde--1.0.sql
Outdated
| AS 'MODULE_PATHNAME' | ||
| LANGUAGE C; | ||
|
|
||
| CREATE EVENT TRIGGER trigger_create_index |
There was a problem hiding this comment.
Maybe, it makes sense to have a tde_ prefix for the trigger names? Just to avoid any uniqueness issues
dutow
added a commit
to dutow/postgres-tde-ext
that referenced
this pull request
Jun 11, 2024
* Introduces `pg_tde2` access method * New access method uses the event trigger changes from percona#196 * Keys are now loaded from the keyring * This required changes to the map file / master key infrastructure * This commit only modifies/fixes those as little as required for simplicity. More refactoring/changes coming in separate commits / PRs * Removes reliance from MyDatabaseId, as things now have to work with multiple databases in the checkpointer * Removes some error reports, where functions should work even without a configured keyring * Fixes some bugs in the map file functions * Map file functions now work with multiple databases in a single process, but this is a hackish solution, global state needs a proper refactoring * Contains anti-recursion hack in the new SMGR code, which is needed until we store the metadata in the catalog
dutow
added a commit
to dutow/postgres-tde-ext
that referenced
this pull request
Jun 11, 2024
* Introduces `pg_tde2` access method * New access method uses the event trigger changes from percona#196 * Keys are now loaded from the keyring * This required changes to the map file / master key infrastructure * This commit only modifies/fixes those as little as required for simplicity. More refactoring/changes coming in separate commits / PRs * Removes reliance from MyDatabaseId, as things now have to work with multiple databases in the checkpointer * Removes some error reports, where functions should work even without a configured keyring * Fixes some bugs in the map file functions * Map file functions now work with multiple databases in a single process, but this is a hackish solution, global state needs a proper refactoring * Contains anti-recursion hack in the new SMGR code, which is needed until we store the metadata in the catalog
dutow
added a commit
that referenced
this pull request
Jun 11, 2024
…on (#199) * Introduces `pg_tde2` access method * New access method uses the event trigger changes from #196 * Keys are now loaded from the keyring * This required changes to the map file / master key infrastructure * This commit only modifies/fixes those as little as required for simplicity. More refactoring/changes coming in separate commits / PRs * Removes reliance from MyDatabaseId, as things now have to work with multiple databases in the checkpointer * Removes some error reports, where functions should work even without a configured keyring * Fixes some bugs in the map file functions * Map file functions now work with multiple databases in a single process, but this is a hackish solution, global state needs a proper refactoring * Contains anti-recursion hack in the new SMGR code, which is needed until we store the metadata in the catalog
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit implements ddl-start and ddl-end event triggers to identify index creation operations on encrypted tables. Upon creating an index on an encrypted table, the trigger function updates the global state, which can be accessed by the storage manager (mgr) to decide if smgr_create needs to do encryption or not.
The start-ddl function analyzes the CREATE TABLE and CREATE INDEX statements and identifies if the table uses the pg_tde access method. When the table is created or the one on which the index is being created utilizes the pg_tde access method, the start-ddl trigger function populates relevant information about the encrypted table into a global structure. This structure can be accessed using the GetCurrentTdeCreateEvent() function. After the execution of the current DDL command finishes, the end-ddl function clears out this structure.