8000 Separate principal key creation from usage · percona/postgres@ceff90e · GitHub

Commit ceff90e

committed
Separate principal key creation from usage
Add new functions pg_tde_create_key_using_database/global_key_provider() to create keys instead of key creation being a side effect of setting the key. Also remove support for "create if not exists" semantics as any user should know what keys their key provider contains.
1 parent 46cee5c commit ceff90e


57 files changed

+563
-85
lines changed

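--- a/ci_scripts/tde_setup.sql
+++ b/ci_scripts/tde_setup.sql
@@ -2,4 +2,5 @@ CREATE SCHEMA IF NOT EXISTS tde;
 CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;
 \! rm -f '/tmp/pg_tde_test_keyring.per'
 SELECT tde.pg_tde_add_database_key_provider_file('reg_file-vault', '/tmp/pg_tde_test_keyring.per');
+SELECT tde.pg_tde_create_key_using_database_key_provider('test-db-key', 'reg_file-vault');
 SELECT tde.pg_tde_set_key_using_database_key_provider('test-db-key', 'reg_file-vault');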

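--- a/ci_scripts/tde_setup_global.sql
+++ b/ci_scripts/tde_setup_global.sql
@@ -3,6 +3,7 @@ CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;
 
 \! rm -f '/tmp/pg_tde_test_keyring.per'
 SELECT tde.pg_tde_add_global_key_provider_file('reg_file-global', '/tmp/pg_tde_test_keyring.per');
+SELECT tde.pg_tde_create_key_using_global_key_provider('server-key', 'reg_file-global');
 SELECT tde.pg_tde_set_server_key_using_global_key_provider('server-key', 'reg_file-global');
 ALTER SYSTEM SET pg_tde.wal_encrypt = on;
 ALTER SYSTEM SET default_table_access_method = 'tde_heap';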

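--- a/contrib/pg_tde/expected/access_control.out
+++ b/contrib/pg_tde/expected/access_control.out
@@ -9,6 +9,8 @@ SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde
 CREATE USER regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
 -- should throw access denied
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'local-file-provider');
+ERROR: permission denied for function pg_tde_create_key_using_database_key_provider
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'local-file-provider');
 ERROR: permission denied for function pg_tde_set_key_using_database_key_provider
 SELECT pg_tde_delete_key();
@@ -35,11 +37,12 @@ GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) TO
 GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider(TEXT, TEXT, JSON) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_create_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_delete_database_key_provider(TEXT) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(TEXT) TO regress_pg_tde_access_control;
-GRANT EXECUTE ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
-GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
-GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT, BOOLEAN) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
+GRANT EXECUTE ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;
 GRANT EXECUTE ON FUNCTION pg_tde_delete_default_key() TO regress_pg_tde_access_control;
 SET ROLE regress_pg_tde_access_control;
 SELECT pg_tde_add_database_key_provider_file('local-file-provider', '/tmp/pg_tde_test_keyring.per');
@@ -54,6 +57,8 @@ SELECT pg_tde_change_global_key_provider_file('global-file-provider', '/tmp/pg_t
 ERROR: must be superuser to modify key providers
 SELECT pg_tde_delete_global_key_provider('global-file-provider');
 ERROR: must be superuser to modify key providers
+SELECT pg_tde_create_key_using_global_key_provider('key1', 'global-file-provider');
+ERROR: must be superuser to access global key providers
 SELECT pg_tde_set_key_using_global_key_provider('key1', 'global-file-provider');
 ERROR: must be superuser to access global key providers
 SELECT pg_tde_set_default_key_using_global_key_provider('key1', 'global-file-provider');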
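Review bot: The granted-role half of this test does not visibly exercise `pg_tde_create_key_using_database_key_provider`. The second hunk adds a GRANT only for `pg_tde_create_key_using_global_key_provider(TEXT, TEXT)`, and the third hunk pins only the superuser rejection for that global variant. The denial at new lines 12-13 covers the role without EXECUTE, but nothing shown pins what a non-superuser holding EXECUTE gets when creating a key through a database-scoped provider, which is the path where an unprivileged role would create key material. The grant list begins above new line 37 and the statements between new lines 48 and 57 are outside the hunks, so this may already be covered there. If it is not, I would add `GRANT EXECUTE ON FUNCTION pg_tde_create_key_using_database_key_provider(TEXT, TEXT) TO regress_pg_tde_access_control;` (signature presumed from the two-argument call) and a `SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'local-file-provider');` after the second `SET ROLE` in the matching .sql test, then regenerate this file.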

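--- a/contrib/pg_tde/expected/alter_index.out
+++ b/contrib/pg_tde/expected/alter_index.out
@@ -6,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr
 
 (1 row)
 
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault');
+pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault');
 pg_tde_set_key_using_database_key_provider
 --------------------------------------------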

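--- a/contrib/pg_tde/expected/cache_alloc.out
+++ b/contrib/pg_tde/expected/cache_alloc.out
@@ -7,6 +7,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr
 
 (1 row)
 
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault');
+pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault');
 pg_tde_set_key_using_database_key_provider
 --------------------------------------------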

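--- a/contrib/pg_tde/expected/change_access_method.out
+++ b/contrib/pg_tde/expected/change_access_method.out
@@ -6,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_key
 
 (1 row)
 
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');
+pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
 pg_tde_set_key_using_database_key_provider
 --------------------------------------------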

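--- a/contrib/pg_tde/expected/create_database.out
+++ b/contrib/pg_tde/expected/create_database.out
@@ -12,6 +12,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/template_provid
 
 (1 row)
 
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key', 'file-vault');
+pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key', 'file-vault');
 pg_tde_set_key_using_database_key_provider
 --------------------------------------------
@@ -31,6 +37,12 @@ SELECT pg_tde_add_global_key_provider_file('global-file-vault','/tmp/template_pr
 
 (1 row)
 
+SELECT pg_tde_create_key_using_global_key_provider('default-key', 'global-file-vault');
+pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+
+(1 row)
+
 SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'global-file-vault');
 pg_tde_set_default_key_using_global_key_provider
 --------------------------------------------------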

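--- a/contrib/pg_tde/expected/default_principal_key.out
+++ b/contrib/pg_tde/expected/default_principal_key.out
@@ -18,7 +18,13 @@ SELECT provider_id, provider_name, key_name
 | |
 (1 row)
 
-SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider', false);
+SELECT pg_tde_create_key_using_global_key_provider('default-key', 'file-provider');
+pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+
+(1 row)
+
+SELECT pg_tde_set_default_key_using_global_key_provider('default-key', 'file-provider');
 pg_tde_set_default_key_using_global_key_provider
 --------------------------------------------------
 
@@ -100,7 +106,13 @@ SELECT provider_id, provider_name, key_name
 
 \c :regress_database
 CHECKPOINT;
-SELECT pg_tde_set_default_key_using_global_key_provider('new-default-key', 'file-provider', false);
+SELECT pg_tde_create_key_using_global_key_provider('new-default-key', 'file-provider');
+pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+
+(1 row)
+
+SELECT pg_tde_set_default_key_using_global_key_provider('new-default-key', 'file-provider');
 pg_tde_set_default_key_using_global_key_provider
 --------------------------------------------------
 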

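--- a/contrib/pg_tde/expected/delete_principal_key.out
+++ b/contrib/pg_tde/expected/delete_principal_key.out
@@ -6,6 +6,18 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_test_key
 
 (1 row)
 
+SELECT pg_tde_create_key_using_global_key_provider('defalut-key','file-provider');
+pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+
+(1 row)
+
+SELECT pg_tde_create_key_using_global_key_provider('test-db-key','file-provider');
+pg_tde_create_key_using_global_key_provider
+---------------------------------------------
+
+(1 row)
+
 -- Set the local key and delete it without any encrypted tables
 -- Should succeed: nothing used the key
 SELECT pg_tde_set_key_using_global_key_provider('test-db-key','file-provider');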
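Review bot: The key name in the added call at new line 9, `'defalut-key'`, looks like a misspelling of `default-key`. Per the commit description the set functions no longer create a missing key, so any later statement that sets the default key has to use exactly this spelling or it will fail; those statements are outside the hunk, so I cannot tell which spelling they use. Even if the name is carried through consistently, I would change it to `SELECT pg_tde_create_key_using_global_key_provider('default-key','file-provider');` in the matching .sql test and regenerate this expected output.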

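--- a/contrib/pg_tde/expected/insert_update_delete.out
+++ b/contrib/pg_tde/expected/insert_update_delete.out
@@ -6,6 +6,12 @@ SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyr
 
 (1 row)
 
+SELECT pg_tde_create_key_using_database_key_provider('test-db-key','file-vault');
+pg_tde_create_key_using_database_key_provider
+-----------------------------------------------
+
+(1 row)
+
 SELECT pg_tde_set_key_using_database_key_provider('test-db-key','file-vault');
 pg_tde_set_key_using_database_key_provider
 --------------------------------------------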
