[PG-1583, PG-1600] Do not unnecessarily try to fetch the principal key by AndersAstrand · Pull Request #330 · percona/postgres · GitHub

[PG-1583, PG-1600] Do not unnecessarily try to fetch the principal key #330

AndersAstrand (Collaborator) commented May 13, 2025

tde_mdopen() and tde_mdunlink() can be called after the transaction is committed, in which case it's too late to abort the transaction with ereport(ERROR) if we fail to fetch the principal key.

This PR defers the loading of relation keys until they're actually needed, so that we won't unnecessarily try to fetch the principal key.

There is obviously room for optimizations here, for example by caching the still encrypted relation keys instead of looking them up in the map file again when they're actually needed. But this is not included in this PR as we have PG-1436 for investigating the performance of this caching.

codecov-commenter commented May 13, 2025

Codecov Report

Attention: Patch coverage is 97.43590% with 1 line in your changes missing coverage. Please review.

Project coverage is 80.50%. Comparing base (e7e63e3) to head (1a04d5d).

❌ Your project status has failed because the head coverage (80.50%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@                  Coverage Diff                  @@
##           TDE_REL_17_STABLE     #330      +/-   ##
=====================================================
+ Coverage              80.28%   80.50%   +0.21%     
=====================================================
  Files                     22       22              
  Lines                   2577     2600      +23     
  Branches                 395      400       +5     
=====================================================
+ Hits                    2069     2093      +24     
  Misses                   428      428              
+ Partials                  80       79       -1     
Components Coverage Δ
access 82.95% <91.66%> (+0.18%) ⬆️
catalog 87.47% <ø> (ø)
common 91.80% <100.00%> (ø)
encryption 75.70% <ø> (ø)
keyring 72.31% <ø> (+0.47%) ⬆️
src 66.74% <ø> (ø)
smgr 97.27% <100.00%> (+0.30%) ⬆️
transam ∅ <ø> (∅)

AndersAstrand force-pushed the tde/panic-if-drop-without-principal-key branch from 057705e to 8e38fb1 May 13, 2025 15:17

Replace the boolean used in the smgr hooks. Currently we only have two
states still. This is in preparation for adding a third state to
indicate that the table is encrypted, but the key has not yet been
loaded.

In many cases it's completely unnecessary to have the principal key in
order to know if a relation is encrypted or not. This simplifies cases
where principal key provider is not available for any reason.

The unencrypted key should most likely be cached, but this commit does
not do that.

Don't decrypt relation keys until they're actually needed. In some cases
tde_mdopen() is called after the transaction is committed which means
that we're no longer able to abort the transaction if we fail when we
fetch the principal key.

This happens, for example, if dropping an encrypted table. Previously
this would cause postmaster to panic if it didn't have access to the
principal key.
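
A minimal C model of the deferred key loading described in the PR description and commit messages above, added here as an illustration; it is not code from pg_tde or from this PR. All names (RelEncState, rel_open, rel_unlink, rel_read, the simulated keyring and map lookup) are hypothetical, and the XOR step only stands in for real decryption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model; none of these names come from pg_tde. */
typedef enum { REL_PLAIN, REL_ENCRYPTED_KEY_PENDING, REL_ENCRYPTED_KEY_LOADED } RelEncState;
typedef struct { RelEncState state; unsigned char key[16]; } RelHandle;

static bool keyring_available = true; /* simulated principal key provider */
static int principal_key_fetches = 0; /* counts provider round trips */

/* Simulated map-file lookup: tells us if a relation is encrypted, no key needed. */
static bool map_has_entry(int relid) { return relid % 2 == 1; }

/* Simulated principal key fetch plus relation key decryption; may fail. */
static bool load_relation_key(RelHandle *h) {
    principal_key_fetches++;
    if (!keyring_available) return false;
    memset(h->key, 0xAB, sizeof h->key); /* constructed key material */
    h->state = REL_ENCRYPTED_KEY_LOADED;
    return true;
}

/* Open only records the state, so it has no key-related failure path. */
void rel_open(RelHandle *h, int relid) {
    h->state = map_has_entry(relid) ? REL_ENCRYPTED_KEY_PENDING : REL_PLAIN;
}

/* Unlink removes files and never needs the key. */
bool rel_unlink(RelHandle *h) { (void) h; return true; }

/* First real use of the key: a failure is returned to the caller, not raised in open. */
bool rel_read(RelHandle *h, unsigned char *buf, size_t len) {
    if (h->state == REL_ENCRYPTED_KEY_PENDING && !load_relation_key(h))
        return false;
    if (h->state == REL_ENCRYPTED_KEY_LOADED)
        for (size_t i = 0; i < len; i++)
            buf[i] ^= h->key[i % sizeof h->key]; /* XOR stands in for decryption */
    return true;
}

int main(void) {
    RelHandle h;
    keyring_available = false;          /* provider outage */
    rel_open(&h, 1);                    /* encrypted relation */
    printf("unlink ok=%d fetches=%d\n", rel_unlink(&h), principal_key_fetches);
    return 0;
}
```

With the provider unavailable, open and unlink complete without contacting it, and only a read reports the failure.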

dAdAbird (Member) left a comment

LGTM

AndersAstrand force-pushed the tde/panic-if-drop-without-principal-key branch from 8e38fb1 to 1a04d5d May 14, 2025 06:42
AndersAstrand merged commit 3e0639c into percona:TDE_REL_17_STABLE May 14, 2025
27 checks passed
AndersAstrand deleted the tde/panic-if-drop-without-principal-key branch May 14, 2025 07:00