8000 Merge back release 17.5.2 by dutow · Pull Request #463 · percona/postgres · GitHub

Merge back release 17.5.2 #463


Merged
merged 21 commits into from
Jul 3, 2025
Merged
f631496
PG-1663 Make sure indexes on paritioned tables are encrypted
jeltz Jun 16, 2025
93dcf72
Update postgres and pg_tde version numbers
dutow Jun 18, 2025
d48fdea
PG-1662 Handle changing access method of partitioned table correctly
jeltz Jun 18, 2025
8b1f1cf
Try to use poll_start instead of kill9_until_dead in TAP tests
jeltz Jun 18, 2025
98c3109
Remove extra word in error message for existing key
AndersAstrand Jun 23, 2025
ef03f7b
Create enforcement.md - Encryption Enforcement topic (#403)
Andriciuc Jun 25, 2025
2a1f301
Created replication.md quick walkthrough for pg_tde (#319)
Andriciuc Jun 25, 2025
77db80a
PG-1700 Fix error hint when missing principal key
AndersAstrand Jun 25, 2025
d4639f8
Create restore-backups.md topic (#397)
Andriciuc Jun 26, 2025
5191b68
Updated Setup/Test/Var/Yum files based on AA feedback (#445)
Andriciuc Jun 26, 2025
26eecc7
text fixes for how-to and index folders based on AA feedback (#444)
Andriciuc Jun 26, 2025
c94be04
faq.md and wal_dump.md/encryption.md content improved (#437)
Andriciuc Jun 26, 2025
5a2c081
PG-1257 Add key deletion funcs to documentation
8000 artemgavrilov Jun 26, 2025
aa23578
Docs 17.5.1 revert commit 56106 (#458)
Andriciuc Jun 26, 2025
8d88d3f
Updated principal-key/features/functions.md based on AA feedback (#441)
Andriciuc Jun 27, 2025
58153f9
Add OpenBao Topic ver 2 (#459)
Andriciuc Jun 27, 2025
f10eae3
Clarify key deletion funcs description in docs
artemgavrilov Jun 27, 2025
33af938
Re-apply set key changes: revert of revert commit (#461)
Andriciuc Jun 30, 2025
dfcef9f
Prepare general docs for GA release (#434)
Andriciuc Jun 30, 2025
b6c1305
Update architecture/index.md (#439)
Andriciuc Jun 30, 2025
85037c4
Create Release Notes for 1.0 (#432)
Andriciuc Jun 30, 2025
PG-1663 Make sure indexes on paritioned tables are encrypted
Since we only looked at the parent table and not on the whole tree when
setting the status of the encrypted indexes we could easily accidentally
create a plain text index on an encrypted table.

This patch also makes sure to disallow adding indexes to an inheritance
tree where the tables are a mix of encrypted and unencrypted tables.
jeltz committed Jun 17, 2025
commit f631496d0b4064c9a8d38c40187842f326d64cbc
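--- a/contrib/pg_tde/expected/partition_table.out
+++ b/contrib/pg_tde/expected/partition_table.out
@@ -161,4 +161,50 @@ SELECT pg_tde_is_encrypted('partition_child_tde_heap');
 
 DROP TABLE partition_parent;
 RESET pg_tde.enforce_encryption;
+-- Partitioned indexes should be encrypted
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING tde_heap;
+CREATE INDEX ON partition_parent (a);
+SELECT pg_tde_is_encrypted('partition_parent_a_idx'); -- Also check that the parent index is NULL
+pg_tde_is_encrypted
+---------------------
+
+(1 row)
+
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+pg_tde_is_encrypted
+---------------------
+t
+(1 row)
+
+DROP TABLE partition_parent;
+-- Partitioned indexes should be not encrypted with heap
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
+CREATE INDEX ON partition_parent (a);
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+pg_tde_is_encrypted
+---------------------
+f
+(1 row)
+
+DROP TABLE partition_parent;
+-- We refuse to create an index when the inheritance heirarchy has mixed statuses
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child_heap PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
+CREATE TABLE partition_child_tde_heap PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
+CREATE INDEX ON partition_parent ( 8000 a);
+ERROR: Recursive CREATE INDEX on a mix of encrypted and unencrypted relations is not supported
+DROP TABLE partition_parent;
+-- Index should also be encrypted for new partitionins
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE INDEX ON partition_parent (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+pg_tde_is_encrypted
+---------------------
+t
+(1 row)
+
+DROP TABLE partition_parent;
 DROP EXTENSION pg_tde;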
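--- a/contrib/pg_tde/sql/partition_table.sql
+++ b/contrib/pg_tde/sql/partition_table.sql
@@ -80,4 +80,33 @@ SELECT pg_tde_is_encrypted('partition_child_tde_heap');
 DROP TABLE partition_parent;
 RESET pg_tde.enforce_encryption;
 
+-- Partitioned indexes should be encrypted
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING tde_heap;
+CREATE INDEX ON partition_parent (a);
+SELECT pg_tde_is_encrypted('partition_parent_a_idx'); -- Also check that the parent index is NULL
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+DROP TABLE partition_parent;
+
+-- Partitioned indexes should be not encrypted with heap
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO 8000 (9) USING heap;
+CREATE INDEX ON partition_parent (a);
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+DROP TABLE partition_parent;
+
+-- We refuse to create an index when the inheritance heirarchy has mixed statuses
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child_heap PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
+CREATE TABLE partition_child_tde_heap PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
+CREATE INDEX ON partition_parent (a);
+DROP TABLE partition_parent;
+
+-- Index should also be encrypted for new partitionins
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE INDEX ON partition_parent (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+DROP TABLE partition_parent;
+
 DROP EXTENSION pg_tde;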
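Review bot: The new cases only exercise a recursive CREATE INDEX over one level of declarative partitions, so the edges of the new mixed-status check are untested. A `CREATE INDEX ON ONLY partition_parent (a);` case and a parent with legacy `INHERITS` children would show whether the error also fires where PostgreSQL does not recurse into children, and a two-level partition tree would confirm the whole tree is inspected. The mixed-status case could also assert after the ERROR that no index exists on either child, and a case with `pg_tde.enforce_encryption` set would tie the index behaviour to the enforcement setting tested just above. Comment typos: `heirarchy` should be `hierarchy` and `partitionins` should be `partitions`.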
21 changes: 11 additions & 10 deletions contrib/pg_tde/src/pg_tde_event_capture.c
@@ -258,21 +258,22 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS)
if (IsA(parsetree, IndexStmt))
{
IndexStmt *stmt = castNode(IndexStmt, parsetree);
Relation rel;
TdeDdlEvent event = {.parsetree = parsetree};
EncryptionMix encmix;
Oid relid = RangeVarGetRelid(stmt->relation, AccessShareLock, false);

rel = table_openrv(stmt->relation, AccessShareLock);
encmix = alter_table_encryption_mix(relid);

if (rel->rd_rel->relam == get_tde_table_am_oid())
{
if (encmix == ENC_MIX_ENCRYPTED)
event.encryptMode = TDE_ENCRYPT_MODE_ENCRYPT;
checkPrincipalKeyConfigured();
}
else
else if (encmix == ENC_MIX_PLAIN)
event.encryptMode = TDE_ENCRYPT_MODE_PLAIN;

/* Hold on to lock until end of transaction */
table_close(rel, NoLock);
else if (encmix == ENC_MIX_UNKNOWN)
event.encryptMode = TDE_ENCRYPT_MODE_RETAIN;
else
ereport(ERROR,
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("Recursive CREATE INDEX on a mix of encrypted and unencrypted relations is not supported"));

push_event_stack(&event);
}
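Review bot: The `encmix == ENC_MIX_ENCRYPTED` branch appears to drop the `checkPrincipalKeyConfigured()` call that the old tde_heap branch made right after setting `TDE_ENCRYPT_MODE_ENCRYPT`; the +/- markers are lost on this page, but the section's 10 deletions only add up if that call is among them. Unless `alter_table_encryption_mix()` or a later layer performs the same check (not visible here), CREATE INDEX on an encrypted table without a principal key loses its early, explicit failure; consider keeping the braces and the call, `event.encryptMode = TDE_ENCRYPT_MODE_ENCRYPT; checkPrincipalKeyConfigured();`. The `ENC_MIX_UNKNOWN` branch would benefit from a one-line comment saying when the mix is unknown and why `TDE_ENCRYPT_MODE_RETAIN` is the safe choice there, since a wrong default here yields a plaintext index. The enclosing function starts and ends outside the hunk.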