Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-13827

Add encryption tests for FULLTEXT INDEX

    XMLWordPrintable

Details

    Description

      As noted in MDEV-13826, the merge of MySQL 5.7.9 into MariaDB 10.2.2 broke CREATE FULLTEXT INDEX on encrypted tables.

      This was uncaught, because there are no encryption tests for FULLTEXT INDEX whatsoever.
      To prevent further bugs like this, we must test FULLTEXT INDEX with encryption: both the index creation, and to ensure that the auxiliary FTS_*.ibd tables actually are encrypted.

      I manually checked that the auxiliary tables are encrypted by applying this patch:

      diff --git a/mysql-test/suite/encryption/t/encrypt_and_grep.test b/mysql-test/suite/encryption/t/encrypt_and_grep.test
      index c5a10620f6e..278bf6febda 100644
      --- a/mysql-test/suite/encryption/t/encrypt_and_grep.test
      +++ b/mysql-test/suite/encryption/t/encrypt_and_grep.test
      @@ -19,7 +19,7 @@ SET GLOBAL innodb_file_per_table = ON;
       SET GLOBAL innodb_file_format = `Barracuda`;
       --enable_warnings
       
      -create table t1 (a varchar(255)) engine=innodb encrypted=yes;
      +create table t1 (a varchar(255), FULLTEXT INDEX(a)) engine=innodb encrypted=yes;
       create table t2 (a varchar(255)) engine=innodb;
       show warnings;
       create table t3 (a varchar(255)) engine=innodb encrypted=no;
      @@ -59,7 +59,7 @@ SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_
       
       --echo # Now turn off encryption and wait for threads to decrypt everything
       
      -SET GLOBAL innodb_encrypt_tables = off;
      +SET GLOBAL innodb_encrypto_tables = off;
       
       --echo # Wait max 10 min for key encryption threads to decrypt all spaces
       --let $wait_timeout= 600
      

      After the test failed due to the intentional typo, I checked with

      grep -l infimum var/log/encryption.encrypt_and_grep-*/mysqld.1/data/test/FTS*.ibd
      

      that the internally created tables are encrypted. I also manually checked some files to ensure that they are not empty.

      This should be done properly by extending the test.
      To test the encryption of temporary files during CREATE FULLTEXT INDEX, the following test needs to be augmented:

      diff --git a/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test b/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test
      index 10dc1462c98..40bde24409f 100644
      --- a/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test
      +++ b/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test
      @@ -1,5 +1,6 @@
       # This is the DDL function tests for innodb FTS
       
      +-- source include/innodb_encrypt_log.inc
       -- source include/have_innodb.inc
       
       # Create FTS table
      

      This is obviously not sufficient; similar to my change to innodb.innodb-index-online and innodb.innodb-table-online we should ensure that on successful operation, the amount of encrypted blocks equals the amount of decrypted blocks, and that when encryption is used, some encrypted blocks are being read and written.

      Attachments

        Issue Links

          Activity

            People

              marko Marko Mäkelä
              marko Marko Mäkelä
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.