Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
N/A
Description
According to the description in hashicorp_key_management.cnf, key cache related variables mean the following:
--[loose-]hashicorp-key-management-caching-enabled="on"|"off"
Enable key caching (storing key values received from
the Hashicorp Vault server in the local memory). By default
caching is enabled.--[loose-]hashicorp-key-management-cache-timeout=<timeout>
The time (in milliseconds) after which the value of the key
stored in the cache becomes invalid and an attempt to read this
data causes a new request send to the vault server. By default,
cache entries become invalid after 60,000 milliseconds (after
one minute).
The test below does the following:
- configure keys 1 and 4 in the vault;
- create a table with ENCRYPTION_KEY_ID=4, so that the key has been read;
- reconfigure the vault to remove key 4;
- try to create another table with ENCRYPTION_KEY_ID=4.
Since key cache is enabled and the (default) timeout is 60 seconds, presumably it should still work and the table should be created using the key from the cache. It doesn't happen however, the statement fails due to the missing key.
# The test presumes that the local vault is running at $VAULT_ADDR, |
# and the token is configured in $VAULT_TOKEN |
|
--source include/have_innodb.inc
|
|
--exec vault secrets disable bug
|
--exec vault secrets enable -path /bug -version=2 kv
|
--exec vault kv put /bug/1 data=01234567890123456789012345678901 > /dev/null
|
--exec vault kv put /bug/4 data=01234567890123456789012345678904 > /dev/null
|
|
--let $restart_parameters= --plugin-load-add=hashicorp_key_management --hashicorp-key-management-vault-url="$VAULT_ADDR/v1/bug/" --hashicorp-key-management-token="$VAULT_TOKEN"
|
|
--source include/restart_mysqld.inc
|
|
CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; |
INSERT INTO t1 VALUES ('foo'),('bar'); |
|
select @@hashicorp_key_management_caching_enabled, @@hashicorp_key_management_cache_timeout; |
|
--exec vault secrets disable bug
|
--exec vault secrets enable -path /bug -version=2 kv
|
--exec vault kv put /bug/1 data=01234567890123456789012345678901 > /dev/null
|
|
CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; |
|
# Cleanup
|
DROP TABLE IF EXISTS t1, t2; |
--exec vault secrets disable bug |
preview-10.9-MDEV-20119-misc e62a2a0615 |
CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; |
INSERT INTO t1 VALUES ('foo'),('bar'); |
select @@hashicorp_key_management_caching_enabled, @@hashicorp_key_management_cache_timeout; |
@@hashicorp_key_management_caching_enabled @@hashicorp_key_management_cache_timeout
|
1 60000
|
|
CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; |
|
mysqltest: At line 24: query 'CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4' failed: ER_CANT_CREATE_TABLE (1005): Can't create table `test`.`t2` (errno: 140 "Wrong create options") |
There are no test cases coming with the plugin to validate any cache functionality, so there is still a room for interpretation. If expectations in the test above are false, then at least add tests to indicate how the cache is expected to act, and document it accordingly.
Attachments
Issue Links
- is part of
-
MDEV-28494 Hashicorp plugin documentation
- Closed
- relates to
-
MDEV-19281 Vault Key Management Plugin
- Closed
- split to
-
MDEV-28528 Hashicorp Vault plugin: documentation update
- Closed