[MDEV-13827] Add encryption tests for FULLTEXT INDEX
Created: 2017-09-17  Updated: 2023-04-12  Resolved: 2023-04-11

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.1, 10.2
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Marko Mäkelä
Assignee: Marko Mäkelä
Resolution: Won't Do
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-12634 Uninitialised ROW_MERGE_RESERVE_SIZE ... Closed
relates to MDEV-13826 CREATE FULLTEXT INDEX on encrypted ta... Closed

 Description   

As noted in MDEV-13826, the merge of MySQL 5.7.9 into MariaDB 10.2.2 broke CREATE FULLTEXT INDEX on encrypted tables.

This was uncaught, because there are no encryption tests for FULLTEXT INDEX whatsoever.
To prevent further bugs like this, we must test FULLTEXT INDEX with encryption: both the index creation, and to ensure that the auxiliary FTS_*.ibd tables actually are encrypted.

I manually checked that the auxiliary tables are encrypted by applying this patch:

diff --git a/mysql-test/suite/encryption/t/encrypt_and_grep.test b/mysql-test/suite/encryption/t/encrypt_and_grep.test
index c5a10620f6e..278bf6febda 100644
--- a/mysql-test/suite/encryption/t/encrypt_and_grep.test
+++ b/mysql-test/suite/encryption/t/encrypt_and_grep.test
@@ -19,7 +19,7 @@ SET GLOBAL innodb_file_per_table = ON;
 SET GLOBAL innodb_file_format = `Barracuda`;
 --enable_warnings
 
-create table t1 (a varchar(255)) engine=innodb encrypted=yes;
+create table t1 (a varchar(255), FULLTEXT INDEX(a)) engine=innodb encrypted=yes;
 create table t2 (a varchar(255)) engine=innodb;
 show warnings;
 create table t3 (a varchar(255)) engine=innodb encrypted=no;
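Review bot: the `FULLTEXT INDEX(a)` added to `t1` comes with no verification step in this hunk. Nothing here inspects the auxiliary FTS_*.ibd files that the index creates, so the change does not assert that those files are encrypted. Add a step to the test that searches the FTS_*.ibd files in the test schema directory for plaintext and confirms they are not empty, instead of relying on a manual grep after the run.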
@@ -59,7 +59,7 @@ SELECT NAME FROM INFORMATION_SCHEMA.INNODB_TABLESPACES_ENCRYPTION WHERE MIN_KEY_
 
 --echo # Now turn off encryption and wait for threads to decrypt everything
 
-SET GLOBAL innodb_encrypt_tables = off;
+SET GLOBAL innodb_encrypto_tables = off;
 
 --echo # Wait max 10 min for key encryption threads to decrypt all spaces
 --let $wait_timeout= 600
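Review bot: `SET GLOBAL innodb_encrypto_tables = off;` misspells the variable that the removed line set (`innodb_encrypt_tables`), so the statement fails and the decryption phase announced by the surrounding `--echo` lines never starts. If the purpose is only to stop the test while the files are still encrypted, keep this line out of any committed version and place the file inspection before the real `SET GLOBAL innodb_encrypt_tables = off;` instead.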

After the test failed due to the intentional typo, I checked with

grep -l infimum var/log/encryption.encrypt_and_grep-*/mysqld.1/data/test/FTS*.ibd

that the internally created tables are encrypted. I also manually checked some files to ensure that they are not empty.

This should be done properly by extending the test.
To test the encryption of temporary files during CREATE FULLTEXT INDEX, the following test needs to be augmented:

diff --git a/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test b/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test
index 10dc1462c98..40bde24409f 100644
--- a/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test
+++ b/mysql-test/suite/innodb_fts/t/innodb-fts-ddl.test
@@ -1,5 +1,6 @@
 # This is the DDL function tests for innodb FTS
 
+-- source include/innodb_encrypt_log.inc
 -- source include/have_innodb.inc
 
 # Create FTS table
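Review bot: the added `-- source include/innodb_encrypt_log.inc` at the top of innodb-fts-ddl.test brings no assertion with it, so the hunk alone does not show that the temporary files written during CREATE FULLTEXT INDEX were encrypted. Pair it with a check after the index creation that some encrypted blocks were written and read, and that the encrypted and decrypted block counts match on success.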

This is obviously not sufficient; similar to my change to innodb.innodb-index-online and innodb.innodb-table-online we should ensure that on successful operation, the amount of encrypted blocks equals the amount of decrypted blocks, and that when encryption is used, some encrypted blocks are being read and written.
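
The manual check from the description (grep for `infimum` in the auxiliary `FTS*.ibd` files, plus the non-empty check) written as a reusable shell function. This is an added example, not code from the MariaDB test suite; the function names, return codes, script name and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not MariaDB test-suite code).
# check_fts_encrypted DIR: classify every auxiliary FTS_*.ibd file in DIR.
# Return 0 if all are non-empty and lack the plaintext marker "infimum",
# 1 if any file is empty or contains it, 2 if no such files exist.
check_fts_encrypted() {
    dir=$1; status=0; found=0
    for f in "$dir"/FTS_*.ibd; do
        [ -e "$f" ] || continue            # glob matched nothing
        found=1
        if [ ! -s "$f" ]; then
            echo "EMPTY     $f"; status=1  # an empty file proves nothing
        elif LC_ALL=C grep -q infimum "$f"; then
            echo "PLAINTEXT $f"; status=1  # same marker as the manual grep
        else
            echo "ok        $f"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no FTS_*.ibd files in $dir" >&2
        return 2
    fi
    return "$status"
}

# Constructed sample data (file names and contents are made up for the demo).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '\001\002\377\200opaque bytes' > "$d/FTS_0000000000000001_CONFIG.ibd"
    printf '\000\000infimum\000supremum'  > "$d/FTS_0000000000000001_DELETED.ibd"
    : > "$d/FTS_0000000000000001_BEING_DELETED.ibd"
    echo "$d"
}

# Usage (hypothetical script name):
#   sh check_fts.sh var/log/encryption.encrypt_and_grep-*/mysqld.1/data/test
if [ "$#" -gt 0 ]; then
    check_fts_encrypted "$1"
fi
```

A missing `infimum` string is the same heuristic as the manual grep, so a return code of 0 means "no plaintext marker found", not a proof of encryption; return code 2 guards against the check silently passing when no auxiliary files were created.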



 Comments   
Comment by Marko Mäkelä [ 2023-04-11 ]

I see that some test was added in MDEV-8708, but it does not check that the files are actually encrypted.

Because FLUSH TABLES…FOR EXPORT will not work on InnoDB tables that contain FULLTEXT INDEX, it is a bit tricky to check that the data is actually encrypted.

I think that we can live without this extra check in the encryption test suite.
