From 384542e0fe0b15305e79fd2b911d69f6b73da5b7 Mon Sep 17 00:00:00 2001
From: Carlos Salguero
Date: Wed, 11 Apr 2018 15:20:15 -0300
Subject: [PATCH 1/4] PT-1530 WIP
---
 sandbox/servers/start | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/sandbox/servers/start b/sandbox/servers/start
index d30b1e32..5beeb1f3 100755
--- a/sandbox/servers/start
+++ b/sandbox/servers/start
@@ -51,14 +51,32 @@ echo -n "Starting MySQL test server on port PORT... "
 cwd=$PWD
 cd $BASEDIR
-init_file="TMP_DIR/PORT/mysql-init"
-if [ -e $init_file ]; then
- $BASEDIR/MYSQLD --defaults-file=TMP_DIR/PORT/my.sandbox.cnf -u root --init-file $init_file &
-else
- $BASEDIR/MYSQLD --defaults-file=TMP_DIR/PORT/my.sandbox.cnf > /dev/null 2>&1 &
+plugins=""
+pluginsparam=""
+plugindirparam=""
+
+echo "basedir $BASEDIR"
+if [ -e "${BASEDIR}/lib/mysql/plugin/keyring_file.so" ]; then
+ plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
+ plugindirparam="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
+fi
+
+if [ ! -z "$plugins" ]; then
+ pluginsparam="--early-plugin-load"
+fi
+
+echo "plugins: $plugins"
+echo "pluginsparam: $pluginsparam"
+
+init_file="/tmp/12345/mysql-init"
+if [ -e $init_file ]; then
+ $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf -u root --init-file $init_file $pluginsparam &
+else
+ $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf $pluginsparam $plugins $plugindirparam > /dev/null 2>&1 &
 fi
 cd $PWD
+
 # Wait for MySQL to actually be up, i.e. to respond to queries.
 for i in $(_seq 60); do
 if sandbox_is_alive; then
From 5d74b0e76563041de6daf55daf308f11bdce9b3f Mon Sep 17 00:00:00 2001
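Review bot: Hard-coding `/tmp/12345` and `bin/mysqld` where the removed lines used `TMP_DIR/PORT` and `MYSQLD` means a sandbox created for any other port or temp directory would be started against port 12345's `my.sandbox.cnf` and init file; the context line `port PORT` suggests these tokens are substituted when the sandbox is generated. Keep the placeholders, e.g. `init_file="TMP_DIR/PORT/mysql-init"` and `$BASEDIR/MYSQLD --defaults-file=TMP_DIR/PORT/my.sandbox.cnf`, and only append the plugin options to those lines. Patch 4/4 restores `PORT` but still leaves `/tmp` and `bin/mysqld` literal. On the init-file branch `$pluginsparam` is passed as a bare `--early-plugin-load` with no library name or plugin directory.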
From: Carlos Salguero
Date: Thu, 12 Apr 2018 10:21:25 -0300
Subject: [PATCH 2/4] PT-1530 WIP Added encryption plugins to sandbox start In order to be able to test encryption support in Percona Server and MySQL, we need to enable encription plugins in the sandbox. This commit adds detection of plugin libraries in the MySQL binaries directory and enables it automatically.
---
 sandbox/servers/start | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/sandbox/servers/start b/sandbox/servers/start
index 5beeb1f3..703fc18b 100755
--- a/sandbox/servers/start
+++ b/sandbox/servers/start
@@ -51,32 +51,30 @@ echo -n "Starting MySQL test server on port PORT... "
 cwd=$PWD
 cd $BASEDIR
-plugins=""
-pluginsparam=""
-plugindirparam=""
+encryption_plugins=""
+plugins_dir_cmd=""
+
+plugins_cmd=""
+keyring_cmd=""
-echo "basedir $BASEDIR"
 if [ -e "${BASEDIR}/lib/mysql/plugin/keyring_file.so" ]; then
- plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
- plugindirparam="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
+ encryption_plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
 fi
-if [ ! -z "$plugins" ]; then
- pluginsparam="--early-plugin-load"
+if [ ! -z "$encryption_plugins" ]; then
+ plugins_cmd="--early-plugin-load=${encryption_plugins}"
+ keyring_cmd="--keyring_file_data=/tmp/PORT/data/keyring"
+ plugins_dir_cmd="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
 fi
-echo "plugins: $plugins"
-echo "pluginsparam: $pluginsparam"
-
 init_file="/tmp/12345/mysql-init"
 if [ -e $init_file ]; then
- $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf -u root --init-file $init_file $pluginsparam &
+ $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf -u root --init-file $init_file $plugins_cmd $plugins_dir_cmd $keyring_cmd &
 else
- $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf $pluginsparam $plugins $plugindirparam > /dev/null 2>&1 &
+ $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf --keyring_file_data=/tmp/12345/data/keyring $plugins_cmd $plugins_dir_cmd $keyring_cmd > /dev/null 2>&1 &
 fi
 cd $PWD
-
 # Wait for MySQL to actually be up, i.e. to respond to queries.
 for i in $(_seq 60); do
 if sandbox_is_alive; then
From 263edd7a44b87e1f8b8e03a459b375ca8d592794 Mon Sep 17 00:00:00 2001
From: Carlos Salguero
Date: Thu, 12 Apr 2018 12:06:59 -0300
Subject: [PATCH 3/4] PT-1530 WIP sandbox scripts
---
 sandbox/servers/start | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/sandbox/servers/start b/sandbox/servers/start
index 703fc18b..2be87878 100755
--- a/sandbox/servers/start
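Review bot: The `else` branch passes `--keyring_file_data=/tmp/12345/data/keyring` unconditionally and then a second time through `$keyring_cmd`, so mysqld is handed a keyring option even when `keyring_file.so` was not found; the server would likely refuse the unknown variable, and because this branch sends output to `/dev/null` the only symptom would be the wait loop timing out. Drop the literal and rely on `$keyring_cmd`, which stays empty when the plugin is absent. The keyring location also deserves a comment where `keyring_cmd` is set, for example `# test-only: keyring_file keeps the key in a plain file beside the sandbox data under /tmp`, since that layout gives the encrypted tablespaces no real protection on a shared host. The same `keyring_cmd` line returns in the sandbox/servers/start hunk of patch 4/4.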
+++ b/sandbox/servers/start
@@ -57,15 +57,15 @@ plugins_dir_cmd=""
 plugins_cmd=""
 keyring_cmd=""
-if [ -e "${BASEDIR}/lib/mysql/plugin/keyring_file.so" ]; then
- encryption_plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
-fi
-
-if [ ! -z "$encryption_plugins" ]; then
- plugins_cmd="--early-plugin-load=${encryption_plugins}"
- keyring_cmd="--keyring_file_data=/tmp/PORT/data/keyring"
- plugins_dir_cmd="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
-fi
+# if [ -e "${BASEDIR}/lib/mysql/plugin/keyring_file.so" ]; then
+# encryption_plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
+# fi
+#
+# if [ ! -z "$encryption_plugins" ]; then
+# plugins_cmd="--early-plugin-load=${encryption_plugins}"
+# keyring_cmd="--keyring_file_data=/tmp/PORT/data/keyring"
+# plugins_dir_cmd="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
+# fi
 init_file="/tmp/12345/mysql-init"
 if [ -e $init_file ]; then
From 3eccfcef4d57a27a254c210f8c19fb6402ac5f80 Mon Sep 17 00:00:00 2001
From: Carlos Salguero
Date: Fri, 13 Apr 2018 15:08:10 -0300
Subject: [PATCH 4/4] PT-1530 Add support for encryption status to mysql-summary
---
 Changelog | 1 +
 bin/pt-mysql-summary | 39 +++++++++++++++++++++++++++++++++++
 lib/bash/report_mysql_info.sh | 39 +++++++++++++++++++++++++++++++++++
 sandbox/servers/start | 24 ++++++++++-----------
 4 files changed, 91 insertions(+), 12 deletions(-)
diff --git a/Changelog b/Changelog
index f5edf00e..d6443b39 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,7 @@ Changelog for Percona Toolkit v3.0.9
+ * Feature PT-1530 : Add support for encryption status to mysql-summary
 * Feature PT-1526 : Add ndb status to pt-mysql-summary (Thanks Fernando Ipar)
 * Feature PT-1525 : Added support for MySQL 8 roles into pt-mysql-summary
 * Feature PT-1509 : Only set binlog_format when necessary (Thanks Moritz Lenz)
diff --git a/bin/pt-mysql-summary b/bin/pt-mysql-summary
index 586a9a2b..172717e1 100755
--- a/bin/pt-mysql-summary
+++ b/bin/pt-mysql-summary
@@ -1177,6 +1177,15 @@ get_plugin_status () {
 echo ${status:-"Not found"}
 }
+collect_keyring_plugins() {
+ $CMD_MYSQL $EXT_ARGV --table -ss -e 'SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE "keyring%";'
+}
+
+collect_encrypted_tables() {
+ $CMD_MYSQL $EXT_ARGV --table -ss -e "SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION=\"Y\"%';"
+}
+
+
 _NO_FALSE_NEGATIVES=""
 parse_mysqld_instances () {
@@ -1598,6 +1607,29 @@ format_ndb_status() {
 egrep '^[ \t]*Name:|[ \t]*Status:' $file|sed 's/^[ \t]*//g'|while read line; do echo $line; echo $line | grep '^Status:'>/dev/null && echo ; done
 }
+format_keyring_plugins() {
+ local keyring_plugins="$1"
+ local encrypted_tables="$2"
+
+ if [ -z "$keyring_plugins" ]; then
+ echo "No keyring plugins found"
+ if [ ! -z "$encrypted_tables" ]; then
+ echo "Warning! There are encrypted tables but keyring plugins are not loaded"
+ fi
+ else
+ echo "Keyring plugins:"
+ echo "'$keyring_plugins'"
+ fi
+}
+
+format_encrypted_tables() {
+ local encrypted_tables="$1"
+ if [ ! -z "$encrypted_tables" ]; then
+ echo "Encrypted tables:"
+ echo "$encrypted_tables"
+ fi
+}
+
 format_mysql_roles() {
 local file=$1
 [ -e "$file" ] || return
@@ -2475,6 +2507,13 @@ report_mysql_summary () {
 format_mysql_roles "$dir/mysql-roles"
 fi
+ section "Encryption"
+ local keyring_plugins="$(collect_keyring_plugins)"
+ local encrypted_tables="$(collect_encrypted_tables)"
+
+ format_keyring_plugins "$keyring_plugins" "$encrypted_tables"
+ format_encrypted_tables "$encrypted_tables"
+
 section "Binary Logging"
 if [ -s "$dir/mysql-master-logs" ] \
diff --git a/lib/bash/report_mysql_info.sh b/lib/bash/report_mysql_info.sh
index 23670108..62ae1586 100644
--- a/lib/bash/report_mysql_info.sh
+++ b/lib/bash/report_mysql_info.sh
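Review bot: In `collect_keyring_plugins` (bin/pt-mysql-summary, and the identical hunk at @@ -107 in lib/bash/report_mysql_info.sh) the pattern is a double-quoted SQL literal, `LIKE "keyring%"`, which a server running with `ANSI_QUOTES` in `sql_mode` parses as an identifier, so the query fails and the report falls back to "No keyring plugins found". Use single quotes as `collect_encrypted_tables` already does, with the shell string double-quoted: `... WHERE PLUGIN_NAME LIKE 'keyring%';`. `collect_encrypted_tables` matches only the exact text `ENCRYPTION="Y"` in `CREATE_OPTIONS`; a server version that renders the option differently would be reported as having no encrypted tables, so the pattern is worth checking against each supported version.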
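Review bot: `format_keyring_plugins` (hunk @@ -1598 in bin/pt-mysql-summary, repeated at @@ -565 in lib/bash/report_mysql_info.sh) treats an empty `$keyring_plugins` as proof that no plugin exists, but the string is also empty when the query itself failed, so the summary can state "No keyring plugins found" for a server that has one. The non-empty branch never inspects the `PLUGIN_STATUS` column that was selected, so a plugin that is listed but not active suppresses the warning about encrypted tables. `echo "'$keyring_plugins'"` also wraps the table in literal single quotes, which looks like leftover debugging; `echo "$keyring_plugins"` would match `format_encrypted_tables`.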
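Review bot: Querying the live server from inside `report_mysql_summary` (hunk @@ -2475 in bin/pt-mysql-summary, repeated at @@ -1533 in lib/bash/report_mysql_info.sh) breaks the pattern of the neighbouring sections, which format files already saved under `$dir` (`$dir/mysql-roles`, `$dir/mysql-master-logs`). A report regenerated from saved files would either contact whatever server `$CMD_MYSQL` points at or print an empty "Encryption" section; writing both result sets to files under `$dir` during collection and formatting those would keep the collect/report split. `local keyring_plugins="$(collect_keyring_plugins)"` also discards the command's exit status, so declare with `local keyring_plugins` and assign on a separate line if a failed query should be detectable. `report_mysql_summary` begins and ends outside the hunk.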
@@ -107,6 +107,15 @@ get_plugin_status () {
 echo ${status:-"Not found"}
 }
+collect_keyring_plugins() {
+ $CMD_MYSQL $EXT_ARGV --table -ss -e 'SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE "keyring%";'
+}
+
+collect_encrypted_tables() {
+ $CMD_MYSQL $EXT_ARGV --table -ss -e "SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS FROM INFORMATION_SCHEMA.TABLES WHERE CREATE_OPTIONS LIKE '%ENCRYPTION=\"Y\"%';"
+}
+
+
 # ##############################################################################
 # Functions for parsing specific files and getting desired info from them.
 # These are called from within main() and are separated so they can be tested
@@ -565,6 +574,29 @@ format_ndb_status() {
 egrep '^[ \t]*Name:|[ \t]*Status:' $file|sed 's/^[ \t]*//g'|while read line; do echo $line; echo $line | grep '^Status:'>/dev/null && echo ; done
 }
+format_keyring_plugins() {
+ local keyring_plugins="$1"
+ local encrypted_tables="$2"
+
+ if [ -z "$keyring_plugins" ]; then
+ echo "No keyring plugins found"
+ if [ ! -z "$encrypted_tables" ]; then
+ echo "Warning! There are encrypted tables but keyring plugins are not loaded"
+ fi
+ else
+ echo "Keyring plugins:"
+ echo "'$keyring_plugins'"
+ fi
+}
+
+format_encrypted_tables() {
+ local encrypted_tables="$1"
+ if [ ! -z "$encrypted_tables" ]; then
+ echo "Encrypted tables:"
+ echo "$encrypted_tables"
+ fi
+}
+
 format_mysql_roles() {
 local file=$1
 [ -e "$file" ] || return
@@ -1533,6 +1565,13 @@ report_mysql_summary () {
 format_mysql_roles "$dir/mysql-roles"
 fi
+ section "Encryption"
+ local keyring_plugins="$(collect_keyring_plugins)"
+ local encrypted_tables="$(collect_encrypted_tables)"
+
+ format_keyring_plugins "$keyring_plugins" "$encrypted_tables"
+ format_encrypted_tables "$encrypted_tables"
+
 # ########################################################################
 # Binary Logging
 # ########################################################################
diff --git a/sandbox/servers/start b/sandbox/servers/start
index 2be87878..15f9afe9 100755
--- a/sandbox/servers/start
+++ b/sandbox/servers/start
@@ -57,21 +57,21 @@ plugins_dir_cmd=""
 plugins_cmd=""
 keyring_cmd=""
-# if [ -e "${BASEDIR}/lib/mysql/plugin/keyring_file.so" ]; then
-# encryption_plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
-# fi
-#
-# if [ ! -z "$encryption_plugins" ]; then
-# plugins_cmd="--early-plugin-load=${encryption_plugins}"
-# keyring_cmd="--keyring_file_data=/tmp/PORT/data/keyring"
-# plugins_dir_cmd="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
-# fi
+if [ -e "${BASEDIR}/lib/mysql/plugin/keyring_file.so" ]; then
+ encryption_plugins="${BASEDIR}/lib/mysql/plugin/keyring_file.so"
+fi
-init_file="/tmp/12345/mysql-init"
+if [ ! -z "$encryption_plugins" ]; then
+ plugins_cmd="--early-plugin-load=${encryption_plugins}"
+ keyring_cmd="--keyring_file_data=/tmp/PORT/data/keyring"
+ plugins_dir_cmd="--plugin-dir=${BASEDIR}/lib/mysql/plugin/"
+fi
+
+init_file="/tmp/PORT/mysql-init"
 if [ -e $init_file ]; then
- $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf -u root --init-file $init_file $plugins_cmd $plugins_dir_cmd $keyring_cmd &
+ $BASEDIR/bin/mysqld --defaults-file=/tmp/PORT/my.sandbox.cnf -u root --init-file $init_file $plugins_cmd $plugins_dir_cmd $keyring_cmd &
 else
- $BASEDIR/bin/mysqld --defaults-file=/tmp/12345/my.sandbox.cnf --keyring_file_data=/tmp/12345/data/keyring $plugins_cmd $plugins_dir_cmd $keyring_cmd > /dev/null 2>&1 &
+ $BASEDIR/bin/mysqld --defaults-file=/tmp/PORT/my.sandbox.cnf $plugins_cmd $plugins_dir_cmd $keyring_cmd > /dev/null 2>&1 &
 fi
 cd $PWD
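Review bot: `plugins_cmd="--early-plugin-load=${encryption_plugins}"` hands mysqld an absolute path, while the MySQL manual describes the option value as a library file name that is looked up in `plugin_dir`; if the server rejects a name containing a path, the keyring plugin never loads. Because the `else` branch discards stdout and stderr, that failure would be invisible here and the new pt-mysql-summary section would simply report no keyring plugins. Consider `plugins_cmd="--early-plugin-load=keyring_file.so"` alongside the existing `--plugin-dir` option, and confirm the behaviour on the server versions the sandbox targets. The same assignment first appears in patch 2/4.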