Ensure InnoDB session temporary tablespaces are covered by innodb_temp_tablespace_encrypt

General

Escalation

General

Escalation

Description

Our innodb_temp_tablespace_encrypt feature should handle session temporary tablespaces as introduced in 8.0.13 by WL#11613.

Upstream commits:
d53d652e0a1 WL#11613 InnoDB: Reclaim disk space occupied by temporary tables online
0f05c2706b7 WL#11613: InnoDB: Reclaim disk space occupied by temporary tables online

New rules:

New rules for CREATE TEMPORARY:

encryption attribute(ENCRYPTION="Y"/"N") disallowed
tablespace attribute (TABLESPACE=innodb_temporary) disallowed

innodb_temp_tablespace_encrypt = OFF (startup)

ibtmp1 unencrypted (only undo logs go to ibtmp1)
temp table and intrinsic temp tables go to unencrypted session temporary tablespace
innodb_encrypt_tables = ON/FORCE, tables go to encrypted session temporary tablespace

innodb_temp_tablespace_encrypt=ON (startup)

ibtmp1 encrypted (only undo logs go to ibtmp1)
temp table and intrinsic temp tables go to encrypted session temp
innodb_encrypt_tables = ON/FORCE, tables go to encrypted session temporary tablespace

Changing innodb_temp_tablespace_encrypt from ON to OFF dynamically doesn't unencrypt existing data. Similarly chaning innodb_temp_tablespace_encrypt OFF to ON doesn't encrypt existing data. The variable at runtime is only about future writes. See https://jira.percona.com/browse/PS-3821 for more details

Environment

None

Linked work items

causes

PS-5184

Warning regressions from PS-5153

PS-5188

Cannot allocate temporary tablespace for current session if innodb_encrypt_tables = keyring_on | keyring_force | online_to_keyring | online_to_keyring_force | online_from_keyring_to_unencrypted

is blocked by

PS-5774

innodb_tablespace does not show correct encryption status for innodb_temporary

PS-5777

make innodb_temp_tablespace_encrypt perform encryption/decryption at page level for existing data as well

Activity

Satya Bodapati

June 24, 2019 at 10:32 AM

(edited)

And to answer zsolt's question, temp tablespace Pool expansion and the tablespace types in Pool has no relation to whether a tablespace is encrypted or not.

Satya Bodapati

June 24, 2019 at 10:31 AM

There was a question from @Zsolt Parragi on how the pool would look like when innodb_encrypt_tables is changed ON to OFF and OFF to ON dynamically?

Few points to keep in mind

if innodb_temp_tablespace_encrypt is ON, innodb_encrypt_tables is irrelevant. Session will always get encrypted session temp tablespace
if innodb_temp_tablespace_encrypt is OFF, innodb_encrypt_table value matters. innodb_encrypt_tables = OFF ? unencrypted session temp tablespace else encrypted session temp tablespace (ON/FORCE)
All tablespaces in session temporary tablespace pool are always unencrypted.
A session can have max 4 types of tablespace attached
INTRINSIC, USER, "INSTRINSIC ENCRYPTED", "USER ENCRYPTED"
A session can have all these four types attached

How sessions get encrypted temp tablespace from a unencrypted session temp tablespace pool?

As noted above, all tablespace in session temp tabelspace pool are unencrypted. When a session request a tablespace, it first check if there is encrypted tablespace attached already. If so, it will use that.

IF an encrypted tablespace is not attached, it will get an unencrypted tablespace from pool and encrypts it (write encryption headers). All further writes to this tablespace will be encrypted.

How an encrypted temp tablespace from session return to a pool of unencrypted tablespaces?

On session disconnect, temp tablespace is truncated and recreated. So the tablespace is unencrypted now and returned to pool.

Laurynas Biveinis

December 18, 2018 at 2:04 PM

https://perconadev.atlassian.net/browse/PS-5176#icft=PS-5176 for docs

Resize issue view side panel