Ensure InnoDB session temporary tablespaces are covered by innodb_temp_tablespace_encrypt
Activity

Satya Bodapati June 24, 2019 at 10:32 AM (Edited)
And to answer Zsolt's question, temp tablespace pool expansion and the tablespace types in the pool have no relation to whether a tablespace is encrypted or not.

Satya Bodapati June 24, 2019 at 10:31 AM
There was a question from on how the pool would look like when innodb_encrypt_tables is changed ON to OFF and OFF to ON dynamically?
Few points to keep in mind:
- If innodb_temp_tablespace_encrypt is ON, innodb_encrypt_tables is irrelevant. The session will always get an encrypted session temp tablespace.
- If innodb_temp_tablespace_encrypt is OFF, the innodb_encrypt_tables value matters. innodb_encrypt_tables = OFF ? unencrypted session temp tablespace else encrypted session temp tablespace (ON/FORCE)
- All tablespaces in the session temporary tablespace pool are always unencrypted.
- A session can have max 4 types of tablespace attached: INTRINSIC, USER, "INTRINSIC ENCRYPTED", "USER ENCRYPTED". A session can have all these four types attached.

How do sessions get an encrypted temp tablespace from an unencrypted session temp tablespace pool?
As noted above, all tablespaces in the session temp tablespace pool are unencrypted. When a session requests a tablespace, it first checks if there is an encrypted tablespace attached already. If so, it will use that.
If an encrypted tablespace is not attached, it will get an unencrypted tablespace from the pool and encrypt it (write encryption headers). All further writes to this tablespace will be encrypted.

How does an encrypted temp tablespace from a session return to a pool of unencrypted tablespaces?
On session disconnect, the temp tablespace is truncated and recreated. So the tablespace is unencrypted now and returned to the pool.

Laurynas Biveinis December 18, 2018 at 2:04 PM
for docs
Details
Assignee: Satya Bodapati
Reporter: Laurynas Biveinis (Deactivated)
Time tracking: 1h 34m logged
Priority: High

Our innodb_temp_tablespace_encrypt feature should handle session temporary tablespaces as introduced in 8.0.13 by WL#11613.
Upstream commits:
d53d652e0a1 WL#11613 InnoDB: Reclaim disk space occupied by temporary tables online
0f05c2706b7 WL#11613: InnoDB: Reclaim disk space occupied by temporary tables online
New rules:

New rules for CREATE TEMPORARY:
- encryption attribute (ENCRYPTION="Y"/"N") disallowed
- tablespace attribute (TABLESPACE=innodb_temporary) disallowed

innodb_temp_tablespace_encrypt = OFF (startup)
- ibtmp1 unencrypted (only undo logs go to ibtmp1)
- temp tables and intrinsic temp tables go to unencrypted session temporary tablespace
- innodb_encrypt_tables = ON/FORCE, tables go to encrypted session temporary tablespace

innodb_temp_tablespace_encrypt = ON (startup)
- ibtmp1 encrypted (only undo logs go to ibtmp1)
- temp tables and intrinsic temp tables go to encrypted session temporary tablespace
- innodb_encrypt_tables = ON/FORCE, tables go to encrypted session temporary tablespace

Changing innodb_temp_tablespace_encrypt from ON to OFF dynamically doesn't unencrypt existing data. Similarly, changing innodb_temp_tablespace_encrypt from OFF to ON doesn't encrypt existing data. The variable at runtime is only about future writes. See https://jira.percona.com/browse/PS-3821 for more details.
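
The rules above and the pool behaviour described in the comments, written as a small Python model. This is an added example, not Percona Server code: the class, function and temp_N.ibt names are constructed, and keeping an already attached unencrypted tablespace after a variable flips is an assumption drawn from "only about future writes".

```python
from dataclasses import dataclass, field

def wants_encryption(temp_tablespace_encrypt: bool, encrypt_tables: str) -> bool:
    """innodb_temp_tablespace_encrypt=ON always wins; otherwise
    innodb_encrypt_tables decides (ON/FORCE means encrypted)."""
    return temp_tablespace_encrypt or encrypt_tables.upper() in ("ON", "FORCE")

@dataclass
class Tablespace:
    name: str
    encrypted: bool = False          # pool members are always unencrypted

@dataclass
class Session:
    pool: list
    attached: dict = field(default_factory=dict)   # purpose -> Tablespace

    def get_tablespace(self, kind, temp_tablespace_encrypt, encrypt_tables):
        """kind is 'INTRINSIC' or 'USER'; returns what the next write would use."""
        enc = wants_encryption(temp_tablespace_encrypt, encrypt_tables)
        purpose = f"{kind} ENCRYPTED" if enc else kind
        if purpose not in self.attached:
            # Pool expansion is independent of encryption state.
            ts = self.pool.pop() if self.pool else Tablespace("temp_new.ibt")
            ts.encrypted = enc       # models "write encryption headers"
            self.attached[purpose] = ts
        return purpose, self.attached[purpose]

    def disconnect(self):
        """Truncate and recreate: everything returns to the pool unencrypted."""
        for ts in self.attached.values():
            ts.encrypted = False
            self.pool.append(ts)
        self.attached.clear()

def demo():
    pool = [Tablespace(f"temp_{i}.ibt") for i in range(1, 11)]   # constructed names
    s, seen = Session(pool), []
    # Constructed sequence: both variables flipped dynamically within one session.
    for kind, tte, iet in [("USER", False, "OFF"), ("USER", False, "ON"),
                           ("INTRINSIC", True, "OFF"), ("INTRINSIC", False, "OFF"),
                           ("USER", True, "OFF")]:
        purpose, ts = s.get_tablespace(kind, tte, iet)
        seen.append((purpose, ts.name, ts.encrypted))
    attached = sorted(s.attached)
    s.disconnect()
    return seen, attached, all(not t.encrypted for t in pool), len(pool)

if __name__ == "__main__":
    print(demo())
```

In the model, data written before a variable flips stays in the unencrypted tablespace for the life of the session, so a dynamic change is not a substitute for setting the variable at startup.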