diff --git a/plugin/hashicorp_key_management/hashicorp_key_management.cnf b/plugin/hashicorp_key_management/hashicorp_key_management.cnf
index 92e84094a30b8..c82f9ec4ecd52 100644
--- a/plugin/hashicorp_key_management/hashicorp_key_management.cnf
+++ b/plugin/hashicorp_key_management/hashicorp_key_management.cnf
@@ -61,35 +61,6 @@ #
 #hashicorp-key-management-caching-enabled="on"
-#
-# This parameter instructs the plugin to use the key values
-# or version numbers taken from the cache in the event of a
-# timeout when accessing the vault server. By default this
-# option is disabled.
-#
-# Please note that key values or version numbers will be read
-# from the cache when the timeout expires only after the number
-# of attempts to read them from the storage server that specified
-# by the hashicorp-key-management-retries parameter has been
-# exhausted:
-#
-#hashicorp-key-management-use-cache-on-timeout="off"
-
-#
-# The time (in milliseconds) after which the value of the key
-# stored in the cache becomes invalid and an attempt to read this
-# data causes a new request send to the vault server. By default,
-# cache entries become invalid after 60,000 milliseconds (after
-# one minute).
-#
-# If the value of this parameter is zero, then the keys will always
-# be considered invalid, but they still can be used if the vault
-# server is unavailable and the corresponding cache operating mode
-# (--[loose-]hashicorp-key-management-use-cache-on-timeout="on")
-# is enabled.
-#
-#hashicorp-key-management-cache-timeout=0
-
 #
 # The time (in milliseconds) after which the information about
 # latest version number of the key (which stored in the cache)
@@ -97,14 +68,11 @@ # a new request send to the vault server.
 #
 # If the value of this parameter is zero, then information about
-# latest key version numbers is always considered invalid, unless
-# there is no communication with the vault server and use of the
-# cache is allowed when the server is unavailable.
+# latest key version numbers is always considered invalid.
 #
 # By default, this parameter is zero, that is, the latest version
 # numbers for the keys stored in the cache are considered always
-# invalid, except when the vault server is unavailable and use
-# of the cache is allowed on server failures.
+# invalid.
 #
 #hashicorp-key-management-cache-version-timeout=0
diff --git a/plugin/hashicorp_key_management/hashicorp_key_management.txt b/plugin/hashicorp_key_management/hashicorp_key_management.txt
index 674c455dfd7a7..58a18550628bf 100644
--- a/plugin/hashicorp_key_management/hashicorp_key_management.txt
+++ b/plugin/hashicorp_key_management/hashicorp_key_management.txt
@@ -129,33 +129,6 @@ operation:
 the Hashicorp Vault server in the local memory). By default caching is enabled.
---[loose-]hashicorp-key-management-use-cache-on-timeout="on"|"off"
-
- This parameter instructs the plugin to use the key values
- or version numbers taken from the cache in the event of a
- timeout when accessing the vault server. By default this
- option is disabled.
-
- Please note that key values or version numbers will be read
- from the cache when the timeout expires only after the number
- of attempts to read them from the storage server that specified
- by the --[loose-]hashicorp-key-management-retries parameter
- has been exhausted.
-
---[loose-]hashicorp-key-management-cache-timeout=
-
- The time (in milliseconds) after which the value of the key
- stored in the cache becomes invalid and an attempt to read this
- data causes a new request send to the vault server. By default,
- cache entries become invalid after 60,000 milliseconds (after
- one minute).
-
- If the value of this parameter is zero, then the keys will always
- be considered invalid, but they still can be used if the vault
- server is unavailable and the corresponding cache operating mode
- (--[loose-]hashicorp-key-management-use-cache-on-timeout="on")
- is enabled.
-
 --[loose-]hashicorp-key-management-cache-version-timeout=
 The time (in milliseconds) after which the information about
@@ -164,14 +137,11 @@ operation:
 a new request send to the vault server.
 If the value of this parameter is zero, then information about
- latest key version numbers is always considered invalid, unless
- there is no communication with the vault server and use of the
- cache is allowed when the server is unavailable.
+ latest key version numbers is always considered invalid.
 By default, this parameter is zero, that is, the latest version
 numbers for the keys stored in the cache are considered always
- invalid, except when the vault server is unavailable and use
- of the cache is allowed on server failures.
+ invalid.
 --[loose-]hashicorp-key-management-check-kv-version="on"|"off"
diff --git a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
index 5f44b27d33c55..b3d0e8be90b48 100644
--- a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
+++ b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc
@@ -164,7 +164,6 @@ class HCData
 static HCData data;
 static bool loaded= true;
-static clock_t cache_max_time;
 static clock_t cache_max_ver_time;
 /*
@@ -254,17 +253,11 @@ unsigned int
 #if HASHICORP_DEBUG_LOGGING
 my_printf_error(ER_UNKNOWN_ERROR, PLUGIN_ERROR_HEADER
 "cache_get: key_id = %u, key_version = %u, "
- "effective version = %u, key data timestamp = %u, "
- "current time = %u, diff = %u",
+ "effective version = %u",
 ME_ERROR_LOG_ONLY | ME_NOTE, key_id, key_version,
- version, info.timestamp, current_time,
- current_time - info.timestamp);
+ version);
 #endif
 unsigned int length= info.length;
- if (with_timeouts && current_time - info.timestamp > cache_max_time)
- {
- return ENCRYPTION_KEY_VERSION_INVALID;
- }
 unsigned int max_length = *buflen;
 *buflen = length;
 if (max_length >= length)
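Review bot: With the timeout check deleted from cache_get, `with_timeouts` has no remaining use in this hunk and `current_time` was referenced only by the two removed log arguments and the removed condition; cache_get starts before this hunk, so if neither has another use in the rest of the function the parameter and the time lookup should be removed as well, otherwise they survive as dead state and the entry's `info.timestamp` is written but never read. The change also deserves a line of documentation at the lookup, because key data for a given key_id/version is now returned from the cache without any expiry while caching is on, and, as far as this diff shows, only the latest-version lookup remains bounded by cache_version_timeout. A comment such as `// Key data for a (key_id, key_version) pair is cached without expiry; only the "latest version" lookup is bounded by cache_version_timeout.` above `unsigned int length= info.length;` would record that for the next reader.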
@@ -353,10 +346,6 @@ static int timeout;
 static int max_retries;
 static char caching_enabled;
 static char check_kv_version;
-#if MYSQL_VERSION_ID < 130300
-static long long cache_timeout; // for KEY_MAP key_info_cache
-static char use_cache_on_timeout;
-#endif
 static long cache_version_timeout; // for VER_MAP latest_version_cache
 static MYSQL_SYSVAR_STR(vault_ca, vault_ca,
@@ -398,21 +387,6 @@ static MYSQL_SYSVAR_BOOL(check_kv_version, check_kv_version,
 "Enable kv storage version check during plugin initialization",
 NULL, NULL, 1);
-static void cache_timeout_update (MYSQL_THD thd,
- struct st_mysql_sys_var *var,
- void *var_ptr,
- const void *save)
-{
- long long timeout = * (long long *) save;
- * (long long *) var_ptr = timeout;
- cache_max_time = ms_to_ticks(timeout);
-}
-
-static MYSQL_SYSVAR_LONGLONG(cache_timeout, cache_timeout,
- PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_DEPRECATED,
- "Cache timeout for key data (in milliseconds)",
- NULL, cache_timeout_update, INT64_MAX, 0, INT64_MAX, 1);
-
 static void cache_version_timeout_update (MYSQL_THD thd,
 struct st_mysql_sys_var *var,
@@ -429,12 +403,6 @@ static MYSQL_SYSVAR_LONG(cache_version_timeout, cache_version_timeout,
 "Cache timeout for key version (in milliseconds)",
 NULL, cache_version_timeout_update, 60*1000, 0, LONG_MAX, 1);
-static MYSQL_SYSVAR_BOOL(use_cache_on_timeout, use_cache_on_timeout,
- PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_DEPRECATED,
- "In case of an error when accessing the vault server "
- "use the value taken from the cache",
- NULL, NULL, 1);
-
 static struct st_mysql_sys_var *settings[] = {
 MYSQL_SYSVAR(vault_url),
 MYSQL_SYSVAR(token),
@@ -442,9 +410,7 @@ static struct st_mysql_sys_var *settings[] = {
 MYSQL_SYSVAR(timeout),
 MYSQL_SYSVAR(max_retries),
 MYSQL_SYSVAR(caching_enabled),
-MYSQL_SYSVAR(cache_timeout),
 MYSQL_SYSVAR(cache_version_timeout),
-MYSQL_SYSVAR(use_cache_on_timeout),
 MYSQL_SYSVAR(check_kv_version),
 NULL
 };
@@ -759,7 +725,7 @@ unsigned int HCData::get_latest_version (unsigned int key_id)
 size_t buf_len = vault_url_len + (20 + 6 + 1);
 char *url = (char *) alloca(buf_len);
 snprintf(url, buf_len, "%s%u", vault_url_data, key_id);
- bool use_cache= caching_enabled && use_cache_on_timeout;
+ bool use_cache= caching_enabled;
 int rc;
 if ((rc= curl_run(url, &response_str, use_cache)) != OPERATION_OK)
 {
@@ -841,7 +807,7 @@ unsigned int HCData::get_key_from_vault (unsigned int key_id,
 vault_url_data, key_id, key_version);
 else
 snprintf(url, buf_len, "%s%u", vault_url_data, key_id);
- bool use_cache= caching_enabled && use_cache_on_timeout;
+ bool use_cache= caching_enabled;
 int rc;
 if ((rc= curl_run(url, &response_str, use_cache)) != OPERATION_OK)
 {
@@ -1162,7 +1128,6 @@ int HCData::init ()
 }
 memcpy(vault_url_data, vault_url, vault_url_len);
 memcpy(vault_url_data + vault_url_len, "/data/", 7);
- cache_max_time = ms_to_ticks(cache_timeout);
 cache_max_ver_time = ms_to_ticks(cache_version_timeout);
 /* Initialize curl: */
 CURLcode curl_res = curl_global_init(CURL_GLOBAL_ALL);
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result
index a48c7873a093b..7d43507d55502 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result
+++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result
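Review bot: `use_cache` now collapses to `caching_enabled`, here in get_latest_version and on the identical line in the get_key_from_vault hunk below, so the cache-on-failure path that the removed conjunct could switch off is no longer separable from caching itself; an operator who ran with `use-cache-on-timeout="off"` to force every lookup through the vault gets that fallback silently re-enabled, and the commit message or the .cnf text should say so. The rewritten .cnf/.txt wording for a zero cache-version-timeout ("always considered invalid") also drops the "unless there is no communication with the vault server" caveat, yet `use_cache` is still handed to `curl_run`; if curl_run still serves cached entries when the vault is unreachable (not visible in this diff), that caveat remains true and matters after a key rotation, since a stale latest version would keep being used for the length of an outage. I would keep a one-line comment at the assignment, to be confirmed against curl_run: `// caching_enabled also lets curl_run fall back to cached data when the vault cannot be reached`.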
@@ -1,9 +1,9 @@
 # restart: with restart_parameters
 CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
 INSERT INTO t1 VALUES ('foo'),('bar');
-select @@hashicorp_key_management_caching_enabled, @@hashicorp_key_management_cache_timeout;
-@@hashicorp_key_management_caching_enabled @@hashicorp_key_management_cache_timeout
-1 180000
+select @@hashicorp_key_management_caching_enabled;
+@@hashicorp_key_management_caching_enabled
+1
 CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
 DROP TABLE IF EXISTS t1, t2;
 # restart
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result
index 2e91a7bffa40a..af5a0b639a5cd 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result
+++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result
@@ -1,23 +1,15 @@
 SELECT
-@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT,
-@@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT;
-@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT
-0 180000
+@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT;
+@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT
+0
 SET GLOBAL
-HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1,
-HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT= 1;
-Warnings:
-Warning 1287 '@@hashicorp_key_management_cache_timeout' is deprecated and will be removed in a future release
+HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1;
 SELECT
-@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT,
-@@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT;
-@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT
-1 1
-SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=0, HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT=180000;
-Warnings:
-Warning 1287 '@@hashicorp_key_management_cache_timeout' is deprecated and will be removed in a future release
+@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT;
+@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT
+1
+SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=0;
 SELECT
-@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT,
-@@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT;
-@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT
-0 180000
+@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT;
+@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT
+0
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result
index 6366fb5b7a717..1264acdd661bb 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result
+++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result
@@ -1,12 +1,10 @@
 SHOW GLOBAL variables LIKE "hashicorp%";
 Variable_name Value
-hashicorp_key_management_cache_timeout 9223372036854775807
 hashicorp_key_management_cache_version_timeout 60000
 hashicorp_key_management_caching_enabled ON
 hashicorp_key_management_check_kv_version OFF
 hashicorp_key_management_max_retries 3
 hashicorp_key_management_timeout 60
-hashicorp_key_management_use_cache_on_timeout ON
 hashicorp_key_management_vault_ca
 hashicorp_key_management_vault_url VAULT_ADDR/v1/mariadbtest/
 create table t1(c1 bigint not null, b char(200)) engine=innodb encrypted=yes encryption_key_id=1;
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result
index d782f7e83fddb..0edc10815a5ed 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result
+++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result
@@ -1,12 +1,10 @@
 SHOW GLOBAL variables LIKE "hashicorp%";
 Variable_name Value
-hashicorp_key_management_cache_timeout 9223372036854775807
 hashicorp_key_management_cache_version_timeout 0
 hashicorp_key_management_caching_enabled ON
 hashicorp_key_management_check_kv_version OFF
 hashicorp_key_management_max_retries 3
 hashicorp_key_management_timeout 60
-hashicorp_key_management_use_cache_on_timeout ON
 hashicorp_key_management_vault_ca
 hashicorp_key_management_vault_url VAULT_ADDR/v1/mariadbtest/
 # Restart the server with encryption
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt
index 0a4ff1d59867d..b26e6eec20602 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt
@@ -1,2 +1 @@
---loose-hashicorp-key-management-cache-timeout=180000
 --loose-hashicorp-key-management-cache-version-timeout=180000
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test
index 925e89a3140b3..c1edf3eb9a148 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test
@@ -18,7 +18,7 @@ CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4;
 INSERT INTO t1 VALUES ('foo'),('bar');
-select @@hashicorp_key_management_caching_enabled, @@hashicorp_key_management_cache_timeout;
+select @@hashicorp_key_management_caching_enabled;
 --exec vault secrets disable bug > /dev/null
 --exec vault secrets enable -path /bug -version=2 kv > /dev/null
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt
index cdc590b33ed19..42a8627548369 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt
@@ -1,2 +1 @@
---loose-hashicorp-key-management-cache-timeout=180000
 --loose-hashicorp-key-management-cache-version-timeout=0
diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test
index 61c23d4454893..d82af5ca82ad4 100644
--- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test
+++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test
@@ -3,21 +3,16 @@
 --source hashicorp_plugin.inc
 --source hashicorp_init.inc
---let $ct=`SELECT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT`
 --let $vt=`SELECT @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT`
 SELECT
- @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT,
- @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT;
+ @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT;
 SET GLOBAL
- HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1,
- HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT= 1;
+ HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1;
 SELECT
- @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT,
- @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT;
---eval SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=$vt, HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT=$ct
+ @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT;
+--eval SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=$vt
 SELECT
- @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT,
- @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT;
+ @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT;
 --source hashicorp_deinit.inc