From c1498e81df3fbcf56d182c23f3478d958415d04e Mon Sep 17 00:00:00 2001 From: Bill Jin Date: Thu, 26 Feb 2026 19:43:59 +0000 Subject: [PATCH] MDEV-38244 Remove deprecated hashicorp cache_timeout and use_cache_on_timeout Remove the deprecated system variables cache_timeout and use_cache_on_timeout from the Hashicorp Key Management plugin. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc. --- .../hashicorp_key_management.cnf | 36 +--------------- .../hashicorp_key_management.txt | 34 +-------------- .../hashicorp_key_management_plugin.cc | 43 ++----------------- .../r/hashicorp_cache_after_recreate.result | 6 +-- .../r/hashicorp_cache_timeout_update.result | 30 +++++-------- .../vault/r/hashicorp_encode.result | 2 - .../vault/r/hashicorp_key_rotation_age.result | 2 - .../t/hashicorp_cache_after_recreate.opt | 1 - .../t/hashicorp_cache_after_recreate.test | 2 +- .../t/hashicorp_cache_timeout_update.opt | 1 - .../t/hashicorp_cache_timeout_update.test | 15 +++---- 11 files changed, 28 insertions(+), 144 deletions(-) diff --git a/plugin/hashicorp_key_management/hashicorp_key_management.cnf b/plugin/hashicorp_key_management/hashicorp_key_management.cnf index 92e84094a30b8..c82f9ec4ecd52 100644 --- a/plugin/hashicorp_key_management/hashicorp_key_management.cnf +++ b/plugin/hashicorp_key_management/hashicorp_key_management.cnf 
@@ -61,35 +61,6 @@ # #hashicorp-key-management-caching-enabled="on" -# -# This parameter instructs the plugin to use the key values -# or version numbers taken from the cache in the event of a -# timeout when accessing the vault server. By default this -# option is disabled. -# -# Please note that key values or version numbers will be read -# from the cache when the timeout expires only after the number -# of attempts to read them from the storage server that specified -# by the hashicorp-key-management-retries parameter has been -# exhausted: -# -#hashicorp-key-management-use-cache-on-timeout="off" - -# -# The time (in milliseconds) after which the value of the key -# stored in the cache becomes invalid and an attempt to read this -# data causes a new request send to the vault server. By default, -# cache entries become invalid after 60,000 milliseconds (after -# one minute). -# -# If the value of this parameter is zero, then the keys will always -# be considered invalid, but they still can be used if the vault -# server is unavailable and the corresponding cache operating mode -# (--[loose-]hashicorp-key-management-use-cache-on-timeout="on") -# is enabled. -# -#hashicorp-key-management-cache-timeout=0 - # # The time (in milliseconds) after which the information about # latest version number of the key (which stored in the cache) 
@@ -97,14 +68,11 @@ # a new request send to the vault server. # # If the value of this parameter is zero, then information about -# latest key version numbers is always considered invalid, unless -# there is no communication with the vault server and use of the -# cache is allowed when the server is unavailable. +# latest key version numbers is always considered invalid. # # By default, this parameter is zero, that is, the latest version # numbers for the keys stored in the cache are considered always -# invalid, except when the vault server is unavailable and use -# of the cache is allowed on server failures. +# invalid. # #hashicorp-key-management-cache-version-timeout=0 diff --git a/plugin/hashicorp_key_management/hashicorp_key_management.txt b/plugin/hashicorp_key_management/hashicorp_key_management.txt index 674c455dfd7a7..58a18550628bf 100644 --- a/plugin/hashicorp_key_management/hashicorp_key_management.txt +++ b/plugin/hashicorp_key_management/hashicorp_key_management.txt 
@@ -129,33 +129,6 @@ operation: the Hashicorp Vault server in the local memory). By default caching is enabled. ---[loose-]hashicorp-key-management-use-cache-on-timeout="on"|"off" - - This parameter instructs the plugin to use the key values - or version numbers taken from the cache in the event of a - timeout when accessing the vault server. By default this - option is disabled. - - Please note that key values or version numbers will be read - from the cache when the timeout expires only after the number - of attempts to read them from the storage server that specified - by the --[loose-]hashicorp-key-management-retries parameter - has been exhausted. - ---[loose-]hashicorp-key-management-cache-timeout= - - The time (in milliseconds) after which the value of the key - stored in the cache becomes invalid and an attempt to read this - data causes a new request send to the vault server. By default, - cache entries become invalid after 60,000 milliseconds (after - one minute). - - If the value of this parameter is zero, then the keys will always - be considered invalid, but they still can be used if the vault - server is unavailable and the corresponding cache operating mode - (--[loose-]hashicorp-key-management-use-cache-on-timeout="on") - is enabled. - --[loose-]hashicorp-key-management-cache-version-timeout= The time (in milliseconds) after which the information about 
@@ -164,14 +137,11 @@ operation: a new request send to the vault server. If the value of this parameter is zero, then information about - latest key version numbers is always considered invalid, unless - there is no communication with the vault server and use of the - cache is allowed when the server is unavailable. + latest key version numbers is always considered invalid. By default, this parameter is zero, that is, the latest version numbers for the keys stored in the cache are considered always - invalid, except when the vault server is unavailable and use - of the cache is allowed on server failures. + invalid. --[loose-]hashicorp-key-management-check-kv-version="on"|"off" diff --git a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc index 5f44b27d33c55..b3d0e8be90b48 100644 --- a/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc +++ b/plugin/hashicorp_key_management/hashicorp_key_management_plugin.cc @@ -164,7 +164,6 @@ class HCData static HCData data; static bool loaded= true; -static clock_t cache_max_time; static clock_t cache_max_ver_time; /* @@ -254,17 +253,11 @@ unsigned int #if HASHICORP_DEBUG_LOGGING my_printf_error(ER_UNKNOWN_ERROR, PLUGIN_ERROR_HEADER "cache_get: key_id = %u, key_version = %u, " - "effective version = %u, key data timestamp = %u, " - "current time = %u, diff = %u", + "effective version = %u", ME_ERROR_LOG_ONLY | ME_NOTE, key_id, key_version, - version, info.timestamp, current_time, - current_time - info.timestamp); + version); #endif unsigned int length= info.length; - if (with_timeouts && current_time - info.timestamp > cache_max_time) - { - return ENCRYPTION_KEY_VERSION_INVALID; - } unsigned int max_length = *buflen; *buflen = length; if (max_length >= length) 
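Review bot: In the `cache_get` hunk (@@ -254,17 +253,11), dropping the `current_time - info.timestamp > cache_max_time` test leaves cached key data with no age limit, and nothing in the new code records that this is intentional. The removed sysvar defaulted to `INT64_MAX`, so default installs behave as before, but a deployment that set a finite `cache_timeout` to bound how long key material stays usable from memory loses that bound. A key destroyed in Vault would then presumably remain readable from the cache until the server restarts. I would state this next to the lookup, e.g. `/* Key data never expires; only latest-version info is aged by cache_max_ver_time. */`, and repeat it in the plugin's .txt documentation. The rest of `cache_get` is outside the hunk, so it is worth confirming whether `with_timeouts`, `current_time` and `info.timestamp` are still read on the key-data path or can now be dropped.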
@@ -353,10 +346,6 @@ static int timeout; static int max_retries; static char caching_enabled; static char check_kv_version; -#if MYSQL_VERSION_ID < 130300 -static long long cache_timeout; // for KEY_MAP key_info_cache -static char use_cache_on_timeout; -#endif static long cache_version_timeout; // for VER_MAP latest_version_cache static MYSQL_SYSVAR_STR(vault_ca, vault_ca, @@ -398,21 +387,6 @@ static MYSQL_SYSVAR_BOOL(check_kv_version, check_kv_version, "Enable kv storage version check during plugin initialization", NULL, NULL, 1); -static void cache_timeout_update (MYSQL_THD thd, - struct st_mysql_sys_var *var, - void *var_ptr, - const void *save) -{ - long long timeout = * (long long *) save; - * (long long *) var_ptr = timeout; - cache_max_time = ms_to_ticks(timeout); -} - -static MYSQL_SYSVAR_LONGLONG(cache_timeout, cache_timeout, - PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_DEPRECATED, - "Cache timeout for key data (in milliseconds)", - NULL, cache_timeout_update, INT64_MAX, 0, INT64_MAX, 1); - static void cache_version_timeout_update (MYSQL_THD thd, struct st_mysql_sys_var *var, @@ -429,12 +403,6 @@ static MYSQL_SYSVAR_LONG(cache_version_timeout, cache_version_timeout, "Cache timeout for key version (in milliseconds)", NULL, cache_version_timeout_update, 60*1000, 0, LONG_MAX, 1); -static MYSQL_SYSVAR_BOOL(use_cache_on_timeout, use_cache_on_timeout, - PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_DEPRECATED, - "In case of an error when accessing the vault server " - "use the value taken from the cache", - NULL, NULL, 1); - static struct st_mysql_sys_var *settings[] = { MYSQL_SYSVAR(vault_url), MYSQL_SYSVAR(token), @@ -442,9 +410,7 @@ static struct st_mysql_sys_var *settings[] = { MYSQL_SYSVAR(timeout), MYSQL_SYSVAR(max_retries), MYSQL_SYSVAR(caching_enabled), - MYSQL_SYSVAR(cache_timeout), MYSQL_SYSVAR(cache_version_timeout), - MYSQL_SYSVAR(use_cache_on_timeout), MYSQL_SYSVAR(check_kv_version), NULL }; 
@@ -759,7 +725,7 @@ unsigned int HCData::get_latest_version (unsigned int key_id) size_t buf_len = vault_url_len + (20 + 6 + 1); char *url = (char *) alloca(buf_len); snprintf(url, buf_len, "%s%u", vault_url_data, key_id); - bool use_cache= caching_enabled && use_cache_on_timeout; + bool use_cache= caching_enabled; int rc; if ((rc= curl_run(url, &response_str, use_cache)) != OPERATION_OK) { @@ -841,7 +807,7 @@ unsigned int HCData::get_key_from_vault (unsigned int key_id, vault_url_data, key_id, key_version); else snprintf(url, buf_len, "%s%u", vault_url_data, key_id); - bool use_cache= caching_enabled && use_cache_on_timeout; + bool use_cache= caching_enabled; int rc; if ((rc= curl_run(url, &response_str, use_cache)) != OPERATION_OK) { @@ -1162,7 +1128,6 @@ int HCData::init () } memcpy(vault_url_data, vault_url, vault_url_len); memcpy(vault_url_data + vault_url_len, "/data/", 7); - cache_max_time = ms_to_ticks(cache_timeout); cache_max_ver_time = ms_to_ticks(cache_version_timeout); /* Initialize curl: */ CURLcode curl_res = curl_global_init(CURL_GLOBAL_ALL); diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result index a48c7873a093b..7d43507d55502 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result +++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_after_recreate.result 
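Review bot: `bool use_cache= caching_enabled;` in `get_latest_version` (and again in `get_key_from_vault`, @@ -841,7 +807,7) makes the fall-back to cached data on a vault error unconditional whenever caching is on. A server that ran with `use_cache_on_timeout=off` to fail closed can now keep that behaviour only by disabling the cache entirely. If that option was given with the `--loose-` prefix shown in the documentation, it will most likely be ignored at startup rather than rejected, so the change can go unnoticed. I would add a comment at both sites such as `/* On vault errors fall back to the cache whenever caching is enabled (formerly gated by use_cache_on_timeout). */` and mention the upgrade impact in the release notes. The .cnf and .txt hunks now say version info is "always considered invalid" at zero timeout, while `use_cache` is still passed to `curl_run`. That function is not visible here, but if it still serves cached values on failure, the removed "except when the vault server is unavailable" caveat should stay in the text, reworded around `caching_enabled`.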
@@ -1,9 +1,9 @@ # restart: with restart_parameters CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; INSERT INTO t1 VALUES ('foo'),('bar'); -select @@hashicorp_key_management_caching_enabled, @@hashicorp_key_management_cache_timeout; -@@hashicorp_key_management_caching_enabled @@hashicorp_key_management_cache_timeout -1 180000 +select @@hashicorp_key_management_caching_enabled; +@@hashicorp_key_management_caching_enabled +1 CREATE TABLE t2 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; DROP TABLE IF EXISTS t1, t2; # restart diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result index 2e91a7bffa40a..af5a0b639a5cd 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result +++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_cache_timeout_update.result 
@@ -1,23 +1,15 @@ SELECT -@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT, -@@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT; -@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT -0 180000 +@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT; +@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT +0 SET GLOBAL -HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1, -HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT= 1; -Warnings: -Warning 1287 '@@hashicorp_key_management_cache_timeout' is deprecated and will be removed in a future release +HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1; SELECT -@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT, -@@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT; -@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT -1 1 -SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=0, HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT=180000; -Warnings: -Warning 1287 '@@hashicorp_key_management_cache_timeout' is deprecated and will be removed in a future release +@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT; +@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT +1 +SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=0; SELECT -@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT, -@@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT; -@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT -0 180000 +@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT; +@@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT +0 diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result index 6366fb5b7a717..1264acdd661bb 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result +++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_encode.result 
@@ -1,12 +1,10 @@ SHOW GLOBAL variables LIKE "hashicorp%"; Variable_name Value -hashicorp_key_management_cache_timeout 9223372036854775807 hashicorp_key_management_cache_version_timeout 60000 hashicorp_key_management_caching_enabled ON hashicorp_key_management_check_kv_version OFF hashicorp_key_management_max_retries 3 hashicorp_key_management_timeout 60 -hashicorp_key_management_use_cache_on_timeout ON hashicorp_key_management_vault_ca hashicorp_key_management_vault_url VAULT_ADDR/v1/mariadbtest/ create table t1(c1 bigint not null, b char(200)) engine=innodb encrypted=yes encryption_key_id=1; diff --git a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result index d782f7e83fddb..0edc10815a5ed 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result +++ b/plugin/hashicorp_key_management/mysql-test/vault/r/hashicorp_key_rotation_age.result @@ -1,12 +1,10 @@ SHOW GLOBAL variables LIKE "hashicorp%"; Variable_name Value -hashicorp_key_management_cache_timeout 9223372036854775807 hashicorp_key_management_cache_version_timeout 0 hashicorp_key_management_caching_enabled ON hashicorp_key_management_check_kv_version OFF hashicorp_key_management_max_retries 3 hashicorp_key_management_timeout 60 -hashicorp_key_management_use_cache_on_timeout ON hashicorp_key_management_vault_ca hashicorp_key_management_vault_url VAULT_ADDR/v1/mariadbtest/ # Restart the server with encryption diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt index 0a4ff1d59867d..b26e6eec20602 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt +++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.opt 
@@ -1,2 +1 @@ ---loose-hashicorp-key-management-cache-timeout=180000 --loose-hashicorp-key-management-cache-version-timeout=180000 diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test index 925e89a3140b3..c1edf3eb9a148 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test +++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_after_recreate.test @@ -18,7 +18,7 @@ CREATE TABLE t1 (a VARCHAR(8)) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=4; INSERT INTO t1 VALUES ('foo'),('bar'); -select @@hashicorp_key_management_caching_enabled, @@hashicorp_key_management_cache_timeout; +select @@hashicorp_key_management_caching_enabled; --exec vault secrets disable bug > /dev/null --exec vault secrets enable -path /bug -version=2 kv > /dev/null diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt index cdc590b33ed19..42a8627548369 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt +++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.opt @@ -1,2 +1 @@ ---loose-hashicorp-key-management-cache-timeout=180000 --loose-hashicorp-key-management-cache-version-timeout=0 diff --git a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test index 61c23d4454893..d82af5ca82ad4 100644 --- a/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test +++ b/plugin/hashicorp_key_management/mysql-test/vault/t/hashicorp_cache_timeout_update.test 
@@ -3,21 +3,16 @@ --source hashicorp_plugin.inc --source hashicorp_init.inc ---let $ct=`SELECT @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT` --let $vt=`SELECT @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT` SELECT - @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT, - @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT; + @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT; SET GLOBAL - HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1, - HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT= 1; + HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT= 1; SELECT - @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT, - @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT; ---eval SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=$vt, HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT=$ct + @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT; +--eval SET GLOBAL HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT=$vt SELECT - @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT, - @@HASHICORP_KEY_MANAGEMENT_CACHE_TIMEOUT; + @@HASHICORP_KEY_MANAGEMENT_CACHE_VERSION_TIMEOUT; --source hashicorp_deinit.inc