diff --git a/ci_scripts/tde_setup_global.sql b/ci_scripts/tde_setup_global.sql
index ab45d185611..4f35971a980 100644
--- a/ci_scripts/tde_setup_global.sql
+++ b/ci_scripts/tde_setup_global.sql
@@ -1,6 +1,6 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'reg_file-global', '/tmp/pg_tde_test_keyring.per');
-SELECT pg_tde_set_server_principal_key('global-principal-key', 'PG_TDE_GLOBAL', 'reg_file-global');
+SELECT pg_tde_add_global_key_provider_file('reg_file-global', '/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_set_server_principal_key('global-principal-key', 'reg_file-global');
 SELECT pg_tde_create_wal_key();
 ALTER SYSTEM SET pg_tde.wal_encrypt = on;
 ALTER SYSTEM SET default_table_access_method = 'tde_heap';
diff --git a/contrib/earthdistance/expected/earthdistance_1.out b/contrib/earthdistance/expected/earthdistance_1.out
index 17643e26bed..c91d923db2b 100644
--- a/contrib/earthdistance/expected/earthdistance_1.out
+++ b/contrib/earthdistance/expected/earthdistance_1.out
@@ -963,13 +963,12 @@ SELECT abs(cube_distance(ll_to_earth(-30,-90), '(0)'::cube) / earth() - 1) < -- -- list what's installed \dT - List of data types - Schema | Name | Description ---------+---------------+--------------------------------------------------------------------------------------------- - public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)' - public | earth | - public | pg_tde_global | -(3 rows) + List of data types + Schema | Name | Description +--------+-------+--------------------------------------------------------------------------------------------- + public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)' + public | earth | +(2 rows) drop extension cube; -- fail, earthdistance requires it ERROR: cannot drop extension cube because other objects depend on it
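Review bot: The new `pg_tde_add_global_key_provider_file` line still registers the keyring at `/tmp/pg_tde_test_keyring.per`, a file under a shared world-writable directory, and nothing in the script says this is a throwaway CI fixture; a comment such as `-- CI-only fixture: file keyring under /tmp holds test key material, not a layout for real deployments` above that SELECT would make the intent explicit. The script is also not re-runnable as written: `CREATE EXTENSION IF NOT EXISTS` is idempotent, but the add-provider call presumably errors if `reg_file-global` is already registered on a reused cluster, so a note on that expectation (or a guard, if the API offers one) is worth considering. The updated two-argument `pg_tde_set_server_principal_key('global-principal-key', 'reg_file-global')` call agrees with the `(principal_key_name, provider_name DEFAULT NULL, ensure_new_key DEFAULT false)` signature shown in the regenerated `\df` output of earthdistance_1.out in this same commit.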
@@ -981,12 +980,11 @@ ERROR: cannot drop type cube because extension cube requires it HINT: You can drop extension cube instead. -- list what's installed \dT - List of data types - Schema | Name | Description ---------+---------------+--------------------------------------------------------------------------------------------- - public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)' - public | pg_tde_global | -(2 rows) + List of data types + Schema | Name | Description +--------+------+--------------------------------------------------------------------------------------------- + public | cube | multi-dimensional cube '(FLOAT-1, FLOAT-2, ..., FLOAT-N), (FLOAT-1, FLOAT-2, ..., FLOAT-N)' +(1 row) create table foo (f1 cube, f2 int); drop extension cube; -- fail, foo.f1 requires it 
@@ -997,73 +995,72 @@ drop table foo; drop extension cube; -- list what's installed \dT - List of data types - Schema | Name | Description ---------+---------------+------------- - public | pg_tde_global | -(1 row) + List of data types + Schema | Name | Description +--------+------+------------- +(0 rows) \df - List of functions - Schema | Name | Result data type | Argument data types | Type ---------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+------ - public | pg_tde_add_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func - public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func - public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func - public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func - public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func - public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func - public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | 
func - public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_change_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func - public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func - public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func - public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func - public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func - public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func - public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path 
text | func - public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_create_wal_key | boolean | | func - public | pg_tde_ddl_command_end_capture | event_trigger | | func - public | pg_tde_ddl_command_start_capture | event_trigger | | func - public | pg_tde_delete_key_provider | void | pg_tde_global, provider_name character varying | func - public | pg_tde_delete_key_provider | void | provider_name character varying | func - public | pg_tde_extension_initialize | void | | func - public | pg_tde_grant_global_key_management_to_role | void | target_role text | func - public | pg_tde_grant_grant_management_to_role | void | target_role text | func - public | pg_tde_grant_key_viewer_to_role | void | target_role text | func - public | pg_tde_grant_local_key_management_to_role | void | target_role text | func - public | pg_tde_internal_has_key | boolean | oid oid | func - public | pg_tde_is_encrypted | boolean | table_name character varying | func - public | 
pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func - public | pg_tde_list_all_key_providers | SETOF record | pg_tde_global, OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func - public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func - public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | pg_tde_global | func - public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func - public | pg_tde_revoke_grant_management_from_role | void | target_role text | func - public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func - public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func - public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_verify_global_principal_key | void | | func - public | pg_tde_verify_principal_key | void 
| | func - public | pg_tde_version | text | | func - public | pg_tdeam_basic_handler | table_am_handler | internal | func - public | pg_tdeam_handler | table_am_handler | internal | func + List of functions + Schema | Name | Result data type | Argument data types | Type +--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+------ + public | pg_tde_add_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_add_key_provider_file | integer | provider_name character varying, 
file_path text | func + public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_change_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_change_key_provider_file | integer | provider_name character 
varying, file_path json | func + public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_create_wal_key | boolean | | func + public | pg_tde_ddl_command_end_capture | event_trigger | | func + public | pg_tde_ddl_command_start_capture | event_trigger | | func + public | pg_tde_delete_global_key_provider | void | provider_name character varying | func + public | pg_tde_delete_key_provider | void | provider_name character varying | func + public | pg_tde_extension_initialize | void | | func + public | pg_tde_global_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func + public | pg_tde_grant_global_key_management_to_role | void | target_role text | func + public | pg_tde_grant_grant_management_to_role | void | target_role text | func + public | pg_tde_grant_key_viewer_to_role | void | target_role text | func + public | pg_tde_grant_local_key_management_to_role | void | target_role text | func + public | pg_tde_internal_has_key | boolean | oid oid | func + public | pg_tde_is_encrypted | boolean | table_name character varying | func + public | pg_tde_list_all_global_key_providers | SETOF record | OUT id integer, OUT provider_name 
character varying, OUT provider_type character varying, OUT options json | func + public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func + public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func + public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func + public | pg_tde_revoke_grant_management_from_role | void | target_role text | func + public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func + public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func + public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_global_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_verify_global_principal_key | void | | func + public | pg_tde_verify_principal_key | void | | func + public | pg_tde_version | text | | func + public | pg_tdeam_basic_handler | table_am_handler | internal | func + public | pg_tdeam_handler | table_am_handler | internal | func (57 rows) \do 
@@ -1076,73 +1073,72 @@ create schema c; create extension cube with schema c; -- list what's installed \dT public.* - List of data types - Schema | Name | Description ---------+---------------+------------- - public | pg_tde_global | -(1 row) + List of data types + Schema | Name | Description +--------+------+------------- +(0 rows) \df public.* - List of functions - Schema | Name | Result data type | Argument data types | Type ---------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+------ - public | pg_tde_add_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func - public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func - public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func - public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func - public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func - public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func - public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, 
kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_change_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func - public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func - public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func - public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func - public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func - public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func - public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port 
integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_create_wal_key | boolean | | func - public | pg_tde_ddl_command_end_capture | event_trigger | | func - public | pg_tde_ddl_command_start_capture | event_trigger | | func - public | pg_tde_delete_key_provider | void | pg_tde_global, provider_name character varying | func - public | pg_tde_delete_key_provider | void | provider_name character varying | func - public | pg_tde_extension_initialize | void | | func - public | pg_tde_grant_global_key_management_to_role | void | target_role text | func - public | pg_tde_grant_grant_management_to_role | void | target_role text | func - public | pg_tde_grant_key_viewer_to_role | void | target_role text | func - public | pg_tde_grant_local_key_management_to_role | void | target_role text | func - public | pg_tde_internal_has_key | boolean | oid oid | func - public | pg_tde_is_encrypted | boolean | table_name 
character varying | func - public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func - public | pg_tde_list_all_key_providers | SETOF record | pg_tde_global, OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func - public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func - public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | pg_tde_global | func - public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func - public | pg_tde_revoke_grant_management_from_role | void | target_role text | func - public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func - public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func - public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_verify_global_principal_key | void | | func - public | 
pg_tde_verify_principal_key | void | | func - public | pg_tde_version | text | | func - public | pg_tdeam_basic_handler | table_am_handler | internal | func - public | pg_tdeam_handler | table_am_handler | internal | func + List of functions + Schema | Name | Result data type | Argument data types | Type +--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+------ + public | pg_tde_add_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_add_key_provider_file | integer 
| provider_name character varying, file_path text | func + public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_change_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_change_key_provider_file 
| integer | provider_name character varying, file_path json | func + public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_create_wal_key | boolean | | func + public | pg_tde_ddl_command_end_capture | event_trigger | | func + public | pg_tde_ddl_command_start_capture | event_trigger | | func + public | pg_tde_delete_global_key_provider | void | provider_name character varying | func + public | pg_tde_delete_key_provider | void | provider_name character varying | func + public | pg_tde_extension_initialize | void | | func + public | pg_tde_global_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func + public | pg_tde_grant_global_key_management_to_role | void | target_role text | func + public | pg_tde_grant_grant_management_to_role | void | target_role text | func + public | pg_tde_grant_key_viewer_to_role | void | target_role text | func + public | pg_tde_grant_local_key_management_to_role | void | target_role text | func + public | pg_tde_internal_has_key | boolean | oid oid | func + public | pg_tde_is_encrypted | boolean | table_name character varying | func + public | pg_tde_list_all_global_key_providers | SETOF record 
| OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func + public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func + public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func + public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func + public | pg_tde_revoke_grant_management_from_role | void | target_role text | func + public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func + public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func + public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_global_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_verify_global_principal_key | void | | func + public | pg_tde_verify_principal_key | void | | func + public | pg_tde_version | text | | func + public | pg_tdeam_basic_handler | table_am_handler | internal | func + public | pg_tdeam_handler | table_am_handler | internal | func (57 rows) \do public.* 
@@ -1178,73 +1174,72 @@ NOTICE: drop cascades to column f1 of table foo -- list what's installed \dT public.* - List of data types - Schema | Name | Description ---------+---------------+------------- - public | pg_tde_global | -(1 row) + List of data types + Schema | Name | Description +--------+------+------------- +(0 rows) \df public.* - List of functions - Schema | Name | Result data type | Argument data types | Type ---------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+------ - public | pg_tde_add_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func - public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func - public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func - public | pg_tde_add_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func - public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func - public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path text | func - public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_add_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, 
kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_add_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_change_key_provider | integer | pg_tde_global, provider_type character varying, provider_name character varying, options json | func - public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func - public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path json | func - public | pg_tde_change_key_provider_file | integer | pg_tde_global, provider_name character varying, file_path text | func - public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path json | func - public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func - public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_change_key_provider_kmip | integer | pg_tde_global, provider_name character varying, kmip_host text, kmip_port 
integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func - public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func - public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_change_key_provider_vault_v2 | integer | pg_tde_global, provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func - public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func - public | pg_tde_create_wal_key | boolean | | func - public | pg_tde_ddl_command_end_capture | event_trigger | | func - public | pg_tde_ddl_command_start_capture | event_trigger | | func - public | pg_tde_delete_key_provider | void | pg_tde_global, provider_name character varying | func - public | pg_tde_delete_key_provider | void | provider_name character varying | func - public | pg_tde_extension_initialize | void | | func - public | pg_tde_grant_global_key_management_to_role | void | target_role text | func - public | pg_tde_grant_grant_management_to_role | void | target_role text | func - public | pg_tde_grant_key_viewer_to_role | void | target_role text | func - public | pg_tde_grant_local_key_management_to_role | void | target_role text | func - public | pg_tde_internal_has_key | boolean | oid oid | func - public | pg_tde_is_encrypted | boolean | table_name 
character varying | func - public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func - public | pg_tde_list_all_key_providers | SETOF record | pg_tde_global, OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func - public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func - public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | pg_tde_global | func - public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func - public | pg_tde_revoke_grant_management_from_role | void | target_role text | func - public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func - public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func - public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, pg_tde_global, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func - public | pg_tde_verify_global_principal_key | void | | func - public | 
pg_tde_verify_principal_key | void | | func - public | pg_tde_version | text | | func - public | pg_tdeam_basic_handler | table_am_handler | internal | func - public | pg_tdeam_handler | table_am_handler | internal | func + List of functions + Schema | Name | Result data type | Argument data types | Type +--------+-----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+------ + public | pg_tde_add_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_add_global_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_add_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_add_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_add_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_add_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_add_key_provider_file | integer 
| provider_name character varying, file_path text | func + public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_add_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_add_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_change_global_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path json | func + public | pg_tde_change_global_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_change_global_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_change_global_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_change_key_provider | integer | provider_type character varying, provider_name character varying, options json | func + public | pg_tde_change_key_provider_file 
| integer | provider_name character varying, file_path json | func + public | pg_tde_change_key_provider_file | integer | provider_name character varying, file_path text | func + public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host json, kmip_port json, kmip_ca_path json, kmip_cert_path json | func + public | pg_tde_change_key_provider_kmip | integer | provider_name character varying, kmip_host text, kmip_port integer, kmip_ca_path text, kmip_cert_path text | func + public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token json, vault_url json, vault_mount_path json, vault_ca_path json | func + public | pg_tde_change_key_provider_vault_v2 | integer | provider_name character varying, vault_token text, vault_url text, vault_mount_path text, vault_ca_path text | func + public | pg_tde_create_wal_key | boolean | | func + public | pg_tde_ddl_command_end_capture | event_trigger | | func + public | pg_tde_ddl_command_start_capture | event_trigger | | func + public | pg_tde_delete_global_key_provider | void | provider_name character varying | func + public | pg_tde_delete_key_provider | void | provider_name character varying | func + public | pg_tde_extension_initialize | void | | func + public | pg_tde_global_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func + public | pg_tde_grant_global_key_management_to_role | void | target_role text | func + public | pg_tde_grant_grant_management_to_role | void | target_role text | func + public | pg_tde_grant_key_viewer_to_role | void | target_role text | func + public | pg_tde_grant_local_key_management_to_role | void | target_role text | func + public | pg_tde_internal_has_key | boolean | oid oid | func + public | pg_tde_is_encrypted | boolean | table_name character varying | func + public | pg_tde_list_all_global_key_providers | SETOF record 
| OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func + public | pg_tde_list_all_key_providers | SETOF record | OUT id integer, OUT provider_name character varying, OUT provider_type character varying, OUT options json | func + public | pg_tde_principal_key_info | TABLE(principal_key_name text, key_provider_name text, key_provider_id integer, key_createion_time timestamp with time zone) | | func + public | pg_tde_revoke_global_key_management_from_role | void | target_role text | func + public | pg_tde_revoke_grant_management_from_role | void | target_role text | func + public | pg_tde_revoke_key_viewer_from_role | void | target_role text | func + public | pg_tde_revoke_local_key_management_from_role | void | target_role text | func + public | pg_tde_set_default_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_global_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_set_server_principal_key | boolean | principal_key_name character varying, provider_name character varying DEFAULT NULL::character varying, ensure_new_key boolean DEFAULT false | func + public | pg_tde_verify_global_principal_key | void | | func + public | pg_tde_verify_principal_key | void | | func + public | pg_tde_version | text | | func + public | pg_tdeam_basic_handler | table_am_handler | internal | func + public | pg_tdeam_handler | table_am_handler | internal | func (57 rows) \do public.* 
diff --git a/contrib/pg_tde/expected/default_principal_key.out b/contrib/pg_tde/expected/default_principal_key.out index 3324c1852b2..ff052644b29 100644 --- a/contrib/pg_tde/expected/default_principal_key.out +++ b/contrib/pg_tde/expected/default_principal_key.out @@ -1,20 +1,20 @@ CREATE EXTENSION IF NOT EXISTS pg_tde; -SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-provider','/tmp/pg_tde_regression_default_principal_key.per'); - pg_tde_add_key_provider_file ------------------------------- - -4 +SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_principal_key.per'); + pg_tde_add_global_key_provider_file +------------------------------------- + -4 (1 row) -SELECT pg_tde_set_default_principal_key('default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false); +SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false); pg_tde_set_default_principal_key ---------------------------------- t (1 row) -- fails -SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-provider'); +SELECT pg_tde_delete_global_key_provider('file-provider'); ERROR: Can't delete a provider which is currently in use -SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL'); +SELECT id, provider_name FROM pg_tde_list_all_global_key_providers(); id | provider_name ----+--------------- -2 | file-keyring2 @@ -67,7 +67,7 @@ SELECT key_provider_id, key_provider_name, principal_key_name (1 row) \c regression_pg_tde -SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false); +SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false); WARNING: you don't own a lock of type AccessExclusiveLock pg_tde_set_default_principal_key ---------------------------------- diff --git a/contrib/pg_tde/expected/key_provider.out b/contrib/pg_tde/expected/key_provider.out index 31b3adf82a7..16a6d6ed92e 100644 
--- a/contrib/pg_tde/expected/key_provider.out +++ b/contrib/pg_tde/expected/key_provider.out @@ -80,19 +80,19 @@ SELECT * FROM pg_tde_list_all_key_providers(); 2 | file-provider2 | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring2.per"} (2 rows) -SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per'); - pg_tde_add_key_provider_file ------------------------------- - -1 +SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per'); + pg_tde_add_global_key_provider_file +------------------------------------- + -1 (1 row) -SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring2','/tmp/pg_tde_test_keyring2.per'); - pg_tde_add_key_provider_file ------------------------------- - -2 +SELECT pg_tde_add_global_key_provider_file('file-keyring2','/tmp/pg_tde_test_keyring2.per'); + pg_tde_add_global_key_provider_file +------------------------------------- + -2 (1 row) -SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL'); +SELECT id, provider_name FROM pg_tde_list_all_global_key_providers(); id | provider_name ----+--------------- -1 | file-keyring 
@@ -123,40 +123,40 @@ SELECT id, provider_name FROM pg_tde_list_all_key_providers(); 1 | file-provider (1 row) -SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL'); +SELECT id, provider_name FROM pg_tde_list_all_global_key_providers(); id | provider_name ----+--------------- -1 | file-keyring -2 | file-keyring2 (2 rows) -SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', false); - pg_tde_set_principal_key --------------------------- +SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false); + pg_tde_set_global_principal_key +--------------------------------- t (1 row) -- fails -SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring'); - pg_tde_delete_key_provider ----------------------------- +SELECT pg_tde_delete_global_key_provider('file-keyring'); + pg_tde_delete_global_key_provider +----------------------------------- (1 row) -SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL'); +SELECT id, provider_name FROM pg_tde_list_all_global_key_providers(); id | provider_name ----+--------------- -2 | file-keyring2 (1 row) -- works -SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring2'); - pg_tde_delete_key_provider ----------------------------- +SELECT pg_tde_delete_global_key_provider('file-keyring2'); + pg_tde_delete_global_key_provider +----------------------------------- (1 row) -SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL'); +SELECT id, provider_name FROM pg_tde_list_all_global_key_providers(); id | provider_name ----+--------------- -2 | file-keyring2 diff --git a/contrib/pg_tde/expected/wal_key.out b/contrib/pg_tde/expected/wal_key.out index 1446dd7d775..8e59ae58221 100644 --- a/contrib/pg_tde/expected/wal_key.out +++ b/contrib/pg_tde/expected/wal_key.out 
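Review bot: The `-- fails` comment in this fixture contradicts the recorded result: `pg_tde_delete_global_key_provider('file-keyring')` returns normally and `file-keyring` is absent from the listing that follows, right after `pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false)` bound a principal key to that provider. default_principal_key.out in this same diff records `ERROR: Can't delete a provider which is currently in use` for the analogous case, so either the comment is stale or the in-use check does not cover this principal key. Deleting the provider that backs an active principal key would leave the encrypted data with no way to load its key, so this is worth confirming against the C implementation rather than just re-recording the output; the removed lines show the same result, so it predates the rename.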
@@ -4,20 +4,20 @@ CREATE EXTENSION IF NOT EXISTS pg_tde; SELECT pg_tde_create_wal_key(); ERROR: failed to retrieve principal key. Create one using pg_tde_set_principal_key before using encrypted tables. -SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per'); - pg_tde_add_key_provider_file ------------------------------- - -3 +SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per'); + pg_tde_add_global_key_provider_file +------------------------------------- + -3 (1 row) SELECT pg_tde_create_wal_key(); ERROR: failed to retrieve principal key. Create one using pg_tde_set_principal_key before using encrypted tables. -- db local principal key with global provider -SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', true); +SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', true); ERROR: failed to create principal key: already exists SELECT pg_tde_create_wal_key(); ERROR: failed to retrieve principal key. Create one using pg_tde_set_principal_key before using encrypted tables. -SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring'); +SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'file-keyring'); pg_tde_set_server_principal_key --------------------------------- t diff --git a/contrib/pg_tde/pg_tde--1.0-beta2.sql b/contrib/pg_tde/pg_tde--1.0-beta2.sql index 06f074d09e4..b703ada9519 100644 --- a/contrib/pg_tde/pg_tde--1.0-beta2.sql +++ b/contrib/pg_tde/pg_tde--1.0-beta2.sql @@ -3,8 +3,6 @@ -- complain if script is sourced in psql, rather than via CREATE EXTENSION \echo Use "CREATE EXTENSION pg_tde" to load this file. \quit -CREATE type PG_TDE_GLOBAL AS ENUM('PG_TDE_GLOBAL'); - -- Key Provider Management CREATE FUNCTION pg_tde_add_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) RETURNS INT 
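Review bot: The context comment `-- db local principal key with global provider` now sits above `pg_tde_set_global_principal_key(...)`, so the new name reads as "set a global (server-wide) principal key" while the comment says the key is database-local and only the provider is global; `pg_tde_set_server_principal_key` two lines further down is the server-wide one. If the semantics are unchanged from the removed `pg_tde_set_principal_key(..., 'PG_TDE_GLOBAL', ...)`, the comment in the test source that produces this fixture should state the distinction, e.g. `-- db local principal key stored in a global provider (not the server key)`; if the semantics did change, the test intent needs updating as well.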
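Review bot: Removing `CREATE type PG_TDE_GLOBAL` and renaming the functions directly inside `pg_tde--1.0-beta2.sql` changes the installed API of that version in place, and no upgrade script is part of this diff; if beta2 has already shipped, an existing installation can neither gain the new `*_global_*` functions nor lose the old overloads through `ALTER EXTENSION pg_tde UPDATE`, and the old enum type lingers in those databases. If the version is still unreleased this is fine, but a sentence in the commit message saying so, or a `pg_tde--1.0-beta2--<NEXT_VERSION>.sql` (placeholder name) that drops the type and the old signatures, would make the intent explicit. The rest of this script is outside the hunk.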
@@ -103,7 +101,7 @@ BEGIN ATOMIC 'certPath' VALUE kmip_cert_path)); END; -CREATE FUNCTION pg_tde_set_default_principal_key(principal_key_name VARCHAR(255), PG_TDE_GLOBAL, provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) +CREATE FUNCTION pg_tde_set_default_principal_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE) RETURNS boolean AS 'MODULE_PATHNAME' LANGUAGE C; @@ -117,8 +115,8 @@ RETURNS SETOF record LANGUAGE C STRICT AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_list_all_key_providers - (PG_TDE_GLOBAL, OUT id INT, +CREATE FUNCTION pg_tde_list_all_global_key_providers + (OUT id INT, OUT provider_name VARCHAR(128), OUT provider_type VARCHAR(10), OUT options JSON) 
@@ -127,43 +125,42 @@ LANGUAGE C STRICT AS 'MODULE_PATHNAME'; -- Global Tablespace Key Provider Management -CREATE FUNCTION pg_tde_add_key_provider(PG_TDE_GLOBAL, provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) +CREATE FUNCTION pg_tde_add_global_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) RETURNS INT LANGUAGE C -AS 'MODULE_PATHNAME', 'pg_tde_add_key_provider_global'; +AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_add_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path TEXT) +CREATE FUNCTION pg_tde_add_global_key_provider_file(provider_name VARCHAR(128), file_path TEXT) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_file_keyring_provider_options function. - SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'file', provider_name, + SELECT pg_tde_add_global_key_provider('file', provider_name, json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, ''))); END; -CREATE FUNCTION pg_tde_add_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path JSON) +CREATE FUNCTION pg_tde_add_global_key_provider_file(provider_name VARCHAR(128), file_path JSON) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_file_keyring_provider_options function. 
- SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'file', provider_name, + SELECT pg_tde_add_global_key_provider('file', provider_name, json_object('type' VALUE 'file', 'path' VALUE file_path)); END; -CREATE FUNCTION pg_tde_add_key_provider_vault_v2(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - vault_token TEXT, - vault_url TEXT, - vault_mount_path TEXT, - vault_ca_path TEXT) +CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name VARCHAR(128), + vault_token TEXT, + vault_url TEXT, + vault_mount_path TEXT, + vault_ca_path TEXT) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_vaultV2_keyring_provider_options function. - SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name, + SELECT pg_tde_add_global_key_provider('vault-v2', provider_name, json_object('type' VALUE 'vault-v2', 'url' VALUE COALESCE(vault_url, ''), 'token' VALUE COALESCE(vault_token, ''), @@ -171,18 +168,17 @@ BEGIN ATOMIC 'caPath' VALUE COALESCE(vault_ca_path, ''))); END; -CREATE FUNCTION pg_tde_add_key_provider_vault_v2(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - vault_token JSON, - vault_url JSON, - vault_mount_path JSON, - vault_ca_path JSON) +CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name VARCHAR(128), + vault_token JSON, + vault_url JSON, + vault_mount_path JSON, + vault_ca_path JSON) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_vaultV2_keyring_provider_options function. - SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name, + SELECT pg_tde_add_global_key_provider('vault-v2', provider_name, json_object('type' VALUE 'vault-v2', 'url' VALUE vault_url, 'token' VALUE vault_token, 
@@ -190,18 +186,17 @@ BEGIN ATOMIC 'caPath' VALUE vault_ca_path)); END; -CREATE FUNCTION pg_tde_add_key_provider_kmip(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - kmip_host TEXT, - kmip_port INT, - kmip_ca_path TEXT, - kmip_cert_path TEXT) +CREATE FUNCTION pg_tde_add_global_key_provider_kmip(provider_name VARCHAR(128), + kmip_host TEXT, + kmip_port INT, + kmip_ca_path TEXT, + kmip_cert_path TEXT) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_kmip_keyring_provider_options function. - SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'kmip', provider_name, + SELECT pg_tde_add_global_key_provider('kmip', provider_name, json_object('type' VALUE 'kmip', 'host' VALUE COALESCE(kmip_host, ''), 'port' VALUE kmip_port, @@ -209,18 +204,17 @@ BEGIN ATOMIC 'certPath' VALUE COALESCE(kmip_cert_path, ''))); END; -CREATE FUNCTION pg_tde_add_key_provider_kmip(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - kmip_host JSON, - kmip_port JSON, - kmip_ca_path JSON, - kmip_cert_path JSON) +CREATE FUNCTION pg_tde_add_global_key_provider_kmip(provider_name VARCHAR(128), + kmip_host JSON, + kmip_port JSON, + kmip_ca_path JSON, + kmip_cert_path JSON) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_kmip_keyring_provider_options function. - SELECT pg_tde_add_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name, + SELECT pg_tde_add_global_key_provider('vault-v2', provider_name, json_object('type' VALUE 'vault-v2', 'host' VALUE kmip_host, 'port' VALUE kmip_port, 
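Review bot: The JSON-argument overload of `pg_tde_add_global_key_provider_kmip` (hunk `@@ -209,18 +204,17 @@`) still registers the provider as `'vault-v2'`, both as the provider_type argument and in the `type` JSON key, while its options are the KMIP keys (`host`, `port`, ...) and the comment above says they must match `load_kmip_keyring_provider_options`. The TEXT overload in `@@ -190,18 +186,17 @@` correctly uses `'kmip'`, and the same mismatch is carried into the JSON overload of `pg_tde_change_global_key_provider_kmip` in `@@ -409,18 +400,17 @@`. The defect was already present in the removed lines, but the commit rewrites exactly those lines, so the fix is cheap here: `SELECT pg_tde_add_global_key_provider('kmip', provider_name,` and `json_object('type' VALUE 'kmip',` (and the `change` counterpart). As written, a KMIP provider registered through the JSON overload is stored under the vault-v2 type with KMIP option keys, which presumably only surfaces when the principal key is loaded rather than at registration time.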
@@ -327,43 +321,42 @@ BEGIN ATOMIC END; -- Global Tablespace Key Provider Management -CREATE FUNCTION pg_tde_change_key_provider(PG_TDE_GLOBAL, provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) +CREATE FUNCTION pg_tde_change_global_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) RETURNS INT LANGUAGE C -AS 'MODULE_PATHNAME', 'pg_tde_change_key_provider_global'; +AS 'MODULE_PATHNAME'; -CREATE FUNCTION pg_tde_change_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path TEXT) +CREATE FUNCTION pg_tde_change_global_key_provider_file(provider_name VARCHAR(128), file_path TEXT) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_file_keyring_provider_options function. - SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'file', provider_name, + SELECT pg_tde_change_global_key_provider('file', provider_name, json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, ''))); END; -CREATE FUNCTION pg_tde_change_key_provider_file(PG_TDE_GLOBAL, provider_name VARCHAR(128), file_path JSON) +CREATE FUNCTION pg_tde_change_global_key_provider_file(provider_name VARCHAR(128), file_path JSON) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_file_keyring_provider_options function. 
- SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'file', provider_name, + SELECT pg_tde_change_global_key_provider('file', provider_name, json_object('type' VALUE 'file', 'path' VALUE file_path)); END; -CREATE FUNCTION pg_tde_change_key_provider_vault_v2(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - vault_token TEXT, - vault_url TEXT, - vault_mount_path TEXT, - vault_ca_path TEXT) +CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name VARCHAR(128), + vault_token TEXT, + vault_url TEXT, + vault_mount_path TEXT, + vault_ca_path TEXT) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_vaultV2_keyring_provider_options function. - SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name, + SELECT pg_tde_change_global_key_provider('vault-v2', provider_name, json_object('type' VALUE 'vault-v2', 'url' VALUE COALESCE(vault_url, ''), 'token' VALUE COALESCE(vault_token, ''), @@ -371,18 +364,17 @@ BEGIN ATOMIC 'caPath' VALUE COALESCE(vault_ca_path, ''))); END; -CREATE FUNCTION pg_tde_change_key_provider_vault_v2(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - vault_token JSON, - vault_url JSON, - vault_mount_path JSON, - vault_ca_path JSON) +CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name VARCHAR(128), + vault_token JSON, + vault_url JSON, + vault_mount_path JSON, + vault_ca_path JSON) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_vaultV2_keyring_provider_options function. - SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name, + SELECT pg_tde_change_global_key_provider('vault-v2', provider_name, json_object('type' VALUE 'vault-v2', 'url' VALUE vault_url, 'token' VALUE vault_token, 
@@ -390,18 +382,17 @@ BEGIN ATOMIC 'caPath' VALUE vault_ca_path)); END; -CREATE FUNCTION pg_tde_change_key_provider_kmip(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - kmip_host TEXT, - kmip_port INT, - kmip_ca_path TEXT, - kmip_cert_path TEXT) +CREATE FUNCTION pg_tde_change_global_key_provider_kmip(provider_name VARCHAR(128), + kmip_host TEXT, + kmip_port INT, + kmip_ca_path TEXT, + kmip_cert_path TEXT) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_kmip_keyring_provider_options function. - SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'kmip', provider_name, + SELECT pg_tde_change_global_key_provider('kmip', provider_name, json_object('type' VALUE 'kmip', 'host' VALUE COALESCE(kmip_host, ''), 'port' VALUE kmip_port, @@ -409,18 +400,17 @@ BEGIN ATOMIC 'certPath' VALUE COALESCE(kmip_cert_path, ''))); END; -CREATE FUNCTION pg_tde_change_key_provider_kmip(PG_TDE_GLOBAL, - provider_name VARCHAR(128), - kmip_host JSON, - kmip_port JSON, - kmip_ca_path JSON, - kmip_cert_path JSON) +CREATE FUNCTION pg_tde_change_global_key_provider_kmip(provider_name VARCHAR(128), + kmip_host JSON, + kmip_port JSON, + kmip_ca_path JSON, + kmip_cert_path JSON) RETURNS INT LANGUAGE SQL BEGIN ATOMIC -- JSON keys in the options must be matched to the keys in -- load_kmip_keyring_provider_options function. - SELECT pg_tde_change_key_provider('PG_TDE_GLOBAL', 'vault-v2', provider_name, + SELECT pg_tde_change_global_key_provider('vault-v2', provider_name, json_object('type' VALUE 'vault-v2', 'host' VALUE kmip_host, 'port' VALUE kmip_port, 
@@ -458,15 +448,15 @@ RETURNS boolean
 LANGUAGE C
 AS 'MODULE_PATHNAME';
-CREATE FUNCTION pg_tde_set_principal_key(principal_key_name VARCHAR(255), PG_TDE_GLOBAL, provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
+CREATE FUNCTION pg_tde_set_global_principal_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
 RETURNS boolean
 LANGUAGE C
-AS 'MODULE_PATHNAME', 'pg_tde_set_principal_key_global';
+AS 'MODULE_PATHNAME';
-CREATE FUNCTION pg_tde_set_server_principal_key(principal_key_name VARCHAR(255), PG_TDE_GLOBAL, provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
+CREATE FUNCTION pg_tde_set_server_principal_key(principal_key_name VARCHAR(255), provider_name VARCHAR(255) DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
 RETURNS boolean
 LANGUAGE C
-AS 'MODULE_PATHNAME', 'pg_tde_set_principal_key_server';
+AS 'MODULE_PATHNAME';
 CREATE FUNCTION pg_tde_create_wal_key()
 RETURNS boolean
@@ -496,18 +486,18 @@ RETURNS TABLE ( principal_key_name text,
 LANGUAGE C
 AS 'MODULE_PATHNAME';
-CREATE FUNCTION pg_tde_principal_key_info(PG_TDE_GLOBAL)
+CREATE FUNCTION pg_tde_global_principal_key_info()
 RETURNS TABLE (
 principal_key_name text,
- key_provider_name text,
+ key_provider_name text,
 key_provider_id integer,
 key_createion_time timestamp with time zone)
 LANGUAGE C
-AS 'MODULE_PATHNAME', 'pg_tde_principal_key_info_global';
+AS 'MODULE_PATHNAME';
-CREATE FUNCTION pg_tde_delete_key_provider(PG_TDE_GLOBAL, provider_name VARCHAR)
+CREATE FUNCTION pg_tde_delete_global_key_provider(provider_name VARCHAR)
 RETURNS VOID
 LANGUAGE C
-AS 'MODULE_PATHNAME', 'pg_tde_delete_key_provider_global';
+AS 'MODULE_PATHNAME';
 CREATE FUNCTION pg_tde_delete_key_provider(provider_name VARCHAR)
 RETURNS VOID
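Review bot: The rewritten pg_tde_global_principal_key_info() declaration (hunk at -496) keeps the misspelled output column `key_createion_time timestamp with time zone`, which is a user-visible column name callers have to spell the same way. Since this commit already changes the callable signatures of these functions, it is the natural point to correct it to `key_creation_time timestamp with time zone` here and in the per-database variant that precedes the hunk, unless the current spelling is deliberately kept for compatibility. The change to `key_provider_name text,` in the same hunk appears to be whitespace-only.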
@@ -564,30 +554,30 @@ LANGUAGE plpgsql
 SET search_path = @extschema@
 AS $$
 BEGIN
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider(pg_tde_global, varchar, varchar, JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider(varchar, varchar, JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, json) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, text) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, json) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, text) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, text, text, text, text) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, text, int, text, text) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider(pg_tde_global, varchar, varchar, JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider(varchar, varchar, JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, json) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, text) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, json) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, text) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, text, text, text, text) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, text, int, text, text) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_key_provider(pg_tde_global, varchar) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(varchar) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_global_principal_key(varchar, varchar, BOOLEAN) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, varchar, BOOLEAN) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
 END;
 $$;
@@ -630,11 +620,11 @@ SET search_path = @extschema@
 AS $$
 BEGIN
 EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_key_providers(pg_tde_global, OUT INT, OUT varchar, OUT varchar, OUT JSON) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) TO %I', target_role);
 EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_is_encrypted(VARCHAR) TO %I', target_role);
 EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_principal_key_info() TO %I', target_role);
- EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_principal_key_info(pg_tde_global) TO %I', target_role);
+ EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_global_principal_key_info() TO %I', target_role);
 END;
 $$;
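Review bot: The last statement of the grant helper (hunk at -564) is still `GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, varchar, BOOLEAN) FROM %I`; `GRANT ... FROM` is not valid grammar, so the dynamic statement raises a syntax error every time the helper is called and, because all grants run inside one plpgsql call, the preceding grants are rolled back with it. The commit rewrote this line for the new signature but kept the wrong keyword; it should read `EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, varchar, BOOLEAN) TO %I', target_role);`. The mirrored REVOKE helper (hunk at -645) uses FROM correctly, so the two hand-maintained lists have drifted; a regression test that runs the grant helper and then the revoke helper against a throwaway role would catch this class of error. The helper's header and target_role parameter are outside the hunk.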
@@ -645,30 +635,30 @@ LANGUAGE plpgsql
 SET search_path = @extschema@
 AS $$
 BEGIN
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider(pg_tde_global, varchar, varchar, JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider(varchar, varchar, JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, json) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_file(pg_tde_global, varchar, text) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, json) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_file(varchar, text) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, text, text, text, text) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, text, int, text, text) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider(pg_tde_global, varchar, varchar, JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider(varchar, varchar, JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, json) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_file(pg_tde_global, varchar, text) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, text, text, text, text) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, text, int, text, text) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(pg_tde_global, varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, json) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_file(varchar, text) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, text, text, text, text) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_vault_v2(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, text, int, text, text) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_global_key_provider_kmip(varchar, JSON, JSON, JSON, JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_key_provider(pg_tde_global, varchar) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(varchar) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_global_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_server_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, pg_tde_global, varchar, BOOLEAN) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_default_principal_key(varchar, varchar, BOOLEAN) FROM %I', target_role);
 END;
 $$;
@@ -711,11 +701,11 @@ SET search_path = @extschema@
 AS $$
 BEGIN
 EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_key_providers(pg_tde_global, OUT INT, OUT varchar, OUT varchar, OUT JSON) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers(OUT INT, OUT varchar, OUT varchar, OUT JSON) FROM %I', target_role);
 EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_is_encrypted(VARCHAR) FROM %I', target_role);
 EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_principal_key_info() FROM %I', target_role);
- EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_principal_key_info(pg_tde_global) FROM %I', target_role);
+ EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_global_principal_key_info() FROM %I', target_role);
 END;
 $$;
diff --git a/contrib/pg_tde/sql/default_principal_key.sql b/contrib/pg_tde/sql/default_principal_key.sql
index 5becd5c6f2a..1996f1c46dd 100644
--- a/contrib/pg_tde/sql/default_principal_key.sql
+++ b/contrib/pg_tde/sql/default_principal_key.sql
@@ -1,12 +1,12 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-provider','/tmp/pg_tde_regression_default_principal_key.per');
+SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_principal_key.per');
-SELECT pg_tde_set_default_principal_key('default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);
+SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false);
 -- fails
-SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-provider');
-SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
+SELECT pg_tde_delete_global_key_provider('file-provider');
+SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 -- Should fail: no principal key for the database yet
 SELECT key_provider_id, key_provider_name, principal_key_name
@@ -50,7 +50,7 @@ SELECT key_provider_id, key_provider_name, principal_key_name
 \c regression_pg_tde
-SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'PG_TDE_GLOBAL', 'file-provider', false);
+SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false);
 SELECT key_provider_id, key_provider_name, principal_key_name
 FROM pg_tde_principal_key_info();
diff --git a/contrib/pg_tde/sql/key_provider.sql b/contrib/pg_tde/sql/key_provider.sql
index 7db479f5424..7f430df51c4 100644
--- a/contrib/pg_tde/sql/key_provider.sql
+++ b/contrib/pg_tde/sql/key_provider.sql
@@ -24,11 +24,11 @@ SELECT pg_tde_verify_principal_key();
 SELECT pg_tde_change_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
 SELECT * FROM pg_tde_list_all_key_providers();
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring2','/tmp/pg_tde_test_keyring2.per');
+SELECT pg_tde_add_global_key_provider_file('file-keyring2','/tmp/pg_tde_test_keyring2.per');
-SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
+SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 -- TODO: verify that we can also can change the type of it
@@ -40,16 +40,16 @@ SELECT id, provider_name FROM pg_tde_list_all_key_providers();
 SELECT pg_tde_delete_key_provider('file-provider2');
 SELECT id, provider_name FROM pg_tde_list_all_key_providers();
-SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
+SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
-SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', false);
+SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false);
 -- fails
-SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring');
-SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
+SELECT pg_tde_delete_global_key_provider('file-keyring');
+SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 -- works
-SELECT pg_tde_delete_key_provider('PG_TDE_GLOBAL', 'file-keyring2');
-SELECT id, provider_name FROM pg_tde_list_all_key_providers('PG_TDE_GLOBAL');
+SELECT pg_tde_delete_global_key_provider('file-keyring2');
+SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
 DROP EXTENSION pg_tde;
\ No newline at end of file
diff --git a/contrib/pg_tde/sql/wal_key.sql b/contrib/pg_tde/sql/wal_key.sql
index 6f090e944b1..1084159ba7e 100644
--- a/contrib/pg_tde/sql/wal_key.sql
+++ b/contrib/pg_tde/sql/wal_key.sql
@@ -5,16 +5,16 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
 SELECT pg_tde_create_wal_key();
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring','/tmp/pg_tde_test_keyring.per');
+SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
 SELECT pg_tde_create_wal_key();
 -- db local principal key with global provider
-SELECT pg_tde_set_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring', true);
+SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', true);
 SELECT pg_tde_create_wal_key();
-SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring');
+SELECT pg_tde_set_server_principal_key('test-db-principal-key', 'file-keyring');
 -- and now it should work!
 SELECT pg_tde_create_wal_key();
diff --git a/contrib/pg_tde/src/catalog/tde_keyring.c b/contrib/pg_tde/src/catalog/tde_keyring.c
index 194d3171503..b133758556c 100644
--- a/contrib/pg_tde/src/catalog/tde_keyring.c
+++ b/contrib/pg_tde/src/catalog/tde_keyring.c
@@ -75,21 +75,26 @@ static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oi
 PG_FUNCTION_INFO_V1(pg_tde_add_key_provider);
 Datum pg_tde_add_key_provider(PG_FUNCTION_ARGS);
-PG_FUNCTION_INFO_V1(pg_tde_add_key_provider_global);
-Datum pg_tde_add_key_provider_global(PG_FUNCTION_ARGS);
+PG_FUNCTION_INFO_V1(pg_tde_add_global_key_provider);
+Datum pg_tde_add_global_key_provider(PG_FUNCTION_ARGS);
 PG_FUNCTION_INFO_V1(pg_tde_change_key_provider);
 Datum pg_tde_change_key_provider(PG_FUNCTION_ARGS);
-PG_FUNCTION_INFO_V1(pg_tde_change_key_provider_global);
-Datum pg_tde_change_key_provider_global(PG_FUNCTION_ARGS);
+PG_FUNCTION_INFO_V1(pg_tde_change_global_key_provider);
+Datum pg_tde_change_global_key_provider(PG_FUNCTION_ARGS);
+
+static Datum pg_tde_list_all_key_providers_internal(const char *fname, bool global, PG_FUNCTION_ARGS);
 PG_FUNCTION_INFO_V1(pg_tde_list_all_key_providers);
 Datum pg_tde_list_all_key_providers(PG_FUNCTION_ARGS);
-static Datum pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift);
+PG_FUNCTION_INFO_V1(pg_tde_list_all_global_key_providers);
+Datum pg_tde_list_all_global_key_providers(PG_FUNCTION_ARGS);
-static Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift);
+static Datum pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid);
+
+static Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid);
 #define PG_TDE_LIST_PROVIDERS_COLS 4
@@ -197,21 +202,21 @@ cleanup_key_provider_info(Oid databaseId)
 Datum
 pg_tde_change_key_provider(PG_FUNCTION_ARGS)
 {
- return pg_tde_change_key_provider_internal(fcinfo, MyDatabaseId, 0);
+ return pg_tde_change_key_provider_internal(fcinfo, MyDatabaseId);
 }
 Datum
-pg_tde_change_key_provider_global(PG_FUNCTION_ARGS)
+pg_tde_change_global_key_provider(PG_FUNCTION_ARGS)
 {
- return pg_tde_change_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID, 1);
+ return pg_tde_change_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID);
 }
 static Datum
-pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
+pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid)
 {
- char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0 + shift));
- char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1 + shift));
- char *options = text_to_cstring(PG_GETARG_TEXT_PP(2 + shift));
+ char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0));
+ char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
+ char *options = text_to_cstring(PG_GETARG_TEXT_PP(2));
 KeyringProvideRecord provider;
 /* reports error if not found */
@@ -231,21 +236,21 @@ pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
 Datum
 pg_tde_add_key_provider(PG_FUNCTION_ARGS)
 {
- return pg_tde_add_key_provider_internal(fcinfo, MyDatabaseId, 0);
+ return pg_tde_add_key_provider_internal(fcinfo, MyDatabaseId);
 }
 Datum
-pg_tde_add_key_provider_global(PG_FUNCTION_ARGS)
+pg_tde_add_global_key_provider(PG_FUNCTION_ARGS)
 {
- return pg_tde_add_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID, 1);
+ return pg_tde_add_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID);
 }
 Datum
-pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
+pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid)
 {
- char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0 + shift));
- char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1 + shift));
- char *options = text_to_cstring(PG_GETARG_TEXT_PP(2 + shift));
+ char *provider_type = text_to_cstring(PG_GETARG_TEXT_PP(0));
+ char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(1));
+ char *options = text_to_cstring(PG_GETARG_TEXT_PP(2));
 KeyringProvideRecord provider;
 provider.provider_id = 0;
@@ -260,7 +265,20 @@ pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid, int shift)
 Datum
 pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
 {
- List *all_providers = GetAllKeyringProviders(PG_NARGS() == 1 ? GLOBAL_DATA_TDE_OID : MyDatabaseId);
+ return pg_tde_list_all_key_providers_internal("pg_tde_list_all_key_providers", false, fcinfo);
+}
+
+Datum
+pg_tde_list_all_global_key_providers(PG_FUNCTION_ARGS)
+{
+ return pg_tde_list_all_key_providers_internal("pg_tde_list_all_key_providers_global", true, fcinfo);
+}
+
+static Datum
+pg_tde_list_all_key_providers_internal(const char *fname, bool global, PG_FUNCTION_ARGS)
+{
+ Oid database = (global ? GLOBAL_DATA_TDE_OID : MyDatabaseId);
+ List *all_providers = GetAllKeyringProviders(database);
 ListCell *lc;
 Tuplestorestate *tupstore;
 TupleDesc tupdesc;
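Review bot: The rewritten definition of pg_tde_add_key_provider_internal (hunk at -231) is still introduced by a bare `Datum` line, although the prototype this commit rewrites reads `static Datum pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid);` and the sibling pg_tde_change_key_provider_internal in the previous hunk is defined as `static Datum`. C gives the definition internal linkage from the earlier declaration, so it compiles, but the asymmetry reads as if the helper were exported; changing the definition to `static Datum` keeps the two helpers consistent. The function body continues past the hunk.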
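Review bot: The new global wrapper (hunk at -260) passes `"pg_tde_list_all_key_providers_global"` as fname, but the SQL-visible function this commit introduces is pg_tde_list_all_global_key_providers (see the PG_FUNCTION_INFO_V1 entry in the declarations hunk), so the three error messages the helper builds from fname would name a function that does not exist, which is misleading in logs and in incident triage. The call should read `return pg_tde_list_all_key_providers_internal("pg_tde_list_all_global_key_providers", true, fcinfo);`. Alternatively the fname parameter could be dropped and the helper could derive the name from `get_func_name(fcinfo->flinfo->fn_oid)`, which removes the chance of the string and the function name drifting apart again. The helper's body continues outside the hunk.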
@@ -272,11 +290,11 @@ pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
 if (rsinfo == NULL || !IsA(rsinfo, ReturnSetInfo))
 ereport(ERROR,
 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("pg_tde_list_all_key_providers: set-valued function called in context that cannot accept a set")));
+ errmsg("%s: set-valued function called in context that cannot accept a set", fname)));
 if (!(rsinfo->allowedModes & SFRM_Materialize))
 ereport(ERROR,
 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("pg_tde_list_all_key_providers: materialize mode required, but it is not allowed in this context")));
+ errmsg("%s: materialize mode required, but it is not allowed in this context", fname)));
 /* Switch into long-lived context to construct returned data structures */
 per_query_ctx = rsinfo->econtext->ecxt_per_query_memory;
@@ -284,7 +302,7 @@ pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
 /* Build a tuple descriptor for our result type */
 if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
- elog(ERROR, "pg_tde_list_all_key_providers: return type must be a row type");
+ elog(ERROR, "%s: return type must be a row type", fname);
 tupstore = tuplestore_begin_heap(true, false, work_mem);
 rsinfo->returnMode = SFRM_Materialize;
diff --git a/contrib/pg_tde/src/catalog/tde_principal_key.c b/contrib/pg_tde/src/catalog/tde_principal_key.c
index a9540f22987..4436e8e0f9d 100644
--- a/contrib/pg_tde/src/catalog/tde_principal_key.c
+++ b/contrib/pg_tde/src/catalog/tde_principal_key.c
@@ -47,7 +47,7 @@
 #ifndef FRONTEND
 PG_FUNCTION_INFO_V1(pg_tde_delete_key_provider);
-PG_FUNCTION_INFO_V1(pg_tde_delete_key_provider_global);
+PG_FUNCTION_INFO_V1(pg_tde_delete_global_key_provider);
 PG_FUNCTION_INFO_V1(pg_tde_verify_principal_key);
 PG_FUNCTION_INFO_V1(pg_tde_verify_global_principal_key);
@@ -109,10 +109,10 @@ Datum pg_tde_set_default_principal_key(PG_FUNCTION_ARGS);
 PG_FUNCTION_INFO_V1(pg_tde_set_principal_key);
 Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
-PG_FUNCTION_INFO_V1(pg_tde_set_principal_key_global);
+PG_FUNCTION_INFO_V1(pg_tde_set_global_principal_key);
 Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
-PG_FUNCTION_INFO_V1(pg_tde_set_principal_key_server);
+PG_FUNCTION_INFO_V1(pg_tde_set_server_principal_key);
 Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
 enum global_status
@@ -565,8 +565,8 @@ Datum
 pg_tde_set_default_principal_key(PG_FUNCTION_ARGS)
 {
 char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
- char *provider_name = PG_ARGISNULL(2) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(2));
- bool ensure_new_key = PG_GETARG_BOOL(3);
+ char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
+ bool ensure_new_key = PG_GETARG_BOOL(2);
 return pg_tde_set_principal_key_internal(principal_key_name, GS_DEFAULT, provider_name, ensure_new_key);
 }
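Review bot: The two prototype lines that follow the renamed PG_FUNCTION_INFO_V1 entries (hunk at -109) still read `Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);`, so the file now declares pg_tde_set_principal_key three times and never spells out prototypes for the two new symbols. It compiles because, in current PostgreSQL versions, PG_FUNCTION_INFO_V1 itself emits an extern declaration for its argument, but the stale lines misdirect anyone reading the declarations. They should read `Datum pg_tde_set_global_principal_key(PG_FUNCTION_ARGS);` and `Datum pg_tde_set_server_principal_key(PG_FUNCTION_ARGS);` respectively.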
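Review bot: After the argument shift in pg_tde_set_default_principal_key (hunk at -565), principal_key_name is still read with `text_to_cstring(PG_GETARG_TEXT_PP(0))` without a PG_ARGISNULL(0) guard, while provider_name at index 1 is guarded. The SQL declarations give provider_name a `DEFAULT NULL` and the code handles that NULL explicitly, so these functions are presumably not STRICT (not visible here); if so, a NULL first argument reaches text_to_cstring as a null pointer and takes down the backend instead of producing an error. A check such as `if (PG_ARGISNULL(0)) ereport(ERROR, (errcode(ERRCODE_NULL_VALUE_NOT_ALLOWED), errmsg("principal key name must not be null")));` before the first read closes this, or the SQL functions could be declared STRICT and the manual NULL handling dropped. The same pattern is repeated in pg_tde_set_global_principal_key and pg_tde_set_server_principal_key in the hunk at -582, and `PG_GETARG_BOOL(2)` there silently reads a NULL ensure_new_key as false.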
@@ -582,21 +582,21 @@ pg_tde_set_principal_key(PG_FUNCTION_ARGS)
 }
 Datum
-pg_tde_set_principal_key_global(PG_FUNCTION_ARGS)
+pg_tde_set_global_principal_key(PG_FUNCTION_ARGS)
 {
 char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
- char *provider_name = PG_ARGISNULL(2) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(2));
- bool ensure_new_key = PG_GETARG_BOOL(3);
+ char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
+ bool ensure_new_key = PG_GETARG_BOOL(2);
 return pg_tde_set_principal_key_internal(principal_key_name, GS_GLOBAL, provider_name, ensure_new_key);
 }
 Datum
-pg_tde_set_principal_key_server(PG_FUNCTION_ARGS)
+pg_tde_set_server_principal_key(PG_FUNCTION_ARGS)
 {
 char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
- char *provider_name = PG_ARGISNULL(2) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(2));
- bool ensure_new_key = PG_GETARG_BOOL(3);
+ char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
+ bool ensure_new_key = PG_GETARG_BOOL(2);
 return pg_tde_set_principal_key_internal(principal_key_name, GS_SERVER, provider_name, ensure_new_key);
 }
@@ -679,9 +679,9 @@ pg_tde_principal_key_info(PG_FUNCTION_ARGS)
 return pg_tde_get_key_info(fcinfo, MyDatabaseId);
 }
-PG_FUNCTION_INFO_V1(pg_tde_principal_key_info_global);
+PG_FUNCTION_INFO_V1(pg_tde_global_principal_key_info);
 Datum
-pg_tde_principal_key_info_global(PG_FUNCTION_ARGS)
+pg_tde_global_principal_key_info(PG_FUNCTION_ARGS)
 {
 return pg_tde_get_key_info(fcinfo, GLOBAL_DATA_TDE_OID);
 }
@@ -1090,7 +1090,7 @@ pg_tde_delete_key_provider(PG_FUNCTION_ARGS)
 }
 Datum
-pg_tde_delete_key_provider_global(PG_FUNCTION_ARGS)
+pg_tde_delete_global_key_provider(PG_FUNCTION_ARGS)
 {
 return pg_tde_delete_key_provider_internal(fcinfo, 1);
 }
@@ -1098,7 +1098,7 @@ pg_tde_delete_key_provider_global(PG_FUNCTION_ARGS)
 Datum
 pg_tde_delete_key_provider_internal(PG_FUNCTION_ARGS, int is_global)
 {
- char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(0 + is_global));
+ char *provider_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
 Oid db_oid = (is_global == 1) ? GLOBAL_DATA_TDE_OID : MyDatabaseId;
 GenericKeyring *provider = GetKeyProviderByName(provider_name, db_oid);
 int provider_id;
diff --git a/contrib/pg_tde/t/002_rotate_key.pl b/contrib/pg_tde/t/002_rotate_key.pl
index b6d110441da..f2e29aec7ff 100644
--- a/contrib/pg_tde/t/002_rotate_key.pl
+++ b/contrib/pg_tde/t/002_rotate_key.pl
@@ -46,9 +46,9 @@ $stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('fil
 PGTDE::append_to_file($stdout);
 $stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-2','/tmp/pg_tde_test_keyring_2g.per');", extra_params => ['-a']);
+$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2g.per');", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-3','/tmp/pg_tde_test_keyring_3.per');", extra_params => ['-a']);
+$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-3','/tmp/pg_tde_test_keyring_3.per');", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 $stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_key_providers();", extra_params => ['-a']);
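Review bot: With the argument shift gone, `int is_global` in pg_tde_delete_key_provider_internal (hunk at -1098) now serves only to pick db_oid through the `(is_global == 1)` comparison, which is a leftover of the old offset idiom and is inconsistent with the sibling helpers in tde_keyring.c that this commit changed to take `Oid dbOid` directly. Passing the Oid removes the magic integer: `pg_tde_delete_key_provider_internal(PG_FUNCTION_ARGS, Oid db_oid)` with callers `pg_tde_delete_key_provider_internal(fcinfo, GLOBAL_DATA_TDE_OID)` and `pg_tde_delete_key_provider_internal(fcinfo, MyDatabaseId)`; the prototype, if one exists above, would need the same change. The function body continues past the hunk.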
@@ -79,7 +79,7 @@ $rt_value = $node->start();
 $stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 PGTDE::append_to_file($stderr);
 $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
@@ -99,14 +99,14 @@ $rt_value = $node->start();
 $stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 PGTDE::append_to_file($stderr);
 $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 #Again rotate key
-$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-key', 'PG_TDE_GLOBAL', 'file-3', false);", extra_params => ['-a']);
+$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false);", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
@@ -118,7 +118,7 @@ $rt_value = $node->start();
 $stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 PGTDE::append_to_file($stderr);
 $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
@@ -128,7 +128,7 @@ PGTDE::append_to_file($stdout);
 # And maybe debug tools to show what's in a file keyring?
 #Again rotate key
-$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-keyX', 'PG_TDE_GLOBAL', 'file-2', false);", extra_params => ['-a']);
+$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-keyX', 'file-2', false);", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
@@ -140,7 +140,7 @@ $rt_value = $node->start();
 $stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 PGTDE::append_to_file($stderr);
 $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
@@ -156,11 +156,11 @@ $rt_value = $node->stop();
 $rt_value = $node->start();
 # But now can't be changed to another global provider
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-keyX2', 'PG_TDE_GLOBAL', 'file-2', false);", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-keyX2', 'file-2', false);", extra_params => ['-a']);
 PGTDE::append_to_file($stderr);
 $stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 PGTDE::append_to_file($stderr);
@@ -168,7 +168,7 @@ $stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated
 PGTDE::append_to_file($stdout);
 $stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');", extra_params => ['-a']);
+($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 PGTDE::append_to_file($stderr);
diff --git a/contrib/pg_tde/t/010_wal_encrypt.pl b/contrib/pg_tde/t/010_wal_encrypt.pl
index 388d08437ac..31ded5a0b0f 100644
--- a/contrib/pg_tde/t/010_wal_encrypt.pl
+++ b/contrib/pg_tde/t/010_wal_encrypt.pl
@@ -29,10 +29,10 @@ ok($rt_value == 1, "Start Server");
 my $stdout = $node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-010','/tmp/pg_tde_test_keyring010.per');", extra_params => ['-a']);
+$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-010','/tmp/pg_tde_test_keyring010.per');", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
-$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-010');", extra_params => ['-a']);
+$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-010');", extra_params => ['-a']);
 PGTDE::append_to_file($stdout);
 $stdout = $node->safe_psql('postgres', "SELECT pg_tde_create_wal_key();", extra_params => ['-a']);
diff --git a/contrib/pg_tde/t/expected/002_rotate_key.out b/contrib/pg_tde/t/expected/002_rotate_key.out
index 4935dcd1925..c622f724402 100644
--- a/contrib/pg_tde/t/expected/002_rotate_key.out
+++ b/contrib/pg_tde/t/expected/002_rotate_key.out
@@ -4,9 +4,9 @@ SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per')
 1
 SELECT pg_tde_add_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');
 2
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-2','/tmp/pg_tde_test_keyring_2g.per');
+SELECT pg_tde_add_global_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2g.per');
 -1
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-3','/tmp/pg_tde_test_keyring_3.per');
+SELECT pg_tde_add_global_key_provider_file('file-3','/tmp/pg_tde_test_keyring_3.per');
 -2
 SELECT pg_tde_list_all_key_providers();
 (1,file-vault,file,"{""type"" : ""file"", ""path"" : ""/tmp/pg_tde_test_keyring.per""}")
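Review bot: The rewritten `pg_tde_add_global_key_provider_file` call in the 010_wal_encrypt.pl hunk still stores the keyring at `/tmp/pg_tde_test_keyring010.per`, a fixed path in a world-writable directory, so the key material this WAL-encryption test relies on can be pre-created or replaced by any local user and a stale file from an earlier run is reused silently. A per-node location avoids both, e.g. `my $keyring = $node->basedir . '/pg_tde_test_keyring010.per';` followed by `"SELECT pg_tde_add_global_key_provider_file('file-keyring-010','$keyring');"` (PostgreSQL::Test::Utils::tempdir() works as well); because `-a` echoes the command into the expected .out file, the path would then have to be kept stable or masked before comparison. The same fixed-/tmp pattern appears in the @@ -27 hunk of 003_basic_encrypted.pl and the @@ -41 hunk of 004_save_fullpage_encrypted.pl, which additionally share one filename between two tests, so a parallel run of those two would clobber each other's keyring.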
@@ -25,7 +25,7 @@ SELECT * FROM test_enc ORDER BY id ASC;
 -- server restart
 SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
 1|file-vault|rotated-principal-key1
-SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
+SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
 psql::1: ERROR: Principal key does not exists for the database
 HINT: Use set_principal_key interface to set the principal key
 SELECT * FROM test_enc ORDER BY id ASC;
@@ -39,13 +39,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
 -- server restart
 SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
 2|file-2|rotated-principal-key2
-SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
+SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
 psql::1: ERROR: Principal key does not exists for the database
 HINT: Use set_principal_key interface to set the principal key
 SELECT * FROM test_enc ORDER BY id ASC;
 1|5
 2|6
-SELECT pg_tde_set_principal_key('rotated-principal-key', 'PG_TDE_GLOBAL', 'file-3', false);
+SELECT pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false);
 t
 SELECT * FROM test_enc ORDER BY id ASC;
 1|5
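Review bot: The error captured for the renamed `pg_tde_global_principal_key_info()` in the @@ -25 hunk still reads `ERROR: Principal key does not exists for the database` / `HINT: Use set_principal_key interface to set the principal key`, which after this rename names the wrong scope and the wrong interface for a global-scope query, on top of the grammar slip. The text comes from the extension's C code rather than from this hunk, so fixing it means changing it there and regenerating these expected files in the same commit; wording such as `ERROR: Global principal key does not exist` with a hint naming the global-scope setter (`pg_tde_set_server_principal_key` or `pg_tde_set_global_principal_key`, whichever is intended) would match the new API. The same captured lines recur in the @@ -39 hunk here and in the @@ -53, @@ -67 and @@ -78 hunks of this file.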
@@ -53,13 +53,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
 -- server restart
 SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
 -2|file-3|rotated-principal-key
-SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
+SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
 psql::1: ERROR: Principal key does not exists for the database
 HINT: Use set_principal_key interface to set the principal key
 SELECT * FROM test_enc ORDER BY id ASC;
 1|5
 2|6
-SELECT pg_tde_set_principal_key('rotated-principal-keyX', 'PG_TDE_GLOBAL', 'file-2', false);
+SELECT pg_tde_set_global_principal_key('rotated-principal-keyX', 'file-2', false);
 t
 SELECT * FROM test_enc ORDER BY id ASC;
 1|5
@@ -67,7 +67,7 @@ SELECT * FROM test_enc ORDER BY id ASC;
 -- server restart
 SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
 -1|file-2|rotated-principal-keyX
-SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
+SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
 psql::1: ERROR: Principal key does not exists for the database
 HINT: Use set_principal_key interface to set the principal key
 SELECT * FROM test_enc ORDER BY id ASC;
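Review bot: In the @@ -53 hunk, after `pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false)` returned `t` and the server restarted, `pg_tde_principal_key_info()` reports `-2|file-3|rotated-principal-key` while `pg_tde_global_principal_key_info()` still reports that no principal key exists. If that is the intended contract — presumably the function sets the current database's principal key through a global key provider rather than a server-wide key — the name sits uncomfortably close to `pg_tde_set_server_principal_key`, and nothing in the test records the distinction, so the expected output reads like a failure. A one-line comment in 002_rotate_key.pl above the call, e.g. `# sets this database's principal key via the global provider 'file-3'; the server-wide key itself stays unset`, would make the captured output self-explanatory. This is inferred from the captured output alone and is worth confirming against the function's definition.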
@@ -78,14 +78,14 @@ ALTER SYSTEM SET pg_tde.inherit_global_providers = OFF;
 psql::1: ERROR: Usage of global key providers is disabled. Enable it with pg_tde.inherit_global_providers = ON
 SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
 -1|file-2|rotated-principal-keyX
-SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
+SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
 psql::1: ERROR: Principal key does not exists for the database
 HINT: Use set_principal_key interface to set the principal key
 SELECT pg_tde_set_principal_key('rotated-principal-key2','file-2');
 t
 SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
 2|file-2|rotated-principal-key2
-SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info('PG_TDE_GLOBAL');
+SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
 psql::1: ERROR: Principal key does not exists for the database
 HINT: Use set_principal_key interface to set the principal key
 DROP TABLE test_enc;
diff --git a/contrib/pg_tde/t/expected/010_wal_encrypt.out b/contrib/pg_tde/t/expected/010_wal_encrypt.out
index ec84e85ef99..7df67d02653 100644
--- a/contrib/pg_tde/t/expected/010_wal_encrypt.out
+++ b/contrib/pg_tde/t/expected/010_wal_encrypt.out
@@ -1,7 +1,7 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-010','/tmp/pg_tde_test_keyring010.per');
+SELECT pg_tde_add_global_key_provider_file('file-keyring-010','/tmp/pg_tde_test_keyring010.per');
 -1
-SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-010');
+SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-010');
 t
 SELECT pg_tde_create_wal_key();
 t
diff --git a/src/bin/pg_waldump/t/003_basic_encrypted.pl b/src/bin/pg_waldump/t/003_basic_encrypted.pl
index 868b09ac2f2..e998c910fa0 100644
--- a/src/bin/pg_waldump/t/003_basic_encrypted.pl
+++ b/src/bin/pg_waldump/t/003_basic_encrypted.pl
@@ -27,8 +27,8 @@ shared_preload_libraries = 'pg_tde'
 $node->start;
 $node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;");
-$node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
-$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-wal');");
+$node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
+$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-wal');");
 $node->safe_psql('postgres', "SELECT pg_tde_create_wal_key();");
 $node->append_conf(
diff --git a/src/bin/pg_waldump/t/004_save_fullpage_encrypted.pl b/src/bin/pg_waldump/t/004_save_fullpage_encrypted.pl
index 5e4d720129f..170bb55fe0b 100644
--- a/src/bin/pg_waldump/t/004_save_fullpage_encrypted.pl
+++ b/src/bin/pg_waldump/t/004_save_fullpage_encrypted.pl
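Review bot: The first added line in the @@ -27 hunk carries over a stray `;;` from the old line — `...'/tmp/pg_tde_test_keyring-wal.per');");;` — which Perl accepts as an empty statement but which reads as a typo; since the line is being rewritten anyway it should end in a single `;`. The @@ -41 hunk of 004_save_fullpage_encrypted.pl has the identical `;;`. The fixed `/tmp` keyring path on the same line is raised at the 010_wal_encrypt.pl hunk and applies here as well.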
@@ -41,8 +41,8 @@ shared_preload_libraries = 'pg_tde'
 $node->start;
 $node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;");
-$node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('PG_TDE_GLOBAL', 'file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
-$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'PG_TDE_GLOBAL', 'file-keyring-wal');");
+$node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
+$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-wal');");
 $node->safe_psql('postgres', "SELECT pg_tde_create_wal_key();");
 $node->append_conf(