PG-1457 Key management funcs renaming (#126)
* PG-1457 Rename some key management functions * PG-1457 Fix some tests * PG-1457 Hit CI * PG-1457 Rename key in CI setup * PG-1457 Rename pg_tde_verify_global_principal_key to pg_tde_verify_server_principal_key * PG-1457 Rename keys in tests * PG-1457 Renaming * PG-1457 Renaming * PG-1457 Fix tests * PG-1457 Fix tests * PG-1457 Fix tabs * PG-1457 Fix tests * PG-1457 Fix tests * PG-1457 Fix * PG-1457 Fix test * PG-1457 Fix test * PG-1457 Hit CI * PG-1457 Fix after rebase * PG-1457 Fix * PG-1457 Fix * PG-1457 Fix * PG-1457 Fix test * PG-1457 Fix tests * PG-1457 Fix tests * PG-1457 Fix
This commit is contained in:
parent
fef106d785
commit
3b8a234d3e
@ -104,8 +104,8 @@ setup_tde_heap(){
|
||||
sudo -u "$PG_USER" psql -p $PG_PORT -c "DROP DATABASE IF EXISTS $DB_NAME;"
|
||||
sudo -u "$PG_USER" psql -p $PG_PORT -c "CREATE DATABASE $DB_NAME;"
|
||||
sudo -u "$PG_USER" psql -d "$DB_NAME" -p "$PG_PORT" -c "CREATE EXTENSION IF NOT EXISTS pg_tde;"
|
||||
sudo -u "$PG_USER" psql -d "$DB_NAME" -p "$PG_PORT" -c "SELECT pg_tde_add_key_provider_file('file-vault','$KEYLOCATION');"
|
||||
sudo -u "$PG_USER" psql -d "$DB_NAME" -p "$PG_PORT" -c "SELECT pg_tde_set_principal_key('test-db-master-key','file-vault');"
|
||||
sudo -u "$PG_USER" psql -d "$DB_NAME" -p "$PG_PORT" -c "SELECT pg_tde_add_database_key_provider_file('file-vault','$KEYLOCATION');"
|
||||
sudo -u "$PG_USER" psql -d "$DB_NAME" -p "$PG_PORT" -c "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-master-key','file-vault');"
|
||||
sudo -u "$PG_USER" psql -p $PG_PORT -c "ALTER DATABASE $DB_NAME SET default_table_access_method='tde_heap';"
|
||||
sudo -u "$PG_USER" psql -p $PG_PORT -c "SELECT pg_reload_conf();"
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
CREATE SCHEMA IF NOT EXISTS tde;
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;
|
||||
SELECT tde.pg_tde_add_key_provider_file('reg_file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT tde.pg_tde_set_principal_key('test-db-principal-key', 'reg_file-vault');
|
||||
SELECT tde.pg_tde_add_database_key_provider_file('reg_file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT tde.pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key', 'reg_file-vault');
|
||||
|
@ -2,7 +2,7 @@ CREATE SCHEMA tde;
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde SCHEMA tde;
|
||||
|
||||
SELECT tde.pg_tde_add_global_key_provider_file('reg_file-global', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT tde.pg_tde_set_server_principal_key('global-principal-key', 'reg_file-global');
|
||||
SELECT tde.pg_tde_set_server_principal_key_using_global_key_provider('server-principal-key', 'reg_file-global');
|
||||
ALTER SYSTEM SET pg_tde.wal_encrypt = on;
|
||||
ALTER SYSTEM SET default_table_access_method = 'tde_heap';
|
||||
ALTER SYSTEM SET search_path = "$user",public,tde;
|
||||
|
@ -112,16 +112,16 @@ _See [Make Builds for Developers](https://github.com/percona/pg_tde/wiki/Make-bu
|
||||
|
||||
```sql
|
||||
-- For Vault-V2 key provider
|
||||
-- pg_tde_add_key_provider_vault_v2(provider_name, vault_token, vault_url, vault_mount_path, vault_ca_path)
|
||||
SELECT pg_tde_add_key_provider_vault_v2(
|
||||
-- pg_tde_add_database_key_provider_vault_v2(provider_name, vault_token, vault_url, vault_mount_path, vault_ca_path)
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2(
|
||||
'vault-provider',
|
||||
json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/token' ),
|
||||
json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/url' ),
|
||||
to_json('secret'::text), NULL);
|
||||
|
||||
-- For File key provider
|
||||
-- pg_tde_add_key_provider_file(provider_name, file_path);
|
||||
SELECT pg_tde_add_key_provider_file('file','/tmp/pgkeyring');
|
||||
-- pg_tde_add_database_key_provider_file(provider_name, file_path);
|
||||
SELECT pg_tde_add_database_key_provider_file('file','/tmp/pgkeyring');
|
||||
```
|
||||
|
||||
**Note: The `File` provided is intended for development and stores the keys unencrypted in the specified data file.**
|
||||
@ -129,8 +129,8 @@ _See [Make Builds for Developers](https://github.com/percona/pg_tde/wiki/Make-bu
|
||||
5. Set the principal key for the database using the `pg_tde_set_principal_key` function.
|
||||
|
||||
```sql
|
||||
-- pg_tde_set_principal_key(principal_key_name, provider_name);
|
||||
SELECT pg_tde_set_principal_key('my-principal-key','file');
|
||||
-- pg_tde_set_principal_key_using_database_key_provider(principal_key_name, provider_name);
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('my-principal-key','file');
|
||||
```
|
||||
|
||||
6. Specify `tde_heap` access method during table creation
|
||||
|
@ -15,7 +15,7 @@ To use the file provider with a file location specified by the `remote` method,
|
||||
use the following command:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_file(
|
||||
SELECT pg_tde_add_database_key_provider_file(
|
||||
'file-provider',
|
||||
json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/hello' )
|
||||
);"
|
||||
@ -24,7 +24,7 @@ SELECT pg_tde_add_key_provider_file(
|
||||
Or to use the `file` method, use the following command:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_file(
|
||||
SELECT pg_tde_add_database_key_provider_file(
|
||||
'file-provider',
|
||||
json_object( 'type' VALUE 'remote', 'path' VALUE '/tmp/datafile-location' )
|
||||
);"
|
||||
|
@ -14,8 +14,8 @@ The following functions are also provided for easier management of functionality
|
||||
|
||||
Use these functions to grant or revoke permissions to manage permissions for the current database. They enable or disable all functions related to the providers and keys on the current database:
|
||||
|
||||
* `pg_tde_grant_local_key_management_to_role(role)`
|
||||
* `pg_tde_revoke_local_key_management_from_role(role)`
|
||||
* `pg_tde_grant_database_key_management_to_role(role)`
|
||||
* `pg_tde_revoke_database_key_management_from_role(role)`
|
||||
|
||||
### Global scope key management
|
||||
|
||||
@ -72,7 +72,7 @@ You can change an existing key provider using the provided functions, which are
|
||||
|
||||
There are two functions to change existing providers: one to change a provider in the current database, and another one to change a provider in the global scope.
|
||||
|
||||
* `pg_tde_change_key_provider_<type>('provider-name', <provider specific parameters>)`
|
||||
* `pg_tde_change_database_key_provider_<type>('provider-name', <provider specific parameters>)`
|
||||
* `pg_tde_change_global_key_provider_<type>('provider-name', <provider specific parameters>)`
|
||||
|
||||
When you change a provider, the referred name must exist in the database local or a global scope.
|
||||
@ -90,14 +90,14 @@ The Vault provider connects to a HashiCorp Vault or an OpenBao server, and store
|
||||
Use the following functions to add the Vault provider:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
|
||||
SELECT pg_tde_add_global_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
|
||||
```
|
||||
|
||||
These functions change the Vault provider:
|
||||
|
||||
```
|
||||
SELECT pg_tde_change_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
|
||||
SELECT pg_tde_change_database_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
|
||||
SELECT pg_tde_change_global_key_provider_vault_v2('provider-name','secret_token','url','mount','ca_path');
|
||||
```
|
||||
|
||||
@ -121,14 +121,14 @@ The KMIP provider uses a remote KMIP server.
|
||||
Use these functions to add a KMIP provider:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
SELECT pg_tde_add_database_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
SELECT pg_tde_add_global_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
```
|
||||
|
||||
These functions change the KMIP provider:
|
||||
|
||||
```
|
||||
SELECT pg_tde_change_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
SELECT pg_tde_change_database_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
SELECT pg_tde_change_global_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
```
|
||||
|
||||
@ -156,14 +156,14 @@ This function is intended for development or quick testing, and stores the keys
|
||||
Add a local keyfile provider:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_file('provider-name','/path/to/the/key/provider/data.file');
|
||||
SELECT pg_tde_add_database_key_provider_file('provider-name','/path/to/the/key/provider/data.file');
|
||||
SELECT pg_tde_add_global_key_provider_file('provider-name','/path/to/the/key/provider/data.file');
|
||||
```
|
||||
|
||||
Change a local keyfile provider:
|
||||
|
||||
```
|
||||
SELECT pg_tde_change_key_provider_file('provider-name','/path/to/the/key/provider/data.file');
|
||||
SELECT pg_tde_change_database_key_provider_file('provider-name','/path/to/the/key/provider/data.file');
|
||||
SELECT pg_tde_change_global_key_provider_file('provider-name','/path/to/the/key/provider/data.file');
|
||||
```
|
||||
|
||||
@ -178,7 +178,7 @@ All parameters can be either strings, or JSON objects [referencing remote parame
|
||||
|
||||
These functions delete an existing provider in the current database or in the global scope:
|
||||
|
||||
* `pg_tde_delete_key_provider('provider-name)`
|
||||
* `pg_tde_delete_database_key_provider('provider-name)`
|
||||
* `pg_tde_delete_global_key_provider('provider-name)`
|
||||
|
||||
You can only delete key providers that are not currently in use. An error is returned if the current principal key is using the provider you are trying to delete.
|
||||
@ -189,7 +189,7 @@ If the use of global key providers is enabled via the `pg_tde.inherit_global` GU
|
||||
|
||||
These functions list the details of all key providers for the current database or for the global scope, including all configuration values:
|
||||
|
||||
* `pg_tde_list_all_key_providers()`
|
||||
* `pg_tde_list_all_database_key_providers()`
|
||||
* `pg_tde_list_all_global_key_providers()`
|
||||
|
||||
**All configuration values include possibly sensitive values, such as passwords. Never specify these directly, use the remote configuration option instead.**
|
||||
@ -201,12 +201,12 @@ Use these functions to create a new principal key for a specific scope such as a
|
||||
|
||||
Princial keys are stored on key providers by the name specified in this function - for example, when using the Vault provider, after creating a key named "foo", a key named "foo" will be visible on the Vault server at the specified mount point.
|
||||
|
||||
### pg_tde_set_principal_key
|
||||
### pg_tde_set_principal_key_using_database_key_provider
|
||||
|
||||
Creates or rotates the principal key for the current database using the specified database key provider and key name.
|
||||
|
||||
```
|
||||
SELECT pg_tde_set_principal_key('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
```
|
||||
|
||||
The `ensure_new_key` parameter instructs the function how to handle a principal key during key rotation:
|
||||
@ -215,12 +215,12 @@ SELECT pg_tde_set_principal_key('name-of-the-principal-key','provider-name','ens
|
||||
If the provider already stores a key by that name, the function returns an error.
|
||||
* If set to `false`, an existing principal key may be reused.
|
||||
|
||||
### pg_tde_set_global_principal_key
|
||||
### pg_tde_set_principal_key_using_global_key_provider
|
||||
|
||||
Creates or rotates the global principal key using the specified global key provider and the key name. This key is used for global settings like WAL encryption.
|
||||
|
||||
```
|
||||
SELECT pg_tde_set_global_principal_key('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
```
|
||||
|
||||
The `ensure_new_key` parameter instructs the function how to handle a principal key during key rotation:
|
||||
@ -229,12 +229,12 @@ SELECT pg_tde_set_global_principal_key('name-of-the-principal-key','provider-nam
|
||||
If the provider already stores a key by that name, the function returns an error.
|
||||
* If set to `false`, an existing principal key may be reused.
|
||||
|
||||
### pg_tde_set_server_principal_key
|
||||
### pg_tde_set_server_principal_key_using_global_key_provider
|
||||
|
||||
Creates or rotates the global principal key using the specified key provider. Use this function to set a principal key for WAL encryption.
|
||||
Creates or rotates the server principal key using the specified global key provider. Use this function to set a principal key for WAL encryption.
|
||||
|
||||
```
|
||||
SELECT pg_tde_set_server_principal_key('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
SELECT pg_tde_set_server_principal_key_using_global_key_provider('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
```
|
||||
|
||||
The `ensure_new_key` parameter instructs the function how to handle a principal key during key rotation:
|
||||
@ -244,14 +244,14 @@ The `ensure_new_key` parameter instructs the function how to handle a principal
|
||||
* If set to `false`, an existing principal key may be reused.
|
||||
|
||||
|
||||
### pg_tde_set_default_principal_key
|
||||
### pg_tde_set_default_principal_key_using_global_key_provider
|
||||
|
||||
Creates or rotates the default principal key for the server using the specified key provider.
|
||||
Creates or rotates the default principal key for the server using the specified global key provider.
|
||||
|
||||
The default key is automatically used as a principal key by any database that doesn't have an individual key provider and key configuration.
|
||||
|
||||
```
|
||||
SELECT pg_tde_set_default_principal_key('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
```
|
||||
|
||||
The `ensure_new_key` parameter instructs the function how to handle a principal key during key rotation:
|
||||
@ -290,12 +290,12 @@ Displays information about the principal key for the current database, if it exi
|
||||
SELECT pg_tde_principal_key_info()
|
||||
```
|
||||
|
||||
### pg_tde_global_principal_key_info
|
||||
### pg_tde_server_principal_key_info
|
||||
|
||||
Displays information about the principal key for the global scope, if exists.
|
||||
Displays information about the principal key for the server scope, if exists.
|
||||
|
||||
```
|
||||
SELECT pg_tde_global_principal_key_info()
|
||||
SELECT pg_tde_server_principal_key_info()
|
||||
```
|
||||
|
||||
### pg_tde_verify_principal_key
|
||||
@ -314,9 +314,9 @@ If any of the above checks fail, the function reports an error.
|
||||
SELECT pg_tde_verify_principal_key()
|
||||
```
|
||||
|
||||
### pg_tde_verify_global_principal_key
|
||||
### pg_tde_verify_server_principal_key
|
||||
|
||||
This function checks that the global scope has a properly functional encryption setup, which means:
|
||||
This function checks that the server scope has a properly functional encryption setup, which means:
|
||||
|
||||
* A key provider is configured
|
||||
* The key provider is accessible using the specified configuration
|
||||
@ -327,5 +327,5 @@ This function checks that the global scope has a properly functional encryption
|
||||
If any of the above checks fail, the function reports an error.
|
||||
|
||||
```
|
||||
SELECT pg_tde_verify_principal_key()
|
||||
SELECT pg_tde_verify_server_principal_key()
|
||||
```
|
||||
|
@ -61,7 +61,7 @@ You must do these steps for every database where you have created the extension.
|
||||
For testing purposes, you can use the PyKMIP server which enables you to set up required certificates. To use a real KMIP server, make sure to obtain the valid certificates issued by the key management appliance.
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_kmip('provider-name','kmip-addr', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
SELECT pg_tde_add_database_key_provider_kmip('provider-name','kmip-addr', 5696, '/path_to/server_certificate.pem', '/path_to/client_key.pem');
|
||||
```
|
||||
|
||||
where:
|
||||
@ -75,7 +75,7 @@ You must do these steps for every database where you have created the extension.
|
||||
<i warning>:material-information: Warning:</i> This example is for testing purposes only:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
SELECT pg_tde_add_database_key_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
```
|
||||
|
||||
=== "With HashiCorp Vault"
|
||||
@ -83,7 +83,7 @@ You must do these steps for every database where you have created the extension.
|
||||
The Vault server setup is out of scope of this document.
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_add_key_provider_vault_v2('provider-name','root_token','url','mount','ca_path');
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('provider-name','root_token','url','mount','ca_path');
|
||||
```
|
||||
|
||||
where:
|
||||
@ -96,7 +96,7 @@ You must do these steps for every database where you have created the extension.
|
||||
<i warning>:material-information: Warning:</i> This example is for testing purposes only:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_provider_file_vault_v2('my-vault','http://vault.vault.svc.cluster.local:8200,'secret/data','hvs.zPuyktykA...example...ewUEnIRVaKoBzs2', NULL);
|
||||
SELECT pg_tde_add_database_key_provider_file_vault_v2('my-vault','http://vault.vault.svc.cluster.local:8200,'secret/data','hvs.zPuyktykA...example...ewUEnIRVaKoBzs2', NULL);
|
||||
```
|
||||
|
||||
=== "With a keyring file"
|
||||
@ -104,20 +104,20 @@ You must do these steps for every database where you have created the extension.
|
||||
This setup is intended for development and stores the keys unencrypted in the specified data file.
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_add_key_provider_file('provider-name','/path/to/the/keyring/data.file');
|
||||
SELECT pg_tde_add_database_key_provider_file('provider-name','/path/to/the/keyring/data.file');
|
||||
```
|
||||
|
||||
<i warning>:material-information: Warning:</i> This example is for testing purposes only:
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_add_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-keyring','/tmp/pg_tde_test_local_keyring.per');
|
||||
```
|
||||
|
||||
|
||||
2. Add a principal key
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_set_principal_key('name-of-the-principal-key', 'provider-name','ensure_new_key');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('name-of-the-principal-key', 'provider-name','ensure_new_key');
|
||||
```
|
||||
|
||||
where:
|
||||
@ -129,7 +129,7 @@ You must do these steps for every database where you have created the extension.
|
||||
<i warning>:material-information: Warning:</i> This example is for testing purposes only:
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_set_principal_key('test-db-master-key','file-vault','ensure_new_key');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-master-key','file-vault','ensure_new_key');
|
||||
```
|
||||
|
||||
The key is auto-generated.
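Review bot: In the Vault "testing purposes only" example (the hunk at `@ -96,7 +96,7`), the renamed call `pg_tde_add_database_key_provider_file_vault_v2(...)` keeps a `_file_vault_v2` suffix that matches no function documented in this section; the example a few lines earlier uses `pg_tde_add_database_key_provider_vault_v2`, so a reader pasting this line would get an unknown-function error. The argument order in that line (url, mount, token, NULL) also appears to differ from the documented signature (token, url, mount, ca_path), and the URL literal is missing its closing quote before the comma, so the statement does not parse as written. Suggested replacement, to be confirmed against the function definition: `SELECT pg_tde_add_database_key_provider_vault_v2('my-vault','hvs.zPuyktykA...example...ewUEnIRVaKoBzs2','http://vault.vault.svc.cluster.local:8200','secret/data', NULL);`. The old line was already inconsistent, so the rename is a good moment to fix it rather than carry the defect forward.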
|
||||
|
@ -112,7 +112,7 @@ Load the `pg_tde` at startup time. The extension requires additional shared memo
|
||||
2. Add a default principal key
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_set_default_principal_key('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('name-of-the-principal-key','provider-name','ensure_new_key');
|
||||
```
|
||||
|
||||
where:
|
||||
@ -124,7 +124,7 @@ Load the `pg_tde` at startup time. The extension requires additional shared memo
|
||||
<i warning>:material-information: Warning:</i> This example is for testing purposes only. Replace the key name and provider name with your values:
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_set_global_principal_key('test-db-master-key','file-vault','ensure_new_key');
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('test-db-master-key','file-vault','ensure_new_key');
|
||||
```
|
||||
|
||||
The key is auto-generated.
|
||||
|
@ -32,7 +32,7 @@ Here's what to do:
|
||||
<i warning>:material-information: Warning:</i> This example is for testing purposes only:
|
||||
|
||||
```
|
||||
SELECT pg_tde_add_key_global_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
SELECT pg_tde_add_key_using_global_key_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
```
|
||||
|
||||
=== "With HashiCorp Vault"
|
||||
@ -61,7 +61,7 @@ Here's what to do:
|
||||
3. Create principal key
|
||||
|
||||
```sql
|
||||
SELECT pg_tde_set_server_principal_key('principal-key', 'provider-name');
|
||||
SELECT pg_tde_set_server_principal_key_using_global_key_provider('principal-key', 'provider-name');
|
||||
```
|
||||
|
||||
4. Enable WAL level encryption using the `ALTER SYSTEM` command. You need the privileges of the superuser to run this command:
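Review bot: In the KMIP "testing purposes only" example (the hunk at `@ -32,7 +32,7`), the new name `pg_tde_add_key_using_global_key_provider_kmip` does not follow the `pg_tde_add_global_key_provider_<type>` pattern this same commit documents elsewhere (`pg_tde_add_global_key_provider_kmip` in the KMIP reference section), so the example cannot be run as written. The line should read `SELECT pg_tde_add_global_key_provider_kmip('kmip','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');`. The pre-rename name was already wrong, which suggests this file was edited by hand rather than by the same search-and-replace as the rest of the commit; a grep for `pg_tde_add_key_` across the docs would catch any other stragglers.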
|
||||
|
@ -2,14 +2,14 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
CREATE USER regress_pg_tde_access_control;
|
||||
SET ROLE regress_pg_tde_access_control;
|
||||
-- should throw access denied
|
||||
SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
ERROR: permission denied for function pg_tde_add_key_provider_file
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key', 'file-vault');
|
||||
ERROR: permission denied for function pg_tde_set_principal_key
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
ERROR: permission denied for function pg_tde_add_database_key_provider_file
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key', 'file-vault');
|
||||
ERROR: permission denied for function pg_tde_set_principal_key_using_database_key_provider
|
||||
RESET ROLE;
|
||||
SELECT pg_tde_grant_local_key_management_to_role('regress_pg_tde_access_control');
|
||||
pg_tde_grant_local_key_management_to_role
|
||||
-------------------------------------------
|
||||
SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
|
||||
pg_tde_grant_database_key_management_to_role
|
||||
----------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
@ -21,25 +21,25 @@ SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
|
||||
|
||||
SET ROLE regress_pg_tde_access_control;
|
||||
-- should now be allowed
|
||||
SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-2', '/tmp/pg_tde_test_keyring_2.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_file('file-2', '/tmp/pg_tde_test_keyring_2.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key', 'file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key', 'file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+--------------------------------------------------------------
|
||||
1 | file-vault | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
@ -61,8 +61,8 @@ SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
|
||||
|
||||
SET ROLE regress_pg_tde_access_control;
|
||||
-- verify the view access is revoked
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
ERROR: permission denied for function pg_tde_list_all_key_providers
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
ERROR: permission denied for function pg_tde_list_all_database_key_providers
|
||||
SELECT principal_key_name, key_provider_name, key_provider_id FROM pg_tde_principal_key_info();
|
||||
ERROR: permission denied for function pg_tde_principal_key_info
|
||||
RESET ROLE;
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,14 +1,14 @@
|
||||
-- Just checking there are no mem debug WARNINGs during the cache population
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -5,9 +5,9 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regressi
|
||||
-3
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key
|
||||
----------------------------------
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key_using_global_key_provider
|
||||
------------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
@ -67,9 +67,9 @@ SELECT key_provider_id, key_provider_name, principal_key_name
|
||||
(1 row)
|
||||
|
||||
\c :regress_database
|
||||
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key
|
||||
----------------------------------
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('new-default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key_using_global_key_provider
|
||||
------------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -5,9 +5,9 @@ SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regressi
|
||||
-4
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key
|
||||
----------------------------------
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key_using_global_key_provider
|
||||
------------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
@ -68,9 +68,9 @@ SELECT key_provider_id, key_provider_name, principal_key_name
|
||||
(1 row)
|
||||
|
||||
\c :regress_database
|
||||
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key
|
||||
----------------------------------
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('new-default-principal-key', 'file-provider', false);
|
||||
pg_tde_set_default_principal_key_using_global_key_provider
|
||||
------------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -2,71 +2,71 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
pg_tde_delete_key_provider
|
||||
----------------------------
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
pg_tde_delete_database_key_provider
|
||||
-------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+---------
|
||||
(0 rows)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+------------------------------------------------------------
|
||||
2 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
pg_tde_delete_key_provider
|
||||
----------------------------
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
pg_tde_delete_database_key_provider
|
||||
-------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+---------
|
||||
(0 rows)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
3
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
3
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+------------------------------------------------------------
|
||||
3 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
pg_tde_delete_key_provider
|
||||
----------------------------
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
pg_tde_delete_database_key_provider
|
||||
-------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+---------
|
||||
(0 rows)
|
||||
|
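Review bot: The hint text `HINT: Use set_principal_key interface to set the principal key` (context line L1589–L1592 of this hunk, also in the hunks at L1928, L2345 and L2968) still points at an interface name that this commit retires; after the rename the callable functions are `pg_tde_set_principal_key_using_database_key_provider` and `pg_tde_set_principal_key_using_global_key_provider`, so the hint now sends the user to a name that does not exist. The message is emitted from C code outside this diff, so the fix is there and these expected files follow; the accompanying `ERROR: Principal key does not exists for the database` should read `does not exist` at the same time. A user-facing hint that names a non-existent function is a documentation defect worth fixing in the same rename pass rather than later.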
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -2,32 +2,32 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT pg_tde_add_key_provider_file('incorrect-file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT pg_tde_add_database_key_provider_file('incorrect-file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
ERROR: parse json keyring config: unexpected field foo
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+---------
|
||||
(0 rows)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider2','/tmp/pg_tde_test_keyring2.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider2','/tmp/pg_tde_test_keyring2.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+-------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
@ -36,9 +36,9 @@ SELECT * FROM pg_tde_list_all_key_providers();
|
||||
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
ERROR: principal key not configured for current database
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-provider');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-provider');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
@ -48,23 +48,23 @@ SELECT pg_tde_verify_principal_key();
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('not-existent-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_change_database_key_provider_file('not-existent-provider','/tmp/pg_tde_test_keyring.per');
|
||||
ERROR: key provider "not-existent-provider" does not exists
|
||||
HINT: Use pg_tde_add_key_provider interface to create the key provider
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
HINT: Create the key provider
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+-------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
2 | file-provider2 | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring2.per"}
|
||||
(2 rows)
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_other.per');
|
||||
pg_tde_change_key_provider_file
|
||||
---------------------------------
|
||||
1
|
||||
SELECT pg_tde_change_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_other.per');
|
||||
pg_tde_change_database_key_provider_file
|
||||
------------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+------------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring_other.per"}
|
||||
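Review bot: The replacement hint `HINT: Create the key provider` (new line L2120, repeated at L2537) drops the only pointer the old message gave to the API, and the error it accompanies, `ERROR: key provider "not-existent-provider" does not exists`, keeps the grammar slip `does not exists`. Since the old hint had to change anyway because `pg_tde_add_key_provider` is renamed by this commit, it would be more useful to name the new entry points, e.g. `HINT: Create it with pg_tde_add_database_key_provider_* or pg_tde_add_global_key_provider_*`, and to correct the error to `does not exist`. Both strings come from C code outside this diff; the expected-output files would then need regenerating once more.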
@ -73,9 +73,9 @@ SELECT * FROM pg_tde_list_all_key_providers();
|
||||
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
ERROR: failed to retrieve principal key test-db-principal-key from keyring with ID 1
|
||||
SELECT pg_tde_change_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT pg_tde_change_database_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
ERROR: parse json keyring config: unexpected field foo
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+------------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring_other.per"}
|
||||
@ -103,9 +103,9 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
|
||||
|
||||
-- TODO: verify that we can also can change the type of it
|
||||
-- fails
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
ERROR: Can't delete a provider which is currently in use
|
||||
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
SELECT id, provider_name FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name
|
||||
----+----------------
|
||||
1 | file-provider
|
||||
@ -113,13 +113,13 @@ SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
(2 rows)
|
||||
|
||||
-- works
|
||||
SELECT pg_tde_delete_key_provider('file-provider2');
|
||||
pg_tde_delete_key_provider
|
||||
----------------------------
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider2');
|
||||
pg_tde_delete_database_key_provider
|
||||
-------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
SELECT id, provider_name FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name
|
||||
----+---------------
|
||||
1 | file-provider
|
||||
@ -132,9 +132,9 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
|
||||
-2 | file-keyring2
|
||||
(2 rows)
|
||||
|
||||
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false);
|
||||
pg_tde_set_global_principal_key
|
||||
---------------------------------
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('test-db-principal-key', 'file-keyring', false);
|
||||
pg_tde_set_principal_key_using_global_key_provider
|
||||
----------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -2,32 +2,32 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT pg_tde_add_key_provider_file('incorrect-file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT pg_tde_add_database_key_provider_file('incorrect-file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
ERROR: parse json keyring config: unexpected field foo
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+---------
|
||||
(0 rows)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider2','/tmp/pg_tde_test_keyring2.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider2','/tmp/pg_tde_test_keyring2.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+-------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
@ -36,9 +36,9 @@ SELECT * FROM pg_tde_list_all_key_providers();
|
||||
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
ERROR: principal key not configured for current database
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-provider');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-provider');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
@ -48,23 +48,23 @@ SELECT pg_tde_verify_principal_key();
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('not-existent-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_change_database_key_provider_file('not-existent-provider','/tmp/pg_tde_test_keyring.per');
|
||||
ERROR: key provider "not-existent-provider" does not exists
|
||||
HINT: Use pg_tde_add_key_provider interface to create the key provider
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
HINT: Create the key provider
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+-------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
2 | file-provider2 | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring2.per"}
|
||||
(2 rows)
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_other.per');
|
||||
pg_tde_change_key_provider_file
|
||||
---------------------------------
|
||||
1
|
||||
SELECT pg_tde_change_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_other.per');
|
||||
pg_tde_change_database_key_provider_file
|
||||
------------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+------------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring_other.per"}
|
||||
@ -73,9 +73,9 @@ SELECT * FROM pg_tde_list_all_key_providers();
|
||||
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
ERROR: failed to retrieve principal key test-db-principal-key from keyring with ID 1
|
||||
SELECT pg_tde_change_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT pg_tde_change_database_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
ERROR: parse json keyring config: unexpected field foo
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+----------------+---------------+------------------------------------------------------------------
|
||||
1 | file-provider | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring_other.per"}
|
||||
@ -104,9 +104,9 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
|
||||
|
||||
-- TODO: verify that we can also can change the type of it
|
||||
-- fails
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
ERROR: Can't delete a provider which is currently in use
|
||||
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
SELECT id, provider_name FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name
|
||||
----+----------------
|
||||
1 | file-provider
|
||||
@ -114,13 +114,13 @@ SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
(2 rows)
|
||||
|
||||
-- works
|
||||
SELECT pg_tde_delete_key_provider('file-provider2');
|
||||
pg_tde_delete_key_provider
|
||||
----------------------------
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider2');
|
||||
pg_tde_delete_database_key_provider
|
||||
-------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
SELECT id, provider_name FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name
|
||||
----+---------------
|
||||
1 | file-provider
|
||||
@ -134,9 +134,9 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
|
||||
-3 | file-keyring2
|
||||
(3 rows)
|
||||
|
||||
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false);
|
||||
pg_tde_set_global_principal_key
|
||||
---------------------------------
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('test-db-principal-key', 'file-keyring', false);
|
||||
pg_tde_set_principal_key_using_global_key_provider
|
||||
----------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,23 +1,23 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('mk-file','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('mk-file','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('free-file','/tmp/pg_tde_test_keyring_2.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_file('free-file','/tmp/pg_tde_test_keyring_2.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_add_key_provider_vault_v2('V2-vault','vault-token','percona.com/vault-v2/percona','/mount/dev','ca-cert-auth');
|
||||
pg_tde_add_key_provider_vault_v2
|
||||
----------------------------------
|
||||
3
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('V2-vault','vault-token','percona.com/vault-v2/percona','/mount/dev','ca-cert-auth');
|
||||
pg_tde_add_database_key_provider_vault_v2
|
||||
-------------------------------------------
|
||||
3
|
||||
(1 row)
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
id | provider_name | provider_type | options
|
||||
----+---------------+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------
|
||||
1 | mk-file | file | {"type" : "file", "path" : "/tmp/pg_tde_test_keyring.per"}
|
||||
@ -25,9 +25,9 @@ SELECT * FROM pg_tde_list_all_key_providers();
|
||||
3 | V2-vault | vault-v2 | {"type" : "vault-v2", "url" : "percona.com/vault-v2/percona", "token" : "vault-token", "mountPath" : "/mount/dev", "caPath" : "ca-cert-auth"}
|
||||
(3 rows)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','mk-file');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','mk-file');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
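Review bot: The context line at L2873 shows `pg_tde_list_all_database_key_providers()` returning the Vault token verbatim inside `options` (`"token" : "vault-token"`), so anyone allowed to execute the listing function can read the credential that unlocks the principal key. The rename in this hunk does not change that, but a listing function is the natural place to redact secret-bearing fields (token, and any future password/key material) while still showing `type`, `url`, `mountPath` and `caPath`; the redaction would belong in the C implementation outside this diff, with the expected output updated accordingly. I cannot tell from this page which roles are granted EXECUTE on the listing function, so treat this as a point to confirm against the grant setup rather than a confirmed exposure.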
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION pg_tde;
|
||||
SELECT pg_tde_add_key_provider_kmip('kmip-prov','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
pg_tde_add_key_provider_kmip
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_kmip('kmip-prov','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
pg_tde_add_database_key_provider_kmip
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('kmip-principal-key','kmip-prov');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('kmip-principal-key','kmip-prov');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -2,15 +2,15 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -3,10 +3,10 @@ SET client_min_messages = 'warning';
|
||||
DROP EXTENSION IF EXISTS pg_tde;
|
||||
CREATE SCHEMA other;
|
||||
CREATE EXTENSION pg_tde SCHEMA other;
|
||||
SELECT other.pg_tde_add_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT other.pg_tde_grant_key_viewer_to_role('public');
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,14 +1,14 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
NOTICE: extension "pg_tde" already exists, skipping
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_key_provider_file
|
||||
------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
pg_tde_add_database_key_provider_file
|
||||
---------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
\getenv root_token ROOT_TOKEN
|
||||
SELECT pg_tde_add_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
|
||||
pg_tde_add_key_provider_vault_v2
|
||||
----------------------------------
|
||||
1
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
|
||||
pg_tde_add_database_key_provider_vault_v2
|
||||
-------------------------------------------
|
||||
1
|
||||
(1 row)
|
||||
|
||||
-- FAILS
|
||||
SELECT pg_tde_set_principal_key('vault-v2-principal-key','vault-incorrect');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('vault-v2-principal-key','vault-incorrect');
|
||||
ERROR: Invalid HTTP response from keyring provider "vault-incorrect": 404
|
||||
CREATE TABLE test_enc(
|
||||
id SERIAL,
|
||||
@ -16,15 +16,15 @@ CREATE TABLE test_enc(
|
||||
) USING tde_heap;
|
||||
ERROR: principal key not configured
|
||||
HINT: create one using pg_tde_set_principal_key before using encrypted tables
|
||||
SELECT pg_tde_add_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL);
|
||||
pg_tde_add_key_provider_vault_v2
|
||||
----------------------------------
|
||||
2
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL);
|
||||
pg_tde_add_database_key_provider_vault_v2
|
||||
-------------------------------------------
|
||||
2
|
||||
(1 row)
|
||||
|
||||
SELECT pg_tde_set_principal_key('vault-v2-principal-key','vault-v2');
|
||||
pg_tde_set_principal_key
|
||||
--------------------------
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('vault-v2-principal-key','vault-v2');
|
||||
pg_tde_set_principal_key_using_database_key_provider
|
||||
------------------------------------------------------
|
||||
|
||||
(1 row)
|
||||
|
||||
|
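Review bot: The hint on context line L3453, `HINT: create one using pg_tde_set_principal_key before using encrypted tables`, names `pg_tde_set_principal_key`, the very function this commit renames to `pg_tde_set_principal_key_using_database_key_provider` (see the new line L3494 in the same file), so the hint is stale as of this commit. The string originates in C code not shown here; updating it to `HINT: create one using pg_tde_set_principal_key_using_database_key_provider or pg_tde_set_principal_key_using_global_key_provider before using encrypted tables` would keep the rename consistent for users who hit the `principal key not configured` error.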
@ -4,32 +4,32 @@
|
||||
\echo Use "CREATE EXTENSION pg_tde" to load this file. \quit
|
||||
|
||||
-- Key Provider Management
|
||||
CREATE FUNCTION pg_tde_add_key_provider(provider_type TEXT, provider_name TEXT, options JSON)
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider(provider_type TEXT, provider_name TEXT, options JSON)
|
||||
RETURNS INT
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_add_key_provider_file(provider_name TEXT, file_path TEXT)
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider_file(provider_name TEXT, file_path TEXT)
|
||||
RETURNS INT
|
||||
LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_file_keyring_provider_options function.
|
||||
SELECT pg_tde_add_key_provider('file', provider_name,
|
||||
SELECT pg_tde_add_database_key_provider('file', provider_name,
|
||||
json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, '')));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_add_key_provider_file(provider_name TEXT, file_path JSON)
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider_file(provider_name TEXT, file_path JSON)
|
||||
RETURNS INT
|
||||
LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_file_keyring_provider_options function.
|
||||
SELECT pg_tde_add_key_provider('file', provider_name,
|
||||
SELECT pg_tde_add_database_key_provider('file', provider_name,
|
||||
json_object('type' VALUE 'file', 'path' VALUE file_path));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_add_key_provider_vault_v2(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT,
|
||||
vault_token TEXT,
|
||||
vault_url TEXT,
|
||||
vault_mount_path TEXT,
|
||||
@ -39,7 +39,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_vaultV2_keyring_provider_options function.
|
||||
SELECT pg_tde_add_key_provider('vault-v2', provider_name,
|
||||
SELECT pg_tde_add_database_key_provider('vault-v2', provider_name,
|
||||
json_object('type' VALUE 'vault-v2',
|
||||
'url' VALUE COALESCE(vault_url, ''),
|
||||
'token' VALUE COALESCE(vault_token, ''),
|
||||
@ -47,7 +47,7 @@ BEGIN ATOMIC
|
||||
'caPath' VALUE COALESCE(vault_ca_path, '')));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_add_key_provider_vault_v2(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT,
|
||||
vault_token JSON,
|
||||
vault_url JSON,
|
||||
vault_mount_path JSON,
|
||||
@ -57,7 +57,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_vaultV2_keyring_provider_options function.
|
||||
SELECT pg_tde_add_key_provider('vault-v2', provider_name,
|
||||
SELECT pg_tde_add_database_key_provider('vault-v2', provider_name,
|
||||
json_object('type' VALUE 'vault-v2',
|
||||
'url' VALUE vault_url,
|
||||
'token' VALUE vault_token,
|
||||
@ -65,7 +65,7 @@ BEGIN ATOMIC
|
||||
'caPath' VALUE vault_ca_path));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_add_key_provider_kmip(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider_kmip(provider_name TEXT,
|
||||
kmip_host TEXT,
|
||||
kmip_port INT,
|
||||
kmip_ca_path TEXT,
|
||||
@ -75,7 +75,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_kmip_keyring_provider_options function.
|
||||
SELECT pg_tde_add_key_provider('kmip', provider_name,
|
||||
SELECT pg_tde_add_database_key_provider('kmip', provider_name,
|
||||
json_object('type' VALUE 'kmip',
|
||||
'host' VALUE COALESCE(kmip_host, ''),
|
||||
'port' VALUE kmip_port,
|
||||
@ -83,7 +83,7 @@ BEGIN ATOMIC
|
||||
'certPath' VALUE COALESCE(kmip_cert_path, '')));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_add_key_provider_kmip(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_add_database_key_provider_kmip(provider_name TEXT,
|
||||
kmip_host JSON,
|
||||
kmip_port JSON,
|
||||
kmip_ca_path JSON,
|
||||
@ -93,7 +93,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_kmip_keyring_provider_options function.
|
||||
SELECT pg_tde_add_key_provider('kmip', provider_name,
|
||||
SELECT pg_tde_add_database_key_provider('kmip', provider_name,
|
||||
json_object('type' VALUE 'kmip',
|
||||
'host' VALUE kmip_host,
|
||||
'port' VALUE kmip_port,
|
||||
@ -101,12 +101,8 @@ BEGIN ATOMIC
|
||||
'certPath' VALUE kmip_cert_path));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_set_default_principal_key(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
RETURNS VOID
|
||||
AS 'MODULE_PATHNAME'
|
||||
LANGUAGE C;
|
||||
|
||||
CREATE FUNCTION pg_tde_list_all_key_providers
|
||||
CREATE FUNCTION pg_tde_list_all_database_key_providers
|
||||
(OUT id INT,
|
||||
OUT provider_name TEXT,
|
||||
OUT provider_type TEXT,
|
||||
@ -223,32 +219,32 @@ BEGIN ATOMIC
|
||||
END;
|
||||
|
||||
-- Key Provider Management
|
||||
CREATE FUNCTION pg_tde_change_key_provider(provider_type TEXT, provider_name TEXT, options JSON)
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider(provider_type TEXT, provider_name TEXT, options JSON)
|
||||
RETURNS INT
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_change_key_provider_file(provider_name TEXT, file_path TEXT)
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider_file(provider_name TEXT, file_path TEXT)
|
||||
RETURNS INT
|
||||
LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_file_keyring_provider_options function.
|
||||
SELECT pg_tde_change_key_provider('file', provider_name,
|
||||
SELECT pg_tde_change_database_key_provider('file', provider_name,
|
||||
json_object('type' VALUE 'file', 'path' VALUE COALESCE(file_path, '')));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_change_key_provider_file(provider_name TEXT, file_path JSON)
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider_file(provider_name TEXT, file_path JSON)
|
||||
RETURNS INT
|
||||
LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_file_keyring_provider_options function.
|
||||
SELECT pg_tde_change_key_provider('file', provider_name,
|
||||
SELECT pg_tde_change_database_key_provider('file', provider_name,
|
||||
json_object('type' VALUE 'file', 'path' VALUE file_path));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_change_key_provider_vault_v2(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT,
|
||||
vault_token TEXT,
|
||||
vault_url TEXT,
|
||||
vault_mount_path TEXT,
|
||||
@ -258,7 +254,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_vaultV2_keyring_provider_options function.
|
||||
SELECT pg_tde_change_key_provider('vault-v2', provider_name,
|
||||
SELECT pg_tde_change_database_key_provider('vault-v2', provider_name,
|
||||
json_object('type' VALUE 'vault-v2',
|
||||
'url' VALUE COALESCE(vault_url, ''),
|
||||
'token' VALUE COALESCE(vault_token, ''),
|
||||
@ -266,7 +262,7 @@ BEGIN ATOMIC
|
||||
'caPath' VALUE COALESCE(vault_ca_path, '')));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_change_key_provider_vault_v2(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT,
|
||||
vault_token JSON,
|
||||
vault_url JSON,
|
||||
vault_mount_path JSON,
|
||||
@ -276,7 +272,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_vaultV2_keyring_provider_options function.
|
||||
SELECT pg_tde_change_key_provider('vault-v2', provider_name,
|
||||
SELECT pg_tde_change_database_key_provider('vault-v2', provider_name,
|
||||
json_object('type' VALUE 'vault-v2',
|
||||
'url' VALUE vault_url,
|
||||
'token' VALUE vault_token,
|
||||
@ -284,7 +280,7 @@ BEGIN ATOMIC
|
||||
'caPath' VALUE vault_ca_path));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_change_key_provider_kmip(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider_kmip(provider_name TEXT,
|
||||
kmip_host TEXT,
|
||||
kmip_port INT,
|
||||
kmip_ca_path TEXT,
|
||||
@ -294,7 +290,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_kmip_keyring_provider_options function.
|
||||
SELECT pg_tde_change_key_provider('kmip', provider_name,
|
||||
SELECT pg_tde_change_database_key_provider('kmip', provider_name,
|
||||
json_object('type' VALUE 'kmip',
|
||||
'host' VALUE COALESCE(kmip_host, ''),
|
||||
'port' VALUE kmip_port,
|
||||
@ -302,7 +298,7 @@ BEGIN ATOMIC
|
||||
'certPath' VALUE COALESCE(kmip_cert_path, '')));
|
||||
END;
|
||||
|
||||
CREATE FUNCTION pg_tde_change_key_provider_kmip(provider_name TEXT,
|
||||
CREATE FUNCTION pg_tde_change_database_key_provider_kmip(provider_name TEXT,
|
||||
kmip_host JSON,
|
||||
kmip_port JSON,
|
||||
kmip_ca_path JSON,
|
||||
@ -312,7 +308,7 @@ LANGUAGE SQL
|
||||
BEGIN ATOMIC
|
||||
-- JSON keys in the options must be matched to the keys in
|
||||
-- load_kmip_keyring_provider_options function.
|
||||
SELECT pg_tde_change_key_provider('kmip', provider_name,
|
||||
SELECT pg_tde_change_database_key_provider('kmip', provider_name,
|
||||
json_object('type' VALUE 'kmip',
|
||||
'host' VALUE kmip_host,
|
||||
'port' VALUE kmip_port,
|
||||
@ -461,21 +457,26 @@ STRICT
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_set_principal_key(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
CREATE FUNCTION pg_tde_set_principal_key_using_database_key_provider(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_set_global_principal_key(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
CREATE FUNCTION pg_tde_set_principal_key_using_global_key_provider(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_set_server_principal_key(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
CREATE FUNCTION pg_tde_set_server_principal_key_using_global_key_provider(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_set_default_principal_key_using_global_key_provider(principal_key_name TEXT, provider_name TEXT DEFAULT NULL, ensure_new_key BOOLEAN DEFAULT FALSE)
|
||||
RETURNS VOID
|
||||
AS 'MODULE_PATHNAME'
|
||||
LANGUAGE C;
|
||||
|
||||
CREATE FUNCTION pg_tde_extension_initialize()
|
||||
RETURNS VOID
|
||||
LANGUAGE C
|
||||
@ -486,7 +487,7 @@ RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_verify_global_principal_key()
|
||||
CREATE FUNCTION pg_tde_verify_server_principal_key()
|
||||
RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
@ -499,7 +500,7 @@ RETURNS TABLE ( principal_key_name text,
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_global_principal_key_info()
|
||||
CREATE FUNCTION pg_tde_server_principal_key_info()
|
||||
RETURNS TABLE ( principal_key_name text,
|
||||
key_provider_name text,
|
||||
key_provider_id integer,
|
||||
@ -512,7 +513,7 @@ RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
|
||||
CREATE FUNCTION pg_tde_delete_key_provider(provider_name TEXT)
|
||||
CREATE FUNCTION pg_tde_delete_database_key_provider(provider_name TEXT)
|
||||
RETURNS VOID
|
||||
LANGUAGE C
|
||||
AS 'MODULE_PATHNAME';
|
||||
@ -578,41 +579,40 @@ BEGIN
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(text) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_global_principal_key(text, text, BOOLEAN) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_server_principal_key(text, text, BOOLEAN) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key(text, text, BOOLEAN) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_principal_key_using_global_key_provider(text, text, BOOLEAN) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_server_principal_key_using_global_key_provider(text, text, BOOLEAN) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_default_principal_key_using_global_key_provider(text, text, BOOLEAN) TO %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
CREATE FUNCTION pg_tde_grant_local_key_management_to_role(
|
||||
CREATE FUNCTION pg_tde_grant_database_key_management_to_role(
|
||||
target_role TEXT)
|
||||
RETURNS VOID
|
||||
LANGUAGE plpgsql
|
||||
SET search_path = @extschema@
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider(text, text, JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider(text, text, JSON) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_file(text, json) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_file(text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(text, text, text, text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(text, JSON, JSON, JSON, JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(text, text, int, text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(text, JSON, JSON, JSON, JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider_file(text, json) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider_file(text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider_vault_v2(text, text, text, text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider_vault_v2(text, JSON, JSON, JSON, JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider_kmip(text, text, int, text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_add_database_key_provider_kmip(text, JSON, JSON, JSON, JSON) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider(text, text, JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider(text, text, JSON) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_file(text, json) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_file(text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(text, text, text,text,text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(text, JSON, JSON,JSON,JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(text, text, int, text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(text, JSON, JSON, JSON, JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider_file(text, json) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider_file(text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider_vault_v2(text, text, text,text,text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider_vault_v2(text, JSON, JSON,JSON,JSON) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider_kmip(text, text, int, text, text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_change_database_key_provider_kmip(text, JSON, JSON, JSON, JSON) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_key_provider(text) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_delete_database_key_provider(text) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_principal_key(text, text, BOOLEAN) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_set_principal_key_using_database_key_provider(text, text, BOOLEAN) TO %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
@ -623,13 +623,13 @@ LANGUAGE plpgsql
|
||||
SET search_path = @extschema@
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_key_providers() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_principal_key_info() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_global_principal_key_info() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_server_principal_key_info() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_principal_key() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_global_principal_key() TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_verify_server_principal_key() TO %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
@ -660,41 +660,40 @@ BEGIN
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_global_key_provider(text) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_global_principal_key(text, text, BOOLEAN) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_server_principal_key(text, text, BOOLEAN) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_default_principal_key(text, text, BOOLEAN) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_principal_key_using_global_key_provider(text, text, BOOLEAN) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_server_principal_key_using_global_key_provider(text, text, BOOLEAN) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_default_principal_key_using_global_key_provider(text, text, BOOLEAN) FROM %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
CREATE FUNCTION pg_tde_revoke_local_key_management_from_role(
|
||||
CREATE FUNCTION pg_tde_revoke_database_key_management_from_role(
|
||||
target_role TEXT)
|
||||
RETURNS VOID
|
||||
LANGUAGE plpgsql
|
||||
SET search_path = @extschema@
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider(text, text, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider(text, text, JSON) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_file(text, json) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_file(text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(text, text, text, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_vault_v2(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(text, text, int, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_key_provider_kmip(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider_file(text, json) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider_file(text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider_vault_v2(text, text, text, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider_vault_v2(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider_kmip(text, text, int, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_add_database_key_provider_kmip(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider(text, text, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider(text, text, JSON) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_file(text, json) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_file(text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(text, text, text, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_vault_v2(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(text, text, int, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_key_provider_kmip(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider_file(text, json) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider_file(text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider_vault_v2(text, text, text, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider_vault_v2(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider_kmip(text, text, int, text, text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_change_database_key_provider_kmip(text, JSON, JSON, JSON, JSON) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_key_provider(text) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_delete_database_key_provider(text) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_principal_key(text, text, BOOLEAN) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_set_principal_key_using_database_key_provider(text, text, BOOLEAN) FROM %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
@ -705,13 +704,13 @@ LANGUAGE plpgsql
|
||||
SET search_path = @extschema@
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_key_providers() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_database_key_providers() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_list_all_global_key_providers() FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_principal_key_info() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_global_principal_key_info() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_server_principal_key_info() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_principal_key() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_global_principal_key() FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_verify_server_principal_key() FROM %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
@ -723,12 +722,12 @@ SET search_path = @extschema@
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_grant_global_key_management_to_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_grant_local_key_management_to_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_grant_database_key_management_to_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_grant_grant_management_to_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_grant_key_viewer_to_role(TEXT) TO %I', target_role);
|
||||
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_revoke_global_key_management_from_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_revoke_local_key_management_from_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_revoke_database_key_management_from_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_revoke_grant_management_from_role(TEXT) TO %I', target_role);
|
||||
EXECUTE format('GRANT EXECUTE ON FUNCTION pg_tde_revoke_key_viewer_from_role(TEXT) TO %I', target_role);
|
||||
END;
|
||||
@ -742,19 +741,19 @@ SET search_path = @extschema@
|
||||
AS $$
|
||||
BEGIN
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_grant_global_key_management_to_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_grant_local_key_management_to_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_grant_database_key_management_to_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_grant_grant_management_to_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_grant_key_viewer_to_role(TEXT) FROM %I', target_role);
|
||||
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_revoke_global_key_management_from_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_revoke_local_key_management_from_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_revoke_database_key_management_from_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_revoke_grant_management_from_role(TEXT) FROM %I', target_role);
|
||||
EXECUTE format('REVOKE EXECUTE ON FUNCTION pg_tde_revoke_key_viewer_from_role(TEXT) FROM %I', target_role);
|
||||
END;
|
||||
$$;
|
||||
|
||||
-- Revoking all the privileges from the public role
|
||||
SELECT pg_tde_revoke_local_key_management_from_role('public');
|
||||
SELECT pg_tde_revoke_database_key_management_from_role('public');
|
||||
SELECT pg_tde_revoke_global_key_management_from_role('public');
|
||||
SELECT pg_tde_revoke_grant_management_from_role('public');
|
||||
SELECT pg_tde_revoke_key_viewer_from_role('public');
|
||||
|
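Review bot: The rename of `pg_tde_set_principal_key` to `pg_tde_set_principal_key_using_database_key_provider` in the `@ -461,21 +457,26 @@` hunk is not carried into the server-side hint that the vault test's expected output still shows as `HINT: create one using pg_tde_set_principal_key before using encrypted tables`, so after this commit the hint directs users to a function that no longer exists under that name; the errhint in the C code presumably needs the same rename, with the expected output updated alongside it. In the same hunk `pg_tde_set_default_principal_key_using_global_key_provider` is declared as `AS 'MODULE_PATHNAME' LANGUAGE C;` while every neighbouring declaration writes `LANGUAGE C AS 'MODULE_PATHNAME';`, which is worth aligning. With the `database`, `global` and `server` infixes now the only indication of which key-provider catalog and principal key a function targets, a short comment above `-- Key Provider Management` spelling out that naming scheme would save readers from inferring it from the grant lists.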
@ -5,21 +5,21 @@ CREATE USER regress_pg_tde_access_control;
|
||||
SET ROLE regress_pg_tde_access_control;
|
||||
|
||||
-- should throw access denied
|
||||
SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key', 'file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key', 'file-vault');
|
||||
|
||||
RESET ROLE;
|
||||
|
||||
SELECT pg_tde_grant_local_key_management_to_role('regress_pg_tde_access_control');
|
||||
SELECT pg_tde_grant_database_key_management_to_role('regress_pg_tde_access_control');
|
||||
SELECT pg_tde_grant_key_viewer_to_role('regress_pg_tde_access_control');
|
||||
|
||||
SET ROLE regress_pg_tde_access_control;
|
||||
|
||||
-- should now be allowed
|
||||
SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_key_provider_file('file-2', '/tmp/pg_tde_test_keyring_2.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key', 'file-vault');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-2', '/tmp/pg_tde_test_keyring_2.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key', 'file-vault');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
SELECT principal_key_name, key_provider_name, key_provider_id FROM pg_tde_principal_key_info();
|
||||
|
||||
RESET ROLE;
|
||||
@ -29,7 +29,7 @@ SELECT pg_tde_revoke_key_viewer_from_role('regress_pg_tde_access_control');
|
||||
SET ROLE regress_pg_tde_access_control;
|
||||
|
||||
-- verify the view access is revoked
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
SELECT principal_key_name, key_provider_name, key_provider_id FROM pg_tde_principal_key_info();
|
||||
|
||||
RESET ROLE;
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
SET default_table_access_method = "tde_heap";
|
||||
|
||||
|
@ -2,8 +2,8 @@
|
||||
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
do $$
|
||||
DECLARE idx integer;
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE country_table (
|
||||
country_id serial primary key,
|
||||
|
@ -2,7 +2,7 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_global_key_provider_file('file-provider','/tmp/pg_tde_regression_default_principal_key.per');
|
||||
|
||||
SELECT pg_tde_set_default_principal_key('default-principal-key', 'file-provider', false);
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('default-principal-key', 'file-provider', false);
|
||||
|
||||
-- fails
|
||||
SELECT pg_tde_delete_global_key_provider('file-provider');
|
||||
@ -53,7 +53,7 @@ SELECT key_provider_id, key_provider_name, principal_key_name
|
||||
|
||||
\c :regress_database
|
||||
|
||||
SELECT pg_tde_set_default_principal_key('new-default-principal-key', 'file-provider', false);
|
||||
SELECT pg_tde_set_default_principal_key_using_global_key_provider('new-default-principal-key', 'file-provider', false);
|
||||
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name
|
||||
FROM pg_tde_principal_key_info();
|
||||
|
@ -2,19 +2,19 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
DROP EXTENSION pg_tde;
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE albums (
|
||||
id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
|
||||
|
@ -2,29 +2,29 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('incorrect-file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('incorrect-file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-provider2','/tmp/pg_tde_test_keyring2.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_add_database_key_provider_file('file-provider2','/tmp/pg_tde_test_keyring2.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-provider');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-provider');
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('not-existent-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_change_database_key_provider_file('not-existent-provider','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_other.per');
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_change_database_key_provider_file('file-provider','/tmp/pg_tde_test_keyring_other.per');
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
|
||||
SELECT pg_tde_change_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_change_database_key_provider_file('file-provider', json_object('foo' VALUE '/tmp/pg_tde_test_keyring.per'));
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_add_global_key_provider_file('file-keyring','/tmp/pg_tde_test_keyring.per');
|
||||
|
||||
@ -35,16 +35,16 @@ SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
|
||||
-- TODO: verify that we can also can change the type of it
|
||||
|
||||
-- fails
|
||||
SELECT pg_tde_delete_key_provider('file-provider');
|
||||
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider');
|
||||
SELECT id, provider_name FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
-- works
|
||||
SELECT pg_tde_delete_key_provider('file-provider2');
|
||||
SELECT id, provider_name FROM pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_delete_database_key_provider('file-provider2');
|
||||
SELECT id, provider_name FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT id, provider_name FROM pg_tde_list_all_global_key_providers();
|
||||
|
||||
SELECT pg_tde_set_global_principal_key('test-db-principal-key', 'file-keyring', false);
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('test-db-principal-key', 'file-keyring', false);
|
||||
|
||||
-- fails
|
||||
SELECT pg_tde_delete_global_key_provider('file-keyring');
|
||||
|
@ -1,11 +1,11 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('mk-file','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_key_provider_file('free-file','/tmp/pg_tde_test_keyring_2.per');
|
||||
SELECT pg_tde_add_key_provider_vault_v2('V2-vault','vault-token','percona.com/vault-v2/percona','/mount/dev','ca-cert-auth');
|
||||
SELECT pg_tde_add_database_key_provider_file('mk-file','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('free-file','/tmp/pg_tde_test_keyring_2.per');
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('V2-vault','vault-token','percona.com/vault-v2/percona','/mount/dev','ca-cert-auth');
|
||||
|
||||
SELECT * FROM pg_tde_list_all_key_providers();
|
||||
SELECT * FROM pg_tde_list_all_database_key_providers();
|
||||
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','mk-file');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','mk-file');
|
||||
|
||||
DROP EXTENSION pg_tde;
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_kmip('kmip-prov','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
SELECT pg_tde_set_principal_key('kmip-principal-key','kmip-prov');
|
||||
SELECT pg_tde_add_database_key_provider_kmip('kmip-prov','127.0.0.1', 5696, '/tmp/server_certificate.pem', '/tmp/client_key_jane_doe.pem');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('kmip-principal-key','kmip-prov');
|
||||
|
||||
CREATE TABLE test_enc(
|
||||
id SERIAL,
|
||||
|
@ -2,8 +2,8 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT * FROM pg_tde_principal_key_info();
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE test_enc(
|
||||
id SERIAL,
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
SET default_table_access_method = "tde_heap";
|
||||
|
||||
|
@ -6,7 +6,7 @@ CREATE SCHEMA other;
|
||||
|
||||
CREATE EXTENSION pg_tde SCHEMA other;
|
||||
|
||||
SELECT other.pg_tde_add_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
SELECT other.pg_tde_add_database_key_provider_file('file-vault', '/tmp/pg_tde_test_keyring.per');
|
||||
|
||||
SELECT other.pg_tde_grant_key_viewer_to_role('public');
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
|
||||
BEGIN; -- Nesting level 1
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE test(num1 bigint, num2 double precision, t text) USING tde_heap;
|
||||
INSERT INTO test(num1, num2, t)
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE src (f1 TEXT STORAGE EXTERNAL) USING tde_heap;
|
||||
INSERT INTO src VALUES(repeat('abcdeF',1000));
|
||||
|
@ -2,9 +2,9 @@ CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
|
||||
\getenv root_token ROOT_TOKEN
|
||||
|
||||
SELECT pg_tde_add_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
|
||||
-- FAILS
|
||||
SELECT pg_tde_set_principal_key('vault-v2-principal-key','vault-incorrect');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('vault-v2-principal-key','vault-incorrect');
|
||||
|
||||
CREATE TABLE test_enc(
|
||||
id SERIAL,
|
||||
@ -12,8 +12,8 @@ CREATE TABLE test_enc(
|
||||
PRIMARY KEY (id)
|
||||
) USING tde_heap;
|
||||
|
||||
SELECT pg_tde_add_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL);
|
||||
SELECT pg_tde_set_principal_key('vault-v2-principal-key','vault-v2');
|
||||
SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token','http://127.0.0.1:8200','secret',NULL);
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('vault-v2-principal-key','vault-v2');
|
||||
|
||||
CREATE TABLE test_enc(
|
||||
id SERIAL,
|
||||
|
@ -76,22 +76,22 @@ static void simple_list_free(SimplePtrList *list);
|
||||
|
||||
static List *scan_key_provider_file(ProviderScanType scanType, void *scanKey, Oid dbOid);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_add_key_provider);
|
||||
Datum pg_tde_add_key_provider(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_add_database_key_provider);
|
||||
Datum pg_tde_add_database_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_add_global_key_provider);
|
||||
Datum pg_tde_add_global_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_change_key_provider);
|
||||
Datum pg_tde_change_key_provider(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_change_database_key_provider);
|
||||
Datum pg_tde_change_database_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_change_global_key_provider);
|
||||
Datum pg_tde_change_global_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
static Datum pg_tde_list_all_key_providers_internal(const char *fname, bool global, PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_list_all_key_providers);
|
||||
Datum pg_tde_list_all_key_providers(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_list_all_database_key_providers);
|
||||
Datum pg_tde_list_all_database_key_providers(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_list_all_global_key_providers);
|
||||
Datum pg_tde_list_all_global_key_providers(PG_FUNCTION_ARGS);
|
||||
@ -206,7 +206,7 @@ cleanup_key_provider_info(Oid databaseId)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_change_key_provider(PG_FUNCTION_ARGS)
|
||||
pg_tde_change_database_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_change_key_provider_internal(fcinfo, MyDatabaseId);
|
||||
}
|
||||
@ -256,7 +256,7 @@ pg_tde_change_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_add_key_provider(PG_FUNCTION_ARGS)
|
||||
pg_tde_add_database_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_add_key_provider_internal(fcinfo, MyDatabaseId);
|
||||
}
|
||||
@ -301,15 +301,15 @@ pg_tde_add_key_provider_internal(PG_FUNCTION_ARGS, Oid dbOid)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_list_all_key_providers(PG_FUNCTION_ARGS)
|
||||
pg_tde_list_all_database_key_providers(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_list_all_key_providers_internal("pg_tde_list_all_key_providers", false, fcinfo);
|
||||
return pg_tde_list_all_key_providers_internal("pg_tde_list_all_database_key_providers_database", false, fcinfo);
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_list_all_global_key_providers(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_list_all_key_providers_internal("pg_tde_list_all_key_providers_global", true, fcinfo);
|
||||
return pg_tde_list_all_key_providers_internal("pg_tde_list_all_database_key_providers_global", true, fcinfo);
|
||||
}
|
||||
|
||||
static Datum
|
||||
@ -921,7 +921,7 @@ GetKeyProviderByName(const char *provider_name, Oid dbOid)
|
||||
ereport(ERROR,
|
||||
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
||||
errmsg("key provider \"%s\" does not exists", provider_name),
|
||||
errhint("Use pg_tde_add_key_provider interface to create the key provider")));
|
||||
errhint("Create the key provider")));
|
||||
}
|
||||
return keyring;
|
||||
}
|
||||
|
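Review bot: The `fname` strings in the `@ -301,15` hunk look like a blind search-and-replace rather than a rename: `"pg_tde_list_all_database_key_providers_database"` and `"pg_tde_list_all_database_key_providers_global"` match neither SQL-visible function, and the global variant is now labelled "database". Assuming `pg_tde_list_all_key_providers_internal` surfaces `fname` in its error reporting (its body is outside this diff), the two call sites should pass the real names: `return pg_tde_list_all_key_providers_internal("pg_tde_list_all_database_key_providers", false, fcinfo);` and `return pg_tde_list_all_key_providers_internal("pg_tde_list_all_global_key_providers", true, fcinfo);`. In the `@ -921,7` hunk the new `errhint("Create the key provider")` drops the only actionable content the old hint carried; since `GetKeyProviderByName` receives `dbOid`, it could name the right family, e.g. `errhint("Use pg_tde_add_%s_key_provider_* to create it.", dbOid == GLOBAL_DATA_TDE_OID ? "global" : "database")`, provided `GLOBAL_DATA_TDE_OID` is in scope in this file as it is in the principal-key file below. The unchanged `errmsg` on the preceding line should also read "does not exist".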
@ -86,8 +86,8 @@ static const char *JK_FIELD_NAMES[JK_FIELDS_TOTAL] = {
|
||||
[JK_FIELD_PATH] = "path",
|
||||
|
||||
/*
|
||||
* These values should match pg_tde_add_key_provider_vault_v2 and
|
||||
* pg_tde_add_key_provider_file SQL interfaces
|
||||
* These values should match pg_tde_add_database_key_provider_vault_v2 and
|
||||
* pg_tde_add_database_key_provider_file SQL interfaces
|
||||
*/
|
||||
[JF_FILE_PATH] = "path",
|
||||
[JK_VAULT_TOKEN] = "token",
|
||||
|
@ -49,11 +49,11 @@
|
||||
|
||||
#ifndef FRONTEND
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_delete_key_provider);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_delete_database_key_provider);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_delete_global_key_provider);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_verify_principal_key);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_verify_global_principal_key);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_verify_server_principal_key);
|
||||
|
||||
typedef struct TdePrincipalKeySharedState
|
||||
{
|
||||
@ -110,17 +110,17 @@ static bool pg_tde_verify_principal_key_internal(Oid databaseOid);
|
||||
|
||||
static Datum pg_tde_delete_key_provider_internal(PG_FUNCTION_ARGS, int is_global);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_default_principal_key);
|
||||
Datum pg_tde_set_default_principal_key(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_default_principal_key_using_global_key_provider);
|
||||
Datum pg_tde_set_default_principal_key_using_global_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_principal_key);
|
||||
Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_principal_key_using_database_key_provider);
|
||||
Datum pg_tde_set_principal_key_using_database_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_global_principal_key);
|
||||
Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_principal_key_using_global_key_provider);
|
||||
Datum pg_tde_set_principal_key_using_global_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_server_principal_key);
|
||||
Datum pg_tde_set_principal_key(PG_FUNCTION_ARGS);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_set_server_principal_key_using_global_key_provider);
|
||||
Datum pg_tde_set_server_principal_key_using_global_key_provider(PG_FUNCTION_ARGS);
|
||||
|
||||
enum global_status
|
||||
{
|
||||
@ -485,7 +485,7 @@ clear_principal_key_cache(Oid databaseId)
|
||||
*/
|
||||
|
||||
Datum
|
||||
pg_tde_set_default_principal_key(PG_FUNCTION_ARGS)
|
||||
pg_tde_set_default_principal_key_using_global_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
|
||||
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
|
||||
@ -497,7 +497,7 @@ pg_tde_set_default_principal_key(PG_FUNCTION_ARGS)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_set_principal_key(PG_FUNCTION_ARGS)
|
||||
pg_tde_set_principal_key_using_database_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
|
||||
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
|
||||
@ -509,7 +509,7 @@ pg_tde_set_principal_key(PG_FUNCTION_ARGS)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_set_global_principal_key(PG_FUNCTION_ARGS)
|
||||
pg_tde_set_principal_key_using_global_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
|
||||
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
|
||||
@ -521,7 +521,7 @@ pg_tde_set_global_principal_key(PG_FUNCTION_ARGS)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_set_server_principal_key(PG_FUNCTION_ARGS)
|
||||
pg_tde_set_server_principal_key_using_global_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
char *principal_key_name = text_to_cstring(PG_GETARG_TEXT_PP(0));
|
||||
char *provider_name = PG_ARGISNULL(1) ? NULL : text_to_cstring(PG_GETARG_TEXT_PP(1));
|
||||
@ -607,9 +607,9 @@ pg_tde_principal_key_info(PG_FUNCTION_ARGS)
|
||||
return pg_tde_get_key_info(fcinfo, MyDatabaseId);
|
||||
}
|
||||
|
||||
PG_FUNCTION_INFO_V1(pg_tde_global_principal_key_info);
|
||||
PG_FUNCTION_INFO_V1(pg_tde_server_principal_key_info);
|
||||
Datum
|
||||
pg_tde_global_principal_key_info(PG_FUNCTION_ARGS)
|
||||
pg_tde_server_principal_key_info(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_get_key_info(fcinfo, GLOBAL_DATA_TDE_OID);
|
||||
}
|
||||
@ -621,7 +621,7 @@ pg_tde_verify_principal_key(PG_FUNCTION_ARGS)
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_verify_global_principal_key(PG_FUNCTION_ARGS)
|
||||
pg_tde_verify_server_principal_key(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_verify_principal_key_internal(GLOBAL_DATA_TDE_OID);
|
||||
}
|
||||
@ -1030,7 +1030,7 @@ pg_tde_update_global_principal_key_everywhere(TDEPrincipalKey *oldKey, TDEPrinci
|
||||
}
|
||||
|
||||
Datum
|
||||
pg_tde_delete_key_provider(PG_FUNCTION_ARGS)
|
||||
pg_tde_delete_database_key_provider(PG_FUNCTION_ARGS)
|
||||
{
|
||||
return pg_tde_delete_key_provider_internal(fcinfo, 0);
|
||||
}
|
||||
|
@ -45,8 +45,8 @@ $node->stop();
|
||||
$rt_value = $node->start();
|
||||
ok($rt_value == 1, "Restart Server");
|
||||
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc(id SERIAL,k VARCHAR(32),PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
@ -42,19 +42,19 @@ $node->stop();
|
||||
$rt_value = $node->start();
|
||||
ok($rt_value == 1, "Restart Server");
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2g.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-3','/tmp/pg_tde_test_keyring_3.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_key_providers();", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_database_key_providers();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
@ -67,7 +67,7 @@ $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;'
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
#rotate key
|
||||
$stdout = $node->psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-key1');", extra_params => ['-a']);
|
||||
$stdout = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('rotated-principal-key1');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
@ -79,7 +79,7 @@ $rt_value = $node->start();
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
@ -87,7 +87,7 @@ PGTDE::append_to_file($stdout);
|
||||
|
||||
|
||||
#Again rotate key
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-key2','file-2');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('rotated-principal-key2','file-2');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
@ -99,14 +99,14 @@ $rt_value = $node->start();
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
#Again rotate key
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false);", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key_using_global_key_provider('rotated-principal-key', 'file-3', false);", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
@ -118,7 +118,7 @@ $rt_value = $node->start();
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
@ -128,7 +128,7 @@ PGTDE::append_to_file($stdout);
|
||||
# And maybe debug tools to show what's in a file keyring?
|
||||
|
||||
#Again rotate key
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-keyX', 'file-2', false);", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key_using_global_key_provider('rotated-principal-keyX', 'file-2', false);", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
@ -140,7 +140,7 @@ $rt_value = $node->start();
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id ASC;', extra_params => ['-a']);
|
||||
@ -156,19 +156,19 @@ $rt_value = $node->stop();
|
||||
$rt_value = $node->start();
|
||||
|
||||
# But now can't be changed to another global provider
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_global_principal_key('rotated-principal-keyX2', 'file-2', false);", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_global_key_provider('rotated-principal-keyX2', 'file-2', false);", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stderr);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('rotated-principal-key2','file-2');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('rotated-principal-key2','file-2');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();", extra_params => ['-a']);
|
||||
($cmdret, $stdout, $stderr) = $node->psql('postgres', "SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
|
||||
|
@ -70,8 +70,8 @@ my ($cmdret, $stdout, $stderr) = $node->psql('postgres', 'CREATE EXTENSION IF NO
|
||||
ok($cmdret == 0, "CREATE PGTDE EXTENSION");
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_file('file-provider', json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/hello' ));", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-provider');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-provider', json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8888/hello' ));", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-provider');", extra_params => ['-a']);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc2(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
@ -34,8 +34,8 @@ my ($cmdret, $stdout, $stderr) = $node->psql('postgres', 'CREATE EXTENSION IF NO
|
||||
ok($cmdret == 0, "CREATE PGTDE EXTENSION");
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_file('file-provider', json_object( 'type' VALUE 'file', 'path' VALUE '/tmp/datafile-location' ));", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-provider');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-provider', json_object( 'type' VALUE 'file', 'path' VALUE '/tmp/datafile-location' ));", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-provider');", extra_params => ['-a']);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc1(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
@ -86,8 +86,8 @@ PGTDE::append_to_debug_file($stdout);
|
||||
ok($cmdret == 0, "CREATE postgis_tiger_geocoder EXTENSION");
|
||||
PGTDE::append_to_debug_file($stdout);
|
||||
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_file('file-provider', json_object( 'type' VALUE 'file', 'path' VALUE '/tmp/datafile-location' ));", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-provider');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-provider', json_object( 'type' VALUE 'file', 'path' VALUE '/tmp/datafile-location' ));", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-provider');", extra_params => ['-a']);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc1(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
@ -78,8 +78,8 @@ my ($cmdret, $stdout, $stderr) = $node->psql('postgres', 'CREATE EXTENSION IF NO
|
||||
ok($cmdret == 0, "CREATE PGTDE EXTENSION");
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_vault_v2('vault-provider', json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8889/token' ), json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8889/url' ), to_json('secret'::text), NULL);", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','vault-provider');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_database_key_provider_vault_v2('vault-provider', json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8889/token' ), json_object( 'type' VALUE 'remote', 'url' VALUE 'http://localhost:8889/url' ), to_json('secret'::text), NULL);", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','vault-provider');", extra_params => ['-a']);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc2(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
@ -49,8 +49,8 @@ $node->stop();
|
||||
$rt_value = $node->start();
|
||||
ok($rt_value == 1, "Restart Server");
|
||||
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');", extra_params => ['-a']);
|
||||
$rt_value = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');", extra_params => ['-a']);
|
||||
|
||||
|
||||
|
||||
|
@ -37,8 +37,8 @@ CREATE DATABASE tbc TABLESPACE = test_tblspace;
|
||||
$stdout = $node->safe_psql('tbc',
|
||||
q{
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE country_table (
|
||||
country_id serial primary key,
|
||||
@ -57,7 +57,7 @@ SELECT * FROM country_table;
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
|
||||
$cmdret = $node->psql('tbc', "SELECT pg_tde_set_principal_key('new-k', 'file-vault');", extra_params => ['-a']);
|
||||
$cmdret = $node->psql('tbc', "SELECT pg_tde_set_principal_key_using_database_key_provider('new-k', 'file-vault');", extra_params => ['-a']);
|
||||
ok($cmdret == 0, "ROTATE KEY");
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
|
@ -33,7 +33,7 @@ PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-010','/tmp/pg_tde_test_keyring010.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-010');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key_using_global_key_provider('server-principal-key', 'file-keyring-010');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'ALTER SYSTEM SET pg_tde.wal_encrypt = on;', extra_params => ['-a']);
|
||||
|
@ -35,11 +35,11 @@ my ($cmdret, $stdout, $stderr) = $node->psql('postgres', 'CREATE EXTENSION IF NO
|
||||
ok($cmdret == 0, "CREATE PGTDE EXTENSION");
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/change_key_provider_1.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/change_key_provider_1.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_key_providers();", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_database_key_providers();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key('test-key', 'file-vault');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-key', 'file-vault');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
@ -57,9 +57,9 @@ PGTDE::append_to_file($stdout);
|
||||
# Change provider and move file
|
||||
PGTDE::append_to_file("-- mv /tmp/change_key_provider_1.per /tmp/change_key_provider_2.per");
|
||||
move('/tmp/change_key_provider_1.per', '/tmp/change_key_provider_2.per');
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_2.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_2.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_key_providers();", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_database_key_providers();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_verify_principal_key();", extra_params => ['-a']);
|
||||
@ -83,9 +83,9 @@ $stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;', ex
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
# Change provider and do not move file
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_key_providers();", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_list_all_database_key_providers();", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
(undef, $stdout, $stderr) = $node->psql('postgres', "SELECT pg_tde_verify_principal_key();", extra_params => ['-a']);
|
||||
@ -139,9 +139,9 @@ ok($cmdret == 0, "CREATE PGTDE EXTENSION");
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
# Change provider and generate a new principal key
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->psql('postgres', "SELECT pg_tde_set_principal_key('test-key', 'file-vault');", extra_params => ['-a']);
|
||||
$stdout = $node->psql('postgres', "SELECT pg_tde_set_principal_key_using_database_key_provider('test-key', 'file-vault');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', 'CREATE TABLE test_enc (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;', extra_params => ['-a']);
|
||||
@ -156,7 +156,7 @@ PGTDE::append_to_file($stdout);
|
||||
$stdout = $node->safe_psql('postgres', 'SELECT * FROM test_enc ORDER BY id;', extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
# Restart the server
|
||||
@ -178,7 +178,7 @@ PGTDE::append_to_file($stderr);
|
||||
PGTDE::append_to_file($stdout);
|
||||
PGTDE::append_to_file($stderr);
|
||||
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');", extra_params => ['-a']);
|
||||
$stdout = $node->safe_psql('postgres', "SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');", extra_params => ['-a']);
|
||||
PGTDE::append_to_file($stdout);
|
||||
|
||||
# Verify
|
||||
|
@ -1,17 +1,17 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
-- server restart
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
1
|
||||
SELECT pg_tde_add_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2.per');
|
||||
2
|
||||
SELECT pg_tde_add_global_key_provider_file('file-2','/tmp/pg_tde_test_keyring_2g.per');
|
||||
-1
|
||||
SELECT pg_tde_add_global_key_provider_file('file-3','/tmp/pg_tde_test_keyring_3.per');
|
||||
-2
|
||||
SELECT pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_list_all_database_key_providers();
|
||||
(1,file-vault,file,"{""type"" : ""file"", ""path"" : ""/tmp/pg_tde_test_keyring.per""}")
|
||||
(2,file-2,file,"{""type"" : ""file"", ""path"" : ""/tmp/pg_tde_test_keyring_2.per""}")
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE test_enc(id SERIAL,k INTEGER,PRIMARY KEY (id)) USING tde_heap;
|
||||
INSERT INTO test_enc (k) VALUES (5),(6);
|
||||
@ -25,13 +25,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
|
||||
-- server restart
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
|
||||
1|file-vault|rotated-principal-key1
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();
|
||||
psql:<stdin>:1: ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
1|5
|
||||
2|6
|
||||
SELECT pg_tde_set_principal_key('rotated-principal-key2','file-2');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('rotated-principal-key2','file-2');
|
||||
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
1|5
|
||||
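Review bot: The HINT printed after the renamed `pg_tde_server_principal_key_info()` call still reads `HINT: Use set_principal_key interface to set the principal key`, and after this commit no function with that name exists — the setters are now `pg_tde_set_principal_key_using_database_key_provider` and `pg_tde_set_server_principal_key_using_global_key_provider`, so the rename is incomplete in the user-facing message. The paired `ERROR: Principal key does not exists for the database` is also misleading here, since the server-scope function is the one that failed, and an operator following the hint could set a database key while believing they fixed the server/WAL key. These are expected-output context lines, so the fix belongs in the extension source that emits the message (not visible here), e.g. `HINT: Use pg_tde_set_server_principal_key_using_global_key_provider() to set the server principal key`, with this file regenerated. The same stale stanza repeats in the hunks below.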
@ -39,13 +39,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
|
||||
-- server restart
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
|
||||
2|file-2|rotated-principal-key2
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();
|
||||
psql:<stdin>:1: ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
1|5
|
||||
2|6
|
||||
SELECT pg_tde_set_global_principal_key('rotated-principal-key', 'file-3', false);
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('rotated-principal-key', 'file-3', false);
|
||||
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
1|5
|
||||
@ -53,13 +53,13 @@ SELECT * FROM test_enc ORDER BY id ASC;
|
||||
-- server restart
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
|
||||
-2|file-3|rotated-principal-key
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();
|
||||
psql:<stdin>:1: ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
1|5
|
||||
2|6
|
||||
SELECT pg_tde_set_global_principal_key('rotated-principal-keyX', 'file-2', false);
|
||||
SELECT pg_tde_set_principal_key_using_global_key_provider('rotated-principal-keyX', 'file-2', false);
|
||||
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
1|5
|
||||
@ -67,7 +67,7 @@ SELECT * FROM test_enc ORDER BY id ASC;
|
||||
-- server restart
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
|
||||
-1|file-2|rotated-principal-keyX
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();
|
||||
psql:<stdin>:1: ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT * FROM test_enc ORDER BY id ASC;
|
||||
@ -78,14 +78,14 @@ ALTER SYSTEM SET pg_tde.inherit_global_providers = OFF;
|
||||
psql:<stdin>:1: ERROR: Usage of global key providers is disabled. Enable it with pg_tde.inherit_global_providers = ON
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
|
||||
-1|file-2|rotated-principal-keyX
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();
|
||||
psql:<stdin>:1: ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
SELECT pg_tde_set_principal_key('rotated-principal-key2','file-2');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('rotated-principal-key2','file-2');
|
||||
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_principal_key_info();
|
||||
2|file-2|rotated-principal-key2
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_global_principal_key_info();
|
||||
SELECT key_provider_id, key_provider_name, principal_key_name FROM pg_tde_server_principal_key_info();
|
||||
psql:<stdin>:1: ERROR: Principal key does not exists for the database
|
||||
HINT: Use set_principal_key interface to set the principal key
|
||||
DROP TABLE test_enc;
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
1
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE country_table (
|
||||
country_id serial primary key,
|
||||
@ -17,9 +17,9 @@ SELECT * FROM country_table;
|
||||
2|UK|Europe
|
||||
3|USA|North America
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault','/tmp/pg_tde_test_keyring.per');
|
||||
1
|
||||
SELECT pg_tde_set_principal_key('test-db-principal-key','file-vault');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-db-principal-key','file-vault');
|
||||
|
||||
CREATE TABLE country_table (
|
||||
country_id serial primary key,
|
||||
|
@ -1,7 +1,7 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_global_key_provider_file('file-keyring-010','/tmp/pg_tde_test_keyring010.per');
|
||||
-1
|
||||
SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-010');
|
||||
SELECT pg_tde_set_server_principal_key_using_global_key_provider('server-principal-key', 'file-keyring-010');
|
||||
|
||||
ALTER SYSTEM SET pg_tde.wal_encrypt = on;
|
||||
-- server restart with wal encryption
|
||||
|
@ -1,9 +1,9 @@
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/change_key_provider_1.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/change_key_provider_1.per');
|
||||
1
|
||||
SELECT pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_list_all_database_key_providers();
|
||||
(1,file-vault,file,"{""type"" : ""file"", ""path"" : ""/tmp/change_key_provider_1.per""}")
|
||||
SELECT pg_tde_set_principal_key('test-key', 'file-vault');
|
||||
SELECT pg_tde_set_principal_key_using_database_key_provider('test-key', 'file-vault');
|
||||
|
||||
CREATE TABLE test_enc (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;
|
||||
INSERT INTO test_enc (k) VALUES (5), (6);
|
||||
@ -15,9 +15,9 @@ SELECT * FROM test_enc ORDER BY id;
|
||||
1|5
|
||||
2|6
|
||||
-- mv /tmp/change_key_provider_1.per /tmp/change_key_provider_2.per
|
||||
SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_2.per');
|
||||
SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_2.per');
|
||||
1
|
||||
SELECT pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_list_all_database_key_providers();
|
||||
(1,file-vault,file,"{""type"" : ""file"", ""path"" : ""/tmp/change_key_provider_2.per""}")
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
|
||||
@ -34,9 +34,9 @@ t
|
||||
SELECT * FROM test_enc ORDER BY id;
|
||||
1|5
|
||||
2|6
|
||||
SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');
|
||||
SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');
|
||||
1
|
||||
SELECT pg_tde_list_all_key_providers();
|
||||
SELECT pg_tde_list_all_database_key_providers();
|
||||
(1,file-vault,file,"{""type"" : ""file"", ""path"" : ""/tmp/change_key_provider_3.per""}")
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
psql:<stdin>:1: ERROR: failed to retrieve principal key test-key from keyring with ID 1
|
||||
@ -64,7 +64,7 @@ SELECT * FROM test_enc ORDER BY id;
|
||||
DROP EXTENSION pg_tde CASCADE;
|
||||
psql:<stdin>:1: NOTICE: drop cascades to table test_enc
|
||||
CREATE EXTENSION IF NOT EXISTS pg_tde;
|
||||
SELECT pg_tde_add_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');
|
||||
SELECT pg_tde_add_database_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');
|
||||
1
|
||||
0
|
||||
CREATE TABLE test_enc (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;
|
||||
@ -76,7 +76,7 @@ t
|
||||
SELECT * FROM test_enc ORDER BY id;
|
||||
1|5
|
||||
2|6
|
||||
SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');
|
||||
SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_3.per');
|
||||
1
|
||||
-- server restart
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
@ -87,7 +87,7 @@ SELECT * FROM test_enc ORDER BY id;
|
||||
psql:<stdin>:1: ERROR: Failed to verify principal key header for key test-key, incorrect principal key or corrupted key file
|
||||
CREATE TABLE test_enc2 (id serial, k integer, PRIMARY KEY (id)) USING tde_heap;
|
||||
psql:<stdin>:1: ERROR: Failed to verify principal key header for key test-key, incorrect principal key or corrupted key file
|
||||
SELECT pg_tde_change_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');
|
||||
SELECT pg_tde_change_database_key_provider_file('file-vault', '/tmp/change_key_provider_4.per');
|
||||
1
|
||||
SELECT pg_tde_verify_principal_key();
|
||||
|
||||
|
@ -28,7 +28,7 @@ $node->start;
|
||||
|
||||
$node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;");
|
||||
$node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
|
||||
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-wal');");
|
||||
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key_using_global_key_provider('server-principal-key', 'file-keyring-wal');");
|
||||
|
||||
$node->append_conf(
|
||||
'postgresql.conf', q{
|
||||
|
@ -42,7 +42,7 @@ $node->start;
|
||||
|
||||
$node->safe_psql('postgres', "CREATE EXTENSION IF NOT EXISTS pg_tde;");
|
||||
$node->safe_psql('postgres', "SELECT pg_tde_add_global_key_provider_file('file-keyring-wal','/tmp/pg_tde_test_keyring-wal.per');");;
|
||||
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key('global-db-principal-key', 'file-keyring-wal');");
|
||||
$node->safe_psql('postgres', "SELECT pg_tde_set_server_principal_key_using_global_key_provider('server-principal-key', 'file-keyring-wal');");
|
||||
|
||||
$node->append_conf(
|
||||
'postgresql.conf', q{
|
||||
|