-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Framework for multi-tenancy support #121
Commits on Feb 21, 2024
-
Introducing catalog table for managing key providers
This commit introduces a user catalog table, percona_tde.pg_tde_key_provider, within the percona_tde schema, as part of the pg_tde extension. The purpose of this table is to store essential provider information. The catalog accommodates various key providers, present and future, utilizing a JSON type options field to capture provider-specific details. To facilitate the creation of key providers, the commit introduces new SQL interfaces: - pg_tde_add_key_provider(provider_type VARCHAR(10), provider_name VARCHAR(128), options JSON) - pg_tde_add_key_provider_file(provider_name VARCHAR(128), file_path TEXT) - pg_tde_add_key_provider_vault_v2(provider_name VARCHAR(128), vault_token TEXT, vault_url TEXT, vault_mount_path TEXT, vault_ca_path TEXT) Additionally, the commit implements the C interface for catalog interaction, detailed in the 'tde_keyring.h' file. These changes lay the foundation for implementing multi-tenancy in pg_tde by eliminating the necessity of a 'keyring.json' file for configuring a cluster-wide key provider. With this enhancement, each database can have its dedicated key provider, added via SQL interface, removing the need for DBA intervention in TDE setup."
Configuration menu - View commit details
-
Copy full SHA for 82639c6 - Browse repository at this point
Copy the full SHA 82639c6View commit details -
Establishing a Framework for Master Key and Shared Cache Management
Up until now, pg_tde relied on a hard-coded master key name, primarily for proof-of-concept purposes. This commit introduces a more robust infrastructure for configuring the master key and managing a dynamic shared memory-based master-key cache to enhance accessibility. For user interaction, a new SQL interface is provided: - pg_tde_set_master_key(master_key_name VARCHAR(255), provider_name VARCHAR(255)); This interface enables users to set a master key for a specific database and make further enhancements toward implementing the multi-tenancy. In addition to the public SQL interface, the commit optimizes the internal master-key API. It introduces straightforward Get and Set functions, handling locking, retrieval, caching, and assignment of a master key for a database seamlessly. The commit also introduces a unified internal interface for requesting and utilizing shared memory, contributing to a more cohesive and efficient master key and cache management system.
Configuration menu - View commit details
-
Copy full SHA for a28ab81 - Browse repository at this point
Copy the full SHA a28ab81View commit details -
Revamping the Keyring API Interface and Integrating Master Key
This commit unifies the master-key and key-provider modules with the core of pg_tde, marking a significant evolution in the architecture. As part of this integration, the keyring API undergoes substantial changes to enhance flexibility and remove unnecessary components such as the key cache. As a result of the keyring refactoring, the file keyring is also rewritten, offering a template for implementing additional key providers for the extension. The modifications make the keyring API more pluggable, streamlining interactions and paving the way for future enhancements.
Configuration menu - View commit details
-
Copy full SHA for e3e07c5 - Browse repository at this point
Copy the full SHA e3e07c5View commit details -
An Interface for Informing the Shared Memory Manager about Lock Requi…
…rements This commit addresses PostgreSQL core's requirement for upfront information regarding the number of locks needed by the extension. Given the connection between locks and the shared memory interface, a new callback routine is introduced. This routine allows modules to specify the number of locks they require. In addition to this functionality, the commit includes code cleanups and adjustments to nomenclature for improved clarity and consistency.
Configuration menu - View commit details
-
Copy full SHA for 03df7d2 - Browse repository at this point
Copy the full SHA 03df7d2View commit details -
Configuration menu - View commit details
-
Copy full SHA for e8b1381 - Browse repository at this point
Copy the full SHA e8b1381View commit details
Commits on Feb 22, 2024
-
Configuration menu - View commit details
-
Copy full SHA for 7e4b41f - Browse repository at this point
Copy the full SHA 7e4b41fView commit details
Commits on Feb 26, 2024
-
Fix typo in src/catalog/tde_master_key.c
Co-authored-by: Andrew Pogrebnoi <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2a82f57 - Browse repository at this point
Copy the full SHA 2a82f57View commit details -
Update comment in src/catalog/tde_master_key.c
Co-authored-by: Andrew Pogrebnoi <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for d49c679 - Browse repository at this point
Copy the full SHA d49c679View commit details
Commits on Feb 27, 2024
-
Taking care of review comments
Adjusting provider_name length in pg_tde_key_provider catalog definition and adding a TODO note for implementing an eviction policy for the master key cache.
Configuration menu - View commit details
-
Copy full SHA for ce0ce5c - Browse repository at this point
Copy the full SHA ce0ce5cView commit details -
Extension Initialization and Cleanup Mechanism
This commit enhances the extension by adding a new mechanism to facilitate cleanup or setup procedures when the extension is installed in a database. The core addition is a function "pg_tde_extension_initialize" invoked upon executing the database's 'CREATE EXTENSION' command. To streamline future development and ensure extensibility, the commit introduces a callback registration mechanism. This enables any module to specify a callback function (registered using on_ext_install() ) to be invoked during extension creation. As of this commit, the callback functionality is explicitly utilized by the master key module to handle the cleanup of the master key information file. This file might persist in the database directory if the extension had been previously deleted in the same database. This enhancement paves the way for a more modular and maintainable extension architecture, allowing individual modules to manage their specific setup and cleanup tasks seamlessly." Commit also contains the test case adjustments.
Configuration menu - View commit details
-
Copy full SHA for ce9a7cd - Browse repository at this point
Copy the full SHA ce9a7cdView commit details -
Configuration menu - View commit details
-
Copy full SHA for 5f31b50 - Browse repository at this point
Copy the full SHA 5f31b50View commit details
Commits on Feb 28, 2024
-
Adjusting Vault-V2 key provider to use new keyring architecture
Commit also contains the fix for review comments and a test case for Vault-V2 type key provider
Configuration menu - View commit details
-
Copy full SHA for fc7bedf - Browse repository at this point
Copy the full SHA fc7bedfView commit details -
Configuration menu - View commit details
-
Copy full SHA for 52e9d24 - Browse repository at this point
Copy the full SHA 52e9d24View commit details -
Configuration menu - View commit details
-
Copy full SHA for cdcba4d - Browse repository at this point
Copy the full SHA cdcba4dView commit details