fixup! PG-1504 Make partitions inherit encryption status

Anders Åstrand · Anders Åstrand · commit bcb9f9a389df · 2025-04-23T20:00:25.000+02:00
diff --git a/contrib/pg_tde/expected/partition_table.out b/contrib/pg_tde/expected/partition_table.out
@@ -86,7 +86,8 @@ SELECT pg_tde_is_encrypted('partition_q4_2024');
  t
 (1 row)
 
--- Partition inherits encryption status from parent table
+-- Partition inherits encryption status from parent table if default is heap and parent is tde_heap
+SET default_table_access_method = "heap";
 CREATE TABLE partition_inherit_parent (a int) PARTITION BY RANGE (a) USING tde_heap;
 CREATE TABLE partition_inherit_child PARTITION OF partition_inherit_parent FOR VALUES FROM (0) TO (10);
 SELECT pg_tde_is_encrypted('partition_inherit_child');
@@ -96,5 +97,18 @@ SELECT pg_tde_is_encrypted('partition_inherit_child');
 (1 row)
 
 DROP TABLE partition_inherit_parent;
+RESET default_table_access_method;
+-- Partition inherits encryption status from parent table if default is tde_heap and parent is heap
+SET default_table_access_method = "tde_heap";
+CREATE TABLE partition_inherit_parent (a int) PARTITION BY RANGE (a) USING heap;
+CREATE TABLE partition_inherit_child PARTITION OF partition_inherit_parent FOR VALUES FROM (0) TO (10);
+SELECT pg_tde_is_encrypted('partition_inherit_child');
+ pg_tde_is_encrypted 
+---------------------
+ f
+(1 row)
+
+DROP TABLE partition_inherit_parent;
+RESET default_table_access_method;
 DROP TABLE partitioned_table;
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/sql/partition_table.sql b/contrib/pg_tde/sql/partition_table.sql
@@ -31,11 +31,21 @@ SELECT pg_tde_is_encrypted('partition_q2_2024');
 SELECT pg_tde_is_encrypted('partition_q3_2024');
 SELECT pg_tde_is_encrypted('partition_q4_2024');
 
--- Partition inherits encryption status from parent table
+-- Partition inherits encryption status from parent table if default is heap and parent is tde_heap
+SET default_table_access_method = "heap";
 CREATE TABLE partition_inherit_parent (a int) PARTITION BY RANGE (a) USING tde_heap;
 CREATE TABLE partition_inherit_child PARTITION OF partition_inherit_parent FOR VALUES FROM (0) TO (10);
 SELECT pg_tde_is_encrypted('partition_inherit_child');
 DROP TABLE partition_inherit_parent;
+RESET default_table_access_method;
+
+-- Partition inherits encryption status from parent table if default is tde_heap and parent is heap
+SET default_table_access_method = "tde_heap";
+CREATE TABLE partition_inherit_parent (a int) PARTITION BY RANGE (a) USING heap;
+CREATE TABLE partition_inherit_child PARTITION OF partition_inherit_parent FOR VALUES FROM (0) TO (10);
+SELECT pg_tde_is_encrypted('partition_inherit_child');
+DROP TABLE partition_inherit_parent;
+RESET default_table_access_method;
 
 DROP TABLE partitioned_table;
 DROP EXTENSION pg_tde;
diff --git a/contrib/pg_tde/src/pg_tde_event_capture.c b/contrib/pg_tde/src/pg_tde_event_capture.c
@@ -155,16 +155,17 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS)
 		validateCurrentEventTriggerState(true);
 		tdeCurrentCreateEvent.tid = GetCurrentFullTransactionId();
 
-		if (shouldEncryptTable(stmt->accessMethod))
+
+		if (stmt->accessMethod && strcmp(stmt->accessMethod, "tde_heap") == 0)
 		{
+			/* If access method is explicitly set to tde_heap, always encrypt. */
 			tdeCurrentCreateEvent.encryptMode = true;
 		}
 		else if (!stmt->accessMethod && stmt->partbound)
 		{
-
 			/*
-			 * If this is a partition of a parent table, and no access method
-			 * is specified, access method will be inherited and we need to
+			 * If no access method is specified, and this is a partition of a
+			 * parent table, access method will be inherited and we need to
 			 * deal with setting the encryption status properly.
 			 *
 			 * AccessExclusiveLock might seem excessive, but it's what
@@ -184,6 +185,15 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS)
 				tdeCurrentCreateEvent.encryptMode = true;
 			}
 		}
+		else if (!stmt->accessMethod && strcmp(default_table_access_method, "tde_heap") == 0)
+		{
+			/*
+			 * If no access method is specified, and this is not a partition
+			 * of a parent table, refer to the default access method to set
+			 * encryption status.
+			 */
+			tdeCurrentCreateEvent.encryptMode = true;
+		}
 
 		checkEncryptionStatus();
 	}

Original file line number	Diff line number	Diff line change
`@@ -155,16 +155,17 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS)`
`155`	`155`	`validateCurrentEventTriggerState(true);`
`156`	`156`	`tdeCurrentCreateEvent.tid = GetCurrentFullTransactionId();`
`157`	`157`
`158`		`- if (shouldEncryptTable(stmt->accessMethod))`
	`158`	`+`
	`159`	`+ if (stmt->accessMethod && strcmp(stmt->accessMethod, "tde_heap") == 0)`
`159`	`160`	`{`
	`161`	`+ /* If access method is explicitly set to tde_heap, always encrypt. */`
`160`	`162`	`tdeCurrentCreateEvent.encryptMode = true;`
`161`	`163`	`}`
`162`	`164`	`else if (!stmt->accessMethod && stmt->partbound)`
`163`	`165`	`{`
`164`		`-`
`165`	`166`	`/*`
`166`		`- * If this is a partition of a parent table, and no access method`
`167`		`- * is specified, access method will be inherited and we need to`
	`167`	`+ * If no access method is specified, and this is a partition of a`
	`168`	`+ * parent table, access method will be inherited and we need to`
`168`	`169`	`* deal with setting the encryption status properly.`
`169`	`170`	`*`
`170`	`171`	`* AccessExclusiveLock might seem excessive, but it's what`
`@@ -184,6 +185,15 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS)`
`184`	`185`	`tdeCurrentCreateEvent.encryptMode = true;`
`185`	`186`	`}`
`186`	`187`	`}`
	`188`	`+ else if (!stmt->accessMethod && strcmp(default_table_access_method, "tde_heap") == 0)`
	`189`	`+ {`
	`190`	`+ /*`
	`191`	`+ * If no access method is specified, and this is not a partition`
	`192`	`+ * of a parent table, refer to the default access method to set`
	`193`	`+ * encryption status.`
	`194`	`+ */`
	`195`	`+ tdeCurrentCreateEvent.encryptMode = true;`
	`196`	`+ }`
`187`	`197`
`188`	`198`	`checkEncryptionStatus();`
`189`	`199`	`}`