Details
-
Admin & Maintenance Task
-
Status: Done
-
High
-
Resolution: Fixed
-
8.0.x
-
None
-
None
Description
Upgrade:
All tables from encrypted tablespace need to have ENCRYPTION='Y' clause
assigned and DD'table option encryption set to Y. In previous versions
we have assigned encryption clause and DD encryption option only to
tablespaces. Thus on update now we need to assign ENCRYPTION='Y' and set
DD option encryption to Y for all tables that resided in encrypted
tablespace. Also we can be upgrading from PS with encrypted system
tablespace (ibdata).
EXPLICIT ENCRYPTION clause:
MySQL now adds clause ENCRYPTION=Y/N to all tables. However, in MySQL,
ENCRYPTION=N it is shown to the user in SHOW CREATE TABLE statement only
when it resides in schema with DEFAULT ENCRYPTION=Y. Thus only when it
was explicilty specified that table/space should stay decrypted. We were
using explicit ENCRYPTION=N clause to mark table/spaces that are to be
excluded from encryption threads. Thus we also show ENCRYPTION=N when it
was explicitly specified. This means that in PS - ENCRYPTION=N will show
up in SHOW CREATE TABLE even if SCHEMA has DEFAULT ENCRYPTION=N. This
behavior was retained to be able to tests encryption threads - we may
drop this behavior in favor of ENCRYPTION=NO_ONLINE.
--innodb-encrypt-tables to --default-table-encryption migration:
innodb-encrypt-tables has been removed. Now all encryption is directed
by database's default encryption and default_table_encryption variable.
Tablespaces and schema's inherit encryption clause from
default_table_encryption. Tables created in schema must obey schema's
default encryption when table_encryption_privilege_check - unless user
has privilege to overwrite table_encryption_privilege_check. Tables
created in tablespace - of course - must obey tablespace encryption and
when table_encryption_privilege_check is on - schema's default
encryption. encryption='y' is no longer added to all tables/tablespaces.
The code from adjust_encryption_options that was doing that was
commented out.
The relation between innodb-encrypt-tables and default-table-encryption
can be summarized as:
schema encryption = 'y' && table_encryption_privilege_check = ON => innodb_encrypt_tables = FORCE
schema encryption = 'y' && table_encryption_privilege_check = OFF => innodb_encrypt_tables = ON
Please note this is oversimplification and for whole scope of those variables please refer to MySQL
documentation. For instance user with TABLE_ENCRYPTION_ADMIN can overwrite table_encryption_privilege_check.