I implemented data-at-rest encryption on MariaDB 10.5 using the plugin file_key_management.so.
Here is my current configuration:
plugin_dir=/usr/lib/mysql/plugin
plugin_load_add = file_key_management.so
loose_file_key_management_filename = /etc/mysql/keyfile.enc
loose_file_key_management_filekey = FILE:/etc/mysql/keyfile.key
loose_file_key_management_encryption_algorithm = AES_CTR
encrypt_binlog = ON
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encryption_threads = 4
innodb_encrypt_temporary_tables = ON
innodb_encryption_rotate_key_age = 1
innodb_encryption_rotation_iops = 3000
I was able to rotate the encryption key for all tables except for innodb_system:
MariaDB [(none)]> SELECT NAME,CURRENT_KEY_ID FROM information_schema.INNODB_TABLESPACES_ENCRYPTION where ENCRYPTION_SCHEME='1' and NAME like "%innodb%" \G
*************************** 1. row ***************************
NAME: innodb_system
CURRENT_KEY_ID: 1
*************************** 2. row ***************************
NAME: mysql/innodb_table_stats
CURRENT_KEY_ID: 3
*************************** 3. row ***************************
NAME: mysql/innodb_index_stats
CURRENT_KEY_ID: 3
Using the same query I was not able to rotate the key:
MariaDB [(none)]> alter table innodb_system encryption_key_id=3;
ERROR 1046 (3D000): No database selected
I found some documentation on how to rotate on MySQL and, if I understood correctly, this is like a master key for InnoDB.
mysql> ALTER INSTANCE ROTATE INNODB MASTER KEY;
Which does not work.
How can I rotate the key?
ERROR 1046 (3D000): No database selected
Before doing anything to a TABLE (such as ALTER), you must specify which database it is in (e.g., with a USE).
(There may be further mistakes.)
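An added example, not part of the original question or answer: read-only checks that show what the configuration in the question actually produced on the server. It uses the information_schema table and settings named in the post plus the standard PLUGINS view; treating ENCRYPTION_SCHEME values other than 1 as "not encrypted" and using key id 3 as the target are assumptions taken from the query and output above.

```sql
-- Added example: read-only audit of the encryption setup from the post.

-- 1. Options written with the loose_ prefix do not stop the server from
--    starting when the plugin is missing, so confirm it actually loaded.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
FROM information_schema.PLUGINS
WHERE PLUGIN_NAME = 'file_key_management';

-- 2. Effective values of the encryption settings from the configuration file.
SHOW GLOBAL VARIABLES
WHERE Variable_name LIKE 'innodb_encrypt%'
   OR Variable_name LIKE 'encrypt%'
   OR Variable_name = 'file_key_management_encryption_algorithm';

-- 3. Per-tablespace state, including key versions and whether background
--    encryption threads are still working on the tablespace.
SELECT NAME,
       ENCRYPTION_SCHEME,
       CURRENT_KEY_ID,
       MIN_KEY_VERSION,
       CURRENT_KEY_VERSION,
       ROTATING_OR_FLUSHING
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
ORDER BY CURRENT_KEY_ID, NAME;

-- 4. How many tablespaces sit on each key id.
SELECT CURRENT_KEY_ID, ENCRYPTION_SCHEME, COUNT(*) AS tablespaces
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
GROUP BY CURRENT_KEY_ID, ENCRYPTION_SCHEME
ORDER BY CURRENT_KEY_ID;

-- 5. Exceptions to review: tablespaces that are not encrypted (assumed:
--    ENCRYPTION_SCHEME other than 1) or not on key id 3 (assumed target).
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID
FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
WHERE ENCRYPTION_SCHEME <> 1 OR CURRENT_KEY_ID <> 3
ORDER BY NAME;
```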
I recently moved to MariaDB 10.5, and have encountered this specific output where a percentage is shown along with rows in explain output. I couldn't find any documentation for the same; probably it's a new feature.
What exactly does that mean? Is it the probability of some kind regarding rows being read?
MariaDB [c6b2c772b91fd3d8]> explain
select
`execute_action`, `state_type`
from
`tabSuperflow Document State`
where
`parent` = 'Check Point'
and `state` = 'Pending TSM Approval - Delivery'
order by
modified desc \G
*************************** 1. row ***************************
id: 1
select_type: SIMPLE
table: tabSuperflow Document State
type: ref|filter
possible_keys: parent,index_on_state
key: index_on_state|parent
key_len: 563|563
ref: const
rows: 1 (17%)
Extra: Using index condition; Using where; Using filesort; Using rowid filter
1 row in set (0.001 sec)
Found out the answer in rather unrelated documentation:
https://mariadb.com/kb/en/rowid-filtering-optimization/
rows column shows the expected filter selectivity, it is 5%.
So basically that percentage shows expected filter selectivity, i.e. rows which will be filtered using where clause in this step. This output can also be seen in explain extended output in the filtered column.
MariaDB [c6b2c772b91fd3d8]> explain extended select `execute_action`, `state_type` from `tabSuperflow Document State` where `parent` = 'Check Point' and `state` = 'Pending TSM Approval - Delivery' order by modified desc \G
*************************** 1. row ***************************
id: 1
select_type: SIMPLE
table: tabSuperflow Document State
type: ref|filter
possible_keys: parent,index_on_state
key: index_on_state|parent
key_len: 563|563
ref: const
rows: 1 (17%)
filtered: 16.67
Extra: Using index condition; Using where; Using filesort; Using rowid filter
1 row in set, 1 warning (0.001 sec)
I have a parent table (profiles) in which profile_id is the primary key and is a foreign key to 3 different child tables (s_profile, p_profile, c_profile).
Now, I want to delete a record from the table profile and want to update a "DELETED" column in the child tables with sysdate.
However my script doesn't allow it saying "Foreign key violated- Child record found".
Is there a solution to it?
What is the purpose of that foreign key constraint, if you want to allow deleting master while details exist?
Anyway, here's an example which shows what you might do; is it the right way, I can't tell (I suspect not - once again, it cancels the purpose of the referential constraint).
Create two tables - master and its detail:
SQL> create table profiles
2 (id_profile number primary key);
Table created.
SQL> create table s_profile
2 (id number primary key,
3 id_profile number constraint fk_s_pro references profiles (id_profile),
4 deleted date);
Table created.
SQL>
Sample data and attempt to delete a master while detail exists:
SQL> insert into profiles values (1);
1 row created.
SQL> insert into s_profile (id, id_profile) values (100, 1);
1 row created.
SQL> delete from profiles where id_profile = 1;
delete from profiles where id_profile = 1
*
ERROR at line 1:
ORA-02292: integrity constraint (SCOTT.FK_S_PRO) violated - child record found
SQL>
Create a trigger on the master table which removes foreign key value and sets the date:
SQL> create or replace trigger trg_bd_prof
2 before delete on profiles
3 for each row
4 begin
5 update s_profile s set
6 s.id_profile = null,
7 s.deleted = sysdate
8 where s.id_profile = :old.id_profile;
9 end;
10 /
Trigger created.
Let's try to delete master again:
SQL> delete from profiles where id_profile = 1;
1 row deleted.
SQL> select * From s_profile;
        ID ID_PROFILE DELETED
---------- ---------- ----------
       100            2018-10-03
SQL>
If you want to save foreign key value, you could alter detail table and add another column, say deleted_id_profile and populate it with the same trigger. Though, what would you do with it, if parent doesn't exist any more and you can't find any info about it?
I have a table named 'ROUTE'. What "desc ROUTE" does is as follows:
Name                 Null Type
-------------------- ---- --------------
ROUTE_GUID                RAW(16 BYTE)
LINE_GUID                 RAW(16 BYTE)
EVENT_GUID                RAW(16 BYTE)
DESCRIPTION               VARCHAR2(254)
Where ROUTE_GUID is the PK. When I tried altering the table, it showed "ORA-01442: column to be modified to NOT NULL is already NOT NULL". The real problem is that a .NET application has to use this table but it cannot unless a non-nullable column is found. There are also many database views associated with this table, so these views cannot be retrieved by .NET either. Anyone got the same problem?
I came across this issue in Oracle 12g r 2. The desc MY_TABLE did not show the NOT NULL for a column that did have a NOT NULL constraint. Querying the DBA_TAB_COLS table for the NULLABLE column did not show it either. If I queried the DBA_CONS_COLUMNS and DBA_CONSTRAINTS it did show up! The web site https://logic.edchen.org/how-to-resolve-ora-01442-column-to-be-modified-to-not-null-is-already-not-null/ almost helps; it showed the case where the constraint was in DISABLED status; in my situation, the status was ENABLED. I just did a disable followed by an enable, and it worked; the NOT NULL is displayed now.
Code to display NOT NULL constraint name:
select a.constraint_name, b.status
from dba_cons_columns a
inner join dba_constraints b
on a.constraint_name = b.constraint_name
where a.table_name = 'MY_TABLE'
and a.owner = 'SCOTT' and a.owner=b.owner
and a.column_name = 'USER_NAME'
and b.constraint_type = 'C' and search_condition_vc like '%NOT NULL';
Code to disable and enable constraint:
alter table scott.my_table modify constraint SYS_C0019940 DISable;
alter table scott.my_table modify constraint SYS_C0019940 ENable;
I have a dependent map on my persistent class... I was thinking the indexed="true" would cause DN to add an index to the key and value columns on the generated table, but it seems completely ignored. Of course I can manually add the index.. but is there a way to make DN do it for me either via annotations (preferred) or xml?
@Persistent
@Key(types=String.class,indexed="true",index = "key_idx")
@Value(types=String.class,dependent="true",indexed="true",index = "value_idx")
@Join
private Map<String,String> metadata = new HashMap<>();
In response to DN's comment: it is using MySQL... here are the relevant logs I can find and the resulting schema... is there something else I can add to help figure out what I'm doing wrong?
DataNucleus.Datastore.Schema:58 - Column "account_metadata.id_oid" added to internal representation of table.
DataNucleus.Datastore:58 - Field [com.core.data.account.Account.metadata] -> Column(s) [account_metadata.id_oid] using mapping of type "org.datanucleus.store.mapped.mapping.PersistableMapping" (org.datanucleus.store.rdbms.mapping.IntegerRDBMSMapping)
DataNucleus.Datastore.Schema:58 - Column "account_metadata.`key`" added to internal representation of table.
DataNucleus.Datastore:58 - Field [com.core.data.account.Account.metadata] -> Column(s) [account_metadata.`key`] using mapping of type "org.datanucleus.store.mapped.mapping.StringMapping" (org.datanucleus.store.rdbms.mapping.VarCharRDBMSMapping)
DataNucleus.Datastore.Schema:58 - Column "account_metadata.`value`" added to internal representation of table.
DataNucleus.Datastore:58 - Field [com.core.data.account.Account.metadata] -> Column(s) [account_metadata.`value`] using mapping of type "org.datanucleus.store.mapped.mapping.StringMapping" (org.datanucleus.store.rdbms.mapping.ClobRDBMSMapping)
DataNucleus.Datastore.Schema:58 - Validating 2 index(es) for table account_metadata
DataNucleus.Datastore.Schema:58 - Validating 1 foreign key(s) for table account_metadata
DataNucleus.Datastore.Schema:58 - Validating 1 unique key(s) for table account_metadata
CREATE TABLE `account_metadata` (
`id_oid` int(11) NOT NULL,
`key` varchar(64) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL,
`value` mediumtext,
PRIMARY KEY (`id_oid`,`key`),
KEY `account_metadata_n49` (`id_oid`),
CONSTRAINT `account_metadata_fk1` FOREIGN KEY (`id_oid`) REFERENCES `account` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1
SVN trunk of DataNucleus now supports indexes on key/value columns of map join tables where the key/value are non-persistent (previously supported for embedded key/values only).
I have the following code in SQL
-- SCHEMA VERSION: 2
-- Pre-update actions
PRAGMA foreign_keys = OFF;
-- end
-- Create HARVEST_PERIOD table
CREATE TABLE "main"."HARVEST_PERIOD" (
"ID" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
"CODE" TEXT(64) NOT NULL,
"PERIOD" TEXT(64) NOT NULL,
"CURRENT_STATE" TEXT(128)
)
;
-- Post-update actions
INSERT OR REPLACE INTO "main"."SETTINGS" ("NAME", "VALUE") values ('SchemaVersion', '2');
PRAGMA foreign_keys = ON;
-- end
The new table is created as expected and the settings table updated as expected, too. What could be the reason for getting this: [Err] 21 - not an error
Is there any better suggested way to create the new schema?
I encountered this error as well. Later I figured it out. It's because another application was connected to the same db. So, my application couldn't modify the db -- create a table.
I created it successfully just by closing the other db connection.