PG-1213 Add SQL function for checking if WAL record is encrypted #514
Conversation
artemgavrilov
force-pushed
the
PG-1213-check-wal-enc-func
branch
7 times, most recently
from
d411530 to
f23f140
Compare
Codecov Report❌ Patch coverage is ❌ Your project status has failed because the head coverage (82.15%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## TDE_REL_17_STABLE #514 +/- ##
=====================================================
+ Coverage 82.08% 82.15% +0.06%
=====================================================
Files 25 25
Lines 3170 3216 +46
Branches 505 514 +9
=====================================================
+ Hits 2602 2642 +40
- Misses 460 464 +4
- Partials 108 110 +2
🚀 New features to boost your workflow:
|
artemgavrilov
force-pushed
the
PG-1213-check-wal-enc-func
branch
4 times, most recently
from
80db6f8 to
6d0da57
Compare
artemgavrilov
force-pushed
the
PG-1213-check-wal-enc-func
branch
from
6d0da57 to
9967248
Compare
| ); | ||
| ``` | ||
|
|
||
| ### pg_tde_get_wal_encryption_ranges |
There was a problem hiding this comment.
| ### pg_tde_get_wal_encryption_ranges | |
| ### pg_tde_get_wal_encryption_ranges | |
| .tli = tli,.lsn = 0 | ||
| }; | ||
|
|
||
| keys = pg_tde_fetch_wal_keys(loc); |
There was a problem hiding this comment.
We shouldn't fetch them, as they are most likely are already in the cache. This should be pg_tde_get_wal_cache_keys
There was a problem hiding this comment.
Writes may produce new WAL key, but writes don't update cache as allocations are forbidden there. So WAL reads have some logic how to check if new key was produced and refresh cache entries. After discussion with @dAdAbird we decided that doing it the same way in this function will make code too complex and we can just read keys from disk for now.
postgres/contrib/pg_tde/src/access/pg_tde_xlog_smgr.c
Lines 471 to 478 in 80e0bb0
There was a problem hiding this comment.
But pg_tde_fetch_wal_keys always adds the fetched keys to the cache, it doesn't check if it's already in the cache. So if we call it multiple times with the beginning, we end up spamming the cache with duplicate records.
Also, if the cache already has items, it doesn't return the first key in the cache, but the first item added to the cache in this read.
There was a problem hiding this comment.
Writes may produce new WAL key, but writes don't update cache as allocations are forbidden there
This is also no longer true since #539 now the current key is also in the cache. So reading the cache should be enough.
There was a problem hiding this comment.
Eah, but thinking on it, pg_tde_fetch_wal_keys() will not only fetch data from disk dub populate cache with it. In the reader, we specify the last LSN so it'll add only the absent key to the cache. Here it will pull all the keys and add them for the second/third etc, time to the backend's cache. I'm not sure what consequences it may lead to... Unfortunately, we don't have an existing function to read only from the disk and don't flood the cache...
There was a problem hiding this comment.
Ahh damn, you're right. I didn't check how cached was populated 🤦
| $node->append_conf('postgresql.conf', "shared_preload_libraries = 'pg_tde'"); | ||
| $node->append_conf('postgresql.conf', "wal_level = 'logical'"); | ||
| # We don't test that it can't start: the test framework doesn't have an easy way to do this | ||
| #$node->append_conf('postgresql.conf', "pg_tde.wal_encrypt = 1"); |
| stdout => \$psql_out); | ||
| is($psql_out, 't', "Check that WAL record is still encrypted"); | ||
|
|
||
| # Check that WAL records that we recoreded before match the encryption ranges. We doint this |
| is($psql_out, 't', "Check that WAL record is still encrypted"); | ||
|
|
||
| # Check that WAL records that we recoreded before match the encryption ranges. We doint this | ||
| # that way because LSN numbers are not stable across different runs of the test. |
There was a problem hiding this comment.
"We doint this that way..." needs rephrasing
| .tli = tli,.lsn = 0 | ||
| }; | ||
|
|
||
| keys = pg_tde_fetch_wal_keys(loc); |
There was a problem hiding this comment.
Eah, but thinking on it, pg_tde_fetch_wal_keys() will not only fetch data from disk dub populate cache with it. In the reader, we specify the last LSN so it'll add only the absent key to the cache. Here it will pull all the keys and add them for the second/third etc, time to the backend's cache. I'm not sure what consequences it may lead to... Unfortunately, we don't have an existing function to read only from the disk and don't flood the cache...
Add user function for checking if WAL record with given LSN is encrypted. Function assumes that provided LSN belongs to current timeline, however it allows to specify timeline ID as second argument.
Add user function that shows LSN ranges for encrypted records in WAL.
artemgavrilov
force-pushed
the
PG-1213-check-wal-enc-func
branch
from
9967248 to
c8e5310
Compare
https://perconadev.atlassian.net/browse/PG-1213
This PR bumps major version for the extension and introduces two new functions: