maria:bb-10.9-MDEV-19281-v3

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

4f3e483... by Julius Goryavsky <email address hidden> on 2022-04-20

MDEV-28277: post-review fix

6be56ad... by Julius Goryavsky <email address hidden> on 2022-04-20

MDEV-28275: post-review fix

b025c10... by Julius Goryavsky <email address hidden> on 2022-04-20

MDEV-28279: Hashicorp: Cannot migrate hexadecimal keys from file key management

This commit fixes a bug in the algorithm for converting hexadecimal
strings to key values, which leads to incompatibility with other plugins
and reduces the effective information capacity of the key. A new conversion
mode has also been added to support keys represented by "raw" strings,
which are used directly without additional transformation (similar to
the algorithm used in the alpha version of the plugin). A new parameter
has been added to control the modes for converting strings to real key
values that the server will use:

--hashicorp-key-management-key-conversion-rules="hexadecimal"|
                                                "strings"|
                                                "old"

This parameter This setting controls the rules for interpreting
key values (the rules for converting them to a binary value that
is used by the server during encryption). By default, key values
are interpreted as numbers written in the hexadecimal number system
("hexadecimal"). However, the user can select "strings" mode, where
strings received from Hashicorp Vault will be directly interpreted
as raw key values for encryption, without any conversion between
number systems, etc. Also, the user can select the "old" mode,
which instructs to use an algorithm that compatible with the key
conversion rules that were used by the plugin before version 1.05.
The old key conversion rules are incompatible with other plugins
and reduce the effective information capacity of the keys, but
they should be used if the data in the tables has already been
encrypted using a plugin version less than 1.05. For new bases,
the "hexadecimal" rules (which are set by default) are preferred -
in this case, the keys are written as numbers in hexadecimal
notation.

caffbb6... by Julius Goryavsky <email address hidden> on 2022-04-19

MDEV-28291: Hashicorp: Cache variables claim to be dynamic but changes are ignored

This commit fixes an issue with no visible update in caching
option values after changing them dynamically while the server
is running. This issue was related to forgotten copy operations
of new values into dynamic variables. At the same time, internal
variables (responsible for caching) were always updated correctly.
The commit includes a test that checks that the update is now
reflected in the values of dynamic variables.

4ba9e9b... by Julius Goryavsky <email address hidden> on 2022-04-19

MDEV-28330: Hashicorp: Key caching doesn't appear to be working

Added test files for mtr that test failed configuration with
--loose-hashicorp-key-management-cache-version-timeout=180000
correctly set.

05fef04... by Julius Goryavsky <email address hidden> on 2022-04-19

MDEV-28281: Hashicorp: Key ID is not indicated in the log record

This commit adds an indication of the ID of the not found key
(and, when appropriate, also an indication of the version number
of the key) in the log file, making it easier to find errors.

1f0d76c... by Julius Goryavsky <email address hidden> on 2022-04-19

MDEV-28276: Hashicorp: checking that kv storage is created with version 2+

For the plugin to work properly, we need support for key versioning,
and for this, the kv storage in Hashicorp Vault must be created with
version 2 or higher. This commit adds such a check performed during
plugin initialization.

Note: checking for kv storage version during plugin initialization
can be disabled via --hashicorp-key-management-check-kv-version=off
command-line option or via the corresponding option in the server
configuration files.

d3e31cd... by Julius Goryavsky <email address hidden> on 2022-04-18

MDEV-28277: Checking for mandatory "/v1/" prefix in the URL

According to the Hashicorp Vault API specifications,
the URL to access the keys must include the "/v1/" prefix
at the beginning of the path. This commit adds this parameter
check, as well as a check for the presence of at least one
letter in the hostname inside the URL and in the secret
store name (after "/v1/").

065705f... by Julius Goryavsky <email address hidden> on 2022-04-18

MDEV-28275: Hashicorp: ASAN heap-use-after-free in get_version()

Passing a string as a parameter by value has been replaced by
passing by reference to avoid using memory after it has been freed.

1e1d340... by Julius Goryavsky <email address hidden> on 2020-07-13

MDEV-19281: Plugin implementation for the Hashicorp Vault KMS

- Authentication is done using the Hashicorp Vault's token
  authentication method;
- If additional client authentication is required, then the
  path to the CA authentication bundle file may be passed
  as a plugin parameter;
- The creation of the keys and their management is carried
  out using the Hashicorp Vault KMS and their tools;
- Key values stored as hexadecimal strings;
- Key values caching is supported.
- Implemented a time-invalidated cache for key values and
  for key version numbers received from the Hashicorp Valult
  server;
- The plugin uses libcurl (https) as an interface to
  the HashiCorp Vault server;
- JSON parsing is performed through the JSON service
  (through the include/mysql/service_json.h);
- HashiCorp Vault 1.2.4 was used for development and testing.