From d64594932b2a358e31a532d32fd6676395bc6a39 Mon Sep 17 00:00:00 2001 From: kailixu Date: Wed, 27 Mar 2024 20:03:38 +0800 Subject: [PATCH] feat: support database encryption --- include/common/tglobal.h | 6 ++- include/common/tmsg.h | 3 ++ include/util/taoserror.h | 2 + include/util/tdef.h | 4 ++ source/common/src/tglobal.c | 8 +-- source/common/src/tmsg.c | 10 +++- source/dnode/mgmt/mgmt_dnode/src/dmHandle.c | 1 + source/dnode/mnode/impl/inc/mndDef.h | 3 ++ source/dnode/mnode/impl/src/mndDb.c | 58 ++++++++++++++++++++- source/dnode/mnode/impl/src/mndDnode.c | 12 ++++- source/dnode/mnode/impl/src/mndDump.c | 1 + source/dnode/vnode/inc/vnode.h | 1 + source/dnode/vnode/src/vnd/vnodeCfg.c | 7 ++- source/libs/command/src/command.c | 16 +++++- source/libs/parser/src/parAstCreater.c | 1 + source/libs/parser/src/parTranslater.c | 10 +++- source/util/src/terror.c | 3 ++ 17 files changed, 130 insertions(+), 16 deletions(-) diff --git a/include/common/tglobal.h b/include/common/tglobal.h index 7a7f19c3af..0d884d419e 100644 --- a/include/common/tglobal.h +++ b/include/common/tglobal.h @@ -94,8 +94,6 @@ extern char tsSnodeAddress[]; // 127.0.0.1:873 // mnode extern int64_t tsMndSdbWriteDelta; extern int64_t tsMndLogRetention; -extern int8_t tsGrant; -extern int32_t tsMndGrantMode; extern bool tsMndSkipGrant; extern bool tsEnableWhiteList; @@ -104,6 +102,10 @@ extern int64_t tsDndStart; extern int64_t tsDndStartOsUptime; extern int64_t tsDndUpTime; +// dnode misc +extern int8_t tsEncryptionKeyStat; +extern int8_t tsGrant; + // monitor extern bool tsEnableMonitor; extern int32_t tsMonitorInterval; diff --git a/include/common/tmsg.h b/include/common/tmsg.h index 6ed69e7d8c..e33c106c22 100644 --- a/include/common/tmsg.h +++ b/include/common/tmsg.h @@ -1158,6 +1158,7 @@ typedef struct { int32_t sqlLen; char* sql; int8_t withArbitrator; + int8_t encryptAlgorithm; } SCreateDbReq; int32_t tSerializeSCreateDbReq(void* buf, int32_t bufLen, SCreateDbReq* pReq); @@ -1300,6 +1301,7 @@ typedef struct { int8_t replications; int8_t strict; int8_t cacheLast; + int8_t encryptAlgorithm; int32_t tsdbPageSize; int32_t walRetentionPeriod; int32_t walRollPeriod; @@ -1498,6 +1500,7 @@ typedef struct { char charset[TD_LOCALE_LEN]; // tsCharset int8_t ttlChangeOnWrite; int8_t enableWhiteList; + int8_t encryptionKeyStat; } SClusterCfg; typedef struct { diff --git a/include/util/taoserror.h b/include/util/taoserror.h index 4c3990306a..f9ba4d208e 100644 --- a/include/util/taoserror.h +++ b/include/util/taoserror.h @@ -303,6 +303,8 @@ int32_t* taosGetErrno(); #define TSDB_CODE_MND_DB_OPTION_UNCHANGED TAOS_DEF_ERROR_CODE(0, 0x038A) // #define TSDB_CODE_MND_DB_INDEX_NOT_EXIST TAOS_DEF_ERROR_CODE(0, 0x038B) #define TSDB_CODE_MND_DB_RETENTION_PERIOD_ZERO TAOS_DEF_ERROR_CODE(0, 0x038C) +#define TSDB_CODE_MND_INCONSIST_ENCRYPT_KEY TAOS_DEF_ERROR_CODE(0, 0x038D) +#define TSDB_CODE_MND_INVALID_ENCRYPT_KEY TAOS_DEF_ERROR_CODE(0, 0x038E) // #define TSDB_CODE_MND_INVALID_DB_OPTION_DAYS TAOS_DEF_ERROR_CODE(0, 0x0390) // 2.x // #define TSDB_CODE_MND_INVALID_DB_OPTION_KEEP TAOS_DEF_ERROR_CODE(0, 0x0391) // 2.x // #define TSDB_CODE_MND_INVALID_TOPIC TAOS_DEF_ERROR_CODE(0, 0x0392) // 2.x diff --git a/include/util/tdef.h b/include/util/tdef.h index 4013107be8..a4abe90c47 100644 --- a/include/util/tdef.h +++ b/include/util/tdef.h @@ -397,6 +397,9 @@ typedef enum ELogicConditionType { #define TSDB_ENCRYPT_ALGO_SM2 2 #define TSDB_ENCRYPT_ALGO_SM3 3 #define TSDB_ENCRYPT_ALGO_SM4 4 +#define TSDB_DEFAULT_ENCRYPT_ALGO TSDB_ENCRYPT_ALGO_NONE +#define TSDB_MIN_ENCRYPT_ALGO TSDB_ENCRYPT_ALGO_NONE +#define TSDB_MAX_ENCRYPT_ALGO TSDB_ENCRYPT_ALGO_SM4 #define TSDB_DEFAULT_CACHE_MODEL TSDB_CACHE_MODEL_NONE #define TSDB_MIN_DB_CACHE_SIZE 1 // MB #define TSDB_MAX_DB_CACHE_SIZE 65536 @@ -522,6 +525,7 @@ typedef enum ELogicConditionType { enum { TRANS_STAT_INIT = 0, TRANS_STAT_EXECUTING, TRANS_STAT_EXECUTED, TRANS_STAT_ROLLBACKING, TRANS_STAT_ROLLBACKED }; enum { TRANS_OPER_INIT = 0, TRANS_OPER_EXECUTE, TRANS_OPER_ROLLBACK }; +enum { ENCRYPT_KEY_STAT_UNKNOWN = 0, ENCRYPT_KEY_STAT_UNSET, ENCRYPT_KEY_STAT_SET, ENCRYPT_KEY_STAT_LOADED}; typedef struct { char dir[TSDB_FILENAME_LEN]; diff --git a/source/common/src/tglobal.c b/source/common/src/tglobal.c index 3381d52050..0479c65962 100644 --- a/source/common/src/tglobal.c +++ b/source/common/src/tglobal.c @@ -77,8 +77,6 @@ int32_t tsSnapReplMaxWaitN = 128; // mnode int64_t tsMndSdbWriteDelta = 200; int64_t tsMndLogRetention = 2000; -int8_t tsGrant = 1; -int32_t tsMndGrantMode = 0; bool tsMndSkipGrant = false; bool tsEnableWhiteList = false; // ip white list cfg @@ -92,6 +90,10 @@ int64_t tsDndStart = 0; int64_t tsDndStartOsUptime = 0; int64_t tsDndUpTime = 0; +// dnode misc +int8_t tsEncryptionKeyStat = 0; +int8_t tsGrant = 1; + // monitor bool tsEnableMonitor = true; int32_t tsMonitorInterval = 30; @@ -691,7 +693,6 @@ static int32_t taosAddServerCfg(SConfig *pCfg) { return -1; if (cfgAddInt64(pCfg, "mndLogRetention", tsMndLogRetention, 500, 10000, CFG_SCOPE_SERVER, CFG_DYN_NONE) != 0) return -1; - if (cfgAddInt32(pCfg, "grantMode", tsMndGrantMode, 0, 10000, CFG_SCOPE_SERVER, CFG_DYN_NONE) != 0) return -1; if (cfgAddBool(pCfg, "skipGrant", tsMndSkipGrant, CFG_SCOPE_SERVER, CFG_DYN_NONE) != 0) return -1; if (cfgAddString(pCfg, "monitorFqdn", tsMonitorFqdn, CFG_SCOPE_SERVER, CFG_DYN_NONE) != 0) return -1; @@ -1209,7 +1210,6 @@ static int32_t taosSetServerCfg(SConfig *pCfg) { tsMndSdbWriteDelta = cfgGetItem(pCfg, "mndSdbWriteDelta")->i64; tsMndLogRetention = cfgGetItem(pCfg, "mndLogRetention")->i64; tsMndSkipGrant = cfgGetItem(pCfg, "skipGrant")->bval; - tsMndGrantMode = cfgGetItem(pCfg, "grantMode")->i32; tsEnableWhiteList = cfgGetItem(pCfg, "enableWhiteList")->bval; tsStartUdfd = cfgGetItem(pCfg, "udf")->bval; diff --git a/source/common/src/tmsg.c b/source/common/src/tmsg.c index ff424ee558..1aaceeac98 100644 --- a/source/common/src/tmsg.c +++ b/source/common/src/tmsg.c @@ -1177,6 +1177,7 @@ int32_t tSerializeSStatusReq(void *buf, int32_t bufLen, SStatusReq *pReq) { if (tEncodeCStr(&encoder, pReq->clusterCfg.locale) < 0) return -1; if (tEncodeCStr(&encoder, pReq->clusterCfg.charset) < 0) return -1; if (tEncodeI8(&encoder, pReq->clusterCfg.enableWhiteList) < 0) return -1; + if (tEncodeI8(&encoder, pReq->clusterCfg.encryptionKeyStat) < 0) return -1; // vnode loads int32_t vlen = (int32_t)taosArrayGetSize(pReq->pVloads); @@ -1269,6 +1270,7 @@ int32_t tDeserializeSStatusReq(void *buf, int32_t bufLen, SStatusReq *pReq) { if (tDecodeCStrTo(&decoder, pReq->clusterCfg.locale) < 0) return -1; if (tDecodeCStrTo(&decoder, pReq->clusterCfg.charset) < 0) return -1; if (tDecodeI8(&decoder, &pReq->clusterCfg.enableWhiteList) < 0) return -1; + if (tDecodeI8(&decoder, &pReq->clusterCfg.encryptionKeyStat) < 0) return -1; // vnode loads int32_t vlen = 0; @@ -3025,7 +3027,8 @@ int32_t tSerializeSCreateDbReq(void *buf, int32_t bufLen, SCreateDbReq *pReq) { ENCODESQL(); - if (tEncodeI32(&encoder, pReq->withArbitrator) < 0) return -1; + if (tEncodeI8(&encoder, pReq->withArbitrator) < 0) return -1; + if (tEncodeI8(&encoder, pReq->encryptAlgorithm) < 0) return -1; tEndEncode(&encoder); @@ -3097,8 +3100,10 @@ int32_t tDeserializeSCreateDbReq(void *buf, int32_t bufLen, SCreateDbReq *pReq) DECODESQL(); pReq->withArbitrator = TSDB_DEFAULT_DB_WITH_ARBITRATOR; + pReq->encryptAlgorithm = TSDB_DEFAULT_ENCRYPT_ALGO; if (!tDecodeIsEnd(&decoder)) { if (tDecodeI8(&decoder, &pReq->withArbitrator) < 0) return -1; + if (tDecodeI8(&decoder, &pReq->encryptAlgorithm) < 0) return -1; } tEndDecode(&decoder); @@ -3982,6 +3987,7 @@ int32_t tSerializeSDbCfgRspImpl(SEncoder *encoder, const SDbCfgRsp *pRsp) { if (tEncodeI16(encoder, pRsp->sstTrigger) < 0) return -1; if (tEncodeI32(encoder, pRsp->keepTimeOffset) < 0) return -1; if (tEncodeI8(encoder, pRsp->withArbitrator) < 0) return -1; + if (tEncodeI8(encoder, pRsp->encryptAlgorithm) < 0) return -1; return 0; } @@ -4055,8 +4061,10 @@ int32_t tDeserializeSDbCfgRspImpl(SDecoder *decoder, SDbCfgRsp *pRsp) { if (tDecodeI32(decoder, &pRsp->keepTimeOffset) < 0) return -1; } pRsp->withArbitrator = TSDB_DEFAULT_DB_WITH_ARBITRATOR; + pRsp->encryptAlgorithm = TSDB_DEFAULT_ENCRYPT_ALGO; if (!tDecodeIsEnd(decoder)) { if (tDecodeI8(decoder, &pRsp->withArbitrator) < 0) return -1; + if (tDecodeI8(decoder, &pRsp->encryptAlgorithm) < 0) return -1; } return 0; diff --git a/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c b/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c index 393db84e18..c67c4adbbb 100644 --- a/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c +++ b/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c @@ -113,6 +113,7 @@ void dmSendStatusReq(SDnodeMgmt *pMgmt) { req.clusterCfg.checkTime = 0; req.clusterCfg.ttlChangeOnWrite = tsTtlChangeOnWrite; req.clusterCfg.enableWhiteList = tsEnableWhiteList ? 1 : 0; + req.clusterCfg.encryptionKeyStat = tsEncryptionKeyStat; // ENCRYPT_TODO char timestr[32] = "1970-01-01 00:00:00.00"; (void)taosParseTime(timestr, &req.clusterCfg.checkTime, (int32_t)strlen(timestr), TSDB_TIME_PRECISION_MILLI, 0); memcpy(req.clusterCfg.timezone, tsTimezoneStr, TD_TIMEZONE_LEN); diff --git a/source/dnode/mnode/impl/inc/mndDef.h b/source/dnode/mnode/impl/inc/mndDef.h index a63157445b..7389cde27c 100644 --- a/source/dnode/mnode/impl/inc/mndDef.h +++ b/source/dnode/mnode/impl/inc/mndDef.h @@ -141,6 +141,7 @@ typedef enum { DND_REASON_CHARSET_NOT_MATCH, DND_REASON_TTL_CHANGE_ON_WRITE_NOT_MATCH, DND_REASON_ENABLE_WHITELIST_NOT_MATCH, + DND_REASON_ENCRYPTION_KEY_NOT_MATCH, DND_REASON_OTHERS } EDndReason; @@ -214,6 +215,7 @@ typedef struct { int64_t memAvail; int64_t memUsed; EDndReason offlineReason; + int8_t encryptionKeyStat; uint16_t port; char fqdn[TSDB_FQDN_LEN]; char ep[TSDB_EP_LEN]; @@ -379,6 +381,7 @@ typedef struct { int64_t walRetentionSize; int64_t walSegmentSize; int8_t withArbitrator; + int8_t encryptAlgorithm; } SDbCfg; typedef struct { diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c index 527105a7b8..a6027aae2e 100644 --- a/source/dnode/mnode/impl/src/mndDb.c +++ b/source/dnode/mnode/impl/src/mndDb.c @@ -36,7 +36,7 @@ #include "tjson.h" #define DB_VER_NUMBER 1 -#define DB_RESERVE_SIZE 41 +#define DB_RESERVE_SIZE 40 static SSdbRow *mndDbActionDecode(SSdbRaw *pRaw); static int32_t mndDbActionInsert(SSdb *pSdb, SDbObj *pDb); @@ -141,6 +141,7 @@ SSdbRaw *mndDbActionEncode(SDbObj *pDb) { SDB_SET_INT64(pRaw, dataPos, pDb->compactStartTime, _OVER) SDB_SET_INT32(pRaw, dataPos, pDb->cfg.keepTimeOffset, _OVER) SDB_SET_INT8(pRaw, dataPos, pDb->cfg.withArbitrator, _OVER) + SDB_SET_INT8(pRaw, dataPos, pDb->cfg.encryptAlgorithm, _OVER) SDB_SET_RESERVE(pRaw, dataPos, DB_RESERVE_SIZE, _OVER) SDB_SET_DATALEN(pRaw, dataPos, _OVER) @@ -233,6 +234,7 @@ static SSdbRow *mndDbActionDecode(SSdbRaw *pRaw) { SDB_GET_INT64(pRaw, dataPos, &pDb->compactStartTime, _OVER) SDB_GET_INT32(pRaw, dataPos, &pDb->cfg.keepTimeOffset, _OVER) SDB_GET_INT8(pRaw, dataPos, &pDb->cfg.withArbitrator, _OVER) + SDB_GET_INT8(pRaw, dataPos, &pDb->cfg.encryptAlgorithm, _OVER) SDB_GET_RESERVE(pRaw, dataPos, DB_RESERVE_SIZE, _OVER) taosInitRWLatch(&pDb->lock); @@ -399,9 +401,12 @@ static int32_t mndCheckDbCfg(SMnode *pMnode, SDbCfg *pCfg) { if (pCfg->replications < TSDB_MIN_DB_REPLICA || pCfg->replications > TSDB_MAX_DB_REPLICA) return -1; #ifdef TD_ENTERPRISE if ((pCfg->replications == 2) ^ (pCfg->withArbitrator == TSDB_MAX_DB_WITH_ARBITRATOR)) return -1; + if (pCfg->encryptAlgorithm < TSDB_MIN_ENCRYPT_ALGO || pCfg->encryptAlgorithm > TSDB_MAX_ENCRYPT_ALGO) return -1; #else if (pCfg->replications != 1 && pCfg->replications != 3) return -1; + if (pCfg->encryptAlgorithm != TSDB_DEFAULT_ENCRYPT_ALGO) return -1; #endif + if (pCfg->strict < TSDB_DB_STRICT_OFF || pCfg->strict > TSDB_DB_STRICT_ON) return -1; if (pCfg->schemaless < TSDB_DB_SCHEMALESS_OFF || pCfg->schemaless > TSDB_DB_SCHEMALESS_ON) return -1; if (pCfg->cacheLast < TSDB_CACHE_MODEL_NONE || pCfg->cacheLast > TSDB_CACHE_MODEL_BOTH) return -1; @@ -681,6 +686,7 @@ static int32_t mndCreateDb(SMnode *pMnode, SRpcMsg *pReq, SCreateDbReq *pCreate, .hashSuffix = pCreate->hashSuffix, .tsdbPageSize = pCreate->tsdbPageSize, .withArbitrator = pCreate->withArbitrator, + .encryptAlgorithm = pCreate->encryptAlgorithm, }; dbObj.cfg.numOfRetensions = pCreate->numOfRetensions; @@ -766,6 +772,32 @@ static void mndBuildAuditDetailInt64(char *detail, char *tmp, char *format, int6 } } +static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { + int32_t code = 0; + SSdb *pSdb = pMnode->pSdb; + SDnodeObj *pDnode = NULL; + void *pIter = NULL; + + if (pReq->encryptAlgorithm == TSDB_ENCRYPT_ALGO_NONE) goto _exit; + if (tsEncryptionKeyStat != ENCRYPT_KEY_STAT_LOADED) { + code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY; + goto _exit; + } + + int64_t curMs = taosGetTimestampMs(); + while ((pIter = sdbFetch(pSdb, SDB_DNODE, pIter, (void **)&pDnode))) { + bool online = false; + if (pDnode->encryptionKeyStat != tsEncryptionKeyStat && (online = mndIsDnodeOnline(pDnode, curMs))) { + code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY; + sdbRelease(pSdb, pDnode); + break; + } + sdbRelease(pSdb, pDnode); + } +_exit: + return code; +} + static int32_t mndProcessCreateDbReq(SRpcMsg *pReq) { SMnode *pMnode = pReq->info.node; int32_t code = -1; @@ -816,6 +848,11 @@ static int32_t mndProcessCreateDbReq(SRpcMsg *pReq) { } } + if ((code = mndCheckDbEncryptKey(pMnode, &createReq)) != 0) { + terrno = code; + goto _OVER; + } + pUser = mndAcquireUser(pMnode, pReq->info.conn.user); if (pUser == NULL) { goto _OVER; @@ -1152,6 +1189,7 @@ static void mndDumpDbCfgInfo(SDbCfgRsp *cfgRsp, SDbObj *pDb) { cfgRsp->schemaless = pDb->cfg.schemaless; cfgRsp->sstTrigger = pDb->cfg.sstTrigger; cfgRsp->withArbitrator = pDb->cfg.withArbitrator; + cfgRsp->encryptAlgorithm = pDb->cfg.encryptAlgorithm; } static int32_t mndProcessGetDbCfgReq(SRpcMsg *pReq) { @@ -1890,6 +1928,18 @@ static const char *getCacheModelStr(int8_t cacheModel) { return "unknown"; } +static const char *getEncryptAlgorithmStr(int8_t encryptAlgorithm) { + switch (encryptAlgorithm) { + case TSDB_ENCRYPT_ALGO_NONE: + return TSDB_ENCRYPT_ALGO_NONE_STR; + case TSDB_ENCRYPT_ALGO_SM4: + return TSDB_ENCRYPT_ALGO_SM4_STR; + default: + break; + } + return "unknown"; +} + bool mndIsDbReady(SMnode *pMnode, SDbObj *pDb) { if (pDb->cfg.replications == 1) return true; @@ -2098,6 +2148,12 @@ static void mndDumpDbInfoData(SMnode *pMnode, SSDataBlock *pBlock, SDbObj *pDb, pColInfo = taosArrayGet(pBlock->pDataBlock, cols++); colDataSetVal(pColInfo, rows, (const char *)&pDb->cfg.withArbitrator, false); + + const char *encryptAlgorithmStr = getEncryptAlgorithmStr(pDb->cfg.encryptAlgorithm); + char encryptAlgorithmVStr[24] = {0}; + STR_WITH_MAXSIZE_TO_VARSTR(encryptAlgorithmVStr, encryptAlgorithmStr, 24); + pColInfo = taosArrayGet(pBlock->pDataBlock, cols++); + colDataSetVal(pColInfo, rows, (const char *)encryptAlgorithmVStr, false); } taosMemoryFree(buf); diff --git a/source/dnode/mnode/impl/src/mndDnode.c b/source/dnode/mnode/impl/src/mndDnode.c index 57c947eb81..6641ed6946 100644 --- a/source/dnode/mnode/impl/src/mndDnode.c +++ b/source/dnode/mnode/impl/src/mndDnode.c @@ -47,6 +47,8 @@ static const char *offlineReason[] = { "locale not match", "charset not match", "ttlChangeOnWrite not match", + "enableWhiteList not match", + "encryptionKey not match", "unknown", }; @@ -462,10 +464,16 @@ static int32_t mndCheckClusterCfgPara(SMnode *pMnode, SDnodeObj *pDnode, const S } int8_t enable = tsEnableWhiteList ? 1 : 0; if (pCfg->enableWhiteList != enable) { - mError("dnode:%d, enable :%d inconsistent with cluster:%d", pDnode->id, pCfg->enableWhiteList, enable); + mError("dnode:%d, enableWhiteList:%d inconsistent with cluster:%d", pDnode->id, pCfg->enableWhiteList, enable); return DND_REASON_ENABLE_WHITELIST_NOT_MATCH; } + if (pCfg->encryptionKeyStat != tsEncryptionKeyStat) { + mError("dnode:%d, encryptionKey:%d inconsistent with cluster:%d", pDnode->id, pCfg->encryptionKeyStat, + tsEncryptionKeyStat); + return DND_REASON_ENCRYPTION_KEY_NOT_MATCH; + } + return 0; } @@ -1550,7 +1558,7 @@ static int32_t mndRetrieveDnodes(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock *pB ESdbStatus objStatus = 0; SDnodeObj *pDnode = NULL; int64_t curMs = taosGetTimestampMs(); - char buf[TSDB_CONN_ACTIVE_KEY_LEN + VARSTR_HEADER_SIZE]; // make sure TSDB_CONN_ACTIVE_KEY_LEN >= TSDB_EP_LEN + char buf[TSDB_EP_LEN + VARSTR_HEADER_SIZE]; while (numOfRows < rows) { pShow->pIter = sdbFetchAll(pSdb, SDB_DNODE, pShow->pIter, (void **)&pDnode, &objStatus, true); diff --git a/source/dnode/mnode/impl/src/mndDump.c b/source/dnode/mnode/impl/src/mndDump.c index 00e72fb329..5561eea405 100644 --- a/source/dnode/mnode/impl/src/mndDump.c +++ b/source/dnode/mnode/impl/src/mndDump.c @@ -104,6 +104,7 @@ void dumpDb(SSdb *pSdb, SJson *json) { tjsonAddStringToObject(item, "maxRows", i642str(pObj->cfg.maxRows)); tjsonAddStringToObject(item, "precision", i642str(pObj->cfg.precision)); tjsonAddStringToObject(item, "compression", i642str(pObj->cfg.compression)); + tjsonAddStringToObject(item, "encryptAlgorithm", i642str(pObj->cfg.encryptAlgorithm)); tjsonAddStringToObject(item, "replications", i642str(pObj->cfg.replications)); tjsonAddStringToObject(item, "strict", i642str(pObj->cfg.strict)); tjsonAddStringToObject(item, "cacheLast", i642str(pObj->cfg.cacheLast)); diff --git a/source/dnode/vnode/inc/vnode.h b/source/dnode/vnode/inc/vnode.h index 8ae7e9706d..12df70f9cb 100644 --- a/source/dnode/vnode/inc/vnode.h +++ b/source/dnode/vnode/inc/vnode.h @@ -302,6 +302,7 @@ struct SVnodeCfg { int8_t isRsma; int8_t hashMethod; int8_t standby; + int8_t encryptAlgorithm; STsdbCfg tsdbCfg; SWalCfg walCfg; SSyncCfg syncCfg; diff --git a/source/dnode/vnode/src/vnd/vnodeCfg.c b/source/dnode/vnode/src/vnd/vnodeCfg.c index 07bfa6c719..775cdf4bb8 100644 --- a/source/dnode/vnode/src/vnd/vnodeCfg.c +++ b/source/dnode/vnode/src/vnd/vnodeCfg.c @@ -88,9 +88,10 @@ int vnodeEncodeConfig(const void *pObj, SJson *pJson) { if (tjsonAddIntegerToObject(pJson, "dbId", pCfg->dbId) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "szPage", pCfg->szPage) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "szCache", pCfg->szCache) < 0) return -1; + if (tjsonAddIntegerToObject(pJson, "szBuf", pCfg->szBuf) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "cacheLast", pCfg->cacheLast) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "cacheLastSize", pCfg->cacheLastSize) < 0) return -1; - if (tjsonAddIntegerToObject(pJson, "szBuf", pCfg->szBuf) < 0) return -1; + if (tjsonAddIntegerToObject(pJson, "encryptAlgorithm", pCfg->encryptAlgorithm) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "isHeap", pCfg->isHeap) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "isWeak", pCfg->isWeak) < 0) return -1; if (tjsonAddIntegerToObject(pJson, "isTsma", pCfg->isTsma) < 0) return -1; @@ -187,11 +188,13 @@ int vnodeDecodeConfig(const SJson *pJson, void *pObj) { if (code < 0) return -1; tjsonGetNumberValue(pJson, "szCache", pCfg->szCache, code); if (code < 0) return -1; + tjsonGetNumberValue(pJson, "szBuf", pCfg->szBuf, code); + if (code < 0) return -1; tjsonGetNumberValue(pJson, "cacheLast", pCfg->cacheLast, code); if (code < 0) return -1; tjsonGetNumberValue(pJson, "cacheLastSize", pCfg->cacheLastSize, code); if (code < 0) return -1; - tjsonGetNumberValue(pJson, "szBuf", pCfg->szBuf, code); + tjsonGetNumberValue(pJson, "encryptAlgorithm", pCfg->encryptAlgorithm, code); if (code < 0) return -1; tjsonGetNumberValue(pJson, "isHeap", pCfg->isHeap, code); if (code < 0) return -1; diff --git a/source/libs/command/src/command.c b/source/libs/command/src/command.c index c45a8931d2..3a8135a7fd 100644 --- a/source/libs/command/src/command.c +++ b/source/libs/command/src/command.c @@ -262,6 +262,18 @@ static const char* cacheModelStr(int8_t cacheModel) { return TSDB_CACHE_MODEL_NONE_STR; } +static const char* encryptAlgorithmStr(int8_t encryptAlgorithm) { + switch (encryptAlgorithm) { + case TSDB_ENCRYPT_ALGO_NONE: + return TSDB_ENCRYPT_ALGO_NONE_STR; + case TSDB_ENCRYPT_ALGO_SM4: + return TSDB_ENCRYPT_ALGO_SM4_STR; + default: + break; + } + return TSDB_CACHE_MODEL_NONE_STR; +} + static void setCreateDBResultIntoDataBlock(SSDataBlock* pBlock, char* dbName, char* dbFName, SDbCfgInfo* pCfg) { blockDataEnsureCapacity(pBlock, 1); pBlock->info.rows = 1; @@ -307,12 +319,12 @@ static void setCreateDBResultIntoDataBlock(SSDataBlock* pBlock, char* dbName, ch "CREATE DATABASE `%s` BUFFER %d CACHESIZE %d CACHEMODEL '%s' COMP %d DURATION %dm " "WAL_FSYNC_PERIOD %d MAXROWS %d MINROWS %d STT_TRIGGER %d KEEP %dm,%dm,%dm PAGES %d PAGESIZE %d PRECISION '%s' REPLICA %d " "WAL_LEVEL %d VGROUPS %d SINGLE_STABLE %d TABLE_PREFIX %d TABLE_SUFFIX %d TSDB_PAGESIZE %d " - "WAL_RETENTION_PERIOD %d WAL_RETENTION_SIZE %" PRId64 " KEEP_TIME_OFFSET %d", + "WAL_RETENTION_PERIOD %d WAL_RETENTION_SIZE %" PRId64 " KEEP_TIME_OFFSET %d ENCRYPT_ALGORITHM '%s'", dbName, pCfg->buffer, pCfg->cacheSize, cacheModelStr(pCfg->cacheLast), pCfg->compression, pCfg->daysPerFile, pCfg->walFsyncPeriod, pCfg->maxRows, pCfg->minRows, pCfg->sstTrigger, pCfg->daysToKeep0, pCfg->daysToKeep1, pCfg->daysToKeep2, pCfg->pages, pCfg->pageSize, prec, pCfg->replications, pCfg->walLevel, pCfg->numOfVgroups, 1 == pCfg->numOfStables, hashPrefix, pCfg->hashSuffix, pCfg->tsdbPageSize, pCfg->walRetentionPeriod, pCfg->walRetentionSize, - pCfg->keepTimeOffset); + pCfg->keepTimeOffset, encryptAlgorithmStr(pCfg->encryptAlgorithm)); if (retentions) { len += sprintf(buf2 + VARSTR_HEADER_SIZE + len, " RETENTIONS %s", retentions); diff --git a/source/libs/parser/src/parAstCreater.c b/source/libs/parser/src/parAstCreater.c index 1be4df131b..44d474d9b4 100644 --- a/source/libs/parser/src/parAstCreater.c +++ b/source/libs/parser/src/parAstCreater.c @@ -1264,6 +1264,7 @@ SNode* createDefaultDatabaseOptions(SAstCreateContext* pCxt) { pOptions->tablePrefix = TSDB_DEFAULT_HASH_PREFIX; pOptions->tableSuffix = TSDB_DEFAULT_HASH_SUFFIX; pOptions->withArbitrator = TSDB_DEFAULT_DB_WITH_ARBITRATOR; + pOptions->encryptAlgorithm = TSDB_DEFAULT_ENCRYPT_ALGO; return (SNode*)pOptions; } diff --git a/source/libs/parser/src/parTranslater.c b/source/libs/parser/src/parTranslater.c index 329bd620b3..ea4e91f3e7 100644 --- a/source/libs/parser/src/parTranslater.c +++ b/source/libs/parser/src/parTranslater.c @@ -5152,6 +5152,7 @@ static int32_t buildCreateDbReq(STranslateContext* pCxt, SCreateDatabaseStmt* pS pReq->keepTimeOffset = pStmt->pOptions->keepTimeOffset; pReq->ignoreExist = pStmt->ignoreExists; pReq->withArbitrator = pStmt->pOptions->withArbitrator; + pReq->encryptAlgorithm = pStmt->pOptions->encryptAlgorithm; return buildCreateDbRetentions(pStmt->pOptions->pRetentions, pReq); } @@ -5285,12 +5286,13 @@ static int32_t checkDbEncryptAlgorithmOption(STranslateContext* pCxt, SDatabaseO if (0 == strcasecmp(pOptions->encryptAlgorithmStr, TSDB_ENCRYPT_ALGO_NONE_STR)) { pOptions->encryptAlgorithm = TSDB_ENCRYPT_ALGO_NONE; } else if (0 == strcasecmp(pOptions->encryptAlgorithmStr, TSDB_ENCRYPT_ALGO_SM4_STR)) { - pOptions->cacheModel = TSDB_CACHE_MODEL_LAST_ROW; + pOptions->encryptAlgorithm = TSDB_ENCRYPT_ALGO_SM4; } else { return generateSyntaxErrMsgExt(&pCxt->msgBuf, TSDB_CODE_PAR_INVALID_DB_OPTION, - "Invalid option encryptAlgorithm: %s", pOptions->encryptAlgorithmStr); + "Invalid option encrypt_algorithm: %s", pOptions->encryptAlgorithmStr); } } + return TSDB_CODE_SUCCESS; } @@ -5571,6 +5573,10 @@ static int32_t checkDatabaseOptions(STranslateContext* pCxt, const char* pDbName code = checkDbEnumOption(pCxt, "withArbitrator", pOptions->withArbitrator, TSDB_MIN_DB_WITH_ARBITRATOR, TSDB_MAX_DB_WITH_ARBITRATOR); } + if (TSDB_CODE_SUCCESS == code) { + code = checkDbEnumOption(pCxt, "encryptionAlgorithm", pOptions->encryptAlgorithm, TSDB_MIN_ENCRYPT_ALGO, + TSDB_MAX_ENCRYPT_ALGO); + } if (TSDB_CODE_SUCCESS == code) { code = checkDbTbPrefixSuffixOptions(pCxt, pOptions->tablePrefix, pOptions->tableSuffix); } diff --git a/source/util/src/terror.c b/source/util/src/terror.c index 8723f227dd..95646eb2d4 100644 --- a/source/util/src/terror.c +++ b/source/util/src/terror.c @@ -243,6 +243,9 @@ TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_OPTION_UNCHANGED, "Database options not TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_INDEX_NOT_EXIST, "Index not exist") TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_SYS_TABLENAME, "Invalid system table name") TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_IN_CREATING, "Database in creating status") +TAOS_DEFINE_ERROR(TSDB_CODE_MND_INCONSIST_ENCRYPT_KEY, "Inconsistent encryption key") +TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_ENCRYPT_KEY, "The cluster has not been set properly for database encryption") + // mnode-node TAOS_DEFINE_ERROR(TSDB_CODE_MND_MNODE_ALREADY_EXIST, "Mnode already exists")