Bug #92757 keyring migration is not printing proper message if migration is successful.
Submitted: 12 Oct 2018 5:23
Modified: 20 Oct 2018 16:55
Reporter: Ramesh Sivaraman
Status: Closed
Category: MySQL Server: Security: Encryption
Severity: S3 (Non-critical)
Version: 8.0.12
OS: Ubuntu
Assigned to:
CPU Architecture: Any

[12 Oct 2018 5:23] Ramesh Sivaraman
Description:
Keyring migration is not printing a proper message if migration is successful in MySQL 8.0. (With version 5.7 we can see a proper migration successful message.)

ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$ sudo /qa/ms8/ms8012/bin/mysqld --defaults-file=/qa/ms8/mysql-8.0.12/my.cnf      --keyring-migration-source=keyring_file.so     --keyring-migration-destination=keyring_encrypted_file.so     --keyring_encrypted_file_password=password --user=root &
[1] 19416
ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$ 2018-10-11T12:01:03.422750Z 0 [System] [MY-010116] [Server] /qa/ms8/ms8012/bin/mysqld (mysqld 8.0.12-debug) starting as process 19417
2018-10-11T12:01:03.425452Z 0 [Warning] [MY-010091] [Server] Can't create test file /qa/ms8/mysql-8.0.12/copy_mig/qaserver-06.lower-test
2018-10-11T12:01:03.425467Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /qa/ms8/mysql-8.0.12/copy_mig/ is case insensitive
2018-10-11T12:01:03.428953Z 0 [System] [MY-010910] [Server] /qa/ms8/ms8012/bin/mysqld: Shutdown complete (mysqld 8.0.12-debug)  MySQL Community Server (GPL).

[1]+  Done                    sudo /qa/ms8/ms8012/bin/mysqld --defaults-file=/qa/ms8/mysql-8.0.12/my.cnf --keyring-migration-source=keyring_file.so --keyring-migration-destination=keyring_encrypted_file.so --keyring_encrypted_file_password=password --user=root
ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$

If there is an ERROR in migration, it will print that info:

ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$ /qa/ms8/ms8012/bin/mysqld --defaults-file=/qa/ms8/mysql-8.0.12/my.cnf  \
>     --keyring-migration-source=keyring_file.so \
>     --keyring-migration-destination=keyring_encrypted_file.so \
>     --keyring_encrypted_file_password=password &
[1] 19405
ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$ 2018-10-11T12:00:28.814114Z 0 [System] [MY-010116] [Server] /qa/ms8/ms8012/bin/mysqld (mysqld 8.0.12-debug) starting as process 19405
2018-10-11T12:00:28.816856Z 0 [Warning] [MY-010091] [Server] Can't create test file /qa/ms8/mysql-8.0.12/copy_mig/qaserver-06.lower-test
2018-10-11T12:00:28.816873Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /qa/ms8/mysql-8.0.12/copy_mig/ is case insensitive
2018-10-11T12:00:28.818736Z 0 [ERROR] [MY-011370] [Server] Plugin keyring_encrypted_file reported: 'File '/usr/local/mysql/keyring/keyring_encrypted' not found (OS errno 13 - Permission denied)'
2018-10-11T12:00:28.818750Z 0 [ERROR] [MY-011412] [Server] Plugin keyring_encrypted_file reported: 'keyring_encrypted_file initialization failure. Please check if the keyring_encrypted_file_data points to readable keyring file or keyring file can be created in the specified location or password to decrypt keyring file is correct.'
2018-10-11T12:00:28.830627Z 0 [ERROR] [MY-013106] [Server] Can not perform keyring migration : Storing key (INNODBKey-9741bdb6-cd49-11e8-8eaf-002590e9b458-1) into destination plugin failed..
2018-10-11T12:00:28.830661Z 0 [ERROR] [MY-011084] [Server] Keyring migration failed.
2018-10-11T12:00:28.830691Z 0 [ERROR] [MY-010119] [Server] Aborting
2018-10-11T12:00:28.832859Z 0 [System] [MY-010910] [Server] /qa/ms8/ms8012/bin/mysqld: Shutdown complete (mysqld 8.0.12-debug)  MySQL Community Server (GPL).

[1]+  Exit 1                  /qa/ms8/ms8012/bin/mysqld --defaults-file=/qa/ms8/mysql-8.0.12/my.cnf --keyring-migration-source=keyring_file.so --keyring-migration-destination=keyring_encrypted_file.so --keyring_encrypted_file_password=password
ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$ sudo /qa/ms8/ms8012/bin/mysqld --defaults-file=/qa/ms8/mysql-8.0.12/my.cnf      --keyring-migration-source=keyring_file.so     --keyring-migration-destination=keyring_encrypted_file.so     --keyring_encrypted_file_password=password &
[1] 19413
ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$

How to repeat:
1) Start the server with the keyring file plugin.
2) Create some encrypted tables.
3) Migrate the plugin from keyring_file to keyring_encrypted_file.
e.g.:
sudo /qa/ms8/ms8012/bin/mysqld --defaults-file=/qa/ms8/mysql-8.0.12/my.cnf      --keyring-migration-source=keyring_file.so     --keyring-migration-destination=keyring_encrypted_file.so     --keyring_encrypted_file_password=password --user=root &

[12 Oct 2018 9:40] MySQL Verification Team
Hello Ramesh,

Thank you for the report.

regards,
Umesh

[15 Oct 2018 7:36] Georgi Kodinov
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

It does print an *INFORMATION* message when done. But by default the server doesn't enable information messages, just error and warning ones.

Please try bumping https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_log_error_verb... to 3 and if you find it lacking please re-open the bug.

[15 Oct 2018 9:36] Ramesh Sivaraman
Even if I set log_error_verbosity to 3, the keyring installation success message is not printing.

8.0.12>show variables like '%log_error_verbosity%';
+---------------------+-------+
| Variable_name       | Value |
+---------------------+-------+
| log_error_verbosity | 3     |
+---------------------+-------+
1 row in set (0.02 sec)

8.0.12>

$ /qa/ps8/work/ps8012/bin/mysqld --defaults-file=/qa/ps8/work/ps8012/my.cnf     --keyring-migration-destination=keyring_file.so     --keyring_vault_config=/qa/ps8/vault/keyring_vault.cnf     --keyring-migration-source=keyring_vault.so     --keyring_file_data=/qa/ps8/work/ps8012/copy_mig/keyring &
[1] 17229
ramesh@qaserver-06:/qa/ps8/work/ps8012$ 2018-10-15T08:35:28.668544Z 0 [System] [MY-010116] [Server] /qa/ps8/work/ps8012/bin/mysqld (mysqld 8.0.12-1-debug) starting as process 17229
2018-10-15T08:35:28.808889Z 0 [System] [MY-010910] [Server] /qa/ps8/work/ps8012/bin/mysqld: Shutdown complete (mysqld 8.0.12-1-debug)  MySQL Community Server (GPL).

[1]+  Done                    /qa/ps8/work/ps8012/bin/mysqld --defaults-file=/qa/ps8/work/ps8012/my.cnf --keyring-migration-destination=keyring_file.so --keyring_vault_config=/qa/ps8/vault/keyring_vault.cnf --keyring-migration-source=keyring_vault.so --keyring_file_data=/qa/ps8/work/ps8012/copy_mig/keyring
$

Reopening the bug

[15 Oct 2018 15:42] Georgi Kodinov
This is a Percona Server, it seems: it uses keyring_vault as a source.
Can you please retry with a vanilla MySQL and one of the MySQL keyring backends?

[20 Oct 2018 16:55] Ramesh Sivaraman
Looks good with vanilla MySQL. With Percona Server I haven't added the option `log_error_verbosity=3` in the migrating cnf file.

ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$ 2018-10-20T16:54:17.604905Z 0 [Note] [MY-010098] [Server] --secure-file-priv is set to NULL. Operations related to importing and exporting data are disabled
2018-10-20T16:54:17.604964Z 0 [Note] [MY-010949] [Server] Basedir set to /qa/ms8/mysql-8.0.12/.
2018-10-20T16:54:17.604971Z 0 [System] [MY-010116] [Server] /qa/ms8/mysql-8.0.12/bin/mysqld (mysqld 8.0.12-commercial) starting as process 25999
2018-10-20T16:54:17.606810Z 0 [Warning] [MY-010091] [Server] Can't create test file /qa/ms8/mysql-8.0.12/copy_mig/qaserver-06.lower-test
2018-10-20T16:54:17.606818Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /qa/ms8/mysql-8.0.12/copy_mig/ is case insensitive
2018-10-20T16:54:17.608527Z 0 [Note] [MY-011085] [Server] Keyring migration successful.
2018-10-20T16:54:17.608586Z 0 [Note] [MY-010120] [Server] Binlog end
2018-10-20T16:54:17.608651Z 0 [Note] [MY-010733] [Server] Shutting down plugin 'keyring_file'
2018-10-20T16:54:17.608802Z 0 [Note] [MY-010733] [Server] Shutting down plugin 'keyring_encrypted_file'
2018-10-20T16:54:17.609933Z 0 [System] [MY-010910] [Server] /qa/ms8/mysql-8.0.12/bin/mysqld: Shutdown complete (mysqld 8.0.12-commercial)  MySQL Enterprise Server - Commercial.

[1]+  Done                    ./bin/mysqld --defaults-file=my.cnf --keyring-migration-source=keyring_encrypted_file.so --keyring_encrypted_file_data=/qa/ms8/mysql-8.0.12/data/keyring-encrypted --keyring_encrypted_file_password=test@123 --keyring-migration-destination=keyring_file.so --keyring-file-data=/qa/ms8/mysql-8.0.12/copy_mig/keyring
ramesh@qaserver-06:/qa/ms8/mysql-8.0.12$
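
Added example (not part of the bug thread and not MySQL's own tooling): a shell check that decides the outcome of a keyring migration run from the error-log codes quoted above, and flags the case from the original report where the log verbosity hides the success note. The function names are hypothetical, and treating the absence of any [Note] line as "verbosity below 3" is a heuristic assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Codes as quoted in the logs above:
#   MY-011085 [Note]  Keyring migration successful.
#   MY-011084 [ERROR] Keyring migration failed.
#   MY-013106 [ERROR] reason the migration could not be performed

# Classify one migration run from its error-log text ($1).
classify_keyring_migration() {
    if printf '%s\n' "$1" | grep -qF '[MY-011084]'; then
        echo failed
    elif printf '%s\n' "$1" | grep -qF '[MY-011085]'; then
        echo success
    elif printf '%s\n' "$1" | grep -qF ' [Note] [MY-'; then
        # Notes are being logged but no outcome line is present.
        echo no-outcome
    else
        # Heuristic: no [Note] lines at all means the success message would
        # have been filtered too, so silence proves nothing.
        echo verbosity-too-low
    fi
}

# Print the message text of the MY-013106 line, if there is one.
migration_failure_reason() {
    printf '%s\n' "$1" | sed -n 's/^.*\[MY-013106] \[Server] //p'
}

# Sample input: log lines abridged from the three runs quoted in this thread.
QUIET_RUN='2018-10-11T12:01:03.422750Z 0 [System] [MY-010116] [Server] /qa/ms8/ms8012/bin/mysqld (mysqld 8.0.12-debug) starting as process 19417
2018-10-11T12:01:03.428953Z 0 [System] [MY-010910] [Server] /qa/ms8/ms8012/bin/mysqld: Shutdown complete (mysqld 8.0.12-debug)  MySQL Community Server (GPL).'
FAILED_RUN='2018-10-11T12:00:28.830627Z 0 [ERROR] [MY-013106] [Server] Can not perform keyring migration : Storing key (INNODBKey-9741bdb6-cd49-11e8-8eaf-002590e9b458-1) into destination plugin failed..
2018-10-11T12:00:28.830661Z 0 [ERROR] [MY-011084] [Server] Keyring migration failed.'
VERBOSE_RUN='2018-10-20T16:54:17.604964Z 0 [Note] [MY-010949] [Server] Basedir set to /qa/ms8/mysql-8.0.12/.
2018-10-20T16:54:17.608527Z 0 [Note] [MY-011085] [Server] Keyring migration successful.'

for run in "$QUIET_RUN" "$FAILED_RUN" "$VERBOSE_RUN"; do
    classify_keyring_migration "$run"
done
migration_failure_reason "$FAILED_RUN"
```

The process exit status is a second signal independent of log verbosity: in the thread the failed run ended with `Exit 1` and the successful ones with `Done`.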