
PG-1663 Make sure indexes on paritioned tables are encrypted #435


Merged
merged 1 commit into from
Jun 17, 2025
46 changes: 46 additions & 0 deletions contrib/pg_tde/expected/partition_table.out
Expand Up @@ -161,4 +161,50 @@ SELECT pg_tde_is_encrypted('partition_child_tde_heap');

DROP TABLE partition_parent;
RESET pg_tde.enforce_encryption;
-- Partitioned indexes should be encrypted
CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING tde_heap;
CREATE INDEX ON partition_parent (a);
SELECT pg_tde_is_encrypted('partition_parent_a_idx'); -- Also check that the parent index is NULL
pg_tde_is_encrypted
---------------------

(1 row)

SELECT pg_tde_is_encrypted('partition_child_a_idx');
pg_tde_is_encrypted
---------------------
t
(1 row)

DROP TABLE partition_parent;
-- Partitioned indexes should be not encrypted with heap
CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
CREATE INDEX ON partition_parent (a);
SELECT pg_tde_is_encrypted('partition_child_a_idx');
pg_tde_is_encrypted
---------------------
f
(1 row)

DROP TABLE partition_parent;
-- We refuse to create an index when the inheritance heirarchy has mixed statuses
CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
CREATE TABLE partition_child_heap PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
CREATE TABLE partition_child_tde_heap PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
CREATE INDEX ON partition_parent (a);
ERROR: Recursive CREATE INDEX on a mix of encrypted and unencrypted relations is not supported
DROP TABLE partition_parent;
-- Index should also be encrypted for new partitionins
Collaborator


What happens if it ends up with mixed encrypted/non encrypted with the additional partition?

Collaborator Author


Things will just work, since when adding a partition the index's status will be based on the added partition's status; that is not recursive DDL.

CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
CREATE INDEX ON partition_parent (a);
CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
SELECT pg_tde_is_encrypted('partition_child_a_idx');
pg_tde_is_encrypted
---------------------
t
(1 row)

DROP TABLE partition_parent;
DROP EXTENSION pg_tde;
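--- a/contrib/pg_tde/sql/partition_table.sql
+++ b/contrib/pg_tde/sql/partition_table.sql
@@ -80,4 +80,33 @@ SELECT pg_tde_is_encrypted('partition_child_tde_heap');
 DROP TABLE partition_parent;
 RESET pg_tde.enforce_encryption;
 
+-- Partitioned indexes should be encrypted
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING tde_heap;
+CREATE INDEX ON partition_parent (a);
+SELECT pg_tde_is_encrypted('partition_parent_a_idx'); -- Also check that the parent index is NULL
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+DROP TABLE partition_parent;
+
+-- Partitioned indexes should be not encrypted with heap
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
+CREATE INDEX ON partition_parent (a);
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+DROP TABLE partition_parent;
+
+-- We refuse to create an index when the inheritance heirarchy has mixed statuses
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE TABLE partition_child_heap PARTITION OF partition_parent FOR VALUES FROM (0) TO (9) USING heap;
+CREATE TABLE partition_child_tde_heap PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
+CREATE INDEX ON partition_parent (a);
+DROP TABLE partition_parent;
+
+-- Index should also be encrypted for new partitionins
+CREATE TABLE partition_parent (a int) PARTITION BY RANGE (a);
+CREATE INDEX ON partition_parent (a);
+CREATE TABLE partition_child PARTITION OF partition_parent FOR VALUES FROM (10) TO (19) USING tde_heap;
+SELECT pg_tde_is_encrypted('partition_child_a_idx');
+DROP TABLE partition_parent;
+
 DROP EXTENSION pg_tde;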
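Review bot: The mixed-hierarchy case pins only the refusal of the recursive form; nothing exercises the non-recursive route that the wording of the error message implies is the alternative. A follow-up in the same block, before its `DROP TABLE`, would show whether an encrypted partition still gets an encrypted index when the hierarchy is mixed: `CREATE INDEX ON ONLY partition_parent (a);`, then `CREATE INDEX ON partition_child_tde_heap (a);` and `SELECT pg_tde_is_encrypted('partition_child_tde_heap_a_idx');`. Whether the event trigger treats `ON ONLY` differently from the recursive form is not visible from this file, so the expected output has to come from running it.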
21 changes: 11 additions & 10 deletions contrib/pg_tde/src/pg_tde_event_capture.c
Expand Up @@ -258,21 +258,22 @@ pg_tde_ddl_command_start_capture(PG_FUNCTION_ARGS)
if (IsA(parsetree, IndexStmt))
{
IndexStmt *stmt = castNode(IndexStmt, parsetree);
Relation rel;
TdeDdlEvent event = {.parsetree = parsetree};
EncryptionMix encmix;
Oid relid = RangeVarGetRelid(stmt->relation, AccessShareLock, false);

rel = table_openrv(stmt->relation, AccessShareLock);
encmix = alter_table_encryption_mix(relid);

if (rel->rd_rel->relam == get_tde_table_am_oid())
{
if (encmix == ENC_MIX_ENCRYPTED)
event.encryptMode = TDE_ENCRYPT_MODE_ENCRYPT;
checkPrincipalKeyConfigured();
}
else
else if (encmix == ENC_MIX_PLAIN)
event.encryptMode = TDE_ENCRYPT_MODE_PLAIN;

/* Hold on to lock until end of transaction */
table_close(rel, NoLock);
else if (encmix == ENC_MIX_UNKNOWN)
event.encryptMode = TDE_ENCRYPT_MODE_RETAIN;
else
ereport(ERROR,
errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("Recursive CREATE INDEX on a mix of encrypted and unencrypted relations is not supported"));

push_event_stack(&event);
}
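Review bot: The `ENC_MIX_UNKNOWN` branch sets `TDE_ENCRYPT_MODE_RETAIN` with no comment saying when the mix is unknown or what "retain" means for an index that does not exist yet; since this branch decides whether index pages end up encrypted, it deserves a line of explanation. Judging from the added regression case that indexes a parent with no partitions, this is presumably the empty-hierarchy case, so a comment such as `/* no leaf relations yet; each partition's index follows its own table when it is created */` above the branch would do, to be confirmed against `alter_table_encryption_mix()`, which is not visible here. The rendered page has lost its +/- markers, but the brace-less new `if` implies that the `checkPrincipalKeyConfigured()` call is gone from the encrypted path; if so, a short comment on why an already encrypted relation guarantees a configured key would help the next reader. The body of pg_tde_ddl_command_start_capture starts and ends outside this hunk.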