debug: add encryption-status command. #28582
Merged
craig[bot] merged 1 commit into cockroachdb:master from Aug 14, 2018
Member
mberhault
commented
Aug 14, 2018
| return "plain"; | ||
| } | ||
| return fmt::StringPrintf("ID: %s, Type: %s, Source: %s", info.key_id().substr(0, 8).c_str(), | ||
| return fmt::StringPrintf("ID: %s, Type: %s, Source: %s", info.key_id().c_str(), |
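Review bot: on the added `fmt::StringPrintf` line, `info.key_id().c_str()` now puts the whole key ID into the log string where the removed line kept only `substr(0, 8)`, and nothing at the call site says why. If the key ID is safe to log in full, state that in a short comment above the call (for example that it is an identifier, not key material, and is printed in full to match the other displays) so the truncation is not reintroduced later. Any test or log matcher that expects the 8-character form should be updated in the same change.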
Contributor
Author
Switch to displaying the key ID in full in the logs. This was the only place it was done; the Admin UI shows full key IDs.
bdarnell
approved these changes
Aug 14, 2018
Contributor
bdarnell
left a comment
Reviewed 19 of 19 files at r1.
Reviewable status: complete! 0 of 0 LGTMs obtained
pkg/cli/debug.go, line 100 at r1 (raw file):
```
}
// OpenExistinStore opens the rocksdb engine rooted at 'dir'.
```
s/Existin/Existing/
When encryption is enabled, this outputs full key details and associated
files.
Shows the hierarchy of store keys, data keys, and files.
We do not currently show encryption progress as it requires opening
rocksdb in read/write mode. This will eventually be added.
For example, this is the output on a store that has had two different
store keys and multiple data keys:
```
$ ./cockroach debug encryption-status --enterprise-encryption=path=cockroach-data,key=keys/aes-192.key,old-key=keys/aes-128.key cockroach-data
[
  {
    "ID": "222430e9b9e6bdb54b66dcb4124778da6c284a9d47e6a1637e0b26d059e61a80",
    "Type": "AES128_CTR",
    "Created": "2018-06-19 09:59:38 -0400 EDT",
    "Source": "/store/cockroach/src/github.com/cockroachdb/cockroach/keys/aes-128.key",
    "DataKeys": [
      {
        "ID": "1cfd71ab16fdc332aea838ae70b7952f28bfd247fd9da8ebef03d9576f8b7d30",
        "Created": "2018-06-19 09:59:38 -0400 EDT",
        "Files": [
          "IDENTITY"
        ]
      }
    ]
  },
  {
    "ID": "dc8a5767b73746f69c9245fe01688c0f9b934adb2b592d2d199c4a85f6d72d93",
    "Active": true,
    "Type": "AES192_CTR",
    "Created": "2018-06-19 14:04:04 -0400 EDT",
    "Source": "/store/cockroach/src/github.com/cockroachdb/cockroach/keys/aes-192.key",
    "Files": [
      "COCKROACHDB_DATA_KEYS"
    ],
    "DataKeys": [
      {
        "ID": "72b1a1162dbcc934f3d6c275ca845c1bfb74e81c24d9779132017ad5defcb7de",
        "Created": "2018-06-19 14:04:04 -0400 EDT"
      },
      {
        "ID": "99f26acfaf9004ebcfc8f7fad8d06e54ab101d5b3c77a0b7f912f5b270884564",
        "Created": "2018-07-09 11:59:11 -0400 EDT"
      },
      {
        "ID": "123df81c7ad822168bf2e84502691c68a07bba5af52e66b7b33751306c4ac9a8",
        "Active": true,
        "Created": "2018-08-08 07:16:27 -0400 EDT",
        "Files": [
          "000166.log",
          "000169.sst",
          "CURRENT",
          "MANIFEST-000165",
          "OPTIONS-000165",
          "OPTIONS-000168"
        ]
      }
    ]
  }
]
```
And on a store running with just plaintext (still with encryption flag
passed):
```
$ ./cockroach debug encryption-status --enterprise-encryption=path=cockroach-data2,key=plain,old-key=plain cockroach-data2
[
  {
    "ID": "plain",
    "Active": true,
    "Type": "Plaintext",
    "Created": "2018-06-19 14:24:31 -0400 EDT",
    "Source": "plain",
    "Files": [
      "000109.log",
      "000112.sst",
      "CURRENT",
      "MANIFEST-000108",
      "OPTIONS-000108",
      "OPTIONS-000111"
    ],
    "DataKeys": [
      {
        "ID": "plain",
        "Active": true,
        "Exposed": true,
        "Created": "2018-06-19 14:24:31 -0400 EDT"
      }
    ]
  }
]
```
A store that does not even use the file registry will not output
anything (eg: a store without the `--enterprise-encryption` flag).
Release note (enterprise change): add encryption-status debug command to
display encryption key information.
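As an added example (not part of this PR or of CockroachDB's code), a small Go checker that reads the JSON shown above and reports files still attached to a non-active data key, plus data keys marked `Exposed` or sitting under a `Plaintext` store key. The field names come from the output above; the `auditStatus` name and the short sample input are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Field names match the JSON printed by `debug encryption-status` above.
type dataKey struct {
	ID              string
	Active, Exposed bool
	Files           []string
}

type storeKey struct {
	ID, Type string
	DataKeys []dataKey
}

// auditStatus reports files still attached to a non-active data key, and
// data keys that are marked Exposed or sit under a Plaintext store key.
func auditStatus(raw []byte) ([]string, error) {
	if len(bytes.TrimSpace(raw)) == 0 {
		return nil, nil // store without a file registry: nothing is printed
	}
	var keys []storeKey
	if err := json.Unmarshal(raw, &keys); err != nil {
		return nil, err
	}
	var findings []string
	for _, sk := range keys {
		for _, dk := range sk.DataKeys {
			if dk.Exposed || sk.Type == "Plaintext" {
				findings = append(findings, fmt.Sprintf("data key %s under store key %s is exposed or plaintext", dk.ID, sk.ID))
			}
			if !dk.Active {
				for _, f := range dk.Files {
					findings = append(findings, fmt.Sprintf("file %s still uses inactive data key %s", f, dk.ID))
				}
			}
		}
	}
	return findings, nil
}

// sample is constructed for this example (short IDs, same shape as the output above).
const sample = `[{"ID":"sk-old","Type":"AES128_CTR","DataKeys":[{"ID":"dk1","Files":["IDENTITY"]}]},{"ID":"sk-new","Active":true,"Type":"AES192_CTR","DataKeys":[{"ID":"dk2"},{"ID":"dk3","Active":true,"Files":["CURRENT"]}]}]`
func main() { fmt.Println(auditStatus([]byte(sample))) }
```

On the first real output above this would report `IDENTITY` under the inactive data key; on the plaintext store it would report the `plain` data key.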
21ad92f to d44e68e
mberhault
commented
Aug 14, 2018
Contributor
Author
mberhault
left a comment
Reviewable status:
complete! 0 of 0 LGTMs obtained
pkg/cli/debug.go, line 100 at r1 (raw file):
Previously, bdarnell (Ben Darnell) wrote…
s/Existin/Existing/
Done, as well as other lint errors.
Contributor
Author
bors r+
craig bot pushed a commit that referenced this pull request Aug 14, 2018
28582: debug: add encryption-status command. r=mberhault a=mberhault
Co-authored-by: marc <marc@cockroachlabs.com>
Contributor
Build succeeded