Rechercher dans le manuel MySQL
6.4.4.5 Using the keyring_aws Amazon Web Services Keyring Plugin
The keyring_aws
plugin is an extension
included in MySQL Enterprise Edition, a commercial product. To learn more about
commercial products, see https://www.mysql.com/products/.
The keyring_aws
plugin is a keyring plugin
that communicates with the Amazon Web Services Key Management
Service (AWS KMS) as a back end for key generation and uses a
local file for key storage. All keyring material is generated
exclusively by the AWS server, not by
keyring_aws
.
keyring_aws
is available on these platforms:
Debian 8
EL7
macOS 10.13 and 10.14
SLES 12
Ubuntu 14.04 and 16.04
Windows
The discussion here assumes that you are familiar with AWS in general and KMS in particular. Some pertinent information sources:
The following sections provide configuration and usage
information for the keyring_aws
keyring
plugin:
keyring_aws Configuration
To install the keyring_aws
plugin, use the
general installation instructions found in
Section 6.4.4.1, “Keyring Plugin Installation”, together with the
plugin-specific configuration information found here.
The plugin library file contains the
keyring_aws
plugin and two user-defined
functions (UDFs),
keyring_aws_rotate_cmk()
and
keyring_aws_rotate_keys()
.
To configure keyring_aws
, you must obtain a
secret access key that provides credentials for communicating
with AWS KMS and write it to a configuration file:
Create an AWS KMS account.
Use AWS KMS to create a secret access key ID and secret access key. The access key serves to verify your identity and that of your applications.
Use the AWS KMS account to create a customer master key (CMK) ID. At MySQL startup, set the
keyring_aws_cmk_id
system variable to the CMK ID value. This variable is mandatory and there is no default. (Its value can be changed at runtime if desired usingSET GLOBAL
.)If necessary, create the directory in which the configuration file will be located. The directory should have a restrictive mode and be accessible only to the account used to run the MySQL server. For example, on Unix and Unix-like systems, to use
/usr/local/mysql/mysql-keyring/keyring_aws_conf
as the file name, the following commands (executed asroot
) create its parent directory and set the directory mode and ownership:shell> cd /usr/local/mysql shell> mkdir mysql-keyring shell> chmod 750 mysql-keyring shell> chown mysql mysql-keyring shell> chgrp mysql mysql-keyring
At MySQL startup, set the
keyring_aws_conf_file
system variable to/usr/local/mysql/mysql-keyring/keyring_aws_conf
to indicate the configuration file location to the server.Prepare the
keyring_aws
configuration file, which should contain two lines:Line 1: The secret access key ID
Line 2: The secret access key
For example, if the key ID is
wwwwwwwwwwwwwEXAMPLE
and the key isxxxxxxxxxxxxx/yyyyyyy/zzzzzzzzEXAMPLEKEY
, the configuration file looks like this:wwwwwwwwwwwwwEXAMPLE xxxxxxxxxxxxx/yyyyyyy/zzzzzzzzEXAMPLEKEY
To be usable during the server startup process,
keyring_aws
must be loaded using the
--early-plugin-load
option. The
keyring_aws_cmk_id
system
variable is mandatory and configures the customer master key
(CMK) ID obtained from the AWS KMS server. The
keyring_aws_conf_file
and
keyring_aws_data_file
system
variables optionally configure the locations of the files used
by the keyring_aws
plugin for configuration
information and data storage. The file location variable
default values are platform specific. To configure the
locations explicitly, set the variable values at startup. For
example, use these lines in the server
my.cnf
file (adjust the
.so
suffix and file locations for your
platform as necessary):
[mysqld]
early-plugin-load=keyring_aws.so
keyring_aws_cmk_id='arn:aws:kms:us-west-2:111122223333:key/abcd1234-ef56-ab12-cd34-ef56abcd1234'
keyring_aws_conf_file=/usr/local/mysql/mysql-keyring/keyring_aws_conf
keyring_aws_data_file=/usr/local/mysql/mysql-keyring/keyring_aws_data
For the keyring_aws
plugin to start
successfully, the configuration file must exist and contain
valid secret access key information, initialized as described
previously. The storage file need not exist. If it does not,
keyring_aws
attempts to create it (as well
as its parent directory, if necessary).
For additional information about the system variables used to
configure the keyring_aws
plugin, see
Section 6.4.4.11, “Keyring System Variables”.
Start the MySQL server and install the UDFs associated with
the keyring_aws
plugin. This is a one-time
operation, performed by executing the following statements
(adjust the .so
suffix for your platform
as necessary):
At plugin startup, the keyring_aws
plugin
reads the AWS secret access key ID and key from its
configuration file. It also reads any encrypted keys contained
in its storage file into its in-memory cache.
During operation, keyring_aws
maintains
encrypted keys in the in-memory cache and uses the storage
file as local persistent storage. Each keyring operation is
transactional: keyring_aws
either
successfully changes both the in-memory key cache and the
keyring storage file, or the operation fails and the keyring
state remains unchanged.
To ensure that keys are flushed only when the correct keyring
storage file exists, keyring_aws
stores a
SHA-256 checksum of the keyring in the file. Before updating
the file, the plugin verifies that it contains the expected
checksum.
The keyring_aws
plugin supports the
functions that comprise the standard keyring service
interface. Keyring operations performed by these functions are
accessible at two levels:
C interface: In C-language code, call the keyring service functions described in Section 29.3.2, “The Keyring Service”.
SQL interface: In SQL statements, call the user-defined functions (UDFs) described in Section 6.4.4.8, “General-Purpose Keyring Key-Management Functions”.
Example (using UDFs):
In addition, the
keyring_aws_rotate_cmk()
and
keyring_aws_rotate_keys()
UDFs
“extend” the keyring plugin interface to provide
AWS-related capabilities not covered by the standard keyring
service interface. These capabilities are accessible only by
calling the UDFs. There are no corresponding C-languge key
service functions.
The key types permitted by keyring_aws
are
described in Section 6.4.4.7, “Supported Keyring Key Types”.
Assuming that the keyring_aws
plugin has
initialized properly at server startup, it is possible to
change the credentials used for communicating with AWS KMS:
Use AWS KMS to create a new secret access key ID and secret access key.
Store the new credentials in the configuration file (the file named by the
keyring_aws_conf_file
system variable). The file format is as described previously.Reinitialize the
keyring_aws
plugin so that it rereads the configuration file. Assuming that the new credentials are valid, the plugin should initialize successfully.There are two ways to reinitialize the plugin:
Restart the server. This is simpler and has no side effects, but is not suitable for installations that require minimal server downtime with as few restarts as possible.
Reinitialize the plugin without restarting the server by executing the following statements (adjust the
.so
suffix for your platform as necessary):- UNINSTALL PLUGIN keyring_aws;
NoteIn addition to loading a plugin at runtime,
INSTALL PLUGIN
has the side effect of registering the plugin it in themysql.plugin
system table. Because of this, if you decide to stop usingkeyring_aws
, it is not sufficient to remove the--early-plugin-load
option from the set of options used to start the server. That stops the plugin from loading early, but the server still attempts to load it when it gets to the point in the startup sequence where it loads the plugins registered inmysql.plugin
.Consequently, if you execute the
UNINSTALL PLUGIN
plusINSTALL PLUGIN
sequence just described to change the AWS KMS credentials, then to stop usingkeyring_aws
, it is necessary to executeUNINSTALL PLUGIN
again to unregister the plugin in addition to removing the--early-plugin-load
option.
Nederlandse vertaling
U hebt gevraagd om deze site in het Nederlands te bezoeken. Voor nu wordt alleen de interface vertaald, maar nog niet alle inhoud.Als je me wilt helpen met vertalingen, is je bijdrage welkom. Het enige dat u hoeft te doen, is u op de site registreren en mij een bericht sturen waarin u wordt gevraagd om u toe te voegen aan de groep vertalers, zodat u de gewenste pagina's kunt vertalen. Een link onderaan elke vertaalde pagina geeft aan dat u de vertaler bent en heeft een link naar uw profiel.
Bij voorbaat dank.
Document heeft de 26/06/2006 gemaakt, de laatste keer de 26/10/2018 gewijzigd
Bron van het afgedrukte document:https://www.gaudry.be/nl/mysql-rf-keyring-aws-plugin.html
De infobrol is een persoonlijke site waarvan de inhoud uitsluitend mijn verantwoordelijkheid is. De tekst is beschikbaar onder CreativeCommons-licentie (BY-NC-SA). Meer info op de gebruiksvoorwaarden en de auteur.
Referenties
Deze verwijzingen en links verwijzen naar documenten die geraadpleegd zijn tijdens het schrijven van deze pagina, of die aanvullende informatie kunnen geven, maar de auteurs van deze bronnen kunnen niet verantwoordelijk worden gehouden voor de inhoud van deze pagina.
De auteur Deze site is als enige verantwoordelijk voor de manier waarop de verschillende concepten, en de vrijheden die met de referentiewerken worden genomen, hier worden gepresenteerd. Vergeet niet dat u meerdere broninformatie moet doorgeven om het risico op fouten te verkleinen.