NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit3187ef7

committed

Revert "Add key management system" (978f869) & later commits

The patch needs test cases, reorganization, and cfbot testing.Technically reverts commits5c31afc..e35b2ba (exclusive/inclusive)and08db7c6..ccbe341.Reported-by: Tom Lane, Michael PaquierDiscussion:https://postgr.es/m/E1ktAAG-0002V2-VB@gemulon.postgresql.org

1 parentfacad31 commit3187ef7Copy full SHA for 3187ef7

File tree

62 files changed

+52

-3370

lines changed

doc/src/sgml
src
- backend
  - Makefile
  - access/transam
    - xlog.c
  - bootstrap
    - bootstrap.c
  - crypto
  - libpq
    - be-secure-common.c
  - main
    - main.c
  - postmaster
    - pgstat.c
    - postmaster.c
  - replication
    - basebackup.c
  - storage
    - ipc
      - ipci.c
    - lmgr
      - lwlocknames.txt
  - tcop
    - postgres.c
  - utils/misc
- bin
  - Makefile
  - initdb
    - initdb.c
  - pg_alterckey
  - pg_controldata
    - pg_controldata.c
  - pg_ctl
    - pg_ctl.c
  - pg_resetwal
    - pg_resetwal.c
  - pg_rewind
    - filemap.c
  - pg_upgrade
- common
- include
  - catalog
    - pg_control.h
  - common
    - cipher.h
    - kmgr_utils.h
  - crypto
    - kmgr.h
  - pgstat.h
  - postmaster
    - postmaster.h
  - utils
    - guc_tables.h
- tools/msvc
  - Mkvcbuild.pm

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

62 files changed

+52

-3370

lines changed

`‎doc/src/sgml/config.sgml`

Lines changed: 16 additions & 80 deletions

Original file line number	Diff line number	Diff line change
`@@ -1452,18 +1452,18 @@ include_dir 'conf.d'`
`1452`	`1452`	`mechanism is used.`
`1453`	`1453`	`</para>`
`1454`	`1454`	`<para>`
`1455`		`- The command must print the passphrase to the standard output`
`1456`		`-and exitwith code 0.It can prompt from the terminal if`
`1457`		`-<option>--authprompt</option> is used.In the parameter value,`
`1458`		`- <literal>%R</literal> represents the file descriptor number opened`
`1459`		`-to the terminal that started the server. Afile descriptor is only`
`1460`		`-available if enabled at server start. If <literal>%R</literal>`
`1461`		`- is used and no file descriptor is available, the server will not`
`1462`		`- start. Value <literal>%p</literal> is replaced by a pre-defined`
`1463`		`-prompt string. (Write <literal>%%</literal>for a literal`
`1464`		`-<literal>%</literal>.) Note that the prompt string will probably`
`1465`		`-contain whitespace, so be suretoquote its use adequately.`
`1466`		`-Newlines are stripped from the end of the output if present.`
	`1455`	`+ The command must print the passphrase to the standard output and exit`
	`1456`	`+ with code 0.In the parameter value, <literal>%p</literal> is`
	`1457`	`+replaced by a prompt string.(Write <literal>%%</literal> for a`
	`1458`	`+literal<literal>%</literal>.) Note that the prompt string will`
	`1459`	`+probably contain whitespace, so be sure to quote adequately. Asingle`
	`1460`	`+newline is stripped from the end of the output if present.`
	`1461`	`+</para>`
	`1462`	`+<para>`
	`1463`	`+The command does not actually have to prompt the userfor a`
	`1464`	`+passphrase. It can read it from a file, obtain it from a keychain`
	`1465`	`+facility, or similar. It is uptothe user to make sure the chosen`
	`1466`	`+mechanism is adequately secure.`
`1467`	`1467`	`</para>`
`1468`	`1468`	`<para>`
`1469`	`1469`	`This parameter can only be set in the <filename>postgresql.conf</filename>`
`@@ -1486,12 +1486,10 @@ include_dir 'conf.d'`
`1486`	`1486`	`parameter is off (the default), then`
`1487`	`1487`	`<varname>ssl_passphrase_command</varname> will be ignored during a`
`1488`	`1488`	`reload and the SSL configuration will not be reloaded if a passphrase`
`1489`		`- is needed. This setting is appropriate for a command that requires a`
`1490`		`- terminal for prompting, which will likely not be available when the server is`
`1491`		`- running. (<option>--authprompt</option> closes the terminal file`
`1492`		`- descriptor soon after server start.) Setting this parameter on`
`1493`		`- might be appropriate, for example, if the passphrase is obtained`
`1494`		`- from a file.`
	`1489`	`+ is needed. That setting is appropriate for a command that requires a`
	`1490`	`+ TTY for prompting, which might not be available when the server is`
	`1491`	`+ running. Setting this parameter to on might be appropriate if the`
	`1492`	`+ passphrase is obtained from a file, for example.`
`1495`	`1493`	`</para>`
`1496`	`1494`	`<para>`
`1497`	`1495`	`This parameter can only be set in the <filename>postgresql.conf</filename>`
`@@ -7818,52 +7816,6 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;`
`7818`	`7816`	`</variablelist>`
`7819`	`7817`	`</sect1>`
`7820`	`7818`
`7821`		`- <sect1 id="runtime-config-encryption">`
`7822`		`- <title>Cluster File Encryption</title>`
`7823`		`-`
`7824`		`- <variablelist>`
`7825`		`- <varlistentry id="guc-cluster-key-command" xreflabel="cluster_key_command">`
`7826`		`- <term><varname>cluster_key_command</varname> (<type>string</type>)`
`7827`		`- <indexterm>`
`7828`		`- <primary><varname>cluster_key_command</varname> configuration parameter</primary>`
`7829`		`- </indexterm>`
`7830`		`- </term>`
`7831`		`- <listitem>`
`7832`		`- <para>`
`7833`		`- This option specifies an external command to obtain the cluster-level`
`7834`		`- key for cluster file encryption during server initialization and`
`7835`		`- server start.`
`7836`		`- </para>`
`7837`		`- <para>`
`7838`		`- The command must print the cluster key to the standard output as`
`7839`		`- 64 hexadecimal characters, and exit with code 0. The command`
`7840`		`- can prompt for the passphrase or PIN from the terminal if`
`7841`		`- <option>--authprompt</option> is used. In the parameter value,`
`7842`		`- <literal>%R</literal> represents the file descriptor number opened`
`7843`		`- to the terminal that started the server. A file descriptor is only`
`7844`		`- available if enabled at server start. If <literal>%R</literal>`
`7845`		`- is used and no file descriptor is available, the server will not`
`7846`		`- start. Value <literal>%p</literal> is replaced by a pre-defined`
`7847`		`- prompt string. Value <literal>%d</literal> is replaced by the`
`7848`		`- directory containing the keys; this is useful if the command`
`7849`		`- must create files with the keys, e.g., to store a cluster-level`
`7850`		`- key encryped by a key stored in a hardware security module.`
`7851`		`- (Write <literal>%%</literal> for a literal <literal>%</literal>.)`
`7852`		`- Note that the prompt string will probably contain whitespace,`
`7853`		`- so be sure to quote its use adequately. Newlines are stripped`
`7854`		`- from the end of the output if present.`
`7855`		`- </para>`
`7856`		`- <para>`
`7857`		`- This parameter can only be set by`
`7858`		`- <application>initdb</application>, in the`
`7859`		`- <filename>postgresql.conf</filename> file, or on the server`
`7860`		`- command line.`
`7861`		`- </para>`
`7862`		`- </listitem>`
`7863`		`- </varlistentry>`
`7864`		`- </variablelist>`
`7865`		`- </sect1>`
`7866`		`-`
`7867`	`7819`	`<sect1 id="runtime-config-client">`
`7868`	`7820`	`<title>Client Connection Defaults</title>`
`7869`	`7821`
`@@ -9685,22 +9637,6 @@ dynamic_library_path = 'C:\tools\postgresql;H:\my_project\lib;$libdir'`
`9685`	`9637`	`</listitem>`
`9686`	`9638`	`</varlistentry>`
`9687`	`9639`
`9688`		`- <varlistentry id="guc-file-encryption-keylen" xreflabel="file_encryption_keylen">`
`9689`		`- <term><varname>file_encryption_keylen</varname> (<type>boolean</type>)`
`9690`		`- <indexterm>`
`9691`		`- <primary>Cluster file encryption key length</primary>`
`9692`		`- </indexterm>`
`9693`		`- </term>`
`9694`		`- <listitem>`
`9695`		`- <para>`
`9696`		`- Reports the bit length of the cluster file`
`9697`		`- encryption key, or zero if disabled. See <xref`
`9698`		`- linkend="app-initdb-cluster-key-command"/> for more`
`9699`		`- information.`
`9700`		`- </para>`
`9701`		`- </listitem>`
`9702`		`- </varlistentry>`
`9703`		`-`
`9704`	`9640`	`<varlistentry id="guc-data-directory-mode" xreflabel="data_directory_mode">`
`9705`	`9641`	`<term><varname>data_directory_mode</varname> (<type>integer</type>)`
`9706`	`9642`	`<indexterm>`

`‎doc/src/sgml/database-encryption.sgml`

Lines changed: 0 additions & 97 deletions

This file was deleted.

`‎doc/src/sgml/filelist.sgml`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,6 @@`
`49`	`49`	`<!ENTITY wal SYSTEM "wal.sgml">`
`50`	`50`	`<!ENTITY logical-replication SYSTEM "logical-replication.sgml">`
`51`	`51`	`<!ENTITY jit SYSTEM "jit.sgml">`
`52`		`-<!ENTITY database-encryption SYSTEM "database-encryption.sgml">`
`53`	`52`
`54`	`53`	`<!-- programmer's guide -->`
`55`	`54`	`<!ENTITY bgworker SYSTEM "bgworker.sgml">`

`‎doc/src/sgml/installation.sgml`

Lines changed: 2 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -976,9 +976,8 @@ build-postgresql:`
`976`	`976`	`<listitem>`
`977`	`977`	`<para>`
`978`	`978`	`Build with support for <acronym>SSL</acronym> (encrypted)`
`979`		`- connections and cluster file encryption. This requires the`
`980`		`- <productname>OpenSSL</productname> package to be installed.`
`981`		`- <filename>configure</filename> will check`
	`979`	`+ connections. This requires the <productname>OpenSSL</productname>`
	`980`	`+ package to be installed. <filename>configure</filename> will check`
`982`	`981`	`for the required header files and libraries to make sure that`
`983`	`982`	`your <productname>OpenSSL</productname> installation is sufficient`
`984`	`983`	`before proceeding.`

`‎doc/src/sgml/postgres.sgml`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,6 @@ break is not needed in a wider output rendering.`
`171`	`171`	`&wal;`
`172`	`172`	`&logical-replication;`
`173`	`173`	`&jit;`
`174`		`- &database-encryption;`
`175`	`174`	`&regress;`
`176`	`175`
`177`	`176`	`</part>`

`‎doc/src/sgml/ref/allfiles.sgml`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,6 @@ Complete list of usable sgml source files in this directory.`
`189`	`189`	`<!ENTITY values SYSTEM "values.sgml">`
`190`	`190`
`191`	`191`	`<!-- applications and utilities -->`
`192`		`-<!ENTITY pgalterckey SYSTEM "pg_alterckey.sgml">`
`193`	`192`	`<!ENTITY clusterdb SYSTEM "clusterdb.sgml">`
`194`	`193`	`<!ENTITY createdb SYSTEM "createdb.sgml">`
`195`	`194`	`<!ENTITY createuser SYSTEM "createuser.sgml">`
`@@ -216,7 +215,7 @@ Complete list of usable sgml source files in this directory.`
`216`	`215`	`<!ENTITY pgtestfsync SYSTEM "pgtestfsync.sgml">`
`217`	`216`	`<!ENTITY pgtesttiming SYSTEM "pgtesttiming.sgml">`
`218`	`217`	`<!ENTITY pgupgrade SYSTEM "pgupgrade.sgml">`
`219`		`-<!ENTITY pgwaldumpSYSTEM "pg_waldump.sgml">`
	`218`	`+<!ENTITY pgwaldump SYSTEM "pg_waldump.sgml">`
`220`	`219`	`<!ENTITY postgres SYSTEM "postgres-ref.sgml">`
`221`	`220`	`<!ENTITY postmaster SYSTEM "postmaster.sgml">`
`222`	`221`	`<!ENTITY psqlRef SYSTEM "psql-ref.sgml">`

`‎doc/src/sgml/ref/initdb.sgml`

Lines changed: 0 additions & 46 deletions

Original file line number	Diff line number	Diff line change
`@@ -163,17 +163,6 @@ PostgreSQL documentation`
`163`	`163`	`</listitem>`
`164`	`164`	`</varlistentry>`
`165`	`165`
`166`		`- <varlistentry id="app-initdb-cluster-key-command" xreflabel="cluster key command">`
`167`		`- <term><option>--cluster-key-command=<replaceable class="parameter">command</replaceable></option></term>`
`168`		`- <listitem>`
`169`		`- <para>`
`170`		`- This option specifies an external command to obtain the cluster-level`
`171`		`- key for cluster file encryption during server initialization and`
`172`		`- server start; see <xref linkend="guc-cluster-key-command"/> for details.`
`173`		`- </para>`
`174`		`- </listitem>`
`175`		`- </varlistentry>`
`176`		`-`
`177`	`166`	`<varlistentry>`
`178`	`167`	`<term><option>-D <replaceable class="parameter">directory</replaceable></option></term>`
`179`	`168`	`<term><option>--pgdata=<replaceable class="parameter">directory</replaceable></option></term>`
`@@ -234,18 +223,6 @@ PostgreSQL documentation`
`234`	`223`	`</listitem>`
`235`	`224`	`</varlistentry>`
`236`	`225`
`237`		`- <varlistentry id="app-initdb-file-encryption-keylen"`
`238`		`- xreflabel="file encryption">`
`239`		`- <term><option>-K <replaceable class="parameter">length</replaceable></option></term>`
`240`		`- <term><option>--file-encryption-keylen=<replaceable class="parameter">length</replaceable></option></term>`
`241`		`- <listitem>`
`242`		`- <para>`
`243`		`- Specifies the number of bits for the file encryption keys. The`
`244`		`- default is 128 bits.`
`245`		`- </para>`
`246`		`- </listitem>`
`247`		`- </varlistentry>`
`248`		`-`
`249`	`226`	`<varlistentry>`
`250`	`227`	`<term><option>--locale=<replaceable>locale</replaceable></option></term>`
`251`	`228`	`<listitem>`
`@@ -308,17 +285,6 @@ PostgreSQL documentation`
`308`	`285`	`</listitem>`
`309`	`286`	`</varlistentry>`
`310`	`287`
`311`		`- <varlistentry>`
`312`		`- <term><option>-R</option></term>`
`313`		`- <term><option>--authprompt</option></term>`
`314`		`- <listitem>`
`315`		`- <para>`
`316`		`- Allows the <option>--cluster-key-command</option> command`
`317`		`- to prompt for a passphrase or PIN.`
`318`		`- </para>`
`319`		`- </listitem>`
`320`		`- </varlistentry>`
`321`		`-`
`322`	`288`	`<varlistentry>`
`323`	`289`	`<term><option>-S</option></term>`
`324`	`290`	`<term><option>--sync-only</option></term>`
`@@ -341,18 +307,6 @@ PostgreSQL documentation`
`341`	`307`	`</listitem>`
`342`	`308`	`</varlistentry>`
`343`	`309`
`344`		`- <varlistentry>`
`345`		`- <term><option>-u <replaceable>datadir</replaceable></option></term>`
`346`		`- <term><option>--copy-encryption-keys=<replaceable>datadir</replaceable></option></term>`
`347`		`- <listitem>`
`348`		`- <para>`
`349`		`- Copies cluster file encryption keys from another cluster; required`
`350`		`- when using <application>pg_upgrade</application> on a cluster`
`351`		`- with cluster file encryption enabled.`
`352`		`- </para>`
`353`		`- </listitem>`
`354`		`- </varlistentry>`
`355`		`-`
`356`	`310`	`<varlistentry>`
`357`	`311`	`<term><option>-U <replaceable class="parameter">username</replaceable></option></term>`
`358`	`312`	`<term><option>--username=<replaceable class="parameter">username</replaceable></option></term>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3187ef7

File tree

62 files changed

Some content is hidden

62 files changed

`‎doc/src/sgml/config.sgml`

`‎doc/src/sgml/database-encryption.sgml`

`‎doc/src/sgml/filelist.sgml`

`‎doc/src/sgml/installation.sgml`

`‎doc/src/sgml/postgres.sgml`

`‎doc/src/sgml/ref/allfiles.sgml`

`‎doc/src/sgml/ref/initdb.sgml`

0 commit comments