-
Notifications
You must be signed in to change notification settings - Fork 36
Expand file tree
/
Copy pathpg_tde--1.0.sql
More file actions
363 lines (320 loc) · 13.5 KB
/
pg_tde--1.0.sql
File metadata and controls
363 lines (320 loc) · 13.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
-- complain if script is sourced in psql, rather than via CREATE EXTENSION
\echo Use "CREATE EXTENSION pg_tde" to load this file. \quit
-- Key Provider Management
CREATE FUNCTION pg_tde_add_database_key_provider(type TEXT, name TEXT, options JSON)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_add_database_key_provider(TEXT, TEXT, JSON) FROM PUBLIC;
CREATE FUNCTION pg_tde_add_database_key_provider_file(provider_name TEXT, file_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_add_database_key_provider('file', provider_name,
json_object('path' VALUE file_path));
END;
CREATE FUNCTION pg_tde_add_database_key_provider_vault_v2(provider_name TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_token_path TEXT,
vault_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_add_database_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url,
'mountPath' VALUE vault_mount_path,
'tokenPath' VALUE vault_token_path,
'caPath' VALUE vault_ca_path));
END;
CREATE FUNCTION pg_tde_add_database_key_provider_kmip(provider_name TEXT,
kmip_host TEXT,
kmip_port INT,
kmip_cert_path TEXT,
kmip_key_path TEXT,
kmip_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_add_database_key_provider('kmip', provider_name,
json_object('host' VALUE kmip_host,
'port' VALUE kmip_port,
'certPath' VALUE kmip_cert_path,
'keyPath' VALUE kmip_key_path,
'caPath' VALUE kmip_ca_path));
END;
CREATE FUNCTION pg_tde_list_all_database_key_providers
(OUT id INT,
OUT name TEXT,
OUT type TEXT,
OUT options JSON)
RETURNS SETOF RECORD
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_list_all_database_key_providers() FROM PUBLIC;
CREATE FUNCTION pg_tde_list_all_global_key_providers
(OUT id INT,
OUT name TEXT,
OUT type TEXT,
OUT options JSON)
RETURNS SETOF RECORD
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_list_all_global_key_providers() FROM PUBLIC;
-- Global Tablespace Key Provider Management
CREATE FUNCTION pg_tde_add_global_key_provider(type TEXT, name TEXT, options JSON)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_add_global_key_provider(TEXT, TEXT, JSON) FROM PUBLIC;
CREATE FUNCTION pg_tde_add_global_key_provider_file(provider_name TEXT, file_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_add_global_key_provider('file', provider_name,
json_object('path' VALUE file_path));
END;
CREATE FUNCTION pg_tde_add_global_key_provider_vault_v2(provider_name TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_token_path TEXT,
vault_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_add_global_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url,
'mountPath' VALUE vault_mount_path,
'tokenPath' VALUE vault_token_path,
'caPath' VALUE vault_ca_path));
END;
CREATE FUNCTION pg_tde_add_global_key_provider_kmip(provider_name TEXT,
kmip_host TEXT,
kmip_port INT,
kmip_cert_path TEXT,
kmip_key_path TEXT,
kmip_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_add_global_key_provider('kmip', provider_name,
json_object('host' VALUE kmip_host,
'port' VALUE kmip_port,
'certPath' VALUE kmip_cert_path,
'keyPath' VALUE kmip_key_path,
'caPath' VALUE kmip_ca_path));
END;
-- Key Provider Management
CREATE FUNCTION pg_tde_change_database_key_provider(type TEXT, name TEXT, options JSON)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_change_database_key_provider(TEXT, TEXT, JSON) FROM PUBLIC;
CREATE FUNCTION pg_tde_change_database_key_provider_file(provider_name TEXT, file_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_change_database_key_provider('file', provider_name,
json_object('path' VALUE file_path));
END;
CREATE FUNCTION pg_tde_change_database_key_provider_vault_v2(provider_name TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_token_path TEXT,
vault_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_change_database_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url,
'mountPath' VALUE vault_mount_path,
'tokenPath' VALUE vault_token_path,
'caPath' VALUE vault_ca_path));
END;
CREATE FUNCTION pg_tde_change_database_key_provider_kmip(provider_name TEXT,
kmip_host TEXT,
kmip_port INT,
kmip_cert_path TEXT,
kmip_key_path TEXT,
kmip_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_change_database_key_provider('kmip', provider_name,
json_object('host' VALUE kmip_host,
'port' VALUE kmip_port,
'caPath' VALUE kmip_ca_path,
'certPath' VALUE kmip_cert_path,
'keyPath' VALUE kmip_key_path));
END;
-- Global Tablespace Key Provider Management
CREATE FUNCTION pg_tde_change_global_key_provider(type TEXT, name TEXT, options JSON)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_change_global_key_provider(TEXT, TEXT, JSON) FROM PUBLIC;
CREATE FUNCTION pg_tde_change_global_key_provider_file(provider_name TEXT, file_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_change_global_key_provider('file', provider_name,
json_object('path' VALUE file_path));
END;
CREATE FUNCTION pg_tde_change_global_key_provider_vault_v2(provider_name TEXT,
vault_url TEXT,
vault_mount_path TEXT,
vault_token_path TEXT,
vault_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_change_global_key_provider('vault-v2', provider_name,
json_object('url' VALUE vault_url,
'mountPath' VALUE vault_mount_path,
'tokenPath' VALUE vault_token_path,
'caPath' VALUE vault_ca_path));
END;
CREATE FUNCTION pg_tde_change_global_key_provider_kmip(provider_name TEXT,
kmip_host TEXT,
kmip_port INT,
kmip_cert_path TEXT,
kmip_key_path TEXT,
kmip_ca_path TEXT)
RETURNS VOID
LANGUAGE SQL
BEGIN ATOMIC
SELECT pg_tde_change_global_key_provider('kmip', provider_name,
json_object('host' VALUE kmip_host,
'port' VALUE kmip_port,
'certPath' VALUE kmip_cert_path,
'keyPath' VALUE kmip_key_path,
'caPath' VALUE kmip_ca_path));
END;
CREATE FUNCTION pg_tde_is_encrypted(relation REGCLASS)
RETURNS BOOLEAN
STRICT
LANGUAGE C
AS 'MODULE_PATHNAME';
CREATE FUNCTION pg_tde_create_key_using_database_key_provider(key_name TEXT, provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_create_key_using_database_key_provider(TEXT, TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_create_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_create_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_set_key_using_database_key_provider(key_name TEXT, provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_set_key_using_database_key_provider(TEXT, TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_set_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_set_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_set_server_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_set_server_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_set_default_key_using_global_key_provider(key_name TEXT, provider_name TEXT)
RETURNS VOID
AS 'MODULE_PATHNAME'
LANGUAGE C;
REVOKE ALL ON FUNCTION pg_tde_set_default_key_using_global_key_provider(TEXT, TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_verify_key()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_verify_key() FROM PUBLIC;
CREATE FUNCTION pg_tde_verify_server_key()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_verify_server_key() FROM PUBLIC;
CREATE FUNCTION pg_tde_verify_default_key()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_verify_default_key() FROM PUBLIC;
CREATE FUNCTION pg_tde_delete_key()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_delete_key() FROM PUBLIC;
CREATE FUNCTION pg_tde_delete_default_key()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_delete_default_key() FROM PUBLIC;
CREATE FUNCTION pg_tde_key_info()
RETURNS TABLE ( key_name TEXT,
provider_name TEXT,
provider_id INT,
key_creation_time TIMESTAMP WITH TIME ZONE)
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_key_info() FROM PUBLIC;
CREATE FUNCTION pg_tde_server_key_info()
RETURNS TABLE ( key_name TEXT,
provider_name TEXT,
provider_id INT,
key_creation_time TIMESTAMP WITH TIME ZONE)
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_server_key_info() FROM PUBLIC;
CREATE FUNCTION pg_tde_default_key_info()
RETURNS TABLE ( key_name TEXT,
provider_name TEXT,
provider_id INT,
key_creation_time TIMESTAMP WITH TIME ZONE)
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_default_key_info() FROM PUBLIC;
CREATE FUNCTION pg_tde_delete_global_key_provider(provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_delete_global_key_provider(TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_delete_database_key_provider(provider_name TEXT)
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_delete_database_key_provider(TEXT) FROM PUBLIC;
CREATE FUNCTION pg_tde_version() RETURNS TEXT LANGUAGE C AS 'MODULE_PATHNAME';
-- Table access method
CREATE FUNCTION pg_tdeam_handler(internal)
RETURNS TABLE_AM_HANDLER
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tdeam_handler(internal) FROM PUBLIC;
CREATE ACCESS METHOD tde_heap TYPE TABLE HANDLER pg_tdeam_handler;
COMMENT ON ACCESS METHOD tde_heap IS 'tde_heap table access method';
CREATE FUNCTION pg_tde_ddl_command_start_capture()
RETURNS EVENT_TRIGGER
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_ddl_command_start_capture() FROM PUBLIC;
CREATE FUNCTION pg_tde_ddl_command_end_capture()
RETURNS EVENT_TRIGGER
LANGUAGE C
AS 'MODULE_PATHNAME';
REVOKE ALL ON FUNCTION pg_tde_ddl_command_end_capture() FROM PUBLIC;
CREATE EVENT TRIGGER pg_tde_ddl_start
ON ddl_command_start
EXECUTE FUNCTION pg_tde_ddl_command_start_capture();
ALTER EVENT TRIGGER pg_tde_ddl_start ENABLE ALWAYS;
CREATE EVENT TRIGGER pg_tde_ddl_end
ON ddl_command_end
EXECUTE FUNCTION pg_tde_ddl_command_end_capture();
ALTER EVENT TRIGGER pg_tde_ddl_end ENABLE ALWAYS;
-- Per database extension initialization
CREATE FUNCTION pg_tde_extension_initialize()
RETURNS VOID
LANGUAGE C
AS 'MODULE_PATHNAME';
SELECT pg_tde_extension_initialize();
DROP FUNCTION pg_tde_extension_initialize();