6.4.4.10 Using the HashiCorp Vault Keyring Plugin

Note

The keyring_hashicorp plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.

The keyring_hashicorp keyring plugin communicates with HashiCorp Vault for back end storage. The plugin supports HashiCorp Vault AppRole authentication. No key information is permanently stored in MySQL server local storage. (An optional in-memory key cache may be used as intermediate storage.) Random key generation is performed on the MySQL server side, with the keys subsequently stored to HashiCorp Vault.

The keyring_hashicorp plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:

Example (using the SQL interface):

SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');

For information about the characteristics of key values permitted by keyring_hashicorp, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.

To install keyring_hashicorp, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_hashicorp found here. Plugin-specific configuration includes preparation of the certificate and key files needed for connecting to HashiCorp Vault, as well as configuring HashiCorp Vault itself. The following sections provide the necessary instructions.

Certificate and Key Preparation

The keyring_hashicorp plugin requires a secure connection to the HashiCorp Vault server, employing the HTTPS protocol. A typical setup includes a set of certificate and key files:

  • company.crt: A custom CA certificate belonging to the organization. This file is used both by HashiCorp Vault server and the keyring_hashicorp plugin.

  • vault.key: The private key of the HashiCorp Vault server instance. This file is used by HashiCorp Vault server.

  • vault.crt: The certificate of the HashiCorp Vault server instance. This file must be signed by the organization CA certificate.

The following instructions describe how to create the certificate and key files using OpenSSL. (If you already have those files, proceed to HashiCorp Vault Setup.) The instructions as shown apply to Linux platforms and may require adjustment for other platforms.

Important

Certificates generated by these instructions are self-signed, which may not be very secure. After you gain experience using such files, consider obtaining certificate/key material from a registered certificate authority.

  1. Prepare the company and HashiCorp Vault server keys.

    Use the following commands to generate the key files:

    openssl genrsa -aes256 -out company.key 4096
    openssl genrsa -aes256 -out vault.key 2048

    The commands produce files holding the company private key (company.key) and the Vault server private key (vault.key). The keys are randomly generated RSA keys of 4,096 and 2,048 bits, respectively.

    Each command prompts for a password. For testing purposes, the password is not required. To disable it, omit the -aes256 argument.

    The key files hold sensitive information and should be stored in a secure location. The password (also sensitive) is required later, so write it down and store it in a secure location.

    (Optional) To check key file content and validity, use the following commands:

    openssl rsa -in company.key -check
    openssl rsa -in vault.key -check

  2. Create the company CA certificate.

    Use the following command to create a company CA certificate file named company.crt that is valid for 365 days (enter the command on a single line):

    openssl req -x509 -new -nodes -key company.key
      -sha256 -days 365 -out company.crt

    If you used the -aes256 argument to perform key encryption during key generation, you are prompted for the company key password during CA certificate creation. You are also prompted for information about the certificate holder (that is, you or your company), as shown here:

    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Answer the prompts with appropriate values.

  3. Create a certificate signing request.

    To create a HashiCorp Vault server certificate, a Certificate Signing Request (CSR) must be prepared for the newly created server key. Create a configuration file named request.conf containing the following lines. If the HashiCorp Vault server does not run on the local host, substitute appropriate CN and IP values, and make any other changes required.

    [req]
    distinguished_name = vault
    x509_extensions = v3_req
    prompt = no
    
    [vault]
    C = US
    ST = CA
    L = RWC
    O = Company
    CN = 127.0.0.1
    
    [v3_req]
    subjectAltName = @alternatives
    authorityKeyIdentifier = keyid,issuer
    basicConstraints = CA:TRUE
    
    [alternatives]
    IP = 127.0.0.1

    Use this command to create the signing request:

    openssl req -new -key vault.key -config request.conf -out request.csr

    The output file (request.csr) is an intermediate file that serves as input for creation of the server certificate.

  4. Create the HashiCorp Vault server certificate.

    Sign the combined information from the HashiCorp Vault server key (vault.key) and the CSR (request.csr) with the company certificate (company.crt) to create the HashiCorp Vault server certificate (vault.crt). Use the following command to do this (enter the command on a single line):

    openssl x509 -req -in request.csr
      -CA company.crt -CAkey company.key -CAcreateserial
      -out vault.crt -days 365 -sha256

    To make the vault.crt server certificate useful, append the contents of the company.crt company certificate to it. This is required so that the company certificate is delivered along with the server certificate in requests.

    cat company.crt >> vault.crt

    If you display the contents of the vault.crt file, it should look like this:

    -----BEGIN CERTIFICATE-----
    ... content of HashiCorp Vault server certificate ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... content of company certificate ...
    -----END CERTIFICATE-----
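
The four steps above, collected into one script as an added example (this is not code from the MySQL manual), together with the checks worth running before handing vault.crt and vault.key to Vault: that the server certificate verifies against company.crt, that it carries the 127.0.0.1 SAN, and that it matches vault.key. It assumes OpenSSL is on PATH and writes the keys unencrypted (no -aes256, as the text allows for testing). It departs from the page's request.conf in two places, both noted in the comments: it uses req_extensions so the SAN is part of the CSR, and it marks the server certificate CA:FALSE. The file names ca.conf, make_vault_certs and verify_chain are this example's own.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: the certificate preparation steps
# run non-interactively in one directory, followed by the checks a practitioner
# should make before handing vault.crt and vault.key to Vault.
# Assumptions: OpenSSL is on PATH, keys are written unencrypted (no -aes256,
# as the text allows for testing), and Vault listens on 127.0.0.1.
set -eu

# CA configuration (constructed here; the page creates the CA via prompts).
write_ca_conf() {
  cat > "$1/ca.conf" <<'EOF'
[req]
distinguished_name = ca_dn
x509_extensions = v3_ca
prompt = no

[ca_dn]
C = US
ST = CA
O = Company
CN = Company Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CSR configuration. Two deliberate departures from the page's request.conf:
# req_extensions (not x509_extensions) so the SAN is carried in the CSR, and
# CA:FALSE, because a server certificate must not be usable as a CA.
write_request_conf() {
  cat > "$1/request.conf" <<'EOF'
[req]
distinguished_name = vault
req_extensions = v3_req
prompt = no

[vault]
C = US
ST = CA
L = RWC
O = Company
CN = 127.0.0.1

[v3_req]
subjectAltName = @alternatives
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alternatives]
IP = 127.0.0.1
EOF
}

# Steps 1-4: keys, CA certificate, CSR, signed server certificate, chain file.
# -extfile/-extensions are given at signing time because "openssl x509 -req"
# does not copy the CSR's extensions into the certificate on its own.
make_vault_certs() {
  dir=$1
  write_ca_conf "$dir"
  write_request_conf "$dir"
  openssl genrsa -out "$dir/company.key" 4096 2>/dev/null
  openssl genrsa -out "$dir/vault.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/company.key" -config "$dir/ca.conf" \
    -sha256 -days 365 -out "$dir/company.crt"
  openssl req -new -key "$dir/vault.key" -config "$dir/request.conf" -out "$dir/request.csr"
  openssl x509 -req -in "$dir/request.csr" -CA "$dir/company.crt" -CAkey "$dir/company.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/request.conf" -extensions v3_req \
    -out "$dir/vault.crt" 2>/dev/null
  cat "$dir/company.crt" >> "$dir/vault.crt"   # chain: server cert first, then CA
}

# Checks: the server certificate (first in vault.crt) must verify against
# company.crt, carry the 127.0.0.1 SAN, and match vault.key. Prints ok or fail.
verify_chain() {
  dir=$1
  cert_mod=$(openssl x509 -in "$dir/vault.crt" -noout -modulus)
  key_mod=$(openssl rsa -in "$dir/vault.key" -noout -modulus 2>/dev/null)
  if openssl verify -CAfile "$dir/company.crt" "$dir/vault.crt" >/dev/null 2>&1 &&
     openssl x509 -in "$dir/vault.crt" -noout -text | grep -q 'IP Address:127.0.0.1' &&
     [ "$cert_mod" = "$key_mod" ]; then
    echo ok
  else
    echo fail
  fi
}

# Usage: sh prepare_vault_certs.sh /path/to/certdir
if [ $# -eq 1 ]; then
  make_vault_certs "$1"
  echo "certificate check: $(verify_chain "$1")"
fi
```

Run it with a directory argument; it leaves company.key, company.crt, vault.key, request.csr and the chained vault.crt there, exactly the files the Vault configuration in the next section expects, and prints the result of the chain check. If the SAN check fails after you change the IP or CN in request.conf, the value in the [alternatives] section is the one Vault's TLS clients will match against, not the CN.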

HashiCorp Vault Setup

The following instructions describe how to create a HashiCorp Vault setup that facilitates testing the keyring_hashicorp plugin.

Important

A test setup is similar to a production setup, but production use of HashiCorp Vault entails additional security considerations such as use of non-self-signed certificates and storing the company certificate in the system trust store. You must implement whatever additional security steps are needed to satisfy your operational requirements.

These instructions assume availability of the certificate and key files created in Certificate and Key Preparation. See that section if you do not have those files.

  1. Fetch the HashiCorp Vault binary.

    Download the HashiCorp Vault binary appropriate for your platform from https://www.vaultproject.io/downloads.html.

    Extract the content of the archive to produce the executable vault command, which is used to perform HashiCorp Vault operations. If necessary, add the directory where you install the command to the system path.

    (Optional) HashiCorp Vault supports autocomplete options that make it easier to use. For more information, see https://learn.hashicorp.com/vault/getting-started/install#command-completion.

  2. Create the HashiCorp Vault server configuration file.

    Prepare a configuration file named config.hcl with the following content. For the tls_cert_file, tls_key_file, and path values, substitute path names appropriate for your system.

    listener "tcp" {
      address="127.0.0.1:8200"
      tls_cert_file="/home/username/certificates/vault.crt"
      tls_key_file="/home/username/certificates/vault.key"
    }
    
    storage "file" {
      path = "/home/username/vaultstorage/storage"
    }
    
    ui = true

  3. Start the HashiCorp Vault server.

    To start the Vault server, use the following command, where the -config option specifies the path to the configuration file just created:

    vault server -config=config.hcl

    During this step, you may be prompted for a password for the Vault server private key stored in the vault.key file.

    The server should start, displaying some information on the console (IP, port, and so forth).

    So that you can enter the remaining commands, put the vault server command in the background or open another terminal before continuing.

  4. Initialize the HashiCorp Vault server.

    Note

    The operations described in this step are required only when starting Vault the first time, to obtain the unseal key and root token. Subsequent Vault instance restarts require only unsealing using the unseal key.

    Issue the following commands (assuming Bourne shell syntax):

    export VAULT_SKIP_VERIFY=1
    vault operator init -n 1 -t 1

    The first command enables the vault command to temporarily ignore the fact that no company certificate has been added to the system trust store. It compensates for the fact that our self-signed CA is not added to that store. (For production use, such a certificate should be added.)

    The second command creates a single unseal key with a requirement for a single unseal key to be present for unsealing. (For production use, an instance would have multiple unseal keys with up to that many keys required to be entered to unseal it. The unseal keys should be delivered to key custodians within the company. Use of a single key might be considered a security issue because that permits the vault to be unsealed by a single key custodian.)

    Vault should reply with information about the unseal key and root token, plus some additional text (the actual unseal key and root token values differ from those shown here):

    ...
    Unseal Key 1: I2xwcFQc892O0Nt2pBiRNlnkHzTUrWS+JybL39BjcOE=
    Initial Root Token: s.vTvXeo3tPEYehfcd9WH7oUKz
    ...

    Store the unseal key and root token in a secure location.

  5. Unseal the HashiCorp Vault server.

    Use this command to unseal the Vault server:

    vault operator unseal

    When prompted to enter the unseal key, use the key obtained previously during Vault initialization.

    Vault should produce output indicating that setup is complete and the vault is unsealed.

  6. Log in to the HashiCorp Vault server and verify its status.

    Prepare the environment variables required for logging in as root:

    vault login s.vTvXeo3tPEYehfcd9WH7oUKz

    For the token value in that command, substitute the content of the root token obtained previously during Vault initialization.

    Verify the Vault server status:

    vault status

    The output should contain these lines (among others):

    ...
    Initialized     true
    Sealed          false
    ...

  7. Set up HashiCorp Vault authentication and storage.

    Note

    The operations described in this step are needed only the first time the Vault instance is run. They need not be repeated afterward.

    Enable the AppRole authentication method and verify that it is in the authentication method list:

    vault auth enable approle
    vault auth list

    Enable the Vault KeyValue storage engine:

    vault secrets enable -version=1 kv

    Create and set up a role for use with the keyring_hashicorp plugin (enter the command on a single line):

    vault write auth/approle/role/mysql token_num_uses=0
      token_ttl=20m token_max_ttl=30m secret_id_num_uses=0

  8. Add an AppRole security policy.

    Note

    The operations described in this step are needed only the first time the Vault instance is run. They need not be repeated afterward.

    Prepare a policy to permit the previously created role to access appropriate secrets. Create a new file named mysql.hcl with the following content:

    path "kv/mysql/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

    Note

    kv/mysql/ in this example may need adjustment per your local installation policies and security requirements. If so, make the same adjustment wherever else kv/mysql/ appears in these instructions.

    Import the policy file to the Vault server to create a policy named mysql-policy, then assign the policy to the new role:

    vault policy write mysql-policy mysql.hcl
    vault write auth/approle/role/mysql policies=mysql-policy

    Obtain the ID of the newly created role and store it in a secure location:

    vault read auth/approle/role/mysql/role-id

    Generate a secret ID for the role and store it in a secure location:

    vault write -f auth/approle/role/mysql/secret-id

    After these AppRole role ID and secret ID credentials are generated, they are expected to remain valid indefinitely. They need not be generated again and the keyring_hashicorp plugin can be configured with them for use on an ongoing basis. For more information about AppRole authentication, visit https://www.vaultproject.io/docs/auth/approle.html.
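
Steps 7 and 8 above, collected into one script as an added example (not code from the MySQL manual or from HashiCorp). The point it adds to the text is that the role ID and secret ID are captured with the vault CLI's -field option and emitted as the two my.cnf settings the plugin needs, rather than being copied off the screen, and that the two enable commands are skipped when already done so the script can be re-run. It assumes the vault CLI is on PATH, the server from step 3 is running at VAULT_ADDR and unsealed, VAULT_TOKEN holds the root token from step 4, and either VAULT_SKIP_VERIFY=1 or VAULT_CACERT pointing at company.crt is exported (the latter is the better choice, since it verifies the server certificate). The function names and the work directory argument are this example's own; kv/mysql/ is the page's example path.

```shell
#!/bin/sh
# Added example (not from the MySQL manual or HashiCorp): steps 7 and 8 of the
# Vault setup as re-runnable functions, with the AppRole credentials captured
# for the keyring_hashicorp configuration.
# Assumptions: vault CLI on PATH; VAULT_ADDR, VAULT_TOKEN (root token from
# step 4) and VAULT_CACERT=company.crt (or VAULT_SKIP_VERIFY=1) exported.
set -eu

# Step 8: write the AppRole policy file to $1/mysql.hcl (same content as the page).
write_policy_file() {
  cat > "$1/mysql.hcl" <<'EOF'
path "kv/mysql/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF
}

# Steps 7 and 8: enable AppRole and the v1 KV engine, create the role, attach
# the policy. Enabling a method or engine twice is an error, so each enable is
# skipped when "vault ... list" already shows the mount.
setup_vault_for_keyring() {
  dir=$1
  vault auth list -format=json | grep -q '"approle/"' || vault auth enable approle
  vault secrets list -format=json | grep -q '"kv/"' || vault secrets enable -version=1 kv
  vault write auth/approle/role/mysql token_num_uses=0 \
    token_ttl=20m token_max_ttl=30m secret_id_num_uses=0
  write_policy_file "$dir"
  vault policy write mysql-policy "$dir/mysql.hcl"
  vault write auth/approle/role/mysql policies=mysql-policy
}

# Print the two credentials the plugin needs as my.cnf lines. -field prints
# just the value, so the output can be redirected straight into a file that
# only the MySQL server's account can read; it is a secret, treat it as one.
print_keyring_credentials() {
  role_id=$(vault read -field=role_id auth/approle/role/mysql/role-id)
  secret_id=$(vault write -f -field=secret_id auth/approle/role/mysql/secret-id)
  printf "keyring_hashicorp_role_id='%s'\n" "$role_id"
  printf "keyring_hashicorp_secret_id='%s'\n" "$secret_id"
}

# Usage: sh setup_keyring_vault.sh /path/to/workdir > keyring_hashicorp.cnf
if [ $# -eq 1 ]; then
  setup_vault_for_keyring "$1"
  print_keyring_credentials
fi
```

Every run of print_keyring_credentials issues a new secret ID; because the role was created with secret_id_num_uses=0 the earlier ones stay valid, so if you rotate, revoke the old one afterwards rather than assuming it expired.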

keyring_hashicorp Configuration

The plugin library file contains the keyring_hashicorp plugin and a loadable function, keyring_hashicorp_update_config(). When the plugin initializes and terminates, it automatically loads and unloads the function. There is no need to load and unload the function manually.

The keyring_hashicorp plugin supports the configuration parameters shown in the following table. To specify these parameters, assign values to the corresponding system variables.

Configuration Parameter     System Variable                 Mandatory
HashiCorp Server URL        keyring_hashicorp_server_url    No
AppRole role ID             keyring_hashicorp_role_id       Yes
AppRole secret ID           keyring_hashicorp_secret_id     Yes
Store path                  keyring_hashicorp_store_path    Yes
Authorization Path          keyring_hashicorp_auth_path     No
CA certificate file path    keyring_hashicorp_ca_path       No
Cache control               keyring_hashicorp_caching       No

To be usable during the server startup process, keyring_hashicorp must be loaded using the --early-plugin-load option. As indicated by the preceding table, several plugin-related system variables are mandatory and must also be set. For example, use these lines in the server my.cnf file, adjusting the .so suffix and file locations for your platform as necessary:

[mysqld]
early-plugin-load=keyring_hashicorp.so
keyring_hashicorp_role_id='ee3b495c-d0c9-11e9-8881-8444c71c32aa'
keyring_hashicorp_secret_id='0512af29-d0ca-11e9-95ee-0010e00dd718'
keyring_hashicorp_store_path='/v1/kv/mysql'
keyring_hashicorp_auth_path='/v1/auth/approle/login'

Note

Per the HashiCorp documentation, all API routes are prefixed with a protocol version (which you can see in the preceding example as /v1/ in the keyring_hashicorp_store_path and keyring_hashicorp_auth_path values). If HashiCorp develops new protocol versions, it may be necessary to change /v1/ to something else in your configuration.

MySQL Server authenticates against HashiCorp Vault using AppRole authentication. Successful authentication requires that two secrets be provided to Vault, a role ID and a secret ID, which are similar in concept to user name and password. The role ID and secret ID values to use are those obtained during the HashiCorp Vault setup procedure performed previously. To specify the two IDs, assign their respective values to the keyring_hashicorp_role_id and keyring_hashicorp_secret_id system variables. The setup procedure also results in a store path of /v1/kv/mysql, which is the value to assign to keyring_hashicorp_store_path.

At plugin initialization time, keyring_hashicorp attempts to connect to the HashiCorp Vault server using the configuration values. If the connection is successful, the plugin stores the values in corresponding system variables that have _commit_ in their name. For example, upon successful connection, the plugin stores the values of keyring_hashicorp_role_id and keyring_hashicorp_store_path in keyring_hashicorp_commit_role_id and keyring_hashicorp_commit_store_path.

Reconfiguration at runtime can be performed with the assistance of the keyring_hashicorp_update_config() function:

  1. Use SET statements to assign the desired new values to the configuration system variables shown in the preceding table. These assignments in themselves have no effect on ongoing plugin operation.

  2. Invoke keyring_hashicorp_update_config() to cause the plugin to reconfigure and reconnect to the HashiCorp Vault server using the new variable values.

  3. If the connection is successful, the plugin stores the updated configuration values in corresponding system variables that have _commit_ in their name.

For example, if you have reconfigured HashiCorp Vault to listen on port 8201 rather than the default 8200, reconfigure keyring_hashicorp like this:

mysql> SET GLOBAL keyring_hashicorp_server_url = 'https://127.0.0.1:8201';
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT keyring_hashicorp_update_config();
+--------------------------------------+
| keyring_hashicorp_update_config()    |
+--------------------------------------+
| Configuration update was successful. |
+--------------------------------------+
1 row in set (0.03 sec)

If the plugin is not able to connect to HashiCorp Vault during initialization or reconfiguration and there was no existing connection, the _commit_ system variables are set to 'Not committed' for string-valued variables, and OFF for Boolean-valued variables. If the plugin is not able to connect but there was an existing connection, that connection remains active and the _commit_ variables reflect the values used for it.

Note

If you do not set the mandatory system variables at server startup, or if some other plugin initialization error occurs, initialization fails. In this case, you can use the runtime reconfiguration procedure to initialize the plugin without restarting the server.

For additional information about the keyring_hashicorp plugin-specific system variables and function, see Section 6.4.4.18, “Keyring System Variables”, and Section 6.4.4.15, “Plugin-Specific Keyring Key-Management Functions”.