The keyring_oci plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.keyring_oci插件是商业产品MySQL企业版中包含的一个扩展。要了解有关商业产品的更多信息,请参阅https://www.mysql.com/products/。
The keyring_oci plugin is a keyring plugin that communicates with Oracle Cloud Infrastructure Vault for back end storage. keyring_oci插件是一个与Oracle Cloud Infrastructure Vault通信的密钥环插件,用于后端存储。No key information is permanently stored in MySQL server local storage. All keys are stored in Oracle Cloud Infrastructure Vault, making this plugin well suited for Oracle Cloud Infrastructure MySQL customers for management of their MySQL Enterprise Edition keys.MySQL服务器本地存储中没有永久存储密钥信息。所有密钥都存储在Oracle Cloud Infrastructure Vault中,因此此插件非常适合Oracle Cloud Infrastructure MySQL客户管理其MySQL Enterprise Edition密钥。
The keyring_oci plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:keyring_oci插件支持构成标准MySQL keyring服务接口的功能。这些功能执行的钥匙扣操作可在两个级别访问:
SQL interface: In SQL statements, call the functions described in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.SQL接口:在SQL语句中,调用第6.4.4.14节,“通用密钥管理函数”中描述的函数。
C interface: In C-language code, call the keyring service functions described in Section 5.6.9.2, “The Keyring Service”.C接口:在C语言代码中,调用第5.6.9.2节,“钥匙圈服务”中描述的钥匙圈服务函数。
Example (using the SQL interface):示例(使用SQL接口):
SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');
For information about the characteristics of key values permitted by 有关keyring_oci, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.keyring_oci允许的键值特征的信息,请参阅第6.4.4.12节,“支持的keyring密钥类型和长度”。
To install 要安装keyring_oci, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_oci found here. keyring_oci,请使用第6.4.4.3节,“keyring插件安装”中的一般说明,以及此处提供的特定于keyring_oci的配置信息。Plugin-specific configuration involves setting a number of system variables to indicate the names or values of Oracle Cloud Infrastructure resources.插件特定的配置涉及设置多个系统变量,以指示Oracle云基础架构资源的名称或值。
You are assumed to be familiar with Oracle Cloud Infrastructure concepts, but the following documentation may be helpful when setting up resources to be used by the 假设您熟悉Oracle云基础架构概念,但在设置keyring_oci plugin:keyring_oci插件使用的资源时,以下文档可能会有所帮助:
The keyring_oci plugin supports the configuration parameters shown in the following table. To specify these parameters, assign values to the corresponding system variables.keyring_oci插件支持下表所示的配置参数。要指定这些参数,请为相应的系统变量赋值。
keyring_oci_user | Yes | |
keyring_oci_tenancy | Yes | |
keyring_oci_compartment | Yes | |
keyring_oci_virtual_vault | Yes | |
keyring_oci_master_key | Yes | |
keyring_oci_encryption_endpoint | Yes | |
keyring_oci_management_endpoint | Yes | |
keyring_oci_vaults_endpoint | Yes | |
keyring_oci_secrets_endpoint | Yes | |
keyring_oci_key_file | Yes | |
keyring_oci_key_fingerprint | Yes | |
keyring_oci_ca_certificate | No |
To be usable during the server startup process, 为了在服务器启动过程中使用,必须使用keyring_oci must be loaded using the --early-plugin-load option. --early-plugin-load选项加载keyring_oci。As indicated by the preceding table, several plugin-related system variables are mandatory and must also be set:如上表所示,几个与插件相关的系统变量是强制性的,也必须进行设置:
Oracle Cloud Infrastructure uses Oracle Cloud IDs (OCIDs) extensively to designate resources, and several Oracle Cloud Infrastructure广泛使用Oracle Cloud ID(OCID)来指定资源,几个keyring_oci parameters specify OCID values of the resources to use. keyring_oci参数指定要使用的资源的OCID值。Consequently, prior to using the 因此,在使用keyring_oci plugin, these prerequisites must be satisfied:keyring_oci插件之前,必须满足以下先决条件:
A user for connecting to Oracle Cloud Infrastructure must exist. Create the user if necessary and assign the user OCID to the 必须存在用于连接到Oracle云基础架构的用户。必要时创建用户,并将用户OCID分配给keyring_oci_user system variable.keyring_oci_user系统变量。
The Oracle Cloud Infrastructure tenancy to be used must exist, as well as the MySQL compartment within the tenancy, and the vault within the compartment. 要使用的Oracle云基础架构租约必须存在,租约中的MySQL分区和分区中的vault也必须存在。Create these resources if necessary and make sure the user is enabled to use them. 必要时创建这些资源,并确保用户能够使用它们。Assign the OCIDs for the tenancy, compartment and vault to the 将租赁、隔间和保险库的OCID分配给keyring_oci_tenancy, keyring_oci_compartment, and keyring_oci_virtual_vault system variables.keyring_oci_tenancy、keyring_oci_compartment和keyring_oci_virtual_vault系统变量。
A master key for encryption must exist. Create it if necessary and assign its OCID to the 加密的主密钥必须存在。必要时创建它,并将其OCID分配给keyring_oci_master_key system variable.keyring_oci_master_key系统变量。
Several server endpoints must be specified. These endpoints are vault specific and Oracle Cloud Infrastructure assigns them at vault-creation time. 必须指定多个服务器端点。这些端点是特定于vault的,Oracle Cloud Infrastructure在创建vault时分配它们。Obtain their values from the vault details page and assign them to the 从保管库详细信息页面获取它们的值,并将其分配给keyring_oci_encryption_endpoint, keyring_oci_management_endpoint, keyring_oci_vaults_endpoint, and keyring_oci_secrets_endpoint system variables.keyring_oci_encrypt_endpoint、keyring_oci_management_endpoint、keyring_oci_vults_endpoint和keyring_oci_secrets_endpoint系统变量。
The Oracle Cloud Infrastructure API uses an RSA private/public key pair for authentication. Oracle云基础架构API使用RSA私钥/公钥对进行身份验证。To create this key pair and obtain the key fingerprint, use the instructions at Required Keys and OCIDs. 要创建此密钥对并获取密钥指纹,请使用所需密钥和OCID中的说明。Assign the private key file name and key fingerprint to the 将私钥文件名和密钥指纹分配给keyring_oci_key_file and keyring_oci_key_fingerprint system variables.keyring_oci_key_file和keyring_oci_key_fingerprint系统变量。
In addition to the mandatory system variables, 除了强制性系统变量外,还可以选择设置keyring_oci_ca_certificate optionally may be set to specify a certificate authority (CA) certificate bundle file for peer authentication.keyring_oci_ca_certificate来指定用于对等身份验证的证书颁发机构(ca)证书捆绑文件。
If you copy a parameter from the Oracle Cloud Infrastructure Console, the copied value may include an initial 如果从Oracle云基础架构控制台复制参数,则复制的值可能包括初始https:// part. Omit that part when setting the corresponding keyring_oci system variable.https://部分。在设置相应的keyring_oci系统变量时省略该部分。
For example, to load and configure 例如,要加载和配置keyring_oci8, use these lines in the server my.cnf file (adjust the .so suffix and file location for your platform as necessary):keyring_oci8,请在服务器my.cnf文件中使用以下行(根据需要为您的平台调整.so后缀和文件位置):
[mysqld] early-plugin-load=keyring_oci.so keyring_oci_user=ocid1.user.oc1..longAlphaNumericStringkeyring_oci_tenancy=ocid1.tenancy.oc1..longAlphaNumericStringkeyring_oci_compartment=ocid1.compartment.oc1..longAlphaNumericStringkeyring_oci_virtual_vault=ocid1.vault.oc1.iad.shortAlphaNumericString.longAlphaNumericStringkeyring_oci_master_key=ocid1.key.oc1.iad.shortAlphaNumericString.longAlphaNumericStringkeyring_oci_encryption_endpoint=shortAlphaNumericString-crypto.kms.us-ashburn-1.oraclecloud.com keyring_oci_management_endpoint=shortAlphaNumericString-management.kms.us-ashburn-1.oraclecloud.com keyring_oci_vaults_endpoint=vaults.us-ashburn-1.oci.oraclecloud.com keyring_oci_secrets_endpoint=secrets.vaults.us-ashburn-1.oci.oraclecloud.com keyring_oci_key_file=file_namekeyring_oci_key_fingerprint=12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
For additional information about the 有关keyring_oci plugin-specific system variables, see Section 6.4.4.18, “Keyring System Variables”.keyring_oci插件特定系统变量的更多信息,请参阅第6.4.4.18节,“keyring系统变量”。
The keyring_oci plugin does not support runtime reconfiguration and none of its system variables can be modified at runtime. To change configuration parameters, do this:keyring_oci插件不支持运行时重新配置,其系统变量在运行时都不能修改。要更改配置参数,请执行以下操作:
Modify parameter settings in the 修改my.cnf file, or use SET PERSIST_ONLY for parameters that are persisted to mysqld-auto.conf.my.cnf文件中的参数设置,或对持久化到mysqld-auto.conf的参数使用SET PERSIST_ONLY。
Restart the server.重新启动服务器。