6.4.4.11 Using the Oracle Cloud Infrastructure Vault Keyring Plugin

Note

The keyring_oci plugin is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.

The keyring_oci plugin is a keyring plugin that communicates with Oracle Cloud Infrastructure Vault for back end storage. No key information is permanently stored in MySQL server local storage. All keys are stored in Oracle Cloud Infrastructure Vault, making this plugin well suited for Oracle Cloud Infrastructure MySQL customers for management of their MySQL Enterprise Edition keys.

The keyring_oci plugin supports the functions that comprise the standard MySQL Keyring service interface. Keyring operations performed by those functions are accessible at two levels:

Example (using the SQL interface):

SELECT keyring_key_generate('MyKey', 'AES', 32);
SELECT keyring_key_remove('MyKey');

For information about the characteristics of key values permitted by keyring_oci, see Section 6.4.4.12, “Supported Keyring Key Types and Lengths”.

To install keyring_oci, use the general instructions found in Section 6.4.4.3, “Keyring Plugin Installation”, together with the configuration information specific to keyring_oci found here. Plugin-specific configuration involves setting a number of system variables to indicate the names or values of Oracle Cloud Infrastructure resources.

You are assumed to be familiar with Oracle Cloud Infrastructure concepts, but the following documentation may be helpful when setting up resources to be used by the keyring_oci plugin:

The keyring_oci plugin supports the configuration parameters shown in the following table. To specify these parameters, assign values to the corresponding system variables.

Configuration Parameter          System Variable                    Mandatory
User OCID                        keyring_oci_user                   Yes
Tenancy OCID                     keyring_oci_tenancy                Yes
Compartment OCID                 keyring_oci_compartment            Yes
Vault OCID                       keyring_oci_virtual_vault          Yes
Master key OCID                  keyring_oci_master_key             Yes
Encryption server endpoint       keyring_oci_encryption_endpoint    Yes
Key management server endpoint   keyring_oci_management_endpoint    Yes
Vaults server endpoint           keyring_oci_vaults_endpoint        Yes
Secrets server endpoint          keyring_oci_secrets_endpoint       Yes
RSA private key file             keyring_oci_key_file               Yes
RSA private key fingerprint      keyring_oci_key_fingerprint        Yes
CA certificate bundle file       keyring_oci_ca_certificate         No

To be usable during the server startup process, keyring_oci must be loaded using the --early-plugin-load option. As indicated by the preceding table, several plugin-related system variables are mandatory and must also be set:

In addition to the mandatory system variables, keyring_oci_ca_certificate optionally may be set to specify a certificate authority (CA) certificate bundle file for peer authentication.

Important

If you copy a parameter from the Oracle Cloud Infrastructure Console, the copied value may include an initial https:// part. Omit that part when setting the corresponding keyring_oci system variable.

For example, to load and configure keyring_oci, use these lines in the server my.cnf file (adjust the .so suffix and file location for your platform as necessary):

[mysqld]
early-plugin-load=keyring_oci.so
keyring_oci_user=ocid1.user.oc1..longAlphaNumericString
keyring_oci_tenancy=ocid1.tenancy.oc1..longAlphaNumericString
keyring_oci_compartment=ocid1.compartment.oc1..longAlphaNumericString
keyring_oci_virtual_vault=ocid1.vault.oc1.iad.shortAlphaNumericString.longAlphaNumericString
keyring_oci_master_key=ocid1.key.oc1.iad.shortAlphaNumericString.longAlphaNumericString
keyring_oci_encryption_endpoint=shortAlphaNumericString-crypto.kms.us-ashburn-1.oraclecloud.com
keyring_oci_management_endpoint=shortAlphaNumericString-management.kms.us-ashburn-1.oraclecloud.com
keyring_oci_vaults_endpoint=vaults.us-ashburn-1.oci.oraclecloud.com
keyring_oci_secrets_endpoint=secrets.vaults.us-ashburn-1.oci.oraclecloud.com
keyring_oci_key_file=file_name
keyring_oci_key_fingerprint=12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef

For additional information about the keyring_oci plugin-specific system variables, see Section 6.4.4.18, “Keyring System Variables”.

The keyring_oci plugin does not support runtime reconfiguration and none of its system variables can be modified at runtime. To change configuration parameters, do this: