6.4.4.13 Migrating Keys Between Keyring Keystores

A keyring migration copies keys from one keystore to another, enabling a DBA to switch a MySQL installation to a different keystore. A successful migration operation has this result:

If a key to be copied already exists in the destination keystore, an error occurs and the destination keystore is restored to its premigration state.

The keyring manages keystores using keyring components and keyring plugins. This pertains to migration strategy because the way in which the source and destination keystores are managed determines whether a particular type of key migration is possible and the procedure for performing it:

The following sections discuss the characteristics of offline and online migrations and describe how to perform migrations.

Offline and Online Key Migrations

A key migration is either offline or online:

  • Offline migration: For use when you are sure that no running server on the local host is using the source or destination keystore. In this case, the migration operation can copy keys from the source keystore to the destination without the possibility of a running server modifying keystore content during the operation.

  • Online migration: For use when a running server on the local host is using the source keystore. In this case, care must be taken to prevent that server from updating keystores during the migration. This involves connecting to the running server and instructing it to pause keyring operations so that keys can be copied safely from the source keystore to the destination. When key copying is complete, the running server is permitted to resume keyring operations.

When you plan a key migration, use these points to decide whether it should be offline or online:

  • Do not perform offline migration involving a keystore that is in use by a running server.

  • Pausing keyring operations during an online migration is accomplished by connecting to the running server and setting its global keyring_operations system variable to OFF before key copying and ON after key copying. This has several implications:

    • keyring_operations was introduced in MySQL 5.7.21, so online migration is possible only if the running server is from MySQL 5.7.21 or higher. If the running server is older, you must stop it, perform an offline migration, and restart it. All migration instructions elsewhere that refer to keyring_operations are subject to this condition.

    • The account used to connect to the running server must have the privileges required to modify keyring_operations. These privileges are ENCRYPTION_KEY_ADMIN in addition to either SYSTEM_VARIABLES_ADMIN or the deprecated SUPER privilege.

    • If an online migration operation exits abnormally (for example, if it is forcibly terminated), it is possible for keyring_operations to remain disabled on the running server, leaving it unable to perform keyring operations. In this case, it may be necessary to connect to the running server and enable keyring_operations manually using this statement:

      SET GLOBAL keyring_operations = ON;

  • Online key migration provides for pausing keyring operations on a single running server. To perform a migration if multiple running servers are using the keystores involved, use the procedure described at Key Migration Involving Multiple Running Servers.

Key Migration Using a Migration Server

A MySQL server becomes a migration server if invoked in a special operational mode that supports key migration. A migration server does not accept client connections. Instead, it runs only long enough to migrate keys, then exits. A migration server reports errors to the console (the standard error output).

A migration server supports these migration types:

  • Migration from one keyring plugin to another.

  • Migration from a keyring plugin to a keyring component. This capability is available as of MySQL 8.0.24. Older servers support only migration from one keyring plugin to another, in which case the parts of these instructions that refer to keyring components do not apply.

A migration server does not support migration from one keyring component to another. For that type of migration, see Key Migration Using the mysql_migrate_keyring Utility.

To perform a key migration operation using a migration server, determine the key migration options required to specify which keyring plugins or components are involved, and whether the migration is offline or online:

  • To indicate the source keyring plugin and the destination keyring plugin or component, specify these options:

    • --keyring-migration-source: The source keyring plugin that manages the keys to be migrated.

    • --keyring-migration-destination: The destination keyring plugin or component to which the migrated keys are to be copied.

    • --keyring-migration-to-component: This option is required if the destination is a keyring component rather than a keyring plugin.

    The --keyring-migration-source and --keyring-migration-destination options signify to the server that it should run in key migration mode. For key migration operations, both options are mandatory. Each plugin or component is specified using the name of its library file, including any platform-specific extension such as .so or .dll. The source and destination must differ, and the migration server must support them both.

  • For an offline migration, no additional key migration options are needed.

  • For an online migration, some running server currently is using the source or destination keystore. To invoke the migration server, specify additional key migration options that indicate how to connect to the running server. This is necessary so that the migration server can connect to the running server and tell it to pause keyring use during the migration operation.

    Use of any of the following options signifies an online migration:

    • --keyring-migration-host: The host where the running server is located. This is always the local host because the migration server can migrate keys only between keystores managed by local plugins and components.

    • --keyring-migration-user, --keyring-migration-password: The account credentials to use to connect to the running server.

    • --keyring-migration-port: For TCP/IP connections, the port number to connect to on the running server.

    • --keyring-migration-socket: For Unix socket file or Windows named pipe connections, the socket file or named pipe to connect to on the running server.

For additional details about the key migration options, see Section 6.4.4.17, “Keyring Command Options”.

Start the migration server with key migration options indicating the source and destination keystores and whether the migration is offline or online, possibly with other options. Keep the following considerations in mind:

  • Other server options might be required, such as configuration parameters for the two keyring plugins. For example, if keyring_file is the source or destination, you must set the keyring_file_data system variable if the keyring data file location is not the default location. Other non-keyring options may be required as well. One way to specify these options is by using --defaults-file to name an option file that contains the required options.

  • The migration server expects path name option values to be full paths. Relative path names may not be resolved as you expect.

  • The user who invokes a server in key-migration mode must not be the root operating system user, unless the --user option is specified with a non-root user name to run the server as that user.

  • The user a server in key-migration mode runs as must have permission to read and write any local keyring files, such as the data file for a file-based plugin.

    If you invoke the migration server from a system account different from that normally used to run MySQL, it might create keyring directories or files that are inaccessible to the server during normal operation. Suppose that mysqld normally runs as the mysql operating system user, but you invoke the migration server while logged in as isabel. Any new directories or files created by the migration server are owned by isabel. Subsequent startup fails when a server run as the mysql operating system user attempts to access file system objects owned by isabel.

    To avoid this issue, start the migration server as the root operating system user and provide a --user=user_name option, where user_name is the system account normally used to run MySQL. Alternatively, after the migration, examine the keyring-related file system objects and change their ownership and permissions if necessary using chown, chmod, or similar commands, so that the objects are accessible to the running server.

Example command line for offline migration between two keyring plugins (enter the command on a single line):

mysqld --defaults-file=/usr/local/mysql/etc/my.cnf
  --keyring-migration-source=keyring_file.so
  --keyring-migration-destination=keyring_encrypted_file.so
  --keyring_encrypted_file_password=password

Example command line for online migration between two keyring plugins:

mysqld --defaults-file=/usr/local/mysql/etc/my.cnf
  --keyring-migration-source=keyring_file.so
  --keyring-migration-destination=keyring_encrypted_file.so
  --keyring_encrypted_file_password=password
  --keyring-migration-host=127.0.0.1
  --keyring-migration-user=root
  --keyring-migration-password=root_password

To perform a migration when the destination is a keyring component rather than a keyring plugin, specify the --keyring-migration-to-component option, and name the component as the value of the --keyring-migration-destination option.

Example command line for offline migration from a keyring plugin to a keyring component:

mysqld --defaults-file=/usr/local/mysql/etc/my.cnf
  --keyring-migration-to-component
  --keyring-migration-source=keyring_file.so
  --keyring-migration-destination=component_keyring_encrypted_file.so

Notice that in this case, no keyring_encrypted_file_password value is specified. The password for the component data file is listed in the component configuration file.

Example command line for online migration from a keyring plugin to a keyring component:

mysqld --defaults-file=/usr/local/mysql/etc/my.cnf
  --keyring-migration-to-component
  --keyring-migration-source=keyring_file.so
  --keyring-migration-destination=component_keyring_encrypted_file.so
  --keyring-migration-host=127.0.0.1
  --keyring-migration-user=root
  --keyring-migration-password=root_password

The key migration server performs a migration operation as follows:

  1. (Online migration only) Connect to the running server using the connection options.

  2. (Online migration only) Disable keyring_operations on the running server.

  3. Load the keyring plugin/component libraries for the source and destination keystores.

  4. Copy keys from the source keystore to the destination.

  5. Unload the keyring plugin/component libraries for the source and destination keystores.

  6. (Online migration only) Enable keyring_operations on the running server.

  7. (Online migration only) Disconnect from the running server.

If an error occurs during key migration, the destination keystore is restored to its premigration state.

After a successful online key migration operation, the running server might need to be restarted:

  • If the running server was using the source keystore before the migration and should continue to use it after the migration, it need not be restarted after the migration.

  • If the running server was using the destination keystore before the migration and should continue to use it after the migration, it should be restarted after the migration to load all keys migrated into the destination keystore.

  • If the running server was using the source keystore before the migration but should use the destination keystore after the migration, it must be reconfigured to use the destination keystore and restarted. In this case, be aware that although the running server is paused from modifying the source keystore during the migration itself, it is not paused during the interval between the migration and the subsequent restart. Care should be taken that the server does not modify the source keystore during this interval because any such changes will not be reflected in the destination keystore.

Key Migration Using the mysql_migrate_keyring Utility

The mysql_migrate_keyring utility migrates keys from one keyring component to another. It does not support migrations involving keyring plugins. For that type of migration, use a MySQL server operating in key migration mode; see Key Migration Using a Migration Server.

To perform a key migration operation using mysql_migrate_keyring, determine the key migration options required to specify which keyring components are involved, and whether the migration is offline or online:

  • To indicate the source and destination keyring components and their location, specify these options:

    • --source-keyring: The source keyring component that manages the keys to be migrated.

    • --destination-keyring: The destination keyring component to which the migrated keys are to be copied.

    • --component-dir: The directory containing keyring component library files. This is typically the value of the plugin_dir system variable for the local MySQL server.

    All three options are mandatory. Each keyring component name is a component library file name specified without any platform-specific extension such as .so or .dll. For example, to use the component for which the library file is component_keyring_file.so, specify the option as --source-keyring=component_keyring_file. The source and destination must differ, and mysql_migrate_keyring must support them both.

  • For an offline migration, no additional options are needed.

  • For an online migration, some running server currently is using the source or destination keystore. In this case, specify the --online-migration option to signify an online migration. In addition, specify connection options indicating how to connect to the running server, so that mysql_migrate_keyring can connect to it and tell it to pause keyring use during the migration operation.

    The --online-migration option is commonly used in conjunction with connection options such as these:

    • --host: The host where the running server is located. This is always the local host because mysql_migrate_keyring can migrate keys only between keystores managed by local components.

    • --user, --password: The account credentials to use to connect to the running server.

    • --port: For TCP/IP connections, the port number to connect to on the running server.

    • --socket: For Unix socket file or Windows named pipe connections, the socket file or named pipe to connect to on the running server.

For descriptions of all available options, see Section 4.6.8, “mysql_migrate_keyring — Keyring Key Migration Utility”.

Start mysql_migrate_keyring with options indicating the source and destination keystores and whether the migration is offline or online, possibly with other options. Keep the following considerations in mind:

  • The user who invokes mysql_migrate_keyring must not be the root operating system user.

  • The user who invokes mysql_migrate_keyring must have permission to read and write any local keyring files, such as the data file for a file-based plugin.

    If you invoke mysql_migrate_keyring from a system account different from that normally used to run MySQL, it might create keyring directories or files that are inaccessible to the server during normal operation. Suppose that mysqld normally runs as the mysql operating system user, but you invoke mysql_migrate_keyring while logged in as isabel. Any new directories or files created by mysql_migrate_keyring are owned by isabel. Subsequent startup fails when a server run as the mysql operating system user attempts to access file system objects owned by isabel.

    To avoid this issue, invoke mysql_migrate_keyring as the mysql operating system user. Alternatively, after the migration, examine the keyring-related file system objects and change their ownership and permissions if necessary using chown, chmod, or similar commands, so that the objects are accessible to the running server.

Suppose that you want to migrate keys from component_keyring_file to component_keyring_encrypted_file, and that the local server stores its keyring component library files in /usr/local/mysql/lib/plugin.

If no running server is using the keyring, an offline migration is permitted. Invoke mysql_migrate_keyring like this (enter the command on a single line):

mysql_migrate_keyring
  --component-dir=/usr/local/mysql/lib/plugin
  --source-keyring=component_keyring_file
  --destination-keyring=component_keyring_encrypted_file

If a running server is using the keyring, you must perform an online migration instead. In this case, the --online-migration option must be given, along with any connection options required to specify which server to connect to and the MySQL account to use.

The following command performs an online migration. It connects to the local server using a TCP/IP connection and the admin account. The command prompts for a password, which you should enter when prompted:

mysql_migrate_keyring
  --component-dir=/usr/local/mysql/lib/plugin
  --source-keyring=component_keyring_file
  --destination-keyring=component_keyring_encrypted_file
  --online-migration --host=127.0.0.1 --user=admin --password

mysql_migrate_keyring performs a migration operation as follows:

  1. (Online migration only) Connect to the running server using the connection options.

  2. (Online migration only) Disable keyring_operations on the running server.

  3. Load the keyring component libraries for the source and destination keystores.

  4. Copy keys from the source keystore to the destination.

  5. Unload the keyring component libraries for the source and destination keystores.

  6. (Online migration only) Enable keyring_operations on the running server.

  7. (Online migration only) Disconnect from the running server.

If an error occurs during key migration, the destination keystore is restored to its premigration state.

After a successful online key migration operation, the running server might need to be restarted:

  • If the running server was using the source keystore before the migration and should continue to use it after the migration, it need not be restarted after the migration.

  • If the running server was using the destination keystore before the migration and should continue to use it after the migration, it should be restarted after the migration to load all keys migrated into the destination keystore.

  • If the running server was using the source keystore before the migration but should use the destination keystore after the migration, it must be reconfigured to use the destination keystore and restarted. In this case, be aware that although the running server is paused from modifying the source keystore during the migration itself, it is not paused during the interval between the migration and the subsequent restart. Care should be taken that the server does not modify the source keystore during this interval because any such changes will not be reflected in the destination keystore.

Key Migration Involving Multiple Running Servers

Online key migration provides for pausing keyring operations on a single running server. To perform a migration if multiple running servers are using the keystores involved, use this procedure:

  1. Connect to each running server manually and set keyring_operations=OFF. This ensures that no running server is using the source or destination keystore and satisfies the required condition for offline migration.

  2. Use a migration server or mysql_migrate_keyring to perform an offline key migration for each paused server.

  3. Connect to each running server manually and set keyring_operations=ON.

All running servers must support the keyring_operations system variable. Any server that does not must be stopped before the migration and restarted after.
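An added example, not from the MySQL manual, that scripts the multi-server procedure above: it pauses keyring operations on every listed server, runs the migration command, and resumes every paused server even when the migration fails or the script is interrupted, which avoids the failure mode described earlier where a server is left with keyring_operations disabled. The mysql client invocation, the per-server connection options and the migration command line are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the MySQL manual: drives the "Key Migration
# Involving Multiple Running Servers" procedure. Every running server is
# paused with keyring_operations=OFF, the offline migration command is run,
# and every paused server is set back to keyring_operations=ON even if the
# migration fails or the script is interrupted, so no server is left unable
# to perform keyring operations.
#
# Assumptions (hypothetical): each line of the first argument holds the
# mysql client connection options for one running server; the remaining
# arguments are the migration command (a migration server or
# mysql_migrate_keyring invocation); the connecting account holds
# ENCRYPTION_KEY_ADMIN plus SYSTEM_VARIABLES_ADMIN.

NL='
'
PAUSED=""   # connection options of the servers paused so far, one per line

set_keyring_operations() {
    # $1: mysql connection options (word-split on purpose), $2: ON or OFF
    mysql $1 -e "SET GLOBAL keyring_operations = $2;"
}

resume_paused() {
    # Re-enable keyring operations on every server recorded in PAUSED.
    # Returns the number of servers that could not be resumed.
    failures=0
    while IFS= read -r conn; do
        [ -n "$conn" ] || continue
        if ! set_keyring_operations "$conn" ON; then
            echo "WARNING: keyring_operations still OFF on: $conn" >&2
            failures=$((failures + 1))
        fi
    done <<EOF
$PAUSED
EOF
    return "$failures"
}

migrate_multi_server() {
    # Returns 0 only if every server was paused, the migration command
    # succeeded and every server was resumed afterwards.
    servers="$1"; shift
    PAUSED=""
    status=0
    trap resume_paused INT TERM HUP   # resume even on an abnormal exit
    while IFS= read -r conn; do
        [ -n "$conn" ] || continue
        if set_keyring_operations "$conn" OFF; then
            PAUSED="${PAUSED}${conn}${NL}"
        else
            echo "ERROR: could not pause keyring operations on: $conn" >&2
            status=1
            break
        fi
    done <<EOF
$servers
EOF
    # Run the migration only when every server is known to be paused;
    # otherwise the required condition for an offline migration is not met.
    if [ "$status" -eq 0 ]; then
        "$@" || { echo "ERROR: migration command failed" >&2; status=1; }
    fi
    resume_paused || status=1
    trap - INT TERM HUP
    return "$status"
}

# Usage (not executed here): two local servers, migration via the utility.
# migrate_multi_server "--port=3306
# --port=3307" mysql_migrate_keyring \
#     --component-dir=/usr/local/mysql/lib/plugin \
#     --source-keyring=component_keyring_file \
#     --destination-keyring=component_keyring_encrypted_file
```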