Chapter 6 Security

6.4.4.2 Keyring Component Installation钥匙圈组件安装

~~Keyring service consumers require that a keyring component or plugin be installed:~~钥匙圈服务消费者要求安装钥匙圈组件或插件：

~~To use a keyring component, begin with the instructions here.~~要使用钥匙圈组件，请从这里的说明开始。
~~To use a keyring plugin instead, begin with Section 6.4.4.3, “Keyring Plugin Installation”.~~要使用钥匙圈插件，请从第6.4.4.3节，“钥匙圈插件安装”开始。
If you intend to use keyring functions in conjunction with the chosen keyring component or plugin, install the functions after installing that component or plugin, using the instructions in Section 6.4.4.14, “General-Purpose Keyring Key-Management Functions”.如果您打算将钥匙圈功能与所选的钥匙圈组件或插件结合使用，请在安装该组件或插件后，按照第6.4.4.14节，“通用钥匙圈钥匙管理功能”中的说明安装这些功能。

~~Note~~注意

~~Only one keyring component or plugin should be enabled at a time. Enabling multiple keyring components or plugins is unsupported and results may not be as anticipated.~~一次只能启用一个密钥环组件或插件。不支持启用多个密钥环组件或插件，结果可能与预期不符。

~~MySQL provides these keyring component choices:~~MySQL提供了以下密钥环组件选项：

component_keyring_file~~: Stores keyring data in a file local to the server host. Available in MySQL Community Edition and MySQL Enterprise Edition distributions.~~：将密钥环数据存储在服务器主机本地的文件中。提供MySQL社区版和MySQL企业版发行版。
component_keyring_encrypted_file~~: Stores keyring data in an encrypted, password-protected file local to the server host. Available in MySQL Enterprise Edition distributions.~~：将密钥环数据存储在服务器主机本地的加密、密码保护的文件中。在MySQL企业版发行版中可用。

~~To be usable by the server, the component library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable).~~ 为了让服务器使用，组件库文件必须位于MySQL插件目录（由plugin_dir系统变量命名的目录）中。~~If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.~~如有必要，在服务器启动时通过设置plugin_dir的值来配置插件目录位置。

~~A keyring component or plugin must be loaded early during the server startup sequence so that other components can access it as necessary during their own initialization.~~ 必须在服务器启动序列的早期加载密钥环组件或插件，以便其他组件在初始化过程中可以根据需要访问它。~~For example, the InnoDB storage engine uses the keyring for tablespace encryption, so a keyring component or plugin must be loaded and available prior to InnoDB initialization.~~例如，InnoDB存储引擎使用密钥环进行表空间加密，因此必须在InnoDB初始化之前加载密钥环组件或插件并使其可用。

~~Unlike keyring plugins, keyring components are not loaded using the --early-plugin-load server option or configured using system variables.~~ 与密钥环插件不同，密钥环组件不是使用--early-plugin-load服务器选项加载的，也不是使用系统变量配置的。Instead, the server determines which keyring component to load during startup using a manifest, and the loaded component consults its own configuration file when it initializes. Therefore, to install a keyring component, you must:相反，服务器使用清单确定在启动过程中加载哪个密钥环组件，加载的组件在初始化时查询自己的配置文件。因此，要安装钥匙圈组件，您必须：

~~Write a manifest that tells the server which keyring component to load.~~编写一个清单，告诉服务器要加载哪个密钥环组件。
~~Write a configuration file for that keyring component.~~为该钥匙圈组件编写一个配置文件。

The first step in installing a keyring component is writing a manifest that indicates which component to load. During startup, the server reads either a global manifest file, or a global manifest file paired with a local manifest file:安装钥匙圈组件的第一步是编写一个清单，指示要加载哪个组件。在启动期间，服务器读取全局清单文件或与本地清单文件配对的全局清单文件：

~~The server attempts to read its global manifest file from the directory where the server is installed.~~服务器尝试从安装服务器的目录中读取其全局清单文件。
~~If the global manifest file indicates use of a local manifest file, the server attempts to read its local manifest file from the data directory.~~如果全局清单文件指示使用本地清单文件，则服务器会尝试从数据目录读取其本地清单文件。
~~Although global and local manifest files are located in different directories, the file name is mysqld.my in both locations.~~尽管全局和本地清单文件位于不同的目录中，但这两个位置的文件名都是mysqld.my。
~~It is not an error for a manifest file not to exist. In this case, the server attempts no component loading associated with the file.~~清单文件不存在不是错误。在这种情况下，服务器不会尝试加载与文件关联的组件。

Local manifest files permit setting up component loading for multiple instances of the server, such that loading instructions for each server instance are specific to a given data directory instance. This enables different MySQL instances to use different keyring components.本地清单文件允许为服务器的多个实例设置组件加载，这样每个服务器实例的加载指令都特定于给定的数据目录实例。这使得不同的MySQL实例能够使用不同的密钥环组件。

~~Server manifest files have these properties:~~服务器清单文件具有以下属性：

~~A manifest file must be in valid JSON format.~~清单文件必须采用有效的JSON格式。
~~A manifest file permits these items:~~清单文件允许这些项目：
- "read_local_manifest"~~: This item is permitted only in the global manifest file. If the item is not present, the server uses only the global manifest file.~~ ：此项目仅允许在全局清单文件中使用。如果该项不存在，服务器将仅使用全局清单文件。~~If the item is present, its value is true or false, indicating whether the server should read component-loading information from the local manifest file.~~如果该项存在，则其值为true或false，指示服务器是否应从本地清单文件读取组件加载信息。
  
  ~~If the "read_local_manifest" item is present in the global manifest file along with other items, the server checks the "read_local_manifest" item value first:~~如果"read_local_manifest"项与其他项一起出现在全局清单文件中，服务器将首先检查"read_local_manifest"项的值：
  - ~~If the value is false, the server processes the other items in the global manifest file and ignores the local manifest file.~~如果该值为false，服务器将处理全局清单文件中的其他项目，并忽略本地清单文件。
  - ~~If the value is true, the server ignores the other items in the global manifest file and attempts to read the local manifest file.~~如果该值为true，服务器将忽略全局清单文件中的其他项目，并尝试读取本地清单文件。
- "components"~~: This item indicates which component to load.~~ ：此项指示要加载哪个组件。~~The item value is a string that specifies a valid component URN, such as "file://component_keyring_file".~~ 项目值是一个指定有效组件URN的字符串，例如"file://component_keyring_file"。~~A component URN begins with file:// and indicates the base name of the library file located in the MySQL plugin directory that implements the component.~~组件URN以file://开头，表示实现该组件的MySQL插件目录中的库文件的基本名称。
~~Server access to a manifest file should be read only.~~ 对清单文件的服务器访问应该是只读的。~~For example, a mysqld.my server manifest file may be owned by root and be read/write to root, but should be read only to the account used to run the MySQL server.~~ 例如，mysqld.my服务器清单文件可能由root拥有，并且可以对root进行读/写操作，但应该只对用于运行MySQL服务器的帐户进行读操作。~~If the manifest file is found during startup to be read/write to that account, the server writes a warning to the error log suggesting that the file be made read only.~~如果在启动过程中发现清单文件要对该帐户进行读/写操作，服务器会在错误日志中写入警告，建议将该文件设置为只读。
The database administrator has the responsibility for creating any manifest files to be used, and for ensuring that their access mode and contents are correct. If an error occurs, server startup fails and the administrator must correct any issues indicated by diagnostics in the server error log.数据库管理员有责任创建要使用的任何清单文件，并确保其访问模式和内容正确。如果发生错误，服务器启动失败，管理员必须纠正服务器错误日志中诊断指示的任何问题。

Given the preceding manifest file properties, to configure the server to load component_keyring_file, create a global manifest file named mysqld.my in the mysqld installation directory, and optionally create a local manifest file, also named mysqld.my, in the data directory. 给定前面的清单文件属性，要配置服务器加载component_keyring_file，请在mysqld安装目录中创建一个名为mysqld.my的全局清单文件，并在数据目录中可选地创建一个本地清单文件，也名为mysqld.my。~~The following instructions describe how to load component_keyring_file.~~ 以下说明描述了如何加载component_keyring_file。~~To load a different keyring component, substitute its name for component_keyring_file.~~要加载其他密钥环组件，请将其名称替换为component_keyring_file。

~~To use a global manifest file only, the file contents look like this:~~要仅使用全局清单文件，文件内容如下：
```
{
  "components": "file://component_keyring_file"
}
```
~~Create this file in the directory where mysqld is installed.~~在安装mysqld的目录中创建此文件。
~~Alternatively, to use a global and local manifest file pair, the global file looks like this:~~或者，要使用全局和本地清单文件对，全局文件看起来像这样：
```
{
  "read_local_manifest": true
}
```
~~Create this file in the directory where mysqld is installed.~~在安装mysqld的目录中创建此文件。

~~The local file looks like this:~~本地文件看起来像这样：
```
{
  "components": "file://component_keyring_file"
}
```
~~Create this file in the data directory.~~在数据目录中创建此文件。

~~With the manifest in place, proceed to configuring the keyring component. To do this, check the notes for your chosen keyring component for configuration instructions specific to that component:~~清单就绪后，继续配置钥匙圈组件。为此，请查看所选钥匙圈组件的注释，了解该组件的特定配置说明：

component_keyring_file~~: Section 6.4.4.4, “Using the component_keyring_file File-Based Keyring Component”.~~：第6.4.4.4节，“使用基于component_keyring_file文件的密钥环组件”。
component_keyring_encrypted_file~~: Section 6.4.4.5, “Using the component_keyring_encrypted_file Encrypted File-Based Keyring Component”.~~：第6.4.4.5节，“使用基于component_keyring_encrypted_file加密文件的密钥环组件”。

~~After performing any component-specific configuration, start the server.~~ 执行任何特定于组件的配置后，启动服务器。~~Verify component installation by examining the Performance Schema keyring_component_status table:~~通过检查性能架构keyring_component_status表验证组件安装：

mysql> SELECT * FROM performance_schema.keyring_component_status;
+---------------------+-------------------------------------------------+
| STATUS_KEY          | STATUS_VALUE                                    |
+---------------------+-------------------------------------------------+
| Component_name      | component_keyring_file                          |
| Author              | Oracle Corporation                              |
| License             | GPL                                             |
| Implementation_name | component_keyring_file                          |
| Version             | 1.0                                             |
| Component_status    | Active                                          |
| Data_file           | /usr/local/mysql/keyring/component_keyring_file |
| Read_only           | No                                              |
+---------------------+-------------------------------------------------+

~~A Component_status value of Active indicates that the component initialized successfully.~~Component_status值为Active表示组件已成功初始化。

~~If the component cannot be loaded, server startup fails. Check the server error log for diagnostic messages.~~ 如果无法加载组件，则服务器启动失败。检查服务器错误日志中的诊断消息。~~If the component loads but fails to initialize due to configuration problems, the server starts but the Component_status value is Disabled.~~ 如果组件加载但由于配置问题而无法初始化，则服务器将启动，但component_status值为Disabled。~~Check the server error log, correct the configuration issues, and use the ALTER INSTANCE RELOAD KEYRING statement to reload the configuration.~~检查服务器错误日志，更正配置问题，并使用ALTER INSTANCE RELOAD KEYRING语句重新加载配置。

~~Keyring components should be loaded only by using a manifest file, not by using the INSTALL COMPONENT statement.~~ 密钥环组件只能使用清单文件加载，而不能使用INSTALL COMPONENT语句加载。Keyring components loaded using that statement may be available too late in the server startup sequence for certain components that use the keyring, such as InnoDB, because they are registered in the mysql.component system table and loaded automatically for subsequent server restarts. 对于某些使用密钥环的组件（如InnoDB），使用该语句加载的密钥环组件可能在服务器启动序列中太晚才可用，因为它们已在mysql.component系统表中注册，并在后续服务器重启时自动加载。~~But mysql.component is an InnoDB table, so any components named in it can be loaded during startup only after InnoDB initialization.~~但是mysql.component是一个InnoDB表，因此其中命名的任何组件只能在InnoDB初始化后在启动期间加载。

~~If no keyring component or plugin is available when a component tries to access the keyring service, the service cannot be used by that component.~~ 如果组件尝试访问密钥环服务时没有可用的密钥环组件或插件，则该组件无法使用该服务。~~As a result, the component may fail to initialize or may initialize with limited functionality.~~ 因此，组件可能无法初始化，或者初始化时功能有限。For example, if InnoDB finds that there are encrypted tablespaces when it initializes, it attempts to access the keyring. If the keyring is unavailable, InnoDB can access only unencrypted tablespaces.例如，如果InnoDB在初始化时发现有加密的表空间，它会尝试访问密钥环。如果密钥环不可用，InnoDB只能访问未加密的表区域。