6.4.4.3 Keyring Plugin Installation

Keyring service consumers require that a keyring component or plugin be installed:

Note

Only one keyring component or plugin should be enabled at a time. Enabling multiple keyring components or plugins is unsupported and results may not be as anticipated.

MySQL provides these keyring plugin choices:

To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.

A keyring component or plugin must be loaded early during the server startup sequence so that other components can access it as necessary during their own initialization. For example, the InnoDB storage engine uses the keyring for tablespace encryption, so a keyring component or plugin must be loaded and available prior to InnoDB initialization.

Installation for each keyring plugin is similar. The following instructions describe how to install keyring_file. To use a different keyring plugin, substitute its name for keyring_file.

The keyring_file plugin library file base name is keyring_file. The file name suffix differs per platform (for example, .so for Unix and Unix-like systems, .dll for Windows).

To load the plugin, use the --early-plugin-load option to name the plugin library file that contains it. For example, on platforms where the plugin library file suffix is .so, use these lines in the server my.cnf file, adjusting the .so suffix for your platform as necessary:

[mysqld]
early-plugin-load=keyring_file.so

Before starting the server, check the notes for your chosen keyring plugin for configuration instructions specific to that plugin:

After performing any plugin-specific configuration, start the server. Verify plugin installation by examining the INFORMATION_SCHEMA.PLUGINS table or using the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';
+--------------+---------------+
| PLUGIN_NAME  | PLUGIN_STATUS |
+--------------+---------------+
| keyring_file | ACTIVE        |
+--------------+---------------+

If the plugin fails to initialize, check the server error log for diagnostic messages.

Plugins can be loaded by methods other than --early-plugin-load, such as the --plugin-load or --plugin-load-add option or the INSTALL PLUGIN statement. However, keyring plugins loaded using those methods may be available too late in the server startup sequence for certain components that use the keyring, such as InnoDB:

If no keyring component or plugin is available when a component tries to access the keyring service, the service cannot be used by that component. As a result, the component may fail to initialize or may initialize with limited functionality. For example, if InnoDB finds that there are encrypted tablespaces when it initializes, it attempts to access the keyring. If the keyring is unavailable, InnoDB can access only unencrypted tablespaces. To ensure that InnoDB can access encrypted tablespaces as well, use --early-plugin-load to load the keyring plugin.
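
The two misconfigurations this section warns about (a keyring plugin loaded by --plugin-load or --plugin-load-add instead of --early-plugin-load, and more than one keyring plugin enabled) can be checked in an option file before the server is started. The following audit script is an added example, not part of the MySQL manual or distribution; the function name, finding codes, and sample option file are constructed for illustration, and it inspects only the [mysqld] group of a single file.

```python
import re

EARLY = "early-plugin-load"
LATE = ("plugin-load", "plugin-load-add")  # processed after early-plugin-load

def audit_keyring_loading(cnf_text):
    """Return (code, detail) findings for the [mysqld] group of an option file."""
    section, early, late = None, set(), set()
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower().replace("_", "-")  # dashes and underscores are equivalent
        # The value is a semicolon-separated list of "library" or "name=library".
        libs = (e.split("=")[-1].strip() for e in value.strip("'\"").split(";"))
        keyrings = {lib.split(".")[0] for lib in libs if lib.startswith("keyring")}
        # Repeated options are unioned here, a conservative simplification.
        if key == EARLY:
            early |= keyrings
        elif key in LATE:
            late |= keyrings
    findings = []
    if late - early:
        findings.append(("late-load", ", ".join(sorted(late - early))))
    if len(early | late) > 1:
        findings.append(("multiple-keyrings", ", ".join(sorted(early | late))))
    return findings

# Constructed sample: one keyring loaded too late, and two keyrings enabled.
SAMPLE_CNF = """
[client]
port=3306
[mysqld]
early_plugin_load=keyring_file.so
plugin-load-add=keyring_encrypted_file=keyring_encrypted_file.so
"""

if __name__ == "__main__":
    for code, detail in audit_keyring_loading(SAMPLE_CNF):
        print(f"{code}: {detail}")
```

A clean result from this check does not replace the INFORMATION_SCHEMA.PLUGINS query shown above, which confirms that the plugin actually reached ACTIVE status on the running server.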