[test](tde) Add rotate with restart docker cases

Hastyshell · Hastyshell · commit 26e6a8616623 · 2025-09-25T17:25:35.000+08:00
diff --git a/fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/KeyManager.java b/fe/fe-enterprise/src/main/java/org/apache/doris/enterprise/KeyManager.java
@@ -19,6 +19,7 @@
 
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.Config;
+import org.apache.doris.common.util.DebugPointUtil;
 import org.apache.doris.common.util.MasterDaemon;
 import org.apache.doris.encryption.DataKeyMaterial;
 import org.apache.doris.encryption.EncryptionKey;
@@ -38,6 +39,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.HashMap;
@@ -320,15 +322,35 @@ public void rotateRootKey(Map<String, String> properties) {
 
             KeyOperationInfo opInfo = new KeyOperationInfo();
             opInfo.setRootKeyInfo(newRootKeyInfo);
-            List<EncryptionKey> masterKeys = store.getMasterKeys();
+            List<EncryptionKey> masterKeys = new ArrayList<>(store.getMasterKeys());
             for (EncryptionKey masterKey : masterKeys) {
                 byte[] newCiphertext = rootKeyProvider.encrypt(masterKey.plaintext);
                 masterKey.ciphertext = Base64.getEncoder().encodeToString(newCiphertext);
                 masterKey.mtime = System.currentTimeMillis();
                 opInfo.addMasterKey(masterKey);
+
+                if (DebugPointUtil.isEnable("KeyManager.stopAfterOneMasterKeyChanged")) {
+                    // wait a long time here to trigger restart
+                    sleep(100000);
+                }
+            }
+
+            if (DebugPointUtil.isEnable("KeyManager.stopAfterAllMasterKeyChanged")) {
+                sleep(100000);
             }
+
             opInfo.setOpType(KeyOPType.ROTATE_ROOT_KEY);
+
             Env.getCurrentEnv().getEditLog().logOperateKey(opInfo);
+
+            if (DebugPointUtil.isEnable("KeyManager.stopAfterRotateEditLogWritten")) {
+                sleep(100000);
+            }
+
+            store.clearMasterKeys();
+            store.getMasterKeys().addAll(masterKeys);
+        } catch (InterruptedException e) {
+            // ignore, only for debug point
         } finally {
             store.writeUnlock();
         }
diff --git a/regression-test/suites/tde/test_restart_when_rotating.groovy b/regression-test/suites/tde/test_restart_when_rotating.groovy
@@ -0,0 +1,199 @@
+import org.apache.doris.regression.suite.ClusterOptions
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider
+import software.amazon.awssdk.regions.Region
+import software.amazon.awssdk.services.kms.KmsClient
+import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest
+
+suite("test_restart_when_rotating", "docker") {
+    def tdeAlgorithm = ["AES256", "SM4"]
+    def cloudMode = [/*false,*/ true]
+    cloudMode.each { mode ->
+        tdeAlgorithm.each { algorithm ->
+            def options = new ClusterOptions()
+            options.cloudMode = mode
+            options.enableDebugPoints()
+            options.feConfigs += [
+                    'cloud_cluster_check_interval_second=1',
+                    'sys_log_verbose_modules=org',
+                    "doris_tde_key_endpoint=${context.config.tdeKeyEndpoint}",
+                    "doris_tde_key_region=${context.config.tdeKeyRegion}",
+                    "doris_tde_key_provider=${context.config.tdeKeyProvider}",
+                    "doris_tde_algorithm=${algorithm}",
+                    "doris_tde_key_id=${context.config.tdeKeyId}"
+            ]
+            options.tdeAk = context.config.tdeAk
+            options.tdeSk = context.config.tdeSk
+            options.enableDebugPoints()
+
+            docker(options) {
+                def tblName = "test_restart_when_rotating"
+                sql """ DROP TABLE IF EXISTS ${tblName} """
+                sql """
+                CREATE TABLE IF NOT EXISTS ${tblName} (
+                    `k` int NOT NULL,
+                    `v` varchar(10) NOT NULL) 
+                DUPLICATE KEY(`k`)
+                DISTRIBUTED BY HASH(`k`) BUCKETS 8
+                PROPERTIES (
+                    "replication_allocation" = "tag.location.default: 1"
+                )
+                """;
+
+                (1..10).each { i ->
+                    sql """ INSERT INTO ${tblName} VALUES (${i}, "${i}") """
+                }
+                qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+
+                def keys = sql """ SELECT * FROM information_schema.encryption_keys """
+                {
+                    def credProvider = StaticCredentialsProvider.create(
+                            AwsBasicCredentials.create(context.config.tdeAk, context.config.tdeSk)
+                    );
+                    def client = KmsClient.builder()
+                            .region(Region.of(context.config.tdeKeyRegion))
+                            .endpointOverride(URI.create(context.config.tdeKeyEndpoint))
+                            .credentialsProvider(credProvider)
+                            .build();
+
+                    def resp = client.createKey()
+                    def keyId = resp.keyMetadata().keyId()
+                    try {
+                        GetDebugPoint().enableDebugPointForAllFEs("KeyManager.stopAfterOneMasterKeyChanged")
+                        def t = Thread.start {
+                            try {
+                                sql """ ADMIN ROTATE TDE ROOT KEY PROPERTIES(
+                                    "doris_tde_key_provider" = "aws_kms",
+                                    "doris_tde_key_id" = "${keyId}",
+                                    "doris_tde_key_endpoint" = "${context.config.tdeKeyEndpoint}",
+                                    "doris_tde_key_region" = "${context.config.tdeKeyRegion}"
+                                    ) 
+                                """
+                            } catch (Exception ignored) {
+                                // do nothing
+                            }
+                        }
+                        sleep(3000)
+
+                        cluster.restartFrontends()
+                        sleep(30000)
+                        context.reconnectFe()
+
+                        (1..10).each { i ->
+                            sql """ INSERT INTO ${tblName} VALUES (${i}, "${i}") """
+                        }
+                        qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+
+                        def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """
+                        assertEquals(keys[0][6], newKeys[0][6])
+                        keys = newKeys
+                    } finally {
+                        // delete cmk id
+                        def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();
+                        client.scheduleKeyDeletion((ScheduleKeyDeletionRequest) deleteReq)
+                        GetDebugPoint().disableDebugPointForAllFEs("KeyManager.stopAfterOneMasterKeyChanged")
+                    }
+                }
+
+                {
+                    def credProvider = StaticCredentialsProvider.create(
+                            AwsBasicCredentials.create(context.config.tdeAk, context.config.tdeSk)
+                    );
+                    def client = KmsClient.builder()
+                            .region(Region.of(context.config.tdeKeyRegion))
+                            .endpointOverride(URI.create(context.config.tdeKeyEndpoint))
+                            .credentialsProvider(credProvider)
+                            .build();
+
+                    def resp = client.createKey()
+                    def keyId = resp.keyMetadata().keyId()
+                    try {
+                        GetDebugPoint().enableDebugPointForAllFEs("KeyManager.stopAfterAllMasterKeyChanged")
+                        def t = Thread.start {
+                            try {
+                                sql """ ADMIN ROTATE TDE ROOT KEY PROPERTIES(
+                                    "doris_tde_key_provider" = "aws_kms",
+                                    "doris_tde_key_id" = "${keyId}",
+                                    "doris_tde_key_endpoint" = "${context.config.tdeKeyEndpoint}",
+                                    "doris_tde_key_region" = "${context.config.tdeKeyRegion}"
+                                    ) 
+                                """
+                            } catch (Exception ignored) {
+                                // do nothing
+                            }
+                        }
+                        sleep(3000)
+
+                        cluster.restartFrontends()
+                        sleep(30000)
+                        context.reconnectFe()
+
+                        (1..10).each { i ->
+                            sql """ INSERT INTO ${tblName} VALUES (${i}, "${i}") """
+                        }
+                        qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+
+                        def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """
+                        assertEquals(keys[0][6], newKeys[0][6])
+                        keys = newKeys
+                    } finally {
+                        // delete cmk id
+                        def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();
+                        client.scheduleKeyDeletion((ScheduleKeyDeletionRequest) deleteReq)
+                        GetDebugPoint().disableDebugPointForAllFEs("KeyManager.stopAfterAllMasterKeyChanged")
+                    }
+                }
+
+                {
+                    def credProvider = StaticCredentialsProvider.create(
+                            AwsBasicCredentials.create(context.config.tdeAk, context.config.tdeSk)
+                    );
+                    def client = KmsClient.builder()
+                            .region(Region.of(context.config.tdeKeyRegion))
+                            .endpointOverride(URI.create(context.config.tdeKeyEndpoint))
+                            .credentialsProvider(credProvider)
+                            .build();
+
+                    def resp = client.createKey()
+                    def keyId = resp.keyMetadata().keyId()
+                    try {
+                        GetDebugPoint().enableDebugPointForAllFEs("KeyManager.stopAfterRotateEditLogWritten")
+                        def t = Thread.start {
+                            try {
+                                sql """ ADMIN ROTATE TDE ROOT KEY PROPERTIES(
+                                    "doris_tde_key_provider" = "aws_kms",
+                                    "doris_tde_key_id" = "${keyId}",
+                                    "doris_tde_key_endpoint" = "${context.config.tdeKeyEndpoint}",
+                                    "doris_tde_key_region" = "${context.config.tdeKeyRegion}"
+                                    ) 
+                                """
+                            } catch (Exception ignored) {
+                                // do nothing
+                            }
+                        }
+                        sleep(3000)
+
+                        cluster.restartFrontends()
+                        sleep(30000)
+                        context.reconnectFe()
+
+                        (1..10).each { i ->
+                            sql """ INSERT INTO ${tblName} VALUES (${i}, "${i}") """
+                        }
+                        qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+
+                        def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """
+                        assertNotEquals(keys[0][6], newKeys[0][6])
+                    } finally {
+                        // delete cmk id
+                        def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();
+                        client.scheduleKeyDeletion((ScheduleKeyDeletionRequest) deleteReq)
+                        GetDebugPoint().disableDebugPointForAllFEs("KeyManager.stopAfterRotateEditLogWritten")
+                    }
+                }
+
+                qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+            }
+        }
+    }
+}
diff --git a/regression-test/suites/tde/test_rotate_root_key.groovy b/regression-test/suites/tde/test_rotate_root_key.groovy
@@ -81,6 +81,8 @@ suite("test_rotate_root_key", "docker") {
                     exception("unknown properties")
                 }
 
+                def keys = sql """ SELECT * FROM information_schema.encryption_keys """
+
                 (1..10).each { i ->
                     sql """ INSERT INTO ${tblName} VALUES (${i}, "${i}") """
                 }
@@ -121,6 +123,9 @@ suite("test_rotate_root_key", "docker") {
                         }
 
                         qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+                        def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """
+                        assertNotEquals(keys[0][6], newKeys[0][6])
+                        keys = newKeys
                     } finally {
                         // delete cmk id
                         def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();
@@ -153,12 +158,15 @@ suite("test_rotate_root_key", "docker") {
                         }
 
                         qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
+                        def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """
+                        assertNotEquals(keys[0][6], newKeys[0][6])
                     } finally {
                         // delete cmk id
                         def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();
                         client.scheduleKeyDeletion((ScheduleKeyDeletionRequest) deleteReq)
                     }
                 }
+                cluster.restartBackends()
                 cluster.restartFrontends()
                 sleep(30000)
                 context.reconnectFe()

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,8 @@ suite("test_rotate_root_key", "docker") {`
`81`	`81`	`exception("unknown properties")`
`82`	`82`	`}`
`83`	`83`
	`84`	`+ def keys = sql """ SELECT * FROM information_schema.encryption_keys """`
	`85`	`+`
`84`	`86`	`(1..10).each { i ->`
`85`	`87`	`sql """ INSERT INTO ${tblName} VALUES (${i}, "${i}") """`
`86`	`88`	`}`
`@@ -121,6 +123,9 @@ suite("test_rotate_root_key", "docker") {`
`121`	`123`	`}`
`122`	`124`
`123`	`125`	qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
	`126`	`+ def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """`
	`127`	`+ assertNotEquals(keys[0][6], newKeys[0][6])`
	`128`	`+ keys = newKeys`
`124`	`129`	`} finally {`
`125`	`130`	`// delete cmk id`
`126`	`131`	`def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();`
`@@ -153,12 +158,15 @@ suite("test_rotate_root_key", "docker") {`
`153`	`158`	`}`
`154`	`159`
`155`	`160`	qt_sql """ SELECT * FROM ${tblName} ORDER BY `k` """
	`161`	`+ def newKeys = sql """ SELECT * FROM information_schema.encryption_keys """`
	`162`	`+ assertNotEquals(keys[0][6], newKeys[0][6])`
`156`	`163`	`} finally {`
`157`	`164`	`// delete cmk id`
`158`	`165`	`def deleteReq = ScheduleKeyDeletionRequest.builder().keyId(keyId).build();`
`159`	`166`	`client.scheduleKeyDeletion((ScheduleKeyDeletionRequest) deleteReq)`
`160`	`167`	`}`
`161`	`168`	`}`
	`169`	`+ cluster.restartBackends()`
`162`	`170`	`cluster.restartFrontends()`
`163`	`171`	`sleep(30000)`
`164`	`172`	`context.reconnectFe()`