PS-9771 fix of component_keyring_kmip test fro useage with PyKMIP docker

lukin-oleksiy · lukin-oleksiy · commit f629286814e5 · 2025-07-25T09:32:46.000+03:00
https://perconadev.atlassian.net/browse/PS-9771 Tests results updated to pass with PyKMIP docker image from https://github.com/Percona-Lab/pxb-jenkins-images; README added to de-mystify KMIP tests; No cleanup after KMIP tests, we use new docker every time. The KMIP keyring backend now checks connexction during initialization, reports error and fails if connection is not successful.
diff --git a/components/keyrings/keyring_kmip/backend/backend.cc b/components/keyrings/keyring_kmip/backend/backend.cc
@@ -46,7 +46,19 @@ using keyring_common::utils::get_random_data;
 
 Keyring_kmip_backend::Keyring_kmip_backend(config::Config_pod const &config)
     : valid_(false), config_(config) {
-  valid_ = true;
+  // check network connection before declaring valid
+  try {
+    auto ctx = kmip_ctx();
+    valid_ = true;
+  } catch (std::exception const &e) {
+    valid_ = false;
+    std::string err_msg =
+        "Can not connect to KMIP server. Config: " + config_.server_addr + " " +
+        config_.server_port + " " + config_.client_ca + " " +
+        config_.client_key + " " + config_.server_ca + " " +
+        "Exception:" + e.what();
+    LogComponentErr(ERROR_LEVEL, ER_LOG_PRINTF_MSG, err_msg.c_str());
+  }
 }
 
 bool Keyring_kmip_backend::load_cache(
diff --git a/mysql-test/std_data/kmip_clear.py b/mysql-test/std_data/kmip_clear.py
diff --git a/mysql-test/suite/component_keyring_kmip/README.md b/mysql-test/suite/component_keyring_kmip/README.md
@@ -0,0 +1,37 @@
+## HOW TO run KMIP test suite
+
+The [PyKMIP](https://github.com/OpenKMIP/PyKMIP) server is used to run this test suite. It could be run locally or in the Docker. The source of the docker  image is [here](https://github.com/Percona-Lab/pxb-jenkins-images).
+
+This is simple script to run this image:
+```
+#!/bin/bash
+CERTS_DIR=/tmp/certs
+docker stop kmip
+docker run -d --security-opt seccomp=unconfined --cap-add=NET_ADMIN --rm -p 5696:5696  --name kmip satyapercona/kmip:latest
+mkdir /tmp/certs
+docker cp kmip:/opt/certs/root_certificate.pem $CERTS_DIR/vault-kmip-ca.pem
+docker cp kmip:/opt/certs/client_key_jane_doe.pem $CERTS_DIR/mysql-client-key.pem
+docker cp kmip:/opt/certs/client_certificate_jane_doe.pem $CERTS_DIR/mysql-client-cert.pem
+```
+
+Please note, that certificates and keys are copied to the certain location and renamed.This is important, because some tests from the suite are sensitive to that names.
+
+Before running the test suite, the following environment variables should be exported:
+
+```
+CERTS_DIR=/tmp/certs
+export  KMIP_ADDR="127.0.0.1"
+export  KMIP_PORT="5696"
+export  KMIP_CLIENT_CA="$CERTS_DIR/mysql-client-cert.pem"
+export  KMIP_CLIENT_KEY="$CERTS_DIR/mysql-client-key.pem"
+export  KMIP_SERVER_CA="$CERTS_DIR/vault-kmip-ca.pem"
+```
+Now you can run KMIP keyring tests:
+
+```
+./mtr --big-test --suite component_keyring_kmip
+```
+If you want to run the test with other KMIP server, please note the following:
+1. Copy keys and certificates to ```/tmp/certs``` directory with names as above and export variables.
+2. Some servers does not support RSA-512 keys used by all keyring tests, so you can have some failing tests.
+3. To setup KMIP servers, please refer to [this document](https://www.notion.so/percona/KMIP-Testing-1fb674d091f3809cbfbdf31369e22d35).
diff --git a/mysql-test/suite/component_keyring_kmip/inc/setup_component.inc b/mysql-test/suite/component_keyring_kmip/inc/setup_component.inc
@@ -22,7 +22,7 @@
 
 # Create local keyring config
 --let KEYRING_KMIP_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_kmip')`
---let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_KMIP_PATH', '\", \"server_addr\": \"', '$KMIP_ADDR', '\", \"server_port\": \"', '$KMIP_PORT', '\", \"client_ca\": \"', '$KMIP_CLIENT_CA', '\", \"client_key\": \"', '$KMIP_CLIENT_KEY', '\", \"server_ca\": \"', '$KMIP_SERVER_CA', '\" }')`
+--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_KMIP_PATH', '\", \"server_addr\": \"', '$KMIP_ADDR', '\", \"server_port\": \"', '$KMIP_PORT', '\", \"client_ca\": \"', '$KMIP_CLIENT_CA', '\", \"client_key\": \"', '$KMIP_CLIENT_KEY', '\", \"server_ca\": \"', '$KMIP_SERVER_CA', '\", \"object_group\": \"', 'test-object-group', '\" }')`
 --source include/keyring_tests/helper/local_keyring_create_config.inc
 
 # Create local manifest file for current server instance
diff --git a/mysql-test/suite/component_keyring_kmip/inc/setup_component_customized.inc b/mysql-test/suite/component_keyring_kmip/inc/setup_component_customized.inc
@@ -14,7 +14,7 @@
 
 # Create global keyring config
 --let KEYRING_KMIP_PATH = `SELECT CONCAT( '$MYSQLTEST_VARDIR', '/keyring_kmip')`
---let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_KMIP_PATH','\", \"server_addr\": \"127.0.0.1\", \"server_port\": \"5696\", \"client_ca\": \"/home/dutow/.local/etc/pykmip/client_certificate_jane_doe.pem\", \"client_key\":\"/home/dutow/.local/etc/pykmip/client_key_jane_doe.pem\", \"server_ca\":\"/home/dutow/.local/etc/pykmip/root_certificate.pem\" }')`
+--let KEYRING_CONFIG_CONTENT = `SELECT CONCAT('{ \"path\": \"', '$KEYRING_KMIP_PATH','\", \"server_addr\": \"127.0.0.1\", \"server_port\": \"5696\", \"client_ca\": \"/tmp/certs/mysql-client-cert.pem\", \"client_key\":\"/tmp/certs/mysql-client-key.pem\", \"server_ca\":\"/tmp/certs/vault-kmip-ca.pem\" }')`
 --source include/keyring_tests/helper/global_keyring_create_customized_config.inc
 
 # Restart server with manifest file 
diff --git a/mysql-test/suite/component_keyring_kmip/inc/teardown_component.inc b/mysql-test/suite/component_keyring_kmip/inc/teardown_component.inc
@@ -17,5 +17,3 @@
 # Restart server without manifest file
 --source include/keyring_tests/helper/cleanup_server_with_manifest.inc
 --echo # ----------------------------------------------------------------------
-
---exec python std_data/kmip_clear.py
diff --git a/mysql-test/suite/component_keyring_kmip/t/import_compress_encrypt.result b/mysql-test/suite/component_keyring_kmip/t/import_compress_encrypt.result
@@ -30,16 +30,16 @@ SELECT c1, HEX(SUBSTRING(c2, 10, 10)), HEX(SUBSTRING(c3, 10, 10)),
 HEX(SUBSTRING(c4, 10, 10)), HEX(b)
 FROM t1 ORDER BY c1 limit 10;
 c1	HEX(SUBSTRING(c2, 10, 10))	HEX(SUBSTRING(c3, 10, 10))	HEX(SUBSTRING(c4, 10, 10))	HEX(b)
-50001	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50002	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50003	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50004	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50005	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50006	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50007	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50008	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50009	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50010	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
+50001	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50002	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50003	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50004	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50005	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50006	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50007	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50008	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50009	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50010	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
 # Flush tables for export
 FLUSH TABLES t1 FOR EXPORT;
 # Copy .cfp .cfg .ibd file to temp
@@ -59,16 +59,16 @@ ALTER TABLE t1 IMPORT TABLESPACE;
 SELECT c1, HEX(SUBSTRING(c2, 10, 10)), HEX(SUBSTRING(c3, 10, 10)),
 HEX(SUBSTRING(c4, 10, 10)), HEX(b) FROM t1 ORDER BY c1 limit 10;
 c1	HEX(SUBSTRING(c2, 10, 10))	HEX(SUBSTRING(c3, 10, 10))	HEX(SUBSTRING(c4, 10, 10))	HEX(b)
-50001	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50002	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50003	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50004	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50005	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50006	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50007	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50008	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50009	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
-50010	066C8ADC3EC72175CA77	6C8ADC3EC72175CA77CE	77CEF1FBCA5BFE739000	A
+50001	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50002	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50003	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50004	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50005	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50006	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50007	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50008	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50009	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
+50010	51AB8660A7143704DEA7	AB8660A7143704DEA78C	A78C87578839E440B5B3	A
 # Cleanup
 DROP TABLE t1;
 
diff --git a/mysql-test/suite/component_keyring_kmip/t/keyring_component_status.result b/mysql-test/suite/component_keyring_kmip/t/keyring_component_status.result
@@ -20,10 +20,10 @@ Version	1.0
 Component_status	Active
 Server_addr	127.0.0.1
 Server_port	5696
-Client_ca	/home/dutow/.local/etc/pykmip/client_certificate_jane_doe.pem
-Client_key	/home/dutow/.local/etc/pykmip/client_key_jane_doe.pem
-Server_ca	/home/dutow/.local/etc/pykmip/root_certificate.pem
-Object_group	<NONE>
+Client_ca	/tmp/certs/mysql-client-cert.pem
+Client_key	/tmp/certs/mysql-client-key.pem
+Server_ca	/tmp/certs/vault-kmip-ca.pem
+Object_group	test-object-group
 SELECT PRIO, ERROR_CODE, SUBSYSTEM, DATA FROM performance_schema.error_log WHERE ERROR_CODE='MY-013712';
 PRIO	ERROR_CODE	SUBSYSTEM	DATA
 # Restarting server without keyring component
diff --git a/mysql-test/suite/component_keyring_kmip/t/log_encrypt_3.result b/mysql-test/suite/component_keyring_kmip/t/log_encrypt_3.result
@@ -11,11 +11,11 @@ USE tde_db;
 # Kill the server
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 SET GLOBAL innodb_redo_log_encrypt = 1;
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
 INSERT INTO t1 (a, b) VALUES (1, REPEAT('a', 6*512*512));
 SELECT a,LEFT(b,10) FROM tde_db.t1;
@@ -30,7 +30,7 @@ a	LEFT(b,10)
 SET GLOBAL innodb_redo_log_encrypt = 0;
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-OFF
+0
 CREATE TABLE tde_db.t3 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
 INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512));
 SELECT a,LEFT(b,10) FROM tde_db.t3;
@@ -59,7 +59,7 @@ a	LEFT(b,10)
 DROP TABLE tde_db.t1,tde_db.t2,tde_db.t3,tde_db.t4;
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 CREATE TABLE tde_db.t1 (a BIGINT PRIMARY KEY, b LONGBLOB) ENGINE=InnoDB;
 CREATE TABLE tde_db.t2 (a BIGINT PRIMARY KEY, b LONGBLOB)
 ENCRYPTION='Y' ENGINE=InnoDB;
@@ -91,7 +91,7 @@ START TRANSACTION;
 SET GLOBAL innodb_redo_log_encrypt = 0;
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-OFF
+0
 INSERT INTO t3 (a, b) VALUES (1, REPEAT('a', 6*512*512));
 INSERT INTO t4 (a, b) VALUES (1, REPEAT('a', 6*512*512));
 SELECT a,LEFT(b,10) FROM tde_db.t3;
@@ -127,7 +127,7 @@ a	LEFT(b,10)
 SET GLOBAL innodb_redo_log_encrypt = 0;
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-OFF
+0
 ALTER INSTANCE ROTATE INNODB MASTER KEY;
 SELECT a,LEFT(b,10) FROM tde_db.t1;
 a	LEFT(b,10)
@@ -144,7 +144,7 @@ a	LEFT(b,10)
 SET GLOBAL innodb_redo_log_encrypt = 1;
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 ALTER INSTANCE ROTATE INNODB MASTER KEY;
 SELECT a,LEFT(b,10) FROM tde_db.t1;
 a	LEFT(b,10)
@@ -164,12 +164,12 @@ FLUSH PRIVILEGES;
 # In connection 1 - with encryptnonprivuser
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 SET GLOBAL innodb_redo_log_encrypt = 0;
 ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 SET GLOBAL innodb_undo_log_encrypt = 0;
 ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
 SELECT @@global.innodb_undo_log_encrypt ;
@@ -179,7 +179,7 @@ SET GLOBAL innodb_redo_log_encrypt = 1;
 ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
 SELECT @@global.innodb_redo_log_encrypt ;
 @@global.innodb_redo_log_encrypt
-ON
+1
 SET GLOBAL innodb_undo_log_encrypt = 1;
 ERROR 42000: Access denied; you need (at least one of) the SUPER or SYSTEM_VARIABLES_ADMIN privilege(s) for this operation
 SELECT @@global.innodb_undo_log_encrypt ;
diff --git a/mysql-test/suite/component_keyring_kmip/t/tablespace_encrypt_3.result b/mysql-test/suite/component_keyring_kmip/t/tablespace_encrypt_3.result
@@ -52,10 +52,10 @@ events_stages_history	YES
 events_stages_history_long	YES
 SELECT * FROM performance_schema.setup_instruments
 WHERE NAME LIKE "%encryption%";
-NAME	ENABLED	TIMED	PROPERTIES	VOLATILITY	DOCUMENTATION
-wait/synch/mutex/innodb/resume_encryption_cond_mutex	YES	YES		0	NULL
-wait/synch/cond/innodb/resume_encryption_cond	YES	YES		0	NULL
-stage/innodb/alter tablespace (encryption)	YES	YES	progress	0	NULL
+NAME	ENABLED	TIMED	PROPERTIES	FLAGS	VOLATILITY	DOCUMENTATION
+wait/synch/mutex/innodb/resume_encryption_cond_mutex	YES	YES		NULL	0	NULL
+wait/synch/cond/innodb/resume_encryption_cond	YES	YES		NULL	0	NULL
+stage/innodb/alter tablespace (encryption)	YES	YES	progress	NULL	0	NULL
 select count(*) from performance_schema.events_stages_current
 WHERE EVENT_NAME='stage/innodb/alter tablespace (encryption)';
 count(*)
