authorLingxian Kong <anlin.kong@gmail.com>2020-10-29 10:55:22 +1300
committerLingxian Kong <anlin.kong@gmail.com>2020-10-29 23:19:03 +1300
commitbd2b256a377a5648586ec4a5d51edd58dd88a620 (patch)
treea101d3b1c6c2c53ba9afa71db1bd9cf43890628b /backup
parent69c8467854795fd3a01d3fd0865aceb2c1806219 (diff)
downloadtrove-bd2b256a377a5648586ec4a5d51edd58dd88a620.tar.gz
Fix restore encrypted backup
For backups created prior to Victoria, which may be encrypted, the restore function in Victoria or a later release should correctly decrypt the backup data. Backup encryption is disabled from Victoria onwards. Bump the backup docker image tag to 1.1.0. Change-Id: I7abf5563b22ab1914fa355c089a3793da07f2215
Diffstat (limited to 'backup')
-rw-r--r--backup/drivers/base.py26
-rw-r--r--backup/main.py7
2 files changed, 28 insertions, 5 deletions
diff --git a/backup/drivers/base.py b/backup/drivers/base.py
index 20ed75cf..4367f88e 100644
--- a/backup/drivers/base.py
+++ b/backup/drivers/base.py
@@ -47,7 +47,16 @@ class BaseRunner(object):
self.restore_content_length = 0
self.command = self.cmd % kwargs
- self.restore_command = (self.decrypt_cmd +
+
+ if self.location.endswith('.enc') and not self.encrypt_key:
+ raise Exception("Encryption key not provided with an encrypted "
+ "backup.")
+
+ self.restore_command = ''
+ # Only decrypt if the object name ends with .enc
+ if self.location.endswith('.enc'):
+ self.restore_command = self.decrypt_cmd
+ self.restore_command = (self.restore_command +
self.unzip_cmd +
(self.restore_cmd % kwargs))
self.prepare_command = self.prepare_cmd % kwargs
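Review bot: The missing-key check raises a bare `Exception`, so a caller cannot tell "encrypted backup without a key" apart from any other restore failure; a narrower type such as `raise ValueError("Encryption key not provided with an encrypted backup.")` would still be caught by existing `except Exception` handlers. The `.enc` suffix test is also evaluated twice a few lines apart; binding it once, `is_encrypted = self.location.endswith('.enc')`, keeps the guard and the command assembly from drifting. It is worth a comment that the decision to decrypt rests only on the object name, so a pre-Victoria object stored without the `.enc` suffix would be passed to the unzip step undecrypted. The enclosing method starts and ends outside the hunk.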
@@ -78,12 +87,21 @@ class BaseRunner(object):
@property
def encrypt_cmd(self):
- return (' | openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 10000 '
- '-salt -pass pass:%s' %
- self.encrypt_key) if self.encrypt_key else ''
+ """Encryption command.
+
+ Since Victoria, trove no longer encrypts the backup data for the end
+ user. This could be improved by giving users the capability to specify
+ password when creating the backups.
+ """
+ return ""
@property
def decrypt_cmd(self):
+ """Decryption command.
+
+ Since Victoria, trove no longer encrypts the backup data for the end
+ user. This command is only for backward compatibility.
+ """
if self.encrypt_key:
return ('openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter '
'10000 -salt -pass pass:%s | '
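Review bot: The decrypt path this hunk keeps for pre-Victoria backups still formats `self.encrypt_key` into `-pass pass:%s` (context lines at the end of the hunk), which puts the key in the openssl argument list where other local users can read it from the process table. Assuming the pipeline is run through a shell, as the `|` suggests, the unquoted key is also parsed by that shell. Since this is now the only remaining use of the key, consider passing it as `-pass env:BACKUP_DECRYPT_KEY` (variable name constructed here) with the variable set only in the child's environment. At minimum the new `decrypt_cmd` docstring should state that the key is embedded in the command string and must not be logged. Separately, `encrypt_cmd` now returns `""` even when a key is configured, so it may be worth documenting that new backups are stored unencrypted and rely on the object store for protection at rest. `decrypt_cmd`'s body continues outside the hunk.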
diff --git a/backup/main.py b/backup/main.py
index 04b38eca..acc57467 100644
--- a/backup/main.py
+++ b/backup/main.py
@@ -39,7 +39,12 @@ cli_opts = [
choices=['innobackupex', 'mariabackup', 'pg_basebackup', 'xtrabackup']
),
cfg.BoolOpt('backup'),
- cfg.StrOpt('backup-encryption-key'),
+ cfg.StrOpt(
+ 'backup-encryption-key',
+ help='This is only for backward compatibility. The backups '
+ 'created prior to Victoria may be encrypted. Trove guest '
+ 'agent is responsible for passing the key.'
+ ),
cfg.StrOpt('db-user'),
cfg.StrOpt('db-password'),
cfg.StrOpt('db-host'),
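Review bot: The reworked `backup-encryption-key` option gains help text but is still declared without `secret=True`, so oslo.config will not mask its value if the parsed options are ever dumped to the log (for example via `log_opt_values`). Adding `secret=True,` next to the `help=` argument is a one-line change. The `db-password` option in the context lines looks to have the same gap. Because this is a CLI option, the help text could also mention that the key is visible in the process arguments of the backup container. The `cli_opts` list starts and continues outside the hunk.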