Added high level overview to documentation #112
Conversation
| * Temporary tables | ||
| * Write ahead log | ||
| * PG-994 System tables (not yet implemented) | ||
| * PG-993 Temporary files (not yet implemented) |
There was a problem hiding this comment.
Make sense to have PG-XXX as links or remove it
There was a problem hiding this comment.
I vote for removing it. We'll have to remove the links anyway once implemented
|
|
||
| ## Main components | ||
|
|
||
| Pg_tde consist of 3 main components: |
There was a problem hiding this comment.
It says 3 components but in following text is har to comprehend what those 3 are exactly are. Maybe, either add some kind of numeration in the text (not necessary numbered list, maybe just "Firstly, ...") or remove 3 from these sentence
|
|
||
| ### Two key hierarchy | ||
|
|
||
| `Pg_tde` uses a two level key structure, also found commonly in other database servers: |
There was a problem hiding this comment.
I don't think pg_tde should start from the capital letter even in the beginning of a sentence etc. We don't do this across the rest of the docs anyway.
There was a problem hiding this comment.
Does it make sense to add a digram how all those components interact with each other?
|
|
||
| ### Internal key storage | ||
|
|
||
| Internal keys, and generally `pg_tde` metadata is kept in a single directory in `$PGDATA/pg_tde`. |
There was a problem hiding this comment.
| Internal keys, and generally `pg_tde` metadata is kept in a single directory in `$PGDATA/pg_tde`. | |
| Internal keys and generally `pg_tde` metadata are kept in a single directory in `$PGDATA/pg_tde`. |
|
|
||
| ### Adding providers | ||
|
|
||
| Keyring providers can be added to either the GLOBAL or to the database specific scope. |
There was a problem hiding this comment.
Does it make sense to elaborate on what the GLOBAL scope is and what it is for?
There was a problem hiding this comment.
Yes as it is confusing
There was a problem hiding this comment.
But I'd ask a different question: do we need to have a User Interface section in the Architecture doc at all? It basically duplicates what we have in the whole doc set: how to set up pg_tde, what functions and params are there, etc.
There was a problem hiding this comment.
This is structured differently, as it was/is intended as a single document overview of everything.
| pg_tde_set_server_principal_key(‘key-name', ‘provider-name', ensure_new_key) | ||
| ``` | ||
|
|
||
| `Ensure_new_key` is a boolean parameter defaulting to false. |
There was a problem hiding this comment.
| `Ensure_new_key` is a boolean parameter defaulting to false. | |
| `ensure_new_key` is a boolean parameter defaulting to false. |
| Also, the `pg_tde_(grant/revoke)_key_management_to_role` function deals with only the specific permission for the above function: | ||
| it allows a user to change the key for the database, but not to modify the provider configuration. | ||
|
|
||
| ### Creating tables |
There was a problem hiding this comment.
| ### Creating tables | |
| ### Creating encrypted tables |
| * Encrypted internal keys and internal key mapping to tables | ||
| * Information about the key providers | ||
|
|
||
| There's also a special global section marked with the OID 607, which includes the global key providers / global internal keys. |
There was a problem hiding this comment.
Is this the global scope?
|
|
||
| There's also a special global section marked with the OID 607, which includes the global key providers / global internal keys. | ||
|
|
||
| This is used by the WAL encryption, and can optionally be used by specific databases too, if global provider inheritance is enabled. |
There was a problem hiding this comment.
Don't they use the default provider for this purpose?
If not, let's explain the default scope and default provider here too.
This is just a conversion of the google doc into markdown, with actualizing some of the outdated details in the document. The last section (researc/investigation topics) is left out, as that doesn't make much sense in a public documentation.
This is just a conversion of the google doc into markdown, with actualizing some of the outdated details in the document.
The last section (researc/investigation topics) is left out, as that doesn't make much sense in a public documentation.