Re: Would PostgreSQL 16 native transparent data encryption support database level encryption?

From: Stephen Frost
Subject: Re: Would PostgreSQL 16 native transparent data encryption support database level encryption?
Msg-id ZGy1wW2a8TEbotb8@tamriel.snowman.net
In reply to: Re: Would PostgreSQL 16 native transparent data encryption support database level encryption?  (Tony Xu <tony.xu@rubrik.com>)
List: pgsql-general
Greetings,

There seems to be a bit of confusion here, so I'll try to clear it up.

* Tony Xu (tony.xu@rubrik.com) wrote:
> Thanks all for the discussions. It sounds like there are different
> questions to clear before we can get to a conclusion on if per-database KEK
> is possible or not.

It's not possible in PG's design today to ensure that all user data is
segregated by database, due to the fact that there's a shared WAL which
includes data from all databases running under a given postmaster
(typically considered a 'cluster' or 'instance').  There are also shared
catalogs which aren't per-database to begin with (as for if that's
considered user data or not depends on your definition of user data..
are users/roles considered user data, or not?).

> First question - do we, as a community, see the value of the proposal and
> do we believe that value is big enough for us to make any necessary changes
> to PostgreSQL?  Another way to ask is, do we want/need to keep the parity
> with other database solutions that already have such ability?

TDE is clearly valuable to this community and multiple organizations
have implemented it already and there's an ongoing effort to bring TDE
into core, with patches already posted and many of these design
decisions made.  Given the point made above, it seems very unlikely that
the basics of the design are going to change, at least not unless PG
changes in some fundamental way when it comes to WAL and how shared
catalogs and databases work (note: I'm not aware of anyone currently
working on this..).

> If the answer to the first question is no, then I will stop here.
> However, if the answer is yes or "it depends", then the second question is
> on how - It seems that per-cluster KEK can be a good alternative to
> achieve the same as per-db KEK, however, there are still some shared area
> between clusters. Is it possible to further split this shared area? Are
> there more shared memory/storage between clusters?

There isn't anything shared between PG clusters, to be clear.  A
"cluster" in PG is all data and processes running under one
"postmaster", there is nothing shared between two PG clusters.
Splitting up the WAL to be per-database has been contemplated before but
there's no active work trying to achieve that and there's a lot of
complications associated with trying to do that (such as- what to do
about the shared catalogs...).

Thanks,

Stephen
