feat: support alter key expiration time. (#34390)

Author: xiao-77

include/common/tglobal.h

@@ -220,6 +220,8 @@ extern int32_t  tsEncryptKeyVersion;       // Key update version (starts from 1,
 extern int64_t  tsEncryptKeyCreateTime;    // Key creation timestamp
 extern int64_t  tsSvrKeyUpdateTime;        // SVR_KEY last update timestamp
 extern int64_t  tsDbKeyUpdateTime;         // DB_KEY last update timestamp
+extern int32_t  tsKeyExpirationDays;       // Key expiration days (default: 30)
+extern char     tsKeyExpirationStrategy[ENCRYPT_KEY_EXPIRE_STRATEGY_LEN + 1];  // Key expiration strategy (default: "ALARM")
 
 // monitor
 extern bool     tsEnableMonitor;

include/common/tmsg.h

@@ -437,6 +437,8 @@ typedef enum ENodeType {
   QUERY_NODE_ALTER_ROLE_STMT,
   QUERY_NODE_CREATE_TOTP_SECRET_STMT,
   QUERY_NODE_DROP_TOTP_SECRET_STMT,
+  QUERY_NODE_ALTER_KEY_EXPIRATION_STMT,
+
 
   // placeholder for [155, 180]
   QUERY_NODE_SHOW_CREATE_VIEW_STMT = 181,
@@ -3502,6 +3504,17 @@ int32_t tSerializeSMAlterEncryptKeyReq(void* buf, int32_t bufLen, SMAlterEncrypt
 int32_t tDeserializeSMAlterEncryptKeyReq(void* buf, int32_t bufLen, SMAlterEncryptKeyReq* pReq);
 void    tFreeSMAlterEncryptKeyReq(SMAlterEncryptKeyReq* pReq);
 
+typedef struct {
+  int32_t days;
+  char    strategy[64];
+  int32_t sqlLen;
+  char*   sql;
+} SMAlterKeyExpirationReq;
+
+int32_t tSerializeSMAlterKeyExpirationReq(void* buf, int32_t bufLen, SMAlterKeyExpirationReq* pReq);
+int32_t tDeserializeSMAlterKeyExpirationReq(void* buf, int32_t bufLen, SMAlterKeyExpirationReq* pReq);
+void    tFreeSMAlterKeyExpirationReq(SMAlterKeyExpirationReq* pReq);
+
 typedef struct {
   char    config[TSDB_DNODE_CONFIG_LEN];
   char    value[TSDB_DNODE_VALUE_LEN];

include/common/tmsgdef.h

@@ -161,6 +161,7 @@
   TD_DEF_MSG_TYPE(TDMT_MND_ALTER_ENCRYPT_KEY, "alter-encrypt-key", NULL, NULL)
   TD_DEF_MSG_TYPE(TDMT_MND_CREATE_TOTP_SECRET, "create-totp-secret", NULL, NULL)
   TD_DEF_MSG_TYPE(TDMT_MND_DROP_TOTP_SECRET, "drop-totp-secret", NULL, NULL)
+  TD_DEF_MSG_TYPE(TDMT_MND_ALTER_KEY_EXPIRATION, "alter-key-expiration", NULL, NULL)
   TD_CLOSE_MSG_SEG(TDMT_DND_MSG)
 
   TD_NEW_MSG_SEG(TDMT_MND_MSG)  // 1<<8

include/libs/nodes/cmdnodes.h

@@ -1003,6 +1003,12 @@ typedef struct SAlterEncryptKeyStmt {
   char      newKey[ENCRYPT_KEY_LEN + 1];
 } SAlterEncryptKeyStmt;
 
+typedef struct SAlterKeyExpirationStmt {
+  ENodeType type;
+  int32_t   days;
+  char      strategy[ENCRYPT_KEY_EXPIRE_STRATEGY_LEN + 1];
+} SAlterKeyExpirationStmt;
+
 typedef struct SDescribeStmt {
   ENodeType   type;
   char        dbName[TSDB_DB_NAME_LEN];

include/util/tdef.h

@@ -242,6 +242,8 @@ typedef enum ELogicConditionType {
 #define ENCRYPT_KEY_LEN     16
 #define ENCRYPT_KEY_LEN_MIN 8
 
+#define ENCRYPT_KEY_EXPIRE_STRATEGY_LEN 16
+
 #define TSDB_INT32_ID_LEN 11
 
 #define TSDB_NAME_DELIMITER_LEN 1

source/common/src/msg/tmsg.c

@@ -5985,6 +5985,48 @@ int32_t tDeserializeSMAlterEncryptKeyReq(void *buf, int32_t bufLen, SMAlterEncry
 
 void tFreeSMAlterEncryptKeyReq(SMAlterEncryptKeyReq *pReq) { FREESQL(); }
 
+int32_t tSerializeSMAlterKeyExpirationReq(void *buf, int32_t bufLen, SMAlterKeyExpirationReq *pReq) {
+  SEncoder encoder = {0};
+  int32_t  code = 0;
+  int32_t  lino;
+  int32_t  tlen;
+  tEncoderInit(&encoder, buf, bufLen);
+
+  TAOS_CHECK_EXIT(tStartEncode(&encoder));
+  TAOS_CHECK_EXIT(tEncodeI32(&encoder, pReq->days));
+  TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->strategy));
+  ENCODESQL();
+  tEndEncode(&encoder);
+
+_exit:
+  if (code) {
+    tlen = code;
+  } else {
+    tlen = encoder.pos;
+  }
+  tEncoderClear(&encoder);
+  return tlen;
+}
+
+int32_t tDeserializeSMAlterKeyExpirationReq(void *buf, int32_t bufLen, SMAlterKeyExpirationReq *pReq) {
+  SDecoder decoder = {0};
+  int32_t  code = 0;
+  int32_t  lino;
+  tDecoderInit(&decoder, buf, bufLen);
+
+  TAOS_CHECK_EXIT(tStartDecode(&decoder));
+  TAOS_CHECK_EXIT(tDecodeI32(&decoder, &pReq->days));
+  TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->strategy));
+  DECODESQL();
+  tEndDecode(&decoder);
+
+_exit:
+  tDecoderClear(&decoder);
+  return code;
+}
+
+void tFreeSMAlterKeyExpirationReq(SMAlterKeyExpirationReq *pReq) { FREESQL(); }
+
 int32_t tSerializeSDCfgDnodeReq(void *buf, int32_t bufLen, SDCfgDnodeReq *pReq) {
   SEncoder encoder = {0};
   int32_t  code = 0;

source/common/src/tglobal.c

@@ -203,6 +203,9 @@ int32_t  tsEncryptKeyVersion = 0;       // Key update version (starts from 1, in
 int64_t  tsEncryptKeyCreateTime = 0;    // Key creation timestamp
 int64_t  tsSvrKeyUpdateTime = 0;        // SVR_KEY last update timestamp
 int64_t  tsDbKeyUpdateTime = 0;         // DB_KEY last update timestamp
+int32_t  tsKeyExpirationDays = 30;      // Key expiration days (default: 30)
+char     tsKeyExpirationStrategy[ENCRYPT_KEY_EXPIRE_STRATEGY_LEN + 1] =
+    "ALARM";  // Key expiration strategy (default: "ALARM")
 uint32_t tsGrant = 1;
 
 bool tsCompareAsStrInGreatest = true;

source/dnode/mgmt/mgmt_dnode/inc/dmInt.h

@@ -74,6 +74,7 @@ int32_t dmProcessGrantReq(void *pInfo, SRpcMsg *pMsg);
 int32_t dmProcessGrantNotify(void *pInfo, SRpcMsg *pMsg);
 int32_t dmProcessCreateEncryptKeyReq(SDnodeMgmt *pMgmt, SRpcMsg *pMsg);
 int32_t dmProcessAlterEncryptKeyReq(SDnodeMgmt *pMgmt, SRpcMsg *pMsg);
+int32_t dmProcessAlterKeyExpirationReq(SDnodeMgmt *pMgmt, SRpcMsg *pMsg);
 int32_t dmVerifyAndInitEncryptionKeys(void);
 
 int32_t dmProcessReloadTlsConfig(SDnodeMgmt *pMgmt, SRpcMsg *pMsg);

source/dnode/mgmt/mgmt_dnode/src/dmHandle.c

@@ -1319,6 +1319,30 @@ static int32_t dmUpdateSvrKey(const char *newKey) {
   return 0;
 }
 
+static int32_t dmUpdateKeyExpiration(int32_t days, const char *strategy) {
+  if (days < 0) {
+    dError("invalid days value:%d, must be >= 0", days);
+    return TSDB_CODE_INVALID_PARA;
+  }
+
+  if (strategy == NULL || strategy[0] == '\0') {
+    dError("invalid strategy, strategy is empty");
+    return TSDB_CODE_INVALID_PARA;
+  }
+
+  // Validate strategy value
+  if (strcmp(strategy, "ALARM") != 0) {
+    dWarn("unknown strategy:%s, supported values: ALARM. Will use it anyway.", strategy);
+  }
+
+  // Update global variables directly
+  tsKeyExpirationDays = days;
+  tstrncpy(tsKeyExpirationStrategy, strategy, sizeof(tsKeyExpirationStrategy));
+
+  dInfo("successfully updated key expiration config: days=%d, strategy=%s", days, strategy);
+  return 0;
+}
+
 static int32_t dmUpdateDbKey(const char *newKey) {
   if (newKey == NULL || newKey[0] == '\0') {
     dError("invalid new DB_KEY, key is empty");
@@ -1467,6 +1491,41 @@ int32_t dmProcessAlterEncryptKeyReq(SDnodeMgmt *pMgmt, SRpcMsg *pMsg) {
 #endif
 }
 
+int32_t dmProcessAlterKeyExpirationReq(SDnodeMgmt *pMgmt, SRpcMsg *pMsg) {
+#if defined(TD_ENTERPRISE) && defined(TD_HAS_TAOSK)
+  int32_t                 code = 0;
+  SMAlterKeyExpirationReq alterReq = {0};
+  if (tDeserializeSMAlterKeyExpirationReq(pMsg->pCont, pMsg->contLen, &alterReq) != 0) {
+    code = TSDB_CODE_INVALID_MSG;
+    dError("failed to deserialize alter key expiration req, since %s", tstrerror(code));
+    goto _exit;
+  }
+
+  dInfo("received alter key expiration req, days:%d, strategy:%s", alterReq.days, alterReq.strategy);
+
+  // Update key expiration configuration
+  code = dmUpdateKeyExpiration(alterReq.days, alterReq.strategy);
+  if (code == 0) {
+    dInfo("successfully updated key expiration: %d days, strategy: %s", alterReq.days, alterReq.strategy);
+  } else {
+    dError("failed to update key expiration, since %s", tstrerror(code));
+  }
+
+_exit:
+  tFreeSMAlterKeyExpirationReq(&alterReq);
+  pMsg->code = code;
+  pMsg->info.rsp = NULL;
+  pMsg->info.rspLen = 0;
+  return code;
+#else
+  dError("key expiration management is only available in enterprise edition");
+  pMsg->code = TSDB_CODE_OPS_NOT_SUPPORT;
+  pMsg->info.rsp = NULL;
+  pMsg->info.rspLen = 0;
+  return TSDB_CODE_OPS_NOT_SUPPORT;
+#endif
+}
+
 int32_t dmProcessReloadTlsConfig(SDnodeMgmt *pMgmt, SRpcMsg *pMsg) {
   int32_t code = 0;
   int32_t lino = 0;
@@ -1756,6 +1815,7 @@ SArray *dmGetMsgHandles() {
   if (dmSetMgmtHandle(pArray, TDMT_DND_ALTER_MNODE_TYPE, dmPutNodeMsgToMgmtQueue, 0) == NULL) goto _OVER;
   if (dmSetMgmtHandle(pArray, TDMT_DND_CREATE_ENCRYPT_KEY, dmPutNodeMsgToMgmtQueue, 0) == NULL) goto _OVER;
   if (dmSetMgmtHandle(pArray, TDMT_MND_ALTER_ENCRYPT_KEY, dmPutNodeMsgToMgmtQueue, 0) == NULL) goto _OVER;
+  if (dmSetMgmtHandle(pArray, TDMT_MND_ALTER_KEY_EXPIRATION, dmPutNodeMsgToMgmtQueue, 0) == NULL) goto _OVER;
   if (dmSetMgmtHandle(pArray, TDMT_MND_STREAM_HEARTBEAT_RSP, dmPutMsgToStreamMgmtQueue, 0) == NULL) goto _OVER;
   if (dmSetMgmtHandle(pArray, TDMT_DND_RELOAD_DNODE_TLS, dmPutNodeMsgToMgmtQueue, 0) == NULL) goto _OVER;
 

source/dnode/mgmt/mgmt_dnode/src/dmWorker.c

@@ -23,9 +23,7 @@
 #endif
 
 // Encryption key expiration constants
-#define ENCRYPT_KEY_EXPIRE_DAYS      30
-#define MILLISECONDS_PER_DAY         (24 * 3600 * 1000)
-#define ENCRYPT_KEY_EXPIRE_THRESHOLD ((int64_t)ENCRYPT_KEY_EXPIRE_DAYS * MILLISECONDS_PER_DAY)
+#define MILLISECONDS_PER_DAY (24 * 3600 * 1000)
 
 static void *dmStatusThreadFp(void *param) {
   SDnodeMgmt *pMgmt = param;
@@ -85,14 +83,17 @@ static void *dmKeySyncThreadFp(void *param) {
     if (interval >= tsStatusIntervalMs) {
       // Sync keys periodically (every 30 seconds) or on first run
       if (tsEncryptKeysStatus == TSDB_ENCRYPT_KEY_STAT_LOADED) {
-        // Check if encryption keys are expired
+        // Check if encryption keys are expired based on configured threshold
+        int64_t keyExpirationThreshold = (int64_t)tsKeyExpirationDays * MILLISECONDS_PER_DAY;
         int64_t svrKeyAge = curTime - tsSvrKeyUpdateTime;
         int64_t dbKeyAge = curTime - tsDbKeyUpdateTime;
 
-        if (svrKeyAge > ENCRYPT_KEY_EXPIRE_THRESHOLD || dbKeyAge > ENCRYPT_KEY_EXPIRE_THRESHOLD) {
-          dWarn("encryption keys may be expired, svrKeyAge:%" PRId64 " days, dbKeyAge:%" PRId64
-                " days, attempting reload",
-                svrKeyAge / MILLISECONDS_PER_DAY, dbKeyAge / MILLISECONDS_PER_DAY);
+        if (svrKeyAge > keyExpirationThreshold || dbKeyAge > keyExpirationThreshold) {
+          const char *action = (strcmp(tsKeyExpirationStrategy, "ALARM") == 0) ? "warning" : "attempting reload";
+          dWarn("encryption keys may be expired (threshold:%d days, strategy:%s), svrKeyAge:%" PRId64
+                " days, dbKeyAge:%" PRId64 " days, %s",
+                tsKeyExpirationDays, tsKeyExpirationStrategy, svrKeyAge / MILLISECONDS_PER_DAY,
+                dbKeyAge / MILLISECONDS_PER_DAY, action);
 #if defined(TD_ENTERPRISE) && defined(TD_HAS_TAOSK)
           // Try to reload keys from file
           char masterKeyFile[PATH_MAX] = {0};
@@ -139,19 +140,20 @@ static void *dmKeySyncThreadFp(void *param) {
             // Check if keys are still expired after reload
             svrKeyAge = curTime - tsSvrKeyUpdateTime;
             dbKeyAge = curTime - tsDbKeyUpdateTime;
-            if (svrKeyAge > ENCRYPT_KEY_EXPIRE_THRESHOLD || dbKeyAge > ENCRYPT_KEY_EXPIRE_THRESHOLD) {
-              dError("encryption keys are still expired after reload, svrKeyAge:%" PRId64 " days, dbKeyAge:%" PRId64
-                     " days, please rotate keys",
-                     svrKeyAge / MILLISECONDS_PER_DAY, dbKeyAge / MILLISECONDS_PER_DAY);
+            if (svrKeyAge > keyExpirationThreshold || dbKeyAge > keyExpirationThreshold) {
+              dError("encryption keys are still expired after reload (threshold:%d days), svrKeyAge:%" PRId64
+                     " days, dbKeyAge:%" PRId64 " days, please rotate keys",
+                     tsKeyExpirationDays, svrKeyAge / MILLISECONDS_PER_DAY, dbKeyAge / MILLISECONDS_PER_DAY);
             } else {
-              dInfo("successfully reloaded encryption keys, svrKeyAge:%" PRId64 " days, dbKeyAge:%" PRId64 " days",
-                    svrKeyAge / MILLISECONDS_PER_DAY, dbKeyAge / MILLISECONDS_PER_DAY);
+              dInfo("successfully reloaded encryption keys, svrKeyAge:%" PRId64 " days, dbKeyAge:%" PRId64
+                    " days (threshold:%d days)",
+                    svrKeyAge / MILLISECONDS_PER_DAY, dbKeyAge / MILLISECONDS_PER_DAY, tsKeyExpirationDays);
             }
           } else {
             dError("failed to reload encryption keys since %s", tstrerror(code));
           }
 #endif
-      }
+        }
       } else if (tsEncryptKeysStatus == TSDB_ENCRYPT_KEY_STAT_DISABLED) {
         dInfo("encryption keys are disabled, stopping key sync thread");
         break;
@@ -767,6 +769,9 @@ static void dmProcessMgmtQueue(SQueueInfo *pInfo, SRpcMsg *pMsg) {
     case TDMT_MND_ALTER_ENCRYPT_KEY:
       code = dmProcessAlterEncryptKeyReq(pMgmt, pMsg);
       break;
+    case TDMT_MND_ALTER_KEY_EXPIRATION:
+      code = dmProcessAlterKeyExpirationReq(pMgmt, pMsg);
+      break;
     case TDMT_DND_RELOAD_DNODE_TLS:
       code = dmProcessReloadTlsConfig(pMgmt, pMsg);
       // code = dmProcessReloadEncryptKeyReq(pMgmt, pMsg);