Resolve the conflict between encrypted derived columns and primary key columns(#36841) #36899
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #36841.
Changes proposed in this pull request:
I have fully reproduced this issue locally and identified the root cause.
Reproduction scenario:
When the encrypted column is the last field in the table, and both encrypted assisted query columns and Snowflake algorithm for generating primary key IDs are enabled.
Root cause:
In this insert SQL, Sharding needs to ensure the final SQL includes inserts for both the order_id and assisted_username columns, requiring SQL rewriting by Sharding.
The SQL rewriting process involves the following steps:
Add the values to be inserted - the Snowflake-generated order_id value (1186337235088179200) and the assisted column value generated from username (9de37a0627c25684fdd519ca84073e34):
a. The logic for adding order_id is located in GeneratedKeyInsertValueParameterRewriter#rewrite, which appends the value 1186337235088179200 to the end of the parameter list.
b. The logic for adding assisted_username is located in EncryptInsertValueParameterRewriter#rewrite, which finds the position of username in the list and places the assisted_username value immediately after it.
This results in the value list becoming:
(1, 23.4, 2025-10-18 16:16:21.7380934, 1, PENDING, null, bg+LQMPvSU8G0cnJuWM/1g==, 9de37a0627c25684fdd519ca84073e34, 1186341196495060992)
Add the column names to be inserted - both order_id and assisted_username:
a. In org.apache.shardingsphere.infra.rewrite.sql.token.keygen.generator.GeneratedKeyInsertColumnTokenGenerator#generateSQLToken,
order_id is inserted at the end of the column name list.
b. In org.apache.shardingsphere.encrypt.rewrite.token.generator.insert.EncryptInsertDerivedColumnsTokenGenerator#generateSQLTokens,
the derived assisted_username is placed after username.
The problem arises here:
Since username itself is already the last field, placing assisted_username after username is equivalent to placing it at the end, causing disorder between assisted_username and order_id.
As shown in the figure, the insertion indexes become identical.
Therefore, to resolve this issue, we need to ensure consistent ordering between the derived parameter columns and derived value columns.
The approach I'm taking:
Modify the derivation logic to keep the derived primary key token at the very end. This way, even if the encrypted column is in the last position, the derived auxiliary column will still appear before the primary key.
I believe this approach requires minimal changes. I appreciate everyone's perspectives on this solution
Before committing this PR, I'm sure that I have checked the following options:
./mvnw clean install -B -T1C -Dmaven.javadoc.skip -Dmaven.jacoco.skip -e.