sql, server: observability replace role options with system privileges #84198
Conversation
|
This change is |
Santamaura
force-pushed
the
equivalent-system-privileges
branch
5 times, most recently
from
1bcd62c to
05e3225
Compare
Santamaura
force-pushed
the
equivalent-system-privileges
branch
from
05e3225 to
bfdd047
Compare
Santamaura
force-pushed
the
equivalent-system-privileges
branch
2 times, most recently
from
a43bdfb to
ec718ba
Compare
Santamaura
force-pushed
the
equivalent-system-privileges
branch
from
ec718ba to
0d0cad2
Compare
|
drive-by comment -- i feel like this change deserves a release note |
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @koorosh, @Santamaura, and @zachlite)
-- commits line 6 at r2:
I'd add a note that you should now do GRANT SYSTEM ... TO ... instead of using the role options.
pkg/server/admin.go line 1860 at r2 (raw file):
privilege.VIEWCLUSTERSETTING, privilege.MODIFYCLUSTERSETTING) } } else {
nit: Don't need the else if we're just returning
pkg/server/admin.go line 3474 at r2 (raw file):
privilege.VIEWACTIVITY) } } else {
nit: Don't need the else if we're just returning
Ditto for other cases below
pkg/server/admin.go line 3642 at r2 (raw file):
// privilege provided. func (c *adminPrivilegeChecker) checkHasSystemPrivilege( ctx context.Context, user username.SQLUsername, privilege string,
can privilege string become privilege privilege.Kind?
I'm kind of okay with this initially but this is not ideal since it'll not use the cache which I'm implementing in a separate PR. Can you add a todo to update this to do the below?
Also can you note what the issue was with creating a planner.
desc := syntheticprivilege.GlobalPrivilegeObject.GetPrivilegeDescriptor(ctx, ie)
desc.CheckPrivilege()
...
There was a problem hiding this comment.
Reviewable status:
a discussion (no related file):
As far as I understand, system privileges should replace existing role options, but current logic requires that user has both assigned role options and system privileges.
I suggest having the following workflow:
- check the system privileges table first (for supported versions) and skip role options validation if user has explicitly defined system privilege; In this case system privileges take precedence over role options.
- if the user doesn't have appropriate privilege then fallback to role options validation;
pkg/server/admin.go
Outdated
| row, err := c.ie.QueryRowEx( | ||
| ctx, "check-has-system-privilege", nil, /* txn */ | ||
| sessiondata.InternalExecutorOverride{User: username.RootUserName()}, | ||
| `SELECT * FROM system.privileges WHERE username = $1 AND privileges @> ARRAY[$2]`, |
There was a problem hiding this comment.
One more thing, this doesn't account for inheritance.
Santamaura
force-pushed
the
equivalent-system-privileges
branch
5 times, most recently
from
1a8f3f7 to
89f9619
Compare
Santamaura
force-pushed
the
equivalent-system-privileges
branch
3 times, most recently
from
a4a723c to
6896df8
Compare
There was a problem hiding this comment.
Added
Reviewable status:
a discussion (no related file):
Previously, koorosh (Andrii Vorobiov) wrote…
As far as I understand, system privileges should replace existing role options, but current logic requires that user has both assigned role options and system privileges.
I suggest having the following workflow:
- check the system privileges table first (for supported versions) and skip role options validation if user has explicitly defined system privilege; In this case system privileges take precedence over role options.
- if the user doesn't have appropriate privilege then fallback to role options validation;
Moved stuff around so that the logic reflects this idea.
Previously, RichardJCai (Richard Cai) wrote…
I'd add a note that you should now do
GRANT SYSTEM ... TO ...instead of using the role options.
Done
pkg/server/admin.go line 3474 at r2 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
nit: Don't need the else if we're just returning
Ditto for other cases below
Done.
pkg/server/admin.go line 3642 at r2 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
can
privilege stringbecomeprivilege privilege.Kind?I'm kind of okay with this initially but this is not ideal since it'll not use the cache which I'm implementing in a separate PR. Can you add a todo to update this to do the below?
Also can you note what the issue was with creating a planner.
desc := syntheticprivilege.GlobalPrivilegeObject.GetPrivilegeDescriptor(ctx, ie) desc.CheckPrivilege() ...
Per our discussion, switched to using NewInternalPlanner wrapped in a function so this is no longer relevant.
pkg/server/admin.go line 3647 at r2 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
One more thing, this doesn't account for inheritance.
Ack
Santamaura
force-pushed
the
equivalent-system-privileges
branch
from
6896df8 to
508d601
Compare
Santamaura
force-pushed
the
equivalent-system-privileges
branch
2 times, most recently
from
2918ecf to
35cb78c
Compare
There was a problem hiding this comment.
Reviewed 1 of 12 files at r1, 2 of 5 files at r2, 12 of 12 files at r3, all commit messages.
Reviewable status:
pkg/server/admin.go line 1838 at r3 (raw file):
if s.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { hasView = s.checkHasSystemPrivilege(ctx, user, privilege.VIEWCLUSTERSETTING) hasModify = s.checkHasSystemPrivilege(ctx, user, privilege.MODIFYCLUSTERSETTING)
nit. It doesn't relate to this PR specifically, but it might be useful to introduce an extended version of heckHasSystemPrivilege to check the list of privileges and return a single result if some of the provided privileges exist (ie checkHasSomeSystemPrivileges)
hasPrivilege := s.checkHasSomeSystemPrivileges(ctx, user, []privilege.Kind{privilege.VIEWCLUSTERSETTING, privilege.MODIFYCLUSTERSETTING})
if hasPrivilege {
...
}pkg/sql/crdb_internal.go line 1565 at r3 (raw file):
hasView := false if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { hasModify = p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING) == nil
Ignored possible errors here. p.CheckPrivilege can return error that is not handled.
Santamaura
force-pushed
the
equivalent-system-privileges
branch
from
35cb78c to
4eee60c
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/server/admin.go line 1838 at r3 (raw file):
Previously, koorosh (Andrii Vorobiov) wrote…
nit. It doesn't relate to this PR specifically, but it might be useful to introduce an extended version of
heckHasSystemPrivilegeto check the list of privileges and return a single result if some of the provided privileges exist (iecheckHasSomeSystemPrivileges)hasPrivilege := s.checkHasSomeSystemPrivileges(ctx, user, []privilege.Kind{privilege.VIEWCLUSTERSETTING, privilege.MODIFYCLUSTERSETTING}) if hasPrivilege { ... }
I could see that being potentially useful but maybe it should be added as needed.
pkg/sql/crdb_internal.go line 1565 at r3 (raw file):
Previously, koorosh (Andrii Vorobiov) wrote…
Ignored possible errors here.
p.CheckPrivilegecan return error that is not handled.
p.CheckPrivilege only returns an error or nil so regardless of how the logic is shuffled around we can't return prematurely here with the error since we need to fallback to checking the role options
| @@ -8,9 +8,11 @@ SELECT count(distinct(node_id)), count(*) FROM crdb_internal.node_runtime_info | |||
| query IT | |||
| SELECT node_id, name FROM crdb_internal.leases ORDER BY name | |||
| ---- | |||
| 0 defaultdb | |||
There was a problem hiding this comment.
I'm surprised this changed.
There was a problem hiding this comment.
Yeah still not sure why it had to be updated
| @@ -1,8 +1,8 @@ | |||
| # LogicTest: local-mixed-22.1-22.2 | |||
|
|
|||
| # test MODIFYCLUSTERSETTING | |||
This patch introduces system privileges that exist currently as role options. For observability they are the following: VIEWACTIVITY, VIEWACTIVTYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY and NOSQLLOGIN. Users should now do GRANT SYSTEM <privilege> TO <role>; instead of using role options. Brand new system privileges for observability will be introduced in a subsequent PR. Any additional gating with these system privileges beyond the basic ones made in this PR will be done in a subsequent PR. Resolves cockroachdb#83843 Release note (sql change): introduced VIEWACTIVITY, VIEWACTIVITYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY, and NOSQLLOGIN as system privileges.
Santamaura
force-pushed
the
equivalent-system-privileges
branch
from
4eee60c to
be41f0a
Compare
|
TFTRs |
|
bors r+ |
|
Build failed (retrying...): |
|
Build succeeded: |
This patch introduces system privileges that exist currently as
role options. For observability they are the following: VIEWACTIVITY,
VIEWACTIVTYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY and NOSQLLOGIN.
Users should now do GRANT SYSTEM
privilegeTOrole; instead ofusing role options.
Brand new system privileges for observability will be introduced in
a subsequent PR.
Any additional gating with these system privileges beyond the basic
ones made in this PR will be done in a subsequent PR.
Resolves #83843
Release note (sql change): introduced
VIEWACTIVITY, VIEWACTIVITYREDACTED,
VIEWCLUSTERSETTING, CANCELQUERY,
and NOSQLLOGIN as system privileges.