
sql: security issue in sql stats #79688

Closed
Azhng opened this issue Apr 8, 2022 · 0 comments · Fixed by #79810
Labels: A-sql-observability (Related to observability of the SQL layer), C-bug (Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior.)

Comments

@Azhng (Contributor) commented Apr 8, 2022

CRDB-14980

@Azhng Azhng added the C-bug, A-sql-observability and T-sql-observability labels Apr 8, 2022
@Azhng Azhng changed the title sql: reset_sql_stats builtin is not checking VIEWACTIVITY permission sql: reset_sql_stats builtin is not checking ADMIN permission Apr 8, 2022
Azhng added a commit to Azhng/cockroach that referenced this issue Apr 12, 2022
Resolves cockroachdb#79688

Previously, SQL Stats and Index Usage Stats could be reset through the SQL CLI
using the crdb_internal.reset_sql_stats() and
crdb_internal.reset_index_usage_stats() builtins. However, these two
builtins were not checking for the user's admin role. Hence, any user could
reset SQL Stats and Index Usage Stats.
This commit enforces the permission check.

Release note (security update): the crdb_internal.reset_sql_stats() and
crdb_internal.reset_index_usage_stats() builtins now check whether the user has
the admin role.
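The commit message above describes two builtins that performed a privileged action (clearing node-wide statistics) without checking the caller's role. The following Go program is an added example, not code from the cockroach repository, that models the before-and-after behaviour with a small builtin registry: the dispatcher enforces a RequiresAdmin flag, so the authorization check lives in one place instead of being re-implemented (or forgotten) in each builtin. Session, StatsStore, Registry, the constructed user names and the sample counter values are assumptions for illustration; CockroachDB's real evaluation context and stats stores are nothing like these toys.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a hypothetical stand-in for the per-connection state a SQL
// engine passes to a builtin. It is not CockroachDB's evaluation context;
// it models only the input the authorization decision needs.
type Session struct {
	User    string
	IsAdmin bool
}

// ErrAdminRequired is the error a privileged builtin returns to a non-admin.
var ErrAdminRequired = errors.New("user does not have admin role")

// StatsStore is a toy model of the node-level statistics the two reset
// builtins clear. Plain counters are enough to show whether a reset happened.
type StatsStore struct {
	SQLStats        int
	IndexUsageStats int
}

// Builtin is one SQL-callable function. RequiresAdmin is the metadata the
// dispatcher consults before running Body, so the check cannot be omitted
// inside an individual builtin.
type Builtin struct {
	Name          string
	RequiresAdmin bool
	Body          func(*StatsStore) string
}

// Registry maps a builtin name to its definition. Call is the single
// choke point through which every function invocation passes.
type Registry map[string]Builtin

// Call dispatches name on behalf of sess. A builtin flagged RequiresAdmin
// runs only when the session holds the admin role; otherwise the store is
// left untouched and ErrAdminRequired is returned, wrapped so that callers
// can match it with errors.Is.
func (r Registry) Call(sess Session, name string, store *StatsStore) (string, error) {
	b, ok := r[name]
	if !ok {
		return "", fmt.Errorf("unknown function %q", name)
	}
	if b.RequiresAdmin && !sess.IsAdmin {
		return "", fmt.Errorf("%s(): %w", name, ErrAdminRequired)
	}
	return b.Body(store), nil
}

// resetBuiltins returns the two reset functions, flagged according to
// requireAdmin. The bodies are identical in both configurations; only the
// authorization metadata differs.
func resetBuiltins(requireAdmin bool) Registry {
	return Registry{
		"crdb_internal.reset_sql_stats": {
			Name:          "crdb_internal.reset_sql_stats",
			RequiresAdmin: requireAdmin,
			Body:          func(s *StatsStore) string { s.SQLStats = 0; return "true" },
		},
		"crdb_internal.reset_index_usage_stats": {
			Name:          "crdb_internal.reset_index_usage_stats",
			RequiresAdmin: requireAdmin,
			Body:          func(s *StatsStore) string { s.IndexUsageStats = 0; return "true" },
		},
	}
}

// UnguardedRegistry models the pre-fix behaviour described in the commit
// message: neither builtin is flagged, so any user can reset the stats.
func UnguardedRegistry() Registry { return resetBuiltins(false) }

// GuardedRegistry models the fixed behaviour: both builtins require admin.
func GuardedRegistry() Registry { return resetBuiltins(true) }

// NewStore returns a store holding constructed, non-zero sample counts so a
// reset is observable.
func NewStore() *StatsStore { return &StatsStore{SQLStats: 42, IndexUsageStats: 7} }

func main() {
	lowPriv := Session{User: "app_user", IsAdmin: false} // constructed non-admin
	root := Session{User: "root", IsAdmin: true}         // constructed admin

	for _, tc := range []struct {
		label string
		reg   Registry
	}{{"before fix", UnguardedRegistry()}, {"after fix", GuardedRegistry()}} {
		store := NewStore()
		_, err := tc.reg.Call(lowPriv, "crdb_internal.reset_sql_stats", store)
		fmt.Printf("%s: %s calls reset_sql_stats -> err=%v, sql_stats=%d\n",
			tc.label, lowPriv.User, err, store.SQLStats)
	}
	store := NewStore()
	_, err := GuardedRegistry().Call(root, "crdb_internal.reset_index_usage_stats", store)
	fmt.Printf("after fix: %s calls reset_index_usage_stats -> err=%v, index_usage_stats=%d\n",
		root.User, err, store.IndexUsageStats)
}
```

The commit on this page adds the check inside the two builtins themselves; flagging the privilege requirement in the registry and checking it at dispatch is the design that keeps the next privileged builtin from shipping without one. Either way, the verification a practitioner wants is the one a non-admin can run: call the builtin, confirm it errors, and confirm the statistics are unchanged.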
@Azhng Azhng changed the title sql: reset_sql_stats builtin is not checking ADMIN permission sql: security issue is sql stats Apr 12, 2022
@Azhng Azhng changed the title sql: security issue is sql stats sql: security issue in sql stats Apr 12, 2022
@cockroachdb cockroachdb deleted a comment from data-matt Apr 12, 2022
@cockroachdb cockroachdb deleted a comment from data-matt Apr 12, 2022
Azhng added a commit to Azhng/cockroach that referenced this issue Apr 13, 2022
Resolves cockroachdb#79688
@craig craig bot closed this as completed in 0dd5073 Apr 20, 2022
blathers-crl bot pushed a commit that referenced this issue Apr 20, 2022
Resolves #79688
Azhng added a commit that referenced this issue Apr 21, 2022
Resolves #79688
blathers-crl bot pushed a commit that referenced this issue Apr 22, 2022
Resolves #79688
Azhng added a commit to Azhng/cockroach that referenced this issue Apr 22, 2022
Resolves cockroachdb#79688