sql: ensure revalidate_unique_constraint* builtins respect privileges #83959

Merged
merged 1 commit into from
Jul 9, 2022

Collaborator

@rytaft rytaft commented Jul 7, 2022

This commit updates the builtins
crdb_internal.revalidate_unique_constraints_in_all_tables,
crdb_internal.revalidate_unique_constraints_in_table,
and crdb_internal.revalidate_unique_constraint to ensure that the correct
user is passed to the internal executor when running the validation query.
This ensures that privileges will be respected.

Release note (bug fix): Fixed the following builtins so that users can only
run them if they have SELECT privileges on the relevant tables:
crdb_internal.revalidate_unique_constraints_in_all_tables,
crdb_internal.revalidate_unique_constraints_in_table,
and crdb_internal.revalidate_unique_constraint.

@rytaft rytaft requested review from knz, rafiss, a team and msbutler July 7, 2022 02:24
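
Added example, not part of this PR or of CockroachDB's code: a simplified Go model of the pattern the description above fixes, where a builtin hands its validation query to an internal executor. The `Executor` type, its grant table and both `Revalidate…` functions are hypothetical, and the model assumes the executor authorizes against whichever user it is given, with the `node` identity passing every check.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model, not CockroachDB code. Assumption: the executor
// authorizes each query against the user it is handed, and the internal
// "node" identity passes every check.
const nodeUser = "node"

var ErrNoSelect = errors.New("user lacks SELECT privilege")

// Executor holds constructed grants: selectGrants[table][user].
type Executor struct{ selectGrants map[string]map[string]bool }

// ValidationQuery stands in for the duplicate-detection scan over a table.
func (e *Executor) ValidationQuery(user, table string) error {
	if user == nodeUser || e.selectGrants[table][user] {
		return nil // the scan would run here
	}
	return fmt.Errorf("%w: %q on %q", ErrNoSelect, user, table)
}

// RevalidateAsNode is the confused-deputy shape: the caller's identity is
// dropped, so the scan runs no matter who invoked the builtin.
func RevalidateAsNode(e *Executor, sessionUser, table string) error {
	return e.ValidationQuery(nodeUser, table)
}

// RevalidateAsCaller forwards the invoking user, so the executor's own
// SELECT check decides whether the scan may run.
func RevalidateAsCaller(e *Executor, sessionUser, table string) error {
	return e.ValidationQuery(sessionUser, table)
}

// SampleExecutor returns constructed grants: only alice may read accounts.
func SampleExecutor() *Executor {
	return &Executor{selectGrants: map[string]map[string]bool{
		"accounts": {"alice": true},
	}}
}

func main() {
	e := SampleExecutor()
	fmt.Println("as node, bob:    ", RevalidateAsNode(e, "bob", "accounts"))
	fmt.Println("as caller, bob:  ", RevalidateAsCaller(e, "bob", "accounts"))
	fmt.Println("as caller, alice:", RevalidateAsCaller(e, "alice", "accounts"))
}
```

A regression test for this class of bug calls the builtin as a user without SELECT on the table and asserts that it returns a privilege error.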
Contributor

@knz knz left a comment

Reviewed 4 of 4 files at r1, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @msbutler, @rafiss, and @rytaft)


pkg/sql/backfill.go line 2608 at r1 (raw file):

			ie,
			txn,
			username.NodeUserName(),

why node here?


pkg/sql/importer/import_job.go line 1124 at r1 (raw file):

			ie := execCfg.InternalExecutorFactory(ctx, sql.NewFakeSessionData(execCfg.SV()))
			return ie.WithSyntheticDescriptors([]catalog.Descriptor{desc}, func() error {
				return sql.RevalidateUniqueConstraintsInTable(ctx, txn, username.NodeUserName(), ie, desc)

I think this should use the job user owner instead of node.

@rytaft rytaft force-pushed the revalidate-permissions branch from b8b95cd to 1cdb741 Compare July 8, 2022 01:53
Collaborator Author

@rytaft rytaft left a comment

TFTRs!

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @knz, @msbutler, and @rafiss)


pkg/sql/backfill.go line 2608 at r1 (raw file):

Previously, knz (kena) wrote…

why node here?

Fixed.


pkg/sql/importer/import_job.go line 1124 at r1 (raw file):

Previously, knz (kena) wrote…

I think this should use the job user owner instead of node.

Done.

Collaborator

@msbutler msbutler left a comment

Looks good on the bulk side!

Contributor

@knz knz left a comment

Reviewed 3 of 3 files at r2, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss and @rytaft)


pkg/sql/backfill.go line 768 at r2 (raw file):

				} else if c.IsUniqueWithoutIndex() {
					if err := validateUniqueWithoutIndexConstraintInTxn(
						ctx, sc.ieFactory(ctx, evalCtx.SessionData()), desc, txn, username.NodeUserName(), c.GetName(),

maybe evalCtx.SessionData().User() here?

@rytaft rytaft force-pushed the revalidate-permissions branch from 1cdb741 to 3390373 Compare July 8, 2022 15:09
Collaborator Author

@rytaft rytaft left a comment

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @knz and @rafiss)


pkg/sql/backfill.go line 768 at r2 (raw file):

Previously, knz (kena) wrote…

maybe evalCtx.SessionData().User() here?

Done.

Collaborator

@mgartner mgartner left a comment

Reviewed 1 of 4 files at r1, 2 of 3 files at r2, 2 of 2 files at r3, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @knz and @rafiss)

Contributor

@knz knz left a comment

:lgtm:

Reviewed 2 of 2 files at r3, all commit messages.
Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @rafiss)

Collaborator Author

@rytaft rytaft left a comment

TFTRs!

bors r+

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @rafiss)

Contributor

craig bot commented Jul 8, 2022

🕐 Waiting for PR status (Github check) to be set, probably by CI. Bors will automatically try to run when all required PR statuses are set.

Contributor

craig bot commented Jul 8, 2022

GitHub status checks took too long to complete, so bors is giving up. You can adjust bors configuration to have it wait longer if you like.

@rytaft rytaft force-pushed the revalidate-permissions branch from 3390373 to d2715d2 Compare July 8, 2022 21:20
Collaborator Author

@rytaft rytaft left a comment

bors r+

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @rafiss)

Contributor

craig bot commented Jul 8, 2022

Build failed (retrying...):

Contributor

craig bot commented Jul 9, 2022

Build succeeded:

@craig craig bot merged commit cc22360 into cockroachdb:master Jul 9, 2022

blathers-crl bot commented Jul 9, 2022

Encountered an error creating backports. Some common things that can go wrong:

  1. The backport branch might have already existed.
  2. There was a merge conflict.
  3. The backport branch contained merge commits.

You might need to create your backport manually using the backport tool.


error creating merge commit from d2715d2 to blathers/backport-release-21.2-83959: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 21.2.x failed. See errors above.


error creating merge commit from d2715d2 to blathers/backport-release-22.1-83959: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 22.1.x failed. See errors above.


🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.
