sql, server: regulate access to remaining observability features #85769
Nice! LGTM modulo updating the release note
Reviewed 8 of 9 files at r1, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @koorosh, @Santamaura, and @zachlite)
-- commits
line 4 at r1:
This should be moved into the release note so docs can write about the new requirements
pkg/server/admin_test.go
line 393 at r1 (raw file):
query = fmt.Sprintf( "GRANT SYSTEM %s TO %s", strings.Join(sysPrivileges, ", "),
Don't need to join here
TFTR!
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @koorosh, @RichardJCai, and @zachlite)
Previously, RichardJCai (Richard Cai) wrote…
This should be moved into the release note so docs can write about the new requirements
Ok, I have added the details to the release note.
pkg/server/admin_test.go
line 393 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
Don't need to join here
Done
This change will control access to various observability features based on system privileges including the following:
- admin ui databases/tables/schema endpoints requires admin or VIEWACTIVITY
- EXPERIMENTAL_AUDIT requires admin or MODIFYCLUSTERSETTING
- sql login requires not having NOSQLLOGIN or the equivalent role option

Resolves: cockroachdb#83848, cockroachdb#83863, cockroachdb#83862

Release note (security update): Change requirements to access some observability features. Databases/tables/schema endpoints for admin ui require admin or VIEWACTIVITY. EXPERIMENTAL_AUDIT requires admin or MODIFYCLUSTERSETTING. SQL login requires not having NOSQLLOGIN or the equivalent role option.
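The grants an operator would provision to meet the three requirements in the commit message above, as an added example that is not code from this PR. The role, user and table names are hypothetical, and the behavior described in the comments assumes a CockroachDB version that includes this change; `GRANT SYSTEM` is the statement form used in the PR's test.

```sql
-- Hypothetical names: obs_viewer, audit_admin, batch_svc, app.payments.
-- app.payments is assumed to exist already.

-- 1. Admin UI databases/tables/schema endpoints: admin or VIEWACTIVITY.
--    Grant the system privilege to a dedicated role instead of
--    adding dashboard users to admin.
CREATE ROLE IF NOT EXISTS obs_viewer;
GRANT SYSTEM VIEWACTIVITY TO obs_viewer;

-- 2. EXPERIMENTAL_AUDIT: admin or MODIFYCLUSTERSETTING.
CREATE ROLE IF NOT EXISTS audit_admin;
GRANT SYSTEM MODIFYCLUSTERSETTING TO audit_admin;
-- Run as a member of audit_admin:
ALTER TABLE app.payments EXPERIMENTAL_AUDIT SET READ WRITE;

-- 3. SQL login: refused for any principal holding NOSQLLOGIN,
--    either as a role option or as a system privilege.
CREATE USER IF NOT EXISTS batch_svc;
ALTER ROLE batch_svc WITH NOSQLLOGIN;      -- role option form
GRANT SYSTEM NOSQLLOGIN TO batch_svc;      -- system privilege form

-- To restore SQL login later, both forms have to be cleared:
--   ALTER ROLE batch_svc WITH SQLLOGIN;
--   REVOKE SYSTEM NOSQLLOGIN FROM batch_svc;

-- Review who holds these system privileges after the rollout.
SHOW SYSTEM GRANTS;
```

Running `SHOW SYSTEM GRANTS` before and after the upgrade is a quick way to find users who relied on the earlier, looser access and now need `VIEWACTIVITY` or `MODIFYCLUSTERSETTING` granted explicitly.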
bors r+
Build succeeded: