-
Notifications
You must be signed in to change notification settings - Fork 459
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Further restrict mz_introspection
cluster
#18075
Comments
There were some alternatives proposed, like providing a larger
|
If this is the central purpose for this cluster, then I agree that locking down its capabilities to avoid accidental misuse while preserving what the front end and support needs is ideal. My primary concern with the use patterns we've seen against this cluster is that heavy usage from one user can negatively affect the entire organization's ability to interact with the console UI (manifesting in errors and slowness). It sounds like this proposal should mitigate that risk sufficiently. One last thing to check is that this change wouldn't interfere with any of our observability tooling (I don't think it does, but worth verifying). |
Whatever approach we settle on, I think #17609 would be the most effective way to prevent this situation while also improving the user experience (incl. removing the need for that annotation in
The introspection queries dbt runs hit |
Question: is this the central use for this cluster? It's also the one used by default by |
Yes, this is the central purpose for this cluster: https://www.notion.so/materialize/System-clusters-26b20f5ecb93457a8164f1bd59650f91?pvs=4#229115f89e95421a943e4dc4cc23e659 |
If this is the case then I'd be strongly 👍🏽 in favor of limiting |
### Motivation * This PR adds a known-desirable feature. * Fixes #18075 This PR restricts what queries can get run on the `mz_introspection` cluster. Specifically only queries that depend on system tables can get run. As part of this change, we also update the dbt-adapter to set the `auto_route_introspection_queries` session var to make sure all of its introspection queries automatically get run on the mz_introspection cluster, regardless of what cluster is currently set. <!-- Leave some tips for your reviewer, like: * The diff is much smaller if viewed with whitespace hidden. * [Some function/module/file] deserves extra attention. * [Some function/module/file] is pure code movement and only needs a skim. Delete this section if no tips. --> ### Checklist - [ ] This PR has adequate test coverage / QA involvement has been duly considered. - [ ] This PR has an associated up-to-date [design doc](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/README.md), is a design doc ([template](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/00000000_template.md)), or is sufficiently small to not require a design. <!-- Reference the design in the description. --> - [ ] This PR evolves [an existing `$T ⇔ Proto$T` mapping](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/command-and-response-binary-encoding.md) (possibly in a backwards-incompatible way) and therefore is tagged with a `T-proto` label. - [ ] If this PR will require changes to cloud orchestration, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label ([example](https://github.com/MaterializeInc/cloud/pull/5021)). <!-- Ask in #team-cloud on Slack if you need help preparing the cloud PR. --> - [ ] This PR includes the following [user-facing behavior changes](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/guide-changes.md#what-changes-require-a-release-note): - <!-- Add release notes here or explicitly state that there are no user-facing behavior changes. --> --------- Co-authored-by: morsapaes <marta.paes.moreira@gmail.com> Co-authored-by: Matt Jibson <matt.jibson@gmail.com>
We've had quite a bit of confusion about the
mz_introspection
cluster lately:SELECT count(*) FROM big_source
query on theirmz_introspection
cluster, which ran it out of CPU/memory. This is expected, given its size, but was not obvious to the customer.mz_introspection
has improved performance for introspection queries, but some internal folks worry this is easy to misinterpret.mz_introspection
was only usable for querying the system catalog.We should chart a path forward here that reduces confusion. Here's a proposal: don't allow querying user objects on the
mz_introspection
cluster. Put another way: all queries that targetmz_introspection
may only reference objects whose name begins withmz_
orpg_
.This should make it very difficult to abuse the
mz_introspection
cluster. You can still construct a heinous join out of catalog tables that crashes the cluster, but .. that's adversarial. The proposed restriction will eliminate approximately all accidental misuse of the cluster, I think.h/t @sjwiesman for the proposal
Open questions:
mz_introspection
for some metadata queries.If we decide to do this, the sooner the better. This is technically a backwards incompatible change, but one that's ok if we don't break any of the known existing tools.
Work items:
cc @materializesupport @sjwiesman @jpepin @umanwizard @RobinClowers @necaris @doy-materialize
The text was updated successfully, but these errors were encountered: