Admin privileges are necessary, to view EVENTS in the DB console under UI->Metrics->event #103341

Open
Arivijay opened this issue May 15, 2023 · 3 comments
Labels
A-cluster-observability Related to cluster observability A-observability-inf C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-observability

Comments

Arivijay commented May 15, 2023

Describe the problem
Admin privileges are necessary, to view EVENTS in the DB console under UI->Metrics->event

Given the current events, the following system privileges should all be required (slack context):

  • VIEWACTIVITY or VIEWACTIVITYREDACTED
  • VIEWCLUSTERMETADATA
  • VIEWCLUSTERSETTING

To Reproduce

Create a non-admin user and go to DB console->Metrics->Events
Please see image attached for error.
DBConsole

Environment:

  • CockroachDB version 22.2.7

@kevin-v-ngo @rafiss @maryliag

Jira issue: CRDB-27954

Epic CRDB-32130

@Arivijay Arivijay added the T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions) label May 15, 2023
blathers-crl bot commented May 15, 2023

Hi @Arivijay, please add a C-ategory label to your issue. Check out the label system docs.

While you're here, please consider adding an A- label to help keep our repository tidy.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@rafiss rafiss removed the T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions) label May 16, 2023
@rafiss rafiss added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-cluster-observability Related to cluster observability labels May 16, 2023
THardy98 added a commit to THardy98/cockroach that referenced this issue Aug 10, 2023
Part of: cockroachdb#103341

This change allows non-admin users that have `VIEWACTIVITY` +
`VIEWCLUSTERMETADATA` + `VIEWCLUSTERSETTING` permissions to view system
events from the admin api events endpoint.

Release note (server change): Non-admin users that have `VIEWACTIVITY` +
`VIEWCLUSTERMETADATA` + `VIEWCLUSTERSETTING` permissions can view system
events from the admin api events endpoint
THardy98 added a commit to THardy98/cockroach that referenced this issue Aug 10, 2023
Part of: cockroachdb#103341

This change allows non-admin users that have `VIEWACTIVITY` +
`VIEWCLUSTERMETADATA` + `VIEWCLUSTERSETTING` permissions to view system
events from the admin api events endpoint.

Release note (bug fix): Non-admin users that have `VIEWACTIVITY` +
`VIEWCLUSTERMETADATA` + `VIEWCLUSTERSETTING` permissions can view system
events from the admin api events endpoint
THardy98 added a commit to THardy98/cockroach that referenced this issue Aug 16, 2023
Addresses: cockroachdb#103341

This change adds the `crdb_internal.eventlog` virtual table. This table
is a thin wrapper around the `system.eventlog` table with more
permissive access. Non-admins can query this table if they have:
- `VIEWACTIVITY`/`VIEWACTIVITYREDACTED` permission and
- `VIEWCLUSTERMETADATA` permission and
- `VIEWCLUSTERSETTING`/`MODIFYCLUSTERSETTING` permission

This table is used for the Events page on the console, allowing
non-admin users with these permissions to view events on the console.

Release note (sql change): Add the `crdb_internal.eventlog` virtual
table. This table is a thin wrapper around the `system.eventlog` table
with more permissive access. Non-admins can query this table if they
have:
- `VIEWACTIVITY`/`VIEWACTIVITYREDACTED` permission and
- `VIEWCLUSTERMETADATA` permission and
- `VIEWCLUSTERSETTING`/`MODIFYCLUSTERSETTING` permission
THardy98 added a commit to THardy98/cockroach that referenced this issue Aug 17, 2023
Addresses: cockroachdb#103341

This change adds the `crdb_internal.eventlog` virtual table. This table
is a thin wrapper around the `system.eventlog` table with more
permissive access. Non-admins can query this table if they have:
- `VIEWACTIVITY`/`VIEWACTIVITYREDACTED` permission and
- `VIEWCLUSTERMETADATA` permission and
- `VIEWCLUSTERSETTING`/`MODIFYCLUSTERSETTING` permission

This table is used for the Events page on the console, allowing
non-admin users with these permissions to view events on the console.

Release note (sql change): Add the `crdb_internal.eventlog` virtual
table. This table is a thin wrapper around the `system.eventlog` table
with more permissive access. Non-admins can query this table if they
have:
- `VIEWACTIVITY`/`VIEWACTIVITYREDACTED` permission and
- `VIEWCLUSTERMETADATA` permission and
- `VIEWCLUSTERSETTING`/`MODIFYCLUSTERSETTING` permission
Collaborator

rafiss commented Nov 15, 2023

The VIEWSYSTEMTABLE privilege has been added, and should allow the events page to be viewed. However, it still seems useful to add a finer-grained privilege that doesn't give read access to all other system tables.
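
Added example, not part of the issue thread or of CockroachDB's own code: a least-privilege role for the Events page, with the fine-grained grants named in the issue next to the broader `VIEWSYSTEMTABLE` route from the comment above. The role name `events_viewer` is hypothetical, and whether the three fine-grained grants alone unlock the page (or `crdb_internal.eventlog` exists) depends on whether the referenced commits are in the release you run.

```sql
-- Hypothetical role name used only for this example.
CREATE ROLE events_viewer;

-- Option A: the fine-grained set requested in this issue.
-- VIEWACTIVITYREDACTED is the narrower of the two activity privileges;
-- the issue accepts either it or VIEWACTIVITY.
GRANT SYSTEM VIEWACTIVITYREDACTED TO events_viewer;
GRANT SYSTEM VIEWCLUSTERMETADATA  TO events_viewer;
GRANT SYSTEM VIEWCLUSTERSETTING   TO events_viewer;

-- Option B: the privilege mentioned in the last comment. It unlocks the
-- Events page but also grants read access to all other system tables,
-- so prefer Option A wherever the release supports it.
-- GRANT SYSTEM VIEWSYSTEMTABLE TO events_viewer;

-- Confirm what the role actually holds.
SHOW SYSTEM GRANTS FOR events_viewer;

-- Audit: list members of the admin role. Accounts that were added to
-- admin only so they could read events are candidates for moving to
-- events_viewer instead.
SHOW GRANTS ON ROLE admin;

-- Check access while connected as a member of events_viewer.
-- With Option A (table name taken from the commit messages above):
SELECT * FROM crdb_internal.eventlog LIMIT 10;
-- With Option B:
SELECT * FROM system.eventlog ORDER BY "timestamp" DESC LIMIT 10;

-- If Option B was granted as a stopgap, remove it once Option A works.
-- REVOKE SYSTEM VIEWSYSTEMTABLE FROM events_viewer;
```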
