VIEWACTIVITYREDACTED should redact query text literals for SHOW SESSIONS #106588
Comments
Fixes cockroachdb#104354. Partially addresses cockroachdb#106588. Previously, when a non-admin user was given the `VIEWACTIVITY` privilege, they were able to see other users' sessions from the SQL shell but not from the UI. This commit fixes the ListSessions endpoint to check for the `VIEWACTIVITY` privilege in addition to the `VIEWACTIVITY` role when returning a response for the ListSessions endpoint. Release note (bug fix): users with the `VIEWACTIVITY` privilege should be able to see other users' sessions from both the CLI and the DB Console.
Update on this issue: I put the fix for the This is the current behavior:
Furthermore, for any I'm leaning to move away from using this empty username field as an indicator to "show all sessions" and instead relying on the permissions that the given username has to determine which sessions to show. This will also require the UI to attach a username to any calls to |
106590: sql: fix VIEWACTIVITY privilege for ListSessions r=gtr a=gtr Fixes #104354. Partially addresses #106588. Previously, when a non-admin user was given the `VIEWACTIVITY` privilege, they were able to see other users' sessions from the SQL shell but not from the UI. This commit fixes the ListSessions endpoint to check for the `VIEWACTIVITY` privilege in addition to the `VIEWACTIVITY` role when returning a response for the ListSessions endpoint. loom: https://www.loom.com/share/8224628f7e7e4af298306c83f158d593 Release note (bug fix): users with the `VIEWACTIVITY` privilege should be able to see other users' sessions from both the CLI and the DB Console. Co-authored-by: gtr <gerardo@cockroachlabs.com>
This issue tracks adding redaction for the `SHOW SESSIONS` command and the `ListSessions` endpoint.

In accordance with #103560, users with the `VIEWACTIVITYREDACTED` privilege should see a redacted version of the `active_queries` field from the `SHOW SESSIONS` response.

The current behavior allows a user with `VIEWACTIVITYREDACTED` to see the full query:

Run `SHOW SESSIONS` from `gerardo`:

`SELECT pg_sleep(1000)` should have its literals redacted, e.g. `SELECT pg_sleep(_)`.

Jira issue: CRDB-29633
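The behaviour requested in this issue, sketched as an added example (not CockroachDB's code): session visibility and literal redaction are decided from the viewer's privileges alone. The `Session` and `Privs` types, the regex-based `redactLiterals`, and the policy that own sessions stay unredacted and that `VIEWACTIVITYREDACTED` wins when both privileges are held are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Session is a hypothetical, simplified row of SHOW SESSIONS output.
type Session struct{ User, ActiveQuery string }

// Privs holds the viewer's privileges (hypothetical type for this example).
type Privs struct{ ViewActivity, ViewActivityRedacted bool }

// literalRE matches single-quoted strings ('' is an escaped quote) and bare
// numbers. Text-level heuristic only: it ignores comments, dollar quoting and
// quoted identifiers, which a parser-based redactor would handle.
var literalRE = regexp.MustCompile(`'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b`)

// redactLiterals replaces every matched literal with "_".
func redactLiterals(sql string) string { return literalRE.ReplaceAllString(sql, "_") }

// visibleSessions decides from the viewer's privileges alone. Assumed policy:
// own sessions are returned in full; other users' sessions need VIEWACTIVITY
// (full text) or VIEWACTIVITYREDACTED (redacted, and it wins if both are held).
func visibleSessions(viewer string, p Privs, all []Session) []Session {
	var out []Session
	for _, s := range all {
		if s.User != viewer {
			if !p.ViewActivity && !p.ViewActivityRedacted {
				continue // no privilege: other users' sessions are hidden
			}
			if p.ViewActivityRedacted {
				s.ActiveQuery = redactLiterals(s.ActiveQuery)
			}
		}
		out = append(out, s)
	}
	return out
}

func main() {
	// Constructed sample sessions.
	all := []Session{{"gerardo", "SELECT 1"}, {"app", "SELECT pg_sleep(1000)"}}
	fmt.Println(visibleSessions("gerardo", Privs{ViewActivityRedacted: true}, all))
}
```
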