Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sql: enforce permissions on sql endpoint #1830

Closed
mberhault opened this issue Jul 28, 2015 · 4 comments
Closed

sql: enforce permissions on sql endpoint #1830

mberhault opened this issue Jul 28, 2015 · 4 comments
Assignees
@mberhault

Comments

@mberhault
Copy link
Contributor

Short-term solution:

  • add a namespace descriptor containing: repeated read/write string corresponding to user names
  • read/write apply to the entire namespace (database). this means table creation, and all read/write operations on the table.
  • default read/write entries are the root user only. a separate admin command will allow modification.

Further considerations:

  • KV permissions enforcement is removed and the mysql user is passed down to the KV layer for logging purposes.
  • KV endpoint restricted to root (maybe even node user)
  • proper roles/policies/etc...
  • alternate storage location (maybe a table)
  • get/set through sql api (create role, grant * to role, etc...)
mberhault pushed a commit that referenced this issue Jul 28, 2015
Show unenforced permissions: #1830
30540fb
@mberhault mberhault mentioned this issue Jul 28, 2015
Closed
@tamird
Copy link
Contributor

tamird commented Jul 28, 2015

command-line tool to set permissions using database/table names

This bit is not strictly necessary IMO.

@mberhault
Copy link
Contributor Author

Well, we need some way of doing it. The currently prefix-based config tool assume that you know what the mapping is. It's trivial enough to do the conversion automatically.

@mberhault
Copy link
Contributor Author

Ok, I don't think this will work. Having authorization done at the KV layer requires way too many prefixes (unique namespace ID, namespace prefix, table prefix, etc...).
A more reasonable solution for the near-term is to store permissions in the namespace/table descriptors and perform the authorization check at the sql layer.

I'll write something up.

This was referenced Jul 29, 2015
Merged
Closed
@mberhault mberhault self-assigned this Jul 30, 2015
@petermattis petermattis changed the title Enforce permissions on sql endpoint. sql: enforce permissions on sql endpoint Aug 2, 2015
mberhault pushed a commit that referenced this issue Aug 5, 2015
Enforce database-level privileges: #1830
842efc8 
Enforce read/write db-level privileges.

I've annotated the enforced functions with the privileges required
and notes about what postgres and mysql do. This will be useful when
adding real privileges (eg: create|select|insert|delete|etc...).
mberhault added a commit that referenced this issue Aug 5, 2015
@mberhault
Merge pull request #1967 from cockroachdb/marc/enforce_sql_permissions
a418616 
Enforce database-level privileges: #1830
mberhault pushed a commit that referenced this issue Aug 5, 2015
Add table privileges: #1830
6e92b36 
* add privileges to the table descriptor, inherited from the DB descriptor
at creation time.
* modify grant/revoke/show grants statements to operate on a table
* split grant sql logic test into grant_database and grant_table

Table-level permissions are not yet enforced.
mberhault added a commit that referenced this issue Aug 5, 2015
@mberhault
Merge pull request #1975 from cockroachdb/marc/table_privileges
7ff84d0 
Add table privileges: #1830
@mberhault mberhault mentioned this issue Aug 6, 2015
Merged
mberhault pushed a commit that referenced this issue Aug 6, 2015
Enforce table-level privileges
8a54d87 
Work torwards #1830

Apply table-level READ|WRITE privileges and test.
Each statement has a note about privileges, including what postgres and
mysql do.

Due to the always-build SELECT nodes in DELETE and UPDATE, we need both
READ and WRITE for those statements.
@mberhault
Copy link
Contributor Author

Privileges are enforced. Closing in favor of #2005

pav-kv pushed a commit to pav-kv/cockroach that referenced this issue Mar 5, 2024
@xiang90
Merge pull request cockroachdb#1830 from xiang90/raft_snap_log
54c398f 
raft: log snapshot events
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mberhault mberhault

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tamird @mberhault