New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
backupccl: Add option to RESTORE to preserve grants to specified users #45359
Comments
A first step here could be to just add a flag
|
cc @livlobo @mwang1026 for visibility |
Would it throw an error with the invalid user name? And would the UX be that they would have to create that user before the RESTORE would succeed? Alternatives could be
Also, re: restoring of |
@mwang1026 @livlobo and I think @vy-ton: Another question is what we should do with the default grants: do we replace them with the backed up grants (so you get back exactly what was backed up, which is generally the expectation) or do we add the backed up grants to the default grants on the newly created restoring tables, so that root/admin on the new cluster are assured to have the usual grants? |
Are the default grants inherited or are they explicit? Like could you revoke select from admin on a table? |
What does "default grants" mean here?
|
That that's what I meant by "default" -- that root and admin have grants to everything. I wasn't sure if that's explicit (i.e. the descriptor explicitly says root has access) or whether it's inferred/inherited (i.e. we don't need the descriptor to say so because it is just fact that admin and root have access to everything) |
|
IIRC in the demo that we saw from Casper
|
@gh-casper - Could you comment on the status of this PR? |
Co-authored-by: casper@cockroachlabs.com Fixes: cockroachdb#45359 Release note (enterprise change): This change adds an option to database and table level restores to `preserve_grants_for` user(s) when restoring the table or database. A cluster restore is not allowed to specify this option since we already restore all users as part of the `system.users` table, and therefore the descriptor privileges are restored exactly how they were backed up. In the case of table and database level restores, the users specified in the `preserve_grants_for` option must be present in the restoring cluster. If they are, then the privileges on the restored database, schema, type and table descriptors for those users will be restored exactly how they were backed up. Privileges for users not specified in the `preserve_grants_for` list will continue to be wiped and the descriptors will be restored with the "default" privileges as they are today.
Currently all BACKUPs include the privilege grant information on individual tables and databases, even if those backups do not include the actual users/roles to which those privileges are granted.
During restore, these grants are wiped and replaced with default privileges as if the restore had created new tables, since it isn't obvious that RESTORE can assume that a grant to user "jsmith" on the old cluster should still apply to user "jsmith" on the new cluster -- they may not be the same person, they may have different access, or may not even exist, etc.
However if can operator is restoring into the same cluster or another cluster that does have the same users configured, it would be nice if they could choose to preserve that grant information instead of being forced to re-grant everything from scratch.
An option like
RESTORE mytable ... WITH preserve_grants_for = 'jsmith,dtaylor,...'
would allow operators to express when a grant to a given pre-backup user should be preserved and apply to a post-restore user. As a shorthand,preserve_grants_for = '*'
could mean for all users (and error if any table in the backup has a grant to a username that does not exist on the restoring cluster).Epic: CRDB-9127
Jira issue: CRDB-5156
gz#11757
The text was updated successfully, but these errors were encountered: