New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cli,sql: stop using RPC conns in CLI client commands #51454
Comments
I am 100% behind this. |
In some cases a virtual table might make more sense than a built-in function. For example, |
Built-in functions can return tables (we have those already, called set-returning functions) |
51563: builtins: handle builtins involving string casts to geometry r=rytaft a=otan Release note (sql change): Implement geospatial functions that take in a string argument such that when an ambiguous function that could be either geometry or geography is encountered, geometry is chosen. This is the case for the following functions: * st_area * st_asewkt * st_asgeojson * st_buffer * st_coveredby * st_covers * st_distance * st_dwithin * st_intersects * st_length 51570: cli/sql: support Kerberos auth r=mjibson a=mjibson Informs #42488 Informs #51454 Release note: add Kerberos (GSS) support to `cockroach sql` and other CLI commands that only use the SQL protocol (such as `node ls`, or `node status`). Other `cockroach` CLI commands that also use the RPC protocol still cannot use Kerberos (such as `node decommission`, `debug zip`, etc). Co-authored-by: Oliver Tan <otan@cockroachlabs.com> Co-authored-by: Matt Jibson <matt.jibson@gmail.com>
Here's the analysis of the current behavior, with what we can aim for:
There's a tricky bit: for
|
We have marked this issue as stale because it has been inactive for |
Today the CLI admin commands use a mix of RPC and SQL connections.
(They don't use the HTTP interface.)
For example,
node decommission
is RPC-only.node ls
is SQL-only.debug zip
uses both RPC and SQL.We want everything to use a single protocol, ideally SQL. The reason why we want SQL is that the SQL server has the strongest authentication policies. IT would also enable using Kerberos tokens with the CLI client commands (as requested by customers, e.g. cockroach workloads - cc @BramGruneir )
Discussed this with @bdarnell . We can achieve this as follows: define SQL built-in functions for the various CLI commands. The built-in function would generate the command's results. The client-side program would then become a "dumb" SQL client that just issues the appropriate SQL queries.
The other advantage of this approach is that it then becomes possible to "run CLI admin commands" from a SQL shell, for example a UI tool.
Note that this feature might be rendered more secure by combining it with #51453.
A technical implementation detail for this approach: whatever service we make available via a SQL built-in function should also simultaneously become available over the HTTP REST API, using a similarly (ideally, identically) named endpoint.
For example, if I have a "command"
SELECT crdb_internal.admin_node_status()
I should have/api/v2/node/status
(or something like that).With this system, the
debug zip
command would send a SQL request forcrdb_internal.admin_debug_zip()
(or something like that) and there would also be a HTTP endpoint/api/v2/debug/zip
(or something like that), which is incidentally a requirement for #51008.cc @celiala who might be interested.
Jira issue: CRDB-6312
The text was updated successfully, but these errors were encountered: