Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Control access to enable audit logs #83863

Closed
Santamaura opened this issue Jul 5, 2022 · 0 comments
Closed

Control access to enable audit logs #83863

Santamaura opened this issue Jul 5, 2022 · 0 comments
Assignees
@Santamaura
Labels
A-kv-observability C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)

Comments

@Santamaura
Copy link
Contributor

Santamaura commented Jul 5, 2022
edited by exalate-issue-sync bot

This task is to determine whether the user is able to enable audit logs which is determined by the “Cluster metadata operator”
or “Cluster activity writer” roles.

Jira issue: CRDB-17318

Epic CRDB-14105
@Santamaura Santamaura added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-kv-observability labels Jul 5, 2022
Santamaura added a commit to Santamaura/cockroach that referenced this issue Aug 9, 2022
@Santamaura
sql, server: regulate access to remaining observability features
a2bab72 
This change will control access to various observability
features based on system privileges including the following:
- admin ui databases/tables/schema endpoints requires admin or VIEWACTIVITY
- EXPERIMENTAL_AUDIT requires admin or MODIFYCLUSTERSETTING
- sql login requires not having NOSQLLOGIN or the equivalent
role option

Resolves: cockroachdb#83848, cockroachdb#83863, cockroachdb#83862

Release note (security update): require admin or system privilege
for various observability features
@Santamaura Santamaura mentioned this issue Aug 9, 2022
Merged
Santamaura added a commit to Santamaura/cockroach that referenced this issue Aug 11, 2022
@Santamaura
sql, server: regulate access to remaining observability features
bfc2497 
This change will control access to various observability
features based on system privileges including the following:
- admin ui databases/tables/schema endpoints requires admin or VIEWACTIVITY
- EXPERIMENTAL_AUDIT requires admin or MODIFYCLUSTERSETTING
- sql login requires not having NOSQLLOGIN or the equivalent
role option

Resolves: cockroachdb#83848, cockroachdb#83863, cockroachdb#83862

Release note (security update): Change requirements to access some
observability features. Databases/tables/schema endpoints for
admin ui require admin or VIEWACTIVITY. EXPERIMENTAL_AUDIT
requires admin or MODIFYCLUSTERSETTING. SQL login requires not
having NOSQLLOGIN or the equivalent role option.
Santamaura added a commit to Santamaura/cockroach that referenced this issue Aug 11, 2022
@Santamaura
sql, server: regulate access to remaining observability features
9e5c7a0 
This change will control access to various observability
features based on system privileges including the following:
- admin ui databases/tables/schema endpoints requires admin or VIEWACTIVITY
- EXPERIMENTAL_AUDIT requires admin or MODIFYCLUSTERSETTING
- sql login requires not having NOSQLLOGIN or the equivalent
role option

Resolves: cockroachdb#83848, cockroachdb#83863, cockroachdb#83862

Release note (security update): Change requirements to access some
observability features. Databases/tables/schema endpoints for
admin ui require admin or VIEWACTIVITY. EXPERIMENTAL_AUDIT
requires admin or MODIFYCLUSTERSETTING. SQL login requires not
having NOSQLLOGIN or the equivalent role option.
craig bot pushed a commit that referenced this issue Aug 11, 2022
@Santamaura @jaylim-crl
Merge #85769 #85931
5845f4b 
85769: sql, server: regulate access to remaining observability features r=Santamaura a=Santamaura

This change will control access to various observability
features based on system privileges including the following:
- admin ui databases/tables/schema endpoints requires admin or VIEWACTIVITY
- EXPERIMENTAL_AUDIT requires admin or MODIFYCLUSTERSETTING
- sql login requires not having NOSQLLOGIN or the equivalent
role option

Resolves: #83848, #83863, #83862

Release note (security update): Change requirements to access some
observability features. Databases/tables/schema endpoints for
admin ui require admin or VIEWACTIVITY. EXPERIMENTAL_AUDIT
requires admin or MODIFYCLUSTERSETTING. SQL login requires not
having NOSQLLOGIN or the equivalent role option.

85931: ccl/sqlproxyccl: ensure that connections cannot be transferred before initialization r=JeffSwenson a=jaylim-crl

Related to #80446.

In #80446, we updated the connection tracker to track server assignments
instead of forwarders. This also meant that there is a possibility where we
can start transferring the connection before we even resumed the forwarder
for the first time, breaking the TransferConnection invariant where the
processors must be resumed before being called.

This commit fixes that issue by introducing a new isInitialized flag to the
forwarder, which will only get set to true once run returns. Attempting to
transfer a connection with isInitialized=false will return an error. This
should fix flakes that we've been seeing on CI.

Release note: None

Release justification: sqlproxy bug fix. This ensures that we don't resume
the processors mid connection transfer, causing unexpected issues on the
client's end. Note that this situation is rare since it involves ensuring
timely behavior of forwarder.Run and forwarder.TransferConnection at the same
time.

Co-authored-by: Santamaura <santamaura@cockroachlabs.com>
Co-authored-by: Jay <jay@cockroachlabs.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Santamaura Santamaura

Labels
A-kv-observability C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Santamaura