Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-22.2: privilege: don't include NOSQLLOGIN in ALL check #105081

Merged
merged 1 commit into from
Jun 21, 2023
Merged

release-22.2: privilege: don't include NOSQLLOGIN in ALL check #105081

merged 1 commit into from
Jun 21, 2023

Conversation

rafiss
Copy link
Collaborator

@rafiss rafiss commented Jun 16, 2023

Backport 1/1 commits from #104685.

/cc @cockroachdb/release

Release justification: bug fix

fixes #101292

Release note (bug fix): GRANT SYSTEM ALL ... no longer causes the grantee to be unable to login. This was due to a UX oversight/bug where ALL would include the NOSQLLOGIN system privilege. Since NOSQLLOGIN is the only "negative" privilege, it is now excluded from the ALL shorthand, and must be granted explicitly in order to restrict logins.

@rafiss rafiss requested a review from ecwall June 16, 2023 21:06
@rafiss rafiss requested a review from a team as a code owner June 16, 2023 21:06
@blathers-crl
Copy link

blathers-crl bot commented Jun 16, 2023

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues or test-only changes.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
  • Patches must not add, edit, or otherwise modify cluster versions; or add version gates.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@cockroach-teamcity
Copy link
Member

This change is Reviewable

@rafiss
privilege: don't include NOSQLLOGIN in ALL check
2857e15 
Release note (bug fix): GRANT SYSTEM ALL ... no longer causes the
grantee to be unable to login. This was due to a UX oversight/bug where
ALL would include the NOSQLLOGIN system privilege. Since NOSQLLOGIN is
the only "negative" privilege, it is now excluded from the ALL
shorthand, and must be granted explicitly in order to restrict logins.
@rafiss rafiss merged commit 555e0a3 into cockroachdb:release-22.2 Jun 21, 2023
6 checks passed
@rafiss rafiss deleted the backport22.2-104685 branch June 21, 2023 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ecwall ecwall ecwall approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rafiss @cockroach-teamcity @ecwall