backupccl: fix EXECUTE privileges #114203
Conversation
|
This change is |
|
|
mgartner
force-pushed
the
udf-exec-privileges-1
branch
from
3ce0b7c
to
feb22e3
Compare
![blathers[crl]](https://avatars.githubusercontent.com/in/59700?s=40&u=373d9101a12edc3847d2fb6ae78e3adcfb4ca41e&v=4){kind=avatar}
|
Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
| // Version23_2 corresponds to descriptors created in 23.2 and onwards. These | ||
| // descriptors that are function descriptions should have EXECUTE privileges | ||
| // for the public role. | ||
| Version23_2 |
There was a problem hiding this comment.
Does this require a new cluster version? I'm seeing TestSystemDatabaseSchemaBootstrapVersionBumped fail with:
Check whether you need to bump systemschema.SystemDatabaseSchemaBootstrapVersion
and then update prevSystemHash to "7d089e4c69d8d6b164b3d1a04e0f3ad5f487f9138c9585bd00b37f397691a090".
The current value of SystemDatabaseSchemaBootstrapVersion is 1000023.1-32.
feb22e3
to
7400246
Compare
| @@ -164,7 +164,7 @@ func TestSystemDatabaseSchemaBootstrapVersionBumped(t *testing.T) { | |||
|
|
|||
| // If you need to update this value (i.e. failed this test), check whether | |||
| // you need to bump systemschema.SystemDatabaseSchemaBootstrapVersion too. | |||
| const prevSystemHash = "cd85ebe773d840ecaf39fd4ccbba6345f54d7414a95b5bf5be2fa4102c26c650" | |||
| const prevSystemHash = "7d089e4c69d8d6b164b3d1a04e0f3ad5f487f9138c9585bd00b37f397691a090" | |||
There was a problem hiding this comment.
Is it ok to bump this without updating ystemschema.SystemDatabaseSchemaBootstrapVersion in this case? The system schema should have no UDFs, AFAIK, so I thought just bumping this would be fine.
mgartner
force-pushed
the
udf-exec-privileges-1
branch
from
7400246
to
cc67995
Compare
There was a problem hiding this comment.
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @mgartner and @yuzefovich)
pkg/sql/catalog/catpb/privilege.go line 47 at r1 (raw file):
Previously, mgartner (Marcus Gartner) wrote…
Does this require a new cluster version? I'm seeing
TestSystemDatabaseSchemaBootstrapVersionBumpedfail with:Check whether you need to bump systemschema.SystemDatabaseSchemaBootstrapVersion and then update prevSystemHash to "7d089e4c69d8d6b164b3d1a04e0f3ad5f487f9138c9585bd00b37f397691a090". The current value of SystemDatabaseSchemaBootstrapVersion is 1000023.1-32.
i wouldn't expect this to need a new cluster version. the reason this is happening is bc now the hard-coded system database descriptors that are used if you bootstrap from 23.2 no longer match the descriptors that are created if you upgrade from 23.1 to 23.2.
the full comment is
// TestSystemDatabaseSchemaBootstrapVersionBumped serves as a reminder to bump
// systemschema.SystemDatabaseSchemaBootstrapVersion whenever a new upgrade
// creates or modifies the schema of system tables. We unfortunately cannot
// programmatically determine if an upgrade should bump the version so by
// adding a test failure when the initial values change, the programmer and
// code reviewers are reminded to manually check whether the version should
// be bumped.
i think what we want here is just to change prevSystemHash
i also think we might want to use
var SystemDatabaseSchemaBootstrapVersion \= clusterversion.ByKey(clusterversion.V23\_2)
in pkg/sql/catalog/systemschema/system.go. but i'm asking about that here
pkg/sql/catalog/funcdesc/func_desc_builder.go line 121 at r3 (raw file):
// Grant EXECUTE privilege on the function for the public role if the // descriptor was created before v23.2. This mimics the // grantExecuteToPublicOnAllFunctions descriptor upgrade.
an interesting consequence of adding this logic here is that the grantExecuteToPublicOnAllFunctions upgrade is no longer necessary. the reason is that there already is an upgrade called FirstUpgradeFromRelease that will run all the post-deserialization changes on all descriptors.
i guess there's no harm in keeping grantExecuteToPublicOnAllFunctions though.
pkg/sql/catalog/funcdesc/func_desc_builder.go line 129 at r3 (raw file):
false, /* withGrantOption */ ) desc.GetPrivileges().SetVersion(catpb.Version23_2)
i believe you need a line like
fdb.changes.Add(catalog.GrantedExecuteToPublicRole)
(and create the GrantedExecuteToPublicRole enum)
mgartner
force-pushed
the
udf-exec-privileges-1
branch
from
cc67995
to
05ff156
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/sql/catalog/funcdesc/func_desc_builder.go line 121 at r3 (raw file):
Previously, rafiss (Rafi Shamim) wrote…
an interesting consequence of adding this logic here is that the
grantExecuteToPublicOnAllFunctionsupgrade is no longer necessary. the reason is that there already is an upgrade calledFirstUpgradeFromReleasethat will run all the post-deserialization changes on all descriptors.i guess there's no harm in keeping
grantExecuteToPublicOnAllFunctionsthough.
I've removed it — the best code is no code.
pkg/sql/catalog/funcdesc/func_desc_builder.go line 129 at r3 (raw file):
Previously, rafiss (Rafi Shamim) wrote…
i believe you need a line like
fdb.changes.Add(catalog.GrantedExecuteToPublicRole)(and create the
GrantedExecuteToPublicRoleenum)
I didn't need it before when this was in RunRestoreChanges (or maybe I did?), but I've added it now that I've moved this logic to RunPostDeserializationChanges.
mgartner
force-pushed
the
udf-exec-privileges-1
branch
3 times, most recently
from
d8f1c2f
to
86a08ba
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/sql/catalog/bootstrap/bootstrap_test.go line 167 at r2 (raw file):
Previously, mgartner (Marcus Gartner) wrote…
Is it ok to bump this without updating
ystemschema.SystemDatabaseSchemaBootstrapVersionin this case? The system schema should have no UDFs, AFAIK, so I thought just bumping this would be fine.
yeah i think just bumping the hash should be fine
mgartner
force-pushed
the
udf-exec-privileges-1
branch
2 times, most recently
from
ee90df1
to
da9bc9f
Compare
There was a problem hiding this comment.
lgtm! thanks for taking this on
Reviewable status:
pkg/ccl/backupccl/testdata/backup-restore/user-defined-functions line 412 at r2 (raw file):
SHOW GRANTS ON FUNCTION add ---- db1 public 100109 add(int8, int8) admin ALL true
unrelated for now, but i am surprised by our decision to include the function ID in the results, given that SHOW commands are intended for usage by humans, not computers.
This commit fixes some bugs with restoring UDFs from a backup: 1. Restoring UDFs from a backup created on a v23.1 cluster will have `EXECUTE` privilege added for the public role, matching the new default privileges for functions in v23.2. This ensures that the backed-up functions can be executed without privilege errors. 2. Restoring a full cluster from a v23.2 backup with UDFs will retain the original privileges of the UDF. For example, if EXECUTE privileges on the public role have been revoked, they will remain revoked after the restore. 3. Restoring UDFs from a partial v23.2 backup, i.e., not a full cluster backup, will now have default privileges, including `EXECUTE` privilege for the public role. Fixes cockroachdb#112866 There is no release note because no release includes this issue. Release note: None
The `grantExecuteToPublicOnAllFunctions` upgrade is no longer necessary because post-serialization changes now grant `EXECUTE` on functions to the public role. The upgrade has been removed. Release note: None
mgartner
force-pushed
the
udf-exec-privileges-1
branch
from
da9bc9f
to
1d3b393
Compare
|
bors r+ |
|
Previously, rafiss (Rafi Shamim) wrote…
@chengxiong-ruan any reason we included this? I'll remove it if not. |
|
Previously, mgartner (Marcus Gartner) wrote…
I don't have a strong reason, just thought it might be good for debugging. But, since we also have function signature, function id is really not needed for sure. |
|
Build succeeded: |
|
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from 074b3e9 to blathers/backport-release-23.2-114203: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 23.2.x failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
|
I still need to backport this. |
backupccl: fix EXECUTE privileges
This commit fixes some bugs with restoring UDFs from a backup:
EXECUTEprivilege added for the public role, matching the newdefault privileges for functions in v23.2. This ensures that the
backed-up functions can be executed without privilege errors.
the original privileges of the UDF. For example, if EXECUTE
privileges on the public role have been revoked, they will remain
revoked after the restore.
backup, will now have default privileges, including
EXECUTEprivilege for the public role.
Fixes #112866
There is no release note because no release includes this issue.
Release note: None
upgrade: remove grantExecuteToPublicOnAllFunctions upgrade
The
grantExecuteToPublicOnAllFunctionsupgrade is no longer necessarybecause post-serialization changes now grant
EXECUTEon functions tothe public role. The upgrade has been removed.
Release note: None