New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sql,builtins: remove HasAdminRole checks #116844
Conversation
It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR? 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
6c9aabc
to
0d731af
Compare
0d731af
to
37cb6d9
Compare
55e0c12
to
cb86402
Compare
return nil, err | ||
} | ||
if !isAdmin { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does “view cluster metadata” really correspond to “read all data regardless of permissions”? I don’t have the written description of it in front of me but just by the name I assume it is eg SHOW RANGES or something not reading any kv?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my thinking was that technically, you can see arbitrary KVs using SHOW RANGES, so this PR is not a privilege escalation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can leave out builtins like scan that can expose data from arbitrary key ranges. Barring that I would be okay with this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can't see arbitrary KVs: you can see some keys if they were chosen as split keys, but you cannot see values. We already point out that indexed values end up in keys when we talk about domiciling or other data sensitivity questions, but values are generally only visible to those granted access and admins.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r1, 21 of 21 files at r2.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @fqazi and @rafiss)
pkg/sql/sem/builtins/builtins.go
line 7204 at r2 (raw file):
), ), "crdb_internal.reset_index_usage_stats": makeBuiltin(
this function is not a read only data, meaning is deleted all stats from the index usage table. I'm not sure we want non-admins to be able to do it.
cc @kevin-v-ngo for some feedback
pkg/sql/sem/builtins/builtins.go
line 7230 at r2 (raw file):
}, ), "crdb_internal.reset_sql_stats": makeBuiltin(
same comment as above.
@kevin-v-ngo are we okay with non-admins that have the role REPAIRCLUSTERMETADATA be able to reset sql stats?
pkg/sql/sem/builtins/builtins.go
line 7256 at r2 (raw file):
}, ), "crdb_internal.reset_activity_tables": makeBuiltin(
same as bove
pkg/sql/sem/builtins/builtins.go
line 7282 at r2 (raw file):
}, ), "crdb_internal.reset_insights_tables": makeBuiltin(
same as above
pkg/server/application_api/stmtdiag_test.go
line 126 at r2 (raw file):
"SELECT crdb_internal.request_statement_bundle('SELECT _', 0::FLOAT, 0::INTERVAL, 0::INTERVAL)", ) require.Contains(t, err.Error(), "requesting statement bundle requires VIEWACTIVITY privilege")
did you replace the admin by another option, such as VIEWCLUSTERMETADATA
? Just confirming if VIEWACTIVITY is now the only requirement or if there is any other role that would also allow this operation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @dt, @fqazi, @kevin-v-ngo, and @maryliag)
pkg/sql/sem/builtins/builtins.go
line 7204 at r2 (raw file):
Previously, maryliag (Marylia Gutierrez) wrote…
this function is not a read only data, meaning is deleted all stats from the index usage table. I'm not sure we want non-admins to be able to do it.
cc @kevin-v-ngo for some feedback
since it's not read-only, that's why i made it use "REPAIRCLUSTERMETADATA" and not "VIEWCLUSTERMETADATA"
the reasoning is that when we are debugging cloud clusters, customers don't want us to use admin
, and instead we should only use the minimum set of privileges
I have some discomfort with this directionally, and indeed wonder we should be doing the opposite and ensuing all
There have, in the past, been I also question why we want to make |
Could we add SHOW syntax for the builtins that we want to use as non-admins instead of opening up the builtins? |
well, this was already was discussed and litigated before. the conclusion where we landed with Abhinav/Duoc/Dikshant and other stakeholders was that we should move away from admin as much as possible (CRDB-17640). this was needed urgently enough that the decision we landed on was to replace all the existing admin checks with checks for one of two new privileges that were explicitly added to replace admin (VIEWCLUSTERMETADATA or REPAIRCLUSTERMETADATA ... or one of the other existing privileges if there actually was already a good fit). since VIEW/REPAIRCLUSTERMETADATA were added purely to replace admin checks, i don't feel that it's accurate to say we are loosening up these endpoints too much. |
My worry above is that "Abhinav/Duoc/Dikshant and other stakeholders" might not have included "engineers who are adding debugging tools"? As mentioned above, implementation of low-effort/quick debugging is often not treated (for good reasons) the same as user-facing feature work.
This is what concerns me most here: if we have individual engineers hastily throwing together a quick debugging tool, relying on them to reach for the right privs in the right places increases the chance something going wrong. And when things go wrong in this way it often requires a security disclosure/TA. For functions in the "internal debugging tool" category, that do not get the more rigorous thought and care that goes into user-facing features and their carefully determined access controls, the simplicity of having a single authorization decision -- "is allowed to use potentially-all-powerful internal debug tools?" -- seems like the safest way to not accidentally violate access expectations. If we really don't want "admin" to be that check, then perhaps "repairclustermetadata" could be the check but it should be the check, that every internal builtin uses, rather than asking them to make nuanced decisions (which could be wrong)? |
That is what we are suggesting we should do. If the concern is engineers might not know to put it under If we need to modify a bunch of other built ins to use |
This change as it stands isn't quite doing that -- making So if we're suggesting we'll replace |
4959589
to
55ae099
Compare
These crdb_internal builtins are used for debugging, so should not require admin access. Instead, we use the VIEWCLUSTERMETADATA or REPAIRCLUSTERMETADATA privilege. Release note: None
All these checks already have a privilege check in the same place, which already implicitly checks for the admin role. Release note: None
Release note: None
55ae099
to
4107372
Compare
@dt this has been updated so the builtins all use REPAIRCLUSTERMETADATA. i also added a commit that aliases it to REPAIRCLUSTER. (the internal key cannot be changed) |
tftr! bors r+ |
Build failed: |
bors r- |
fc209f7
to
1df0833
Compare
Release note (sql change): The REPAIRCLUSTERMETADATA privilege now has an alternative name: REPAIRCLUSTER. Both names can be used interchangably.
1df0833
to
c4065c0
Compare
I did a find/replace of REPAIRCLUSTERMETADATA/REPAIRCLUSTER in comments, variables names, and test expectations. bors r+ |
In cockroachdb#116844 we added a CREATE USER statement to this tests setup. That statement produces 2 schema change jobs that could race with the coordination required for the assertions in this test to be valid. Here we solve this by only running the AfterJobStateMachine callback for the job we care about. Fixes cockroachdb#121149 Release note: None
121250: jobs: deflake TestRegistryLifecycle r=dt a=stevendanna In #116844 we added a CREATE USER statement to this tests setup. That statement produces 2 schema change jobs that could race with the coordination required for the assertions in this test to be valid. Here we solve this by only running the AfterJobStateMachine callback for the job we care about. Fixes #121149 Release note: None Co-authored-by: Steven Danna <danna@cockroachlabs.com>
These crdb_internal builtins are used for debugging, so should not
require admin access. Instead, we use the VIEWCLUSTERMETADATA or
REPAIRCLUSTERMETADATA privilege.
informs: #114384
sql: make admin, root, and node implicit owners of all objects
This lets us remove specific checks for the admin role in many places.
sql: remove unneeded calls to hasAdminRole
All these checks already have a privilege check in the same place, which
already implicitly checks for the admin role.
Release note: None