sql: add SHOW DEFAULT SESSION VARIABLES FOR ROLE command #117875
Conversation
![blathers[crl]](https://avatars.githubusercontent.com/in/59700?s=40&u=373d9101a12edc3847d2fb6ae78e3adcfb4ca41e&v=4){kind=avatar}
|
It looks like your PR touches SQL parser code but doesn't add or edit parser tests. Please make sure you add or edit parser tests if you edit the parser. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
|
|
|
This change is |
jasminejsun
force-pushed
the
show_variables_for_role
branch
4 times, most recently
from
f3bacc0
to
ee004ae
Compare
jasminejsun
force-pushed
the
show_variables_for_role
branch
from
ee004ae
to
08ac19d
Compare
There was a problem hiding this comment.
Great work, just a few minor things!
Reviewed 16 of 16 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @jasminejsun)
pkg/sql/delegate/show_variables_for_role.go line 26 at r1 (raw file):
) (tree.Statement, error) { getVariablesForRoleQuery := `SELECT split_part(split_part(unnest(settings), ',', 1), '=', 1) as session_variables, split_part(split_part(unnest(settings), ',', 1), '=', 2) as default_values
I worry this might break if we have things with commands or equal signs within the settings themselves. i.e.
Imagine if someone did something stupid like:
'alter role demo set search_path='a='';
pkg/sql/parser/testdata/show line 2125 at r1 (raw file):
SHOW VARIABLES FOR ROLE ALL -- fully parenthesized SHOW VARIABLES FOR ROLE ALL -- literals removed SHOW VARIABLES FOR ROLE ALL -- identifiers removed
One more test here try using a parametrized query...i.e. ROLE $1
|
Previously, fqazi (Faizan Qazi) wrote…
Good point! |
jasminejsun
force-pushed
the
show_variables_for_role
branch
from
08ac19d
to
efd0ad7
Compare
|
Previously, jasminejsun (Jasmine Sun) wrote…
Should take care of commands where they're setting values with equal signs in them now! |
There was a problem hiding this comment.
Reviewed 3 of 3 files at r2, all commit messages.
Reviewable status:
-- commits line 4 at r2:
Add a release note describing the functionality and follow the format from the wiki
jasminejsun
force-pushed
the
show_variables_for_role
branch
from
efd0ad7
to
78c5408
Compare
|
Previously, fqazi (Faizan Qazi) wrote…
Non-applicables since role_spec utilizes identifiers rather than expressions! 😄 |
Previously, fqazi (Faizan Qazi) wrote…
Done! |
There was a problem hiding this comment.
Reviewed 1 of 1 files at r3.
Reviewable status:
-- commits line 2 at r3:
Instead of going low level lets focus on why this was needed / what it solves i.e.:
Previously, if a database administrator wanted to know which session variables they had set by default for a role they would need to switch into that user or scan a system table manually. This could be more time consuming or difficult to us. To address this, this patch adds a new command: SHOW VARIABLES FOR ROLE, which allows the database administrator to easily view the default values for a session variables applied to a given user.
pkg/sql/delegate/show_variables_for_role.go line 19 at r3 (raw file):
) // delegateShowVariablesForRole implements SHOW VARIABLES FOR ROLE <name> which returns all the default session values
Nit: session variables for a user.
jasminejsun
force-pushed
the
show_variables_for_role
branch
4 times, most recently
from
377be54
to
bc90409
Compare
There was a problem hiding this comment.
this is nice work! i have a few comments that i think we should address before merging
i saw that SHOW VARIABLES FOR ROLE was the syntax that @dikshant suggested in CRDB-26921. However, I don't think this is that intuitive -- we don't use the word "variable" like this anywhere else in our product. Can we change the command to something even more explicit, like: SHOW DEFAULT SESSION VARIABLES FOR ROLE ... ?
the rest of my comments are inline
Reviewable status:
pkg/sql/delegate/show_variables_for_role.go line 28 at r4 (raw file):
getVariablesForRoleQuery := `SELECT split_part(setting, '=', 1) AS session_variables, substring(setting FROM position('=' in setting) + 1) AS default_values FROM system.database_role_settings,
implementing the query this way, with a lookup on system.database_role_settings, has a downside. it means that you need to have privileges on the system table, which is something that normally only admins have. instead, i think we should make the query look at pg_catalog.pg_db_role_setting, which does not require additional privileges.
then, at the beginning of this function, we should have the specific privilege checks we need in place. let's make the required privileges be the same as the ones needed to run ALTER ROLE ... SET; that is, running this SHOW command requires at least one of CREATEROLE, MODIFYCLUSTERSETTING, or MODIFYSQLCLUSTERSETTING. you can see that they are checked in this part of the code:
cockroach/pkg/sql/alter_role.go
Lines 301 to 316 in df6457a
here is an example of how a different SHOW command does privilege checking:
cockroach/pkg/sql/delegate/show_all_cluster_settings.go
Lines 29 to 50 in df6457a
finally, let's make sure that the logictests cover the privilege checking too
pkg/sql/logictest/testdata/logic_test/alter_role_set line 303 at r4 (raw file):
statement ok ALTER ROLE ALL SET application_name = 'c';
can we add more tests for the following:
ALTER ROLE roach IN DATABASE defaultdb SET ...
ALTER ROLE ALL IN DATABASE defaultdb SET ...
as you can see, some of the defaults are per-database. so i think it would be important for the SHOW output to indicate if a given default is applicable to all databases, or a specific database. i think maybe there should be a third column, named something like database_name, and if that's NULL it means the default applies to all databases
|
+1 on SHOW DEFAULT SESSION VARIABLES FOR ROLE ... |
jasminejsun
force-pushed
the
show_variables_for_role
branch
from
bc90409
to
7fe9f93
Compare
jasminejsun
changed the title
jasminejsun
force-pushed
the
show_variables_for_role
branch
from
7fe9f93
to
6d5ef9d
Compare
There was a problem hiding this comment.
this looks great! really nice work coming up with the delegate SQL query
Reviewable status:
There was a problem hiding this comment.
Reviewed 16 of 18 files at r5, all commit messages.
Reviewable status:
-- commits line 11 at r5:
This should be the body of the commit message. Release note can simply just say you added SHOW VARIABLES FOR ROLE with a brief description of the feature.
Previously, if a database administrator wanted to know which session variables they had set by default for a role they would need to switch into that user or scan a system table manually. This could be more time consuming or difficult to us. To address this, this patch adds a new command: SHOW VARIABLES FOR ROLE, which allows the database administrator to easily view the default values for a session variables applied to a given user. Epic: CRDB-26921 Release note (sql change): Add the SHOW VARIABLES FOR ROLE command which allows the database administrator to easily view the default values for a session variables applied to a given user.
jasminejsun
force-pushed
the
show_variables_for_role
branch
from
6d5ef9d
to
538dc00
Compare
|
bors r+ |
|
Build succeeded: |
Epic: CRDB-26921
Issue: #117500
Release note (sql change): Previously, if a database administrator wanted to know which session variables they had set by default for a role they would need to switch into that user or scan a system table manually. This could be more time consuming or difficult to us. To address this, this patch adds a new command: SHOW VARIABLES FOR ROLE, which allows the database administrator to easily view the default values for a session variables applied to a given user.