sql,*: align settings defaults for UA #119221
Conversation
dt
requested review from
herkolategan,
DarrylWong and
yuzefovich
and removed request for
a team
|
This change is |
This makes the out-of-the-box UA behavior match the pre-UA behavior. For serverless / hosted MT deployments, we can configure the non-default behavior accordingly. Release note: none. Epic: none.
…efault Today non-UA clusters see non-redacted traces. With this change, UA clusters will as well out of the box, making the out-of-the-box UA behavior match the pre-UA behavior. For hosted MT / serverless deployment, we can override this ourselves to redact traces shown to MT tenants. Release note: none. Epic: none.
Prior to UA, zone config operations worked out of the box. With this change a UA cluster will also allow them out of the box without any modification. In a serverless/MT deployment we can override this to restrict secondary tenants. Release note: none. Epic: none.
These didn't match their non-UA behavior of being default on. Release note (enterprise change): clusters created to run PCR no longer automatically disable the spanconfig.range_coalescing settings. Users who started using PCR on 23.1 or 23.2 may wish to manually reset these settings. Epic: none.
…ault Pre-UA this worked by default, and now in a UA cluster it will work by default out of the box as well. For non-UA MT clusters where MR is not supported, it can be overridden accordingly. Release note: none. Epic: none.
Other drop operations are gated only on safe updates, so this one can be too. Release note: none. Epic: none.
There was a problem hiding this comment.
Overall, I think this is the right direction to take things. We'll want to make a list of overrides that CC should set.
The last commit regarding disable_drop_virtual_cluster gives me a little pause. I agree that DROP TENANT isn't different from DROP DATABASE in terms of the danger it represents. Our main concern at the time is that DROP TENANT is something we might instruct the user to run on a PCR destination cluster that would be pretty disastrous to run on the source cluster (combined with the concern that sql_safe_updates doesn't apply to someone who is driving their cluster through something that doesn't set that session var). But, you were very clever putting this last in the series of commits as that empty initial cluster config makes it much more tempting.
| // Disable range coalescing (as long as the problems related | ||
| // to range coalescing have not been solved yet). | ||
| "SET CLUSTER SETTING spanconfig.range_coalescing.system.enabled = false", | ||
| "SET CLUSTER SETTING spanconfig.range_coalescing.application.enabled = false", |
There was a problem hiding this comment.
We might consider backporting this change to 23.2.
There was a problem hiding this comment.
I would feel better if we did, but we need to identify/write up a bug it is fixing first to do so.
Sure, and DROP DATABASE is something that you might run in your staging or development cluster but which would be disastrous if run in production, right? |
I have this sitting my editor to copy to a Jira ticket when this merges: |
|
TFTR! bors r+ |
Could we also set these settings now (prior to 23.2 upgrade), if we used the old names? |
Yep, any of them that exist now, if we set them using their current (23.1) names, that'll still be the storage key for them in 23.2 and 24.1, so no need to wait for the aliases. |
|
Build succeeded: |
Several features are controlled for such that they can behave differently secondary tenants, with settings or knobs that can choose between restricting or altering the behavior to be more aligned with a multi-tenant hosted service like CC Serverless or a dedicated cluster, either in the system tenant today or in UA app tenants.
Previously, when multi-tenant hosted deployments were the only deployments in which secondary tenants were used, it made sense for such controls to assume it as their default, e.g. default to restricting a behavior that is running int a secondary tenant to run as if it is in a hosted MT service. However, as we move to unified architecture and running all workloads in secondary tenants, even in dedicated and self-hosted clusters, these defaults no longer make as much sense: the out-of-the-box default experience for an application using a UA cluster should be as close to one using a pre-UA cluster, and if the behavior needs to behave differently in a MT hosted/serverless environment, that environment can be responsible for reconfiguring or overriding it accordingly.
To that end, the changes in this CL flip the defaults on several controls of behaviors in secondary tenants, to align the out-of-box experience of a UA cluster with that of a non-UA cluster. When our hosted MT service deploys the version in which these default changes take effect, it will need to add explicit configuration overrides accordingly.
See individual commits for details and release notes.
Epic: none.