New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sql: grant to all tables did not skip privileges on sequences #120685
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just had a nit to clean things up a bit, nice fix!
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @fqazi)
pkg/sql/grant_revoke.go
line 288 at r1 (raw file):
// Ensure we are only setting privilleges valid for this object type. // i.e. We only expect this for sequences. validPrivs, err := privilege.GetValidPrivilegesForObject(objType)
nit: all the new logic could be done once outside of the for loop
pkg/sql/grant_revoke.go
line 302 at r1 (raw file):
} if objType != privilege.Sequence { log.Warningf(ctx, "object type %s does not support privilege %v", objType, missingPrivs.SortedDisplayNames())
instead of a warning log, could we send this with BufferClientNotice
? then i think it would also make sense to remove the objType != privilege.Sequence
check
Previously, grant privilege to all tables attempted to apply privileges meant only for tables on to sequences. This could lead to validation error preventing certain combinations like "GRANT BACKUP ON ALL TABLES..." from working correctly. To address this, this patch adds support for correctly propogating the object type and skipping over unsupported privileges. When an unsupported privilege is encountered on an object other then a sequence a warning is now logged. Fixes: cockroachdb#117861 Release note (bug fix): GRANT <...> ON ALL TABLES could fail if sequences existed and they did not support a privilege (for example BACKUP).
431ec65
to
007005f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)
pkg/sql/grant_revoke.go
line 302 at r1 (raw file):
Previously, rafiss (Rafi Shamim) wrote…
instead of a warning log, could we send this with
BufferClientNotice
? then i think it would also make sense to remove theobjType != privilege.Sequence
check
Good point and I generalized the logic from the original SEQUENCE logic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm!
Reviewable status: complete! 0 of 0 LGTMs obtained
@rafiss TFTR! bors r+ |
blathers backport 23.2 |
blathers backport 23.1 |
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from 007005f to blathers/backport-release-23.1-120685: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 23.1 failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
Previously, grant privilege to all tables attempted to apply privileges meant only for tables on to sequences. This could lead to validation error preventing certain combinations like "GRANT BACKUP ON ALL TABLES..." from working correctly. To address this, this patch adds support for correctly propogating the object type and skipping over unsupported privileges. When an unsupported privilege is encountered on an object other then a sequence a warning is now logged.
Fixes: #117861
Release note (bug fix): GRANT <...> ON ALL TABLES could fail if sequences existed and they did not support a privilege (for example BACKUP).