Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sql: grant to all tables did not skip privileges on sequences #120685

Merged
merged 1 commit into from Mar 19, 2024
Merged

sql: grant to all tables did not skip privileges on sequences #120685

merged 1 commit into from Mar 19, 2024

Conversation

fqazi
Copy link
Collaborator

@fqazi fqazi commented Mar 19, 2024

Previously, grant privilege to all tables attempted to apply privileges meant only for tables on to sequences. This could lead to validation error preventing certain combinations like "GRANT BACKUP ON ALL TABLES..." from working correctly. To address this, this patch adds support for correctly propogating the object type and skipping over unsupported privileges. When an unsupported privilege is encountered on an object other then a sequence a warning is now logged.

Fixes: #117861

Release note (bug fix): GRANT <...> ON ALL TABLES could fail if sequences existed and they did not support a privilege (for example BACKUP).

@cockroach-teamcity
Copy link
Member

This change is Reviewable

@fqazi fqazi marked this pull request as ready for review March 19, 2024 03:29
@fqazi fqazi requested a review from a team as a code owner March 19, 2024 03:29
rafiss
rafiss requested changes Mar 19, 2024
View reviewed changes
Copy link
Collaborator

@rafiss rafiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just had a nit to clean things up a bit, nice fix!

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @fqazi)

pkg/sql/grant_revoke.go line 288 at r1 (raw file):

				// Ensure we are only setting privilleges valid for this object type.
				// i.e. We only expect this for sequences.
				validPrivs, err := privilege.GetValidPrivilegesForObject(objType)

nit: all the new logic could be done once outside of the for loop

pkg/sql/grant_revoke.go line 302 at r1 (raw file):

					}
					if objType != privilege.Sequence {
						log.Warningf(ctx, "object type %s does not support privilege %v", objType, missingPrivs.SortedDisplayNames())

instead of a warning log, could we send this with BufferClientNotice? then i think it would also make sense to remove the objType != privilege.Sequence check

@fqazi
sql: grant to all tables did not skip privileges on sequences
007005f 
Previously, grant privilege to all tables attempted to apply privileges
meant only for tables on to sequences. This could lead to validation
error preventing certain combinations like "GRANT BACKUP ON ALL
TABLES..." from working correctly. To address this, this patch adds
support for correctly propogating the object type and skipping over
unsupported privileges. When an unsupported privilege is encountered on
an object other then a sequence a warning is now logged.

Fixes: cockroachdb#117861

Release note (bug fix): GRANT <...> ON ALL TABLES could fail if
sequences existed and they did not support a privilege (for example
BACKUP).
fqazi
fqazi commented Mar 19, 2024
View reviewed changes
Copy link
Collaborator Author

@fqazi fqazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)

pkg/sql/grant_revoke.go line 302 at r1 (raw file):

Previously, rafiss (Rafi Shamim) wrote…

instead of a warning log, could we send this with BufferClientNotice? then i think it would also make sense to remove the objType != privilege.Sequence check

Good point and I generalized the logic from the original SEQUENCE logic.

rafiss
rafiss approved these changes Mar 19, 2024
View reviewed changes
Copy link
Collaborator

@rafiss rafiss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained

@fqazi
Copy link
Collaborator Author

fqazi commented Mar 19, 2024

@rafiss TFTR!

bors r+

@craig
Copy link
Contributor

craig bot commented Mar 19, 2024

Build succeeded:

@craig craig bot merged commit 8e5f891 into cockroachdb:master Mar 19, 2024
22 checks passed
@fqazi
Copy link
Collaborator Author

fqazi commented Apr 9, 2024

blathers backport 23.2

@blathers-crl blathers-crl bot mentioned this pull request Apr 9, 2024
Merged
@fqazi
Copy link
Collaborator Author

fqazi commented Apr 9, 2024

blathers backport 23.1

@blathers-crl blathers[crl]
Copy link

blathers-crl bot commented Apr 9, 2024

Encountered an error creating backports. Some common things that can go wrong:

  1. The backport branch might have already existed.
  2. There was a merge conflict.
  3. The backport branch contained merge commits.

You might need to create your backport manually using the backport tool.

error creating merge commit from 007005f to blathers/backport-release-23.1-120685: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 23.1 failed. See errors above.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@fqazi fqazi mentioned this pull request Apr 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafiss rafiss rafiss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Granting BACKUP to all tables causes stack trace if there's a sequence
3 participants
@fqazi @cockroach-teamcity @rafiss