backupccl,importccl: fix privilege checks for BACKUP/RESTORE and IMPORT #44250
Add failing tests for a non-root admin user trying to IMPORT{,INTO}, BACKUP and RESTORE. These types of users should be allowed to do these operations but we have found issues with permissions not letting them as well as panics due to incorrect usage of the planner in IMPORT INTO. Release note: None
9b011d4 to 6c2a04d
This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to run during the *planning* of the job, in the SQL plan hook execution, rather than during the execution of the job. This is done because privilege checks are implemented on planner, and close over the planner's txn in some branches/cases, so invoking them later, on a txn-less planner in a resumed jobs execution, can cause problems. Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and IMPORT.
6c2a04d to 225a7ee
@@ -473,6 +488,11 @@ func importPlanHook( | |||
return err | |||
} | |||
|
|||
// TODO(dt): checking *CREATE* on an *existing table* is weird. |
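Review bot: The TODO on the added comment line says that checking CREATE on an existing table is weird, but it records neither which privilege would be the right one nor an issue that tracks the follow-up. Because this sits in importPlanHook on the path that authorizes the statement, either state why CREATE is what is required here or reference the issue that will replace it, so the open question is not left as an untracked comment next to an access check.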
So I thought more about this after our conversation, and I think that checking any privileges is pretty weird here. If I understand correctly, for these statements we require that the user has an admin role, and if the user has admin role then they must have ALL privileges on databases.
TFTR

Build failed

bors r+

Timed out (retrying...)

Build failed (retrying...)
43301: sql: fix a few issues with reporting of errors to sentry r=yuzefovich a=yuzefovich

**sql: use the correct context when recording an error for sentry**

Previously, context.Background() was used to record an internal error. That context is missing the registered tags (e.g. 'statement' tag) which results in an incomplete sentry report. Now this is fixed.

Release note: None

**sql: remove CloseWithErr method from CommandResultClose interface**

The behavior of CloseWithErr method can be obtained with SetError followed by Close, so this commit does such refactoring which simplifies the interface.

Release note: None

**sql: fix double reporting of the same error with sentry**

Previously, in a certain code path both connExecutor and pgwire would record telemetry for the same error to be sent to sentry. This resulted in duplicated events. Now this is fixed.

Release note: None

44246: build: fix teamcity-compose script r=mjibson a=mjibson

44250: backupccl,importccl: fix privilege checks for BACKUP/RESTORE and IMPORT r=pbardea a=pbardea

This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to run during the *planning* of the job, in the SQL plan hook execution, rather than during the execution of the job. This is done because privilege checks are implemented on planner, and close over the planner's txn in some branches/cases, so invoking them later, on a txn-less planner in a resumed jobs execution, can cause problems.

Before this, the planStateHook's txn was assumed to be set and caused a panic on checking RBAC privileges. Additionally, permission checks in these operations did not properly give access to all admin users.

Fixes #44252.

Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and IMPORT.

44268: sql/sem/builtins: mark timeofday as impure r=mjibson a=mjibson

Co-authored-by: Yahor Yuzefovich <yahor@cockroachlabs.com>
Co-authored-by: Matt Jibson <matt.jibson@gmail.com>
Co-authored-by: Paul Bardea <pbardea@gmail.com>
Build succeeded
44456: release-19.2: backupccl,importccl: fix privilege checks for BACKUP/RESTORE and IMPORT r=pbardea a=pbardea

Backport 2/2 commits from #44250.

/cc @cockroachdb/release

---

This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to run during the *planning* of the job, in the SQL plan hook execution, rather than during the execution of the job. This is done because privilege checks are implemented on planner, and close over the planner's txn in some branches/cases, so invoking them later, on a txn-less planner in a resumed jobs execution, can cause problems.

Before this, the planStateHook's txn was assumed to be set and caused a panic on checking RBAC privileges. Additionally, permission checks in these operations did not properly give access to all admin users.

Fixes #44252.

Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and IMPORT.

Co-authored-by: Paul Bardea <pbardea@gmail.com>
This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to
run during the planning of the job, in the SQL plan hook execution,
rather than during the execution of the job. This is done because
privilege checks are implemented on planner, and close over the
planner's txn in some branches/cases, so invoking them later, on a
txn-less planner in a resumed jobs execution, can cause problems.
Before this, the planStateHook's txn was assumed to be set and caused a
panic on checking RBAC privileges. Additionally, permission checks in these
operations did not properly give access to all admin users.
Fixes #44252.
Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and
IMPORT.
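
The ordering problem described in this PR, reduced to a stand-alone Go sketch. This is an added example, not code from the pull request or from CockroachDB: `txn`, `planner`, `requireAdmin`, `job`, `planImport` and `resumeWithCheck` are hypothetical names, and the `root` short-circuit is a modelling assumption used to show how a check can pass for root while panicking for any other admin on a txn-less planner.

```go
// Added illustration; every name here is hypothetical, not CockroachDB's API.
package main

import "fmt"

// txn stands in for the transaction used to read role memberships.
type txn struct{ admins map[string]bool }

// planner carries the privilege check; txn is nil on a resumed job's planner.
type planner struct {
	user string
	txn  *txn
}

var errDenied = fmt.Errorf("admin role required")

func (p *planner) requireAdmin() error {
	// Assumed for this sketch: root returns before txn is read, non-root does not.
	if p.user == "root" || p.txn.admins[p.user] { // nil dereference if txn is unset
		return nil
	}
	return errDenied
}

type job struct{ user string } // what the plan hook hands to the resumer

// planImport authorizes at planning time, while the statement's txn is live.
func planImport(p *planner) (*job, error) {
	if err := p.requireAdmin(); err != nil {
		return nil, err
	}
	return &job{user: p.user}, nil
}

// resumeWithCheck is the old ordering: the check runs on a txn-less planner.
func resumeWithCheck(j *job) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic in resumed job: %v", r)
		}
	}()
	return (&planner{user: j.user}).requireAdmin()
}

func main() {
	j, err := planImport(&planner{user: "alice", txn: &txn{admins: map[string]bool{"alice": true}}})
	fmt.Println(err, resumeWithCheck(j), resumeWithCheck(&job{user: "root"}))
}
```

Checking at plan time also means a user without the role is rejected before any job record exists, instead of failing after the job has been created and resumed.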