backupccl,importccl: fix privilege checks for BACKUP/RESTORE and IMPORT #44250
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This change is |
Add failing tests for a non-root admin user trying to IMPORT{,INTO},
BACKUP and RESTORE. These types of users should be allowed to do these
operations but we have found issues with permissions not letting them as
well as panics due to incorrect usage of the planner in IMPORT INTO.
Release note: None
pbardea
force-pushed
the
bulk-privs-fix
branch
from
9b011d4
to
6c2a04d
Compare
dt
approved these changes
Jan 23, 2020
This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to run during the *planning* of the job, in the SQL plan hook execution, rather than during the execution of the job. This is done because privilege checks are implemented on planner, and close over the planner's txn in some branches/cases, so invoking them later, on a txn-less planner in a resumed jobs execution, can cause problems. Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and IMPORT.
pbardea
force-pushed
the
bulk-privs-fix
branch
from
6c2a04d
to
225a7ee
Compare
pbardea
commented
Jan 23, 2020
| @@ -473,6 +488,11 @@ func importPlanHook( | |||
| return err | |||
| } | |||
|
|
|||
| // TODO(dt): checking *CREATE* on an *existing table* is weird. | |||
There was a problem hiding this comment.
So I thought more about this after our conversation, and I think that checking any privileges is pretty weird here. If I understand correctly, for these statements we require that the user has an admin role, and if the user has admin role than they must have ALL privileges on databases.
|
TFTR |
Build failed |
|
bors r+ |
Timed out (retrying...) |
Build failed (retrying...) |
craig bot
pushed a commit
that referenced
this pull request
Jan 23, 2020
43301: sql: fix a few issues with reporting of errors to sentry r=yuzefovich a=yuzefovich **sql: use the correct context when recording an error for sentry** Previously, context.Background() was used to record an internal error. That context is missing the registered tags (e.g. 'statement' tag) which results in an incomplete sentry report. Now this is fixed. Release note: None **sql: remove CloseWithErr method from CommandResultClose interface** The behavior of CloseWithErr method can be obtained with SetError followed by Close, so this commit does such refactoring which simplifies the interface. Release note: None **sql: fix double reporting of the same error with sentry** Previously, in a certain code path both connExecutor and pgwire would record telemetry for the same error to be sent to sentry. This resulted in duplicated events. Now this is fixed. Release note: None 44246: build: fix teamcity-compose script r=mjibson a=mjibson 44250: backupccl,importccl: fix privilege checks for BACKUP/RESTORE and IMPORT r=pbardea a=pbardea This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to run during the *planning* of the job, in the SQL plan hook execution, rather than during the execution of the job. This is done because privilege checks are implemented on planner, and close over the planner's txn in some branches/cases, so invoking them later, on a txn-less planner in a resumed jobs execution, can cause problems. Before this, the planStateHook's txn was assumed to be set and caused a panic on checking RBAC privileges. Additionally, permission checks in these operations did not properly give access to all admin users. Fixes #44252. Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and IMPORT. 44268: sql/sem/builtins: mark timeofday as impure r=mjibson a=mjibson Co-authored-by: Yahor Yuzefovich <yahor@cockroachlabs.com> Co-authored-by: Matt Jibson <matt.jibson@gmail.com> Co-authored-by: Paul Bardea <pbardea@gmail.com>
Build succeeded |
craig bot
pushed a commit
that referenced
this pull request
Jan 28, 2020
44456: release-19.2: backupccl,importccl: fix privilege checks for BACKUP/RESTORE and IMPORT r=pbardea a=pbardea Backport 2/2 commits from #44250. /cc @cockroachdb/release --- This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to run during the *planning* of the job, in the SQL plan hook execution, rather than during the execution of the job. This is done because privilege checks are implemented on planner, and close over the planner's txn in some branches/cases, so invoking them later, on a txn-less planner in a resumed jobs execution, can cause problems. Before this, the planStateHook's txn was assumed to be set and caused a panic on checking RBAC privileges. Additionally, permission checks in these operations did not properly give access to all admin users. Fixes #44252. Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and IMPORT. Co-authored-by: Paul Bardea <pbardea@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This changes the privilege checks in IMPORT, IMPORT INTO and RESTORE to
run during the planning of the job, in the SQL plan hook execution,
rather than during the execution of the job. This is done because
privilege checks are implemented on planner, and close over the
planner's txn in some branches/cases, so invoking them later, on a
txn-less planner in a resumed jobs execution, can cause problems.
Before this, the planStateHook's txn was assumed to be set and caused a
panic on checking RBAC privileges. Additionally, permission checks in these
operations did not properly give access to all admin users.
Fixes #44252.
Release note (bug fix): Allow all admin users to use BACKUP/RESTORE and
IMPORT.