sql/builtins: remove the root special case
#76518
Conversation
Release note (sql change): The buil-in functions `crdb_internal.force_panic`, `crdb_internal.force_log_fatal`, `crdb_internal.set_vmodule`, `crdb_internal.get_vmodule` are now available to all `admin` users, not just `root`.
|
This change is |
|
Does this seem like a bug / do we think a backport would be (in)appropriate here? |
|
I don't see it as a bug unless you can point me to a doc that spells out these specific functions should have been allowed to all I put this PR out as a general v22.1 enhancement, but happy to backport if you have the evidence it's a bug fix. |
|
lgtm, but one question: this would mean that a CC admin user (either serverless or dedicated) could now cause a lot of extra logging. does our SRE team already expect that? |
They could do so already via cluster settings (statements exec log, txn tracing, session log). In dedicated they could also do it via the |
|
I do see your point with serverless though. These don't have access to cluster settings (yet, but will soon) and don't have access to the HTTP service. Perhaps we're missing a big picture analysis of what opening cluster settings to serverless admins will enable? |
|
I'm sure you can already find a statement or query that logs and just execute it a bunch if you want to generate more log-lines, so don't know that locking admins out of vmodule is really buying us protection there, vs just making things difficult/annoying to debug. |
|
thanks bors r=rafiss,dt |
|
Build succeeded: |
Discovered by @dt. This was leftover complexity from an earlier age.
Release note (sql change): The buil-in functions
crdb_internal.force_panic,crdb_internal.force_log_fatal,crdb_internal.set_vmodule,crdb_internal.get_vmoduleare nowavailable to all
adminusers, not justroot.