privilege,backupccl,importer: introduce EXTERNALIOIMPLICITACCESS #87066
Overall this LGTM. If we wanted to in a follow up, we could change the help text for the EnableNonAdminImplicitAndArbitraryOutbound flag to nudge people towards the new permission instead.
I agree, I'll open a follow up to also render a notice when we see someone using it to get past this privilege check.
TFTR! bors r=stevendanna
Build failed (retrying...):
Build failed:
bors r=stevendanna
Build succeeded:
This change introduces an `EXTERNALIOIMPLICITACCESS` privilege that can be granted to users to interact with ExternalStorage resources that require implicit authentication. Previously, implicit authentication resources were only permitted to be used by admin users or users on a node that was started with the `external-io-enable-non-admin-implicit-access` flag. This system privilege is meant to gradually replace the existence of the flag.

This change unifies the logic to check that a user has the required privileges to access a URI in the pkg/cloud/cloudprivilege package so that import, restore, backup can all share the same logic.

Informs: #86263

Release note (sql change): Users can grant a new `EXTERNALIOIMPLICITACCESS` system privilege that allows a user to interact with an External Storage resource that has implicit authentication. Egs: gs, s3, nodelocal etc. Previously, this was an admin only operation.

Release justification: high impact change to introduce fine grained privileges around our interaction with External Storage resources
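
A simplified Go model of the access rule the description above states, added here as an illustration and not taken from the PR or from pkg/cloud/cloudprivilege. The `User` type, both function names, and the rule that s3/gs URIs count as implicit only when they carry `AUTH=implicit` are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// User is a hypothetical stand-in for the caller's relevant attributes.
type User struct {
	Name              string
	Admin             bool
	HasImplicitAccess bool // granted EXTERNALIOIMPLICITACCESS
}

// usesImplicitAuth is an assumed, simplified classifier: nodelocal is always
// implicit; s3 and gs are implicit only when the URI carries AUTH=implicit.
func usesImplicitAuth(uri string) (bool, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return false, fmt.Errorf("parse external storage URI: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "nodelocal":
		return true, nil
	case "s3", "gs":
		return strings.EqualFold(u.Query().Get("AUTH"), "implicit"), nil
	}
	return false, nil
}

// CheckURIAccess models one shared check for import, restore and backup:
// an implicit-auth URI is allowed for admins, for holders of the privilege,
// or on a node started with the legacy flag (nodeFlag).
func CheckURIAccess(u User, nodeFlag bool, uri string) error {
	implicit, err := usesImplicitAuth(uri)
	if err != nil {
		return err
	}
	if !implicit || u.Admin || u.HasImplicitAccess || nodeFlag {
		return nil
	}
	// The error names the user but omits the URI and its query parameters.
	return fmt.Errorf("user %s needs admin or EXTERNALIOIMPLICITACCESS", u.Name)
}

func main() {
	ops := User{Name: "ops"} // constructed user and URI
	fmt.Println(CheckURIAccess(ops, false, "s3://bucket/b?AUTH=implicit"))
}
```
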