sql: implement fine-grained transaction error redaction #93760
Conversation
|
This change is |
dhartunian
force-pushed
the
improve-sql-error-redaction
branch
2 times, most recently
from
e6fdd68
to
f17d15c
Compare
There was a problem hiding this comment.
This looks good overall, but we need to be careful on the protobuf definition. This needs more work.
Reviewed 17 of 17 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @dhartunian)
pkg/roachpb/errors.go line 1 at r1 (raw file):
// Copyright 2014 The Cockroach Authors.
Throughout this file. I wonder if the message method shouldn't be modified to return RedactableString too.
Then you could also implement the Error() method each time as return redact.Sprint(e).StripMarkers() , which indirectly calls your new SafeFormat method. We're also doing this other places.
pkg/roachpb/errors.go line 216 at r1 (raw file):
if txn := e.GetTxn(); txn != nil { p.Printf(": %s", txn)
: %v
pkg/roachpb/errors.go line 413 at r1 (raw file):
func (e *NodeUnavailableError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
That Printf doesn't seem right. e.message is not guaranteed safe. Did you mean Print?
pkg/roachpb/errors.go line 485 at r1 (raw file):
func (e *LeaseRejectedError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 607 at r1 (raw file):
mr, err := e.MismatchedRange() if err != nil { s.Printf("%s", err)
%v
pkg/roachpb/errors.go line 757 at r1 (raw file):
return s } return fmt.Sprintf("txn %s %s", pErr.GetTxn(), s)
I'd argue txn %v %s here
pkg/roachpb/errors.go line 760 at r1 (raw file):
} func (e *TransactionPushError) SafeFormatError(p errors.Printer) (next error) { p.Printf("failed to push %s", e.PusheeTxn)
%v
pkg/roachpb/errors.go line 840 at r1 (raw file):
func (e *TransactionStatusError) message(pErr *Error) string { return fmt.Sprintf("%s: %s", e.Error(), pErr.GetTxn())
%v: %v
pkg/roachpb/errors.go line 1090 at r1 (raw file):
func (e *OpRequiresTxnError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto safety of message
pkg/roachpb/errors.go line 1110 at r1 (raw file):
func (e *ConditionFailedError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1126 at r1 (raw file):
func (e *RaftGroupDeletedError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1213 at r1 (raw file):
func (e *StoreNotFoundError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1287 at r1 (raw file):
func (e *UnsupportedRequestError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1303 at r1 (raw file):
func (e *BatchTimestampBeforeGCError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1383 at r1 (raw file):
func (e *MergeInProgressError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1410 at r1 (raw file):
func (e *RangeFeedRetryError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1459 at r1 (raw file):
func (e *InvalidLeaseError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1485 at r1 (raw file):
func (e *OptimisticEvalConflictsError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.go line 1516 at r1 (raw file):
func (e *MinTimestampBoundUnsatisfiableError) SafeFormatError(p errors.Printer) (next error) { p.Printf(e.message(nil))
ditto
pkg/roachpb/errors.proto line 246 at r1 (raw file):
message TransactionRetryError { optional TransactionRetryReason reason = 1 [(gogoproto.nullable) = false]; optional string extra_msg = 2 [(gogoproto.nullable) = false, (gogoproto.customtype) = "github.com/cockroachdb/redact.RedactableString"];
So this is where we need more work.
- the field with proto tag 2 needs to continue to be supported (for prev-version servers)
- there needs to be a new field with proto tag 3 with the new type.
- when creating an error object, both fields should be populated (for the benefit of prev-version servers)
- when reading an error object, inspect the new field; if non-empty use that, otherwise use the old one.
pkg/roachpb/errors.proto line 256 at r1 (raw file):
// only monotonically increase. message TransactionStatusError { optional string msg = 1 [(gogoproto.nullable) = false, (gogoproto.customtype) = "github.com/cockroachdb/redact.RedactableString"];
ditto
pkg/roachpb/errors.proto line 452 at r1 (raw file):
message TransactionRetryWithProtoRefreshError { // A user-readable message. optional string msg = 1 [(gogoproto.nullable) = false, (gogoproto.customtype) = "github.com/cockroachdb/redact.RedactableString"];
ditto
dhartunian
force-pushed
the
improve-sql-error-redaction
branch
from
f17d15c
to
b1df6d8
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/roachpb/errors.go line 1 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
Throughout this file. I wonder if the
messagemethod shouldn't be modified to returnRedactableStringtoo.Then you could also implement the
Error()method each time asreturn redact.Sprint(e).StripMarkers(), which indirectly calls your new SafeFormat method. We're also doing this other places.
I removed the message method. Couldn't find any usages.
pkg/roachpb/errors.go line 216 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
: %v
done.
pkg/roachpb/errors.go line 413 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
That
Printfdoesn't seem right.e.messageis not guaranteed safe. Did you mean
In the cases where I used .Printf it was when the message was already safe, that't not obvious in the diff. However, now that I'm removing message. The usage should be clear.
pkg/roachpb/errors.go line 485 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 607 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
%v
Done.
pkg/roachpb/errors.go line 757 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
I'd argue
txn %v %shere
removed.
pkg/roachpb/errors.go line 760 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
%v
Done.
pkg/roachpb/errors.go line 840 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
%v: %v
Removed.
pkg/roachpb/errors.go line 1090 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto safety of message
Done.
pkg/roachpb/errors.go line 1110 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1126 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1213 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1287 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1303 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1383 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1410 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1459 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1485 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.go line 1516 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.proto line 246 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
So this is where we need more work.
- the field with proto tag 2 needs to continue to be supported (for prev-version servers)
- there needs to be a new field with proto tag 3 with the new type.
- when creating an error object, both fields should be populated (for the benefit of prev-version servers)
- when reading an error object, inspect the new field; if non-empty use that, otherwise use the old one.
Done. Thx for the reminder. Usages are nicely encapsulated in the constructor and Formatter methods so it's not too bad.
pkg/roachpb/errors.proto line 256 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
pkg/roachpb/errors.proto line 452 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
ditto
Done.
There was a problem hiding this comment.
i still like it
Reviewed 5 of 5 files at r2, all commit messages.
Reviewable status:
pkg/roachpb/errors.go line 607 at r1 (raw file):
Previously, dhartunian (David Hartunian) wrote…
Done.
nb this is also equivalent to s.Print(err).
pkg/roachpb/errors.proto line 246 at r2 (raw file):
message TransactionRetryError { optional TransactionRetryReason reason = 1 [(gogoproto.nullable) = false]; // Note: Deprecated. `extra_msg_redactable` takes precedence if present.
What wlll be the condition for us to remove the field outright and the conditional logic around it? Whivh version? Usually we state that in the explanatory comment.
pkg/roachpb/errors.proto line 258 at r2 (raw file):
// only monotonically increase. message TransactionStatusError { // Note: Deprecated. `msg_redactable` takes precedence if present.
same
pkg/roachpb/errors.proto line 456 at r2 (raw file):
message TransactionRetryWithProtoRefreshError { // A user-readable message. // Note: Deprecated in favor of `msg_redactable` below. Both fields will be
same
There was a problem hiding this comment.
I think some crdb_internal tables will benefit from this! For example, in crdb_internal.cluster_transactions today we omit the last_auto_retry_reason column from redacted debug zips. Looks like these fields are eventually pulled from the txnState. I see at least one usage where the error in the txnState is set to a TransactionRetryWithProtoRefreshError. When this is merged I can take a deeper look to see if we can reintroduce this column into redacted debug zip bundles.
Reviewable status:
There was a problem hiding this comment.
(Forgot to actually approve :|)
Reviewable status:
dhartunian
force-pushed
the
improve-sql-error-redaction
branch
from
b1df6d8
to
9af0832
Compare
dhartunian
force-pushed
the
improve-sql-error-redaction
branch
2 times, most recently
from
f3871ca
to
a8759b1
Compare
Previously, transaction errors would be redacted in full since there was no redaction implemented for their internals. This commit updates all the errors defined in pkg/roachpb/errors.proto to implement `SafeErrorFormatter` in order to be properly redacted. The methods `message` in `ErrorDetailInterface` contained no usages so it was removed. The tests in place are checking to see that redaction markers *do not* appear in the logs. They will be in place when Errors contain redacted values such as Keys containing row data. An additional test was added to the telemetry logging suite to ensure that these errors are surfaced unredacted in telemetry logs as well. Some message fields in Error protobufs have been updated to use `RedactedString` to better support fine grained redaction. A simple migration was applied for those fields but further work may be necessary for further improvements. Epic: CRDB-12732 Resolves: CRDB-14087 Release note (ops change): Transaction errors will contain more detailed information in redacted logs.
dhartunian
force-pushed
the
improve-sql-error-redaction
branch
from
a8759b1
to
3e1cdb0
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/roachpb/errors.go line 607 at r1 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
nb this is also equivalent to
s.Print(err).
Done.
pkg/roachpb/errors.proto line 246 at r2 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
What wlll be the condition for us to remove the field outright and the conditional logic around it? Whivh version? Usually we state that in the explanatory comment.
Added note and TODO
pkg/roachpb/errors.proto line 258 at r2 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
same
Added note and TODO
pkg/roachpb/errors.proto line 456 at r2 (raw file):
Previously, knz (Raphael 'kena' Poss) wrote…
same
Added note and TODO
|
TFTRs! bors r=abarganier |
|
Build failed (retrying...): |
|
Build succeeded: |
Previously, transaction errors would be redacted in full since there was no redaction implemented for their internals. This commit updates all the errors defined in pkg/roachpb/errors.proto to implement
SafeErrorFormatterin order to be properly redacted.The tests in place are checking to see that redaction markers do not appear in the logs. They will be in place when Errors contain redacted values such as Keys containing row data.
An additional test was added to the telemetry logging suite to ensure that these errors are surfaced unredacted in telemetry logs as well.
Some message fields in Error protobufs have been updated to use
RedactedStringto better support fine grained redaction. A simple migration was applied for those fields but further work may be necessary for further improvements.Epic: CRDB-12732
Resolves: CRDB-14087
Release note (ops change): Transaction errors will contain more detailed information in redacted logs.