Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

more privilege changes #3810

Merged
merged 87 commits into from Jul 28, 2022
Merged

more privilege changes #3810

merged 87 commits into from Jul 28, 2022

Conversation

jycor
Copy link
Contributor

@jycor jycor commented Jul 12, 2022
edited

Changes:

  • add --user to dolt sql and dolt sql -q
  • default user is persisted immediately iff --user or --password option is given
  • default super user is root@localhost instead of root@%
  • only create doltcfgdir if we need to persist something
  • has more tests

Companion PR: dolthub/go-mysql-server#1127

Fix for: #3794
Also a fix for: #3881

@jycor jycor changed the title [WIP] more privilege changes more privilege changes Jul 15, 2022
@jycor jycor mentioned this pull request Jul 15, 2022
Merged
@Hydrocharged
Copy link
Contributor

This needs a few changes as per our earlier conversation offline (with some additional comments):

  • dolt sql does not need a --password argument, as the CLI has full access and it does not make logical sense to add password checking or even the ability to specify one
  • The default user is the super user which is not persisted at all, and should actually be invisible to queries on the mysql.user table
  • For both dolt sql and dolt sql-server, if the user given via --user exists then we assume that user. What this means for dolt sql-server is that, since users are attached to connecting clients, the --user directive is just ignored if the user exists. This would also mean that --password is ignored for existing users.
  • If no user is specified for dolt sql then we can default to root. Perhaps we should default to a unique user name to guarantee that you're always the super user if no user is specified, but defaulting to root is also fine.
  • If no user is specified for dolt sql-server and the privilege file does not exist then we create the default root super user. If a privilege file exists then we only create a super user if one was specified through --user. This prevents the situation where an admin is unaware that a root super user exists that others can log into (assuming they can connect as localhost).

Of course this would all also need to be in docs too.

Hydrocharged
Hydrocharged reviewed Jul 26, 2022
View reviewed changes
Copy link
Contributor

@Hydrocharged Hydrocharged left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have to at least figure out why the tests are failing on CI. Current server behavior for --user restricts people from using root as their account name for the simplest use cases, which I'm confident someone will run into.

go/cmd/dolt/commands/sqlserver/server.go Outdated
}
} else {
// no privileges, must add superuser; will already be defaulted to root
sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, "%", config.ServerPass)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we be using config.ServerHost? Otherwise it looks like it's getting completely ignored. I'm assuming the default value is localhost, so it should be % (if it's not possible to have an empty default).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should, but the Sysbench and Compatibility tests fail with permission denied.
Default is localhost.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can modify both the sysbench and compatibility tests if necessary. They should be able to work with empty defaults though, as the resulting logic should end up equivalent unless they’re specifying a root user.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functionally equivalent in this particular case I mean.

go/cmd/dolt/commands/sqlserver/server.go Outdated
Comment on lines 154 to 159
// privileges specified, only add if superuser specified is not an existing user
userSpecified := config.ServerUser != defaultUser || config.ServerHost != defaultHost || config.ServerPass != defaultPass
superuser := sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.GetUser(config.ServerUser, "%", false)
if userSpecified && superuser == nil {
sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, "%", config.ServerPass)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming that people want to make a root account for adding privileges (so they'd spin up a server just to make the changes and potentially not worry about setting a password or changing the host), then they cannot use root. They're required to use the non-default password to recognize that we should be using the root account, even though it's specified as an argument.

integration-tests/bats/sql-privs.bats Outdated
@@ -45,6 +45,7 @@ delete_test_repo() {
}

setup() {
skiponwindows "no clue why this fails on CI"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be fixed, or we should at least have a clue as to why it's failing CI before a customer sees the same issues (especially since CI uses the same workflow that we recommend to customers)

Hydrocharged
Hydrocharged approved these changes Jul 27, 2022
View reviewed changes
Copy link
Contributor

@Hydrocharged Hydrocharged left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few simple changes and we're set!

go/cmd/dolt/commands/sqlserver/server.go Outdated
Comment on lines 171 to 182
// Add superuser
//if sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.UserTable().Data().Count() != 0 {
// // privileges specified, only add if superuser specified is not an existing user
// userSpecified := config.ServerUser != defaultUser || config.ServerHost != defaultHost || config.ServerPass != defaultPass
// superuser := sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.GetUser(config.ServerUser, serverHost, false)
// if userSpecified && superuser == nil {
// sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, serverHost, config.ServerPass)
// }
//} else {
// // no privileges, must add superuser; will already be defaulted to root
// sqlEngine.GetUnderlyingEngine().Analyzer.Catalog.MySQLDb.AddSuperUser(config.ServerUser, serverHost, config.ServerPass)
//}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Delete this comment

go/cmd/dolt/commands/sqlserver/server.go
// should user "%" if host is empty string, same for 0.0.0.0
serverHost := config.ServerHost
if serverHost == "" || serverHost == "0.0.0.0" {
serverHost = "%"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a TODO to move this into GMS

go/cmd/dolt/commands/sqlserver/serverconfig.go Outdated
Comment on lines 434 to 436
//if len(config.User()) == 0 {
// return fmt.Errorf("user cannot be empty")
//}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Delete the comment

integration-tests/bats/migrate.bats Outdated
@@ -2,6 +2,7 @@
load $BATS_TEST_DIRNAME/helper/common.bash

setup() {
skip "temporary skip"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this skip so that we'll properly see it fail, but since it's not from your changes we should still commit this

integration-tests/bats/sql-server.bats
@@ -231,7 +231,7 @@ SQL
[[ "$output" =~ "one_pk" ]] || false

# Add rows on the command line
run dolt sql -q "insert into one_pk values (1,1,1)"
run dolt sql --user=dolt -q "insert into one_pk values (1,1,1)"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a test that show the user assumption if the privilege file already exists. We can do this by setting a password in the privilege file and providing a different password as an argument, then attempting to log in.

@jycor jycor merged commit 9623166 into main Jul 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Hydrocharged Hydrocharged Hydrocharged approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jycor @Hydrocharged