[YSQL] Allow yb_db_admin to CREATE/DROP functions #12207

Closed
paullee-yb opened this issue Apr 19, 2022 · 1 comment
Labels
2.14 Backport Required area/ysql Yugabyte SQL (YSQL) kind/bug This issue is a bug priority/medium Medium priority issue

paullee-yb commented Apr 19, 2022

Jira Link: [DB-346](https://yugabyte.atlassian.net/browse/DB-346)

Description

  • create function
  • delete function
  • create function with language specified (except untrusted languages)
@paullee-yb paullee-yb added area/ysql Yugabyte SQL (YSQL) status/awaiting-triage Issue awaiting triage labels Apr 19, 2022
@paullee-yb paullee-yb self-assigned this Apr 19, 2022
@paullee-yb paullee-yb changed the title [YSQL] Allow yb_db_admin to CREATE and DROP functions [YSQL] Allow yb_db_admin to CREATE/DROP functions and use leakproof functions Apr 20, 2022
@sushantrmishra sushantrmishra added this to Backlog in YSQL via automation Apr 20, 2022
@sushantrmishra sushantrmishra removed the status/awaiting-triage Issue awaiting triage label Apr 20, 2022
@paullee-yb paullee-yb changed the title [YSQL] Allow yb_db_admin to CREATE/DROP functions and use leakproof functions [YSQL] Allow yb_db_admin to CREATE/DROP functions May 7, 2022
paullee-yb added a commit that referenced this issue May 9, 2022
Summary:
This change expands the permissions of yb_db_admin to do the following:
  - create function
  - delete function
  - create function with language specified

Test Plan: ybd --java-test 'org.yb.pgsql.TestPgRegressProc'

Reviewers: smishra, fizaa

Reviewed By: fizaa

Subscribers: jason, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D16611
@yugabyte-ci yugabyte-ci added kind/bug This issue is a bug priority/medium Medium priority issue labels May 14, 2022
paullee-yb added a commit that referenced this issue May 21, 2022
…sted languages.

Summary:
**Background**
`yb_db_admin` is a role that is GRANTED to the `admin` role in YB Managed. Currently, `yb_db_admin` allows users to create functions with untrusted languages, which has security concerns. For example, C-language functions can gain access to the OS or database server processes.

**Solution**
This diff removes the ability for `yb_db_admin` to create functions with untrusted languages, as this can be a security vulnerability.
RDS follows an identical approach for functions.

Test Plan: ybd --java-test 'org.yb.pgsql.TestPgRegressProc'

Reviewers: jason, smishra, fizaa

Reviewed By: fizaa

Subscribers: yql

Differential Revision: https://phabricator.dev.yugabyte.com/D16985
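
The commit message above restricts `yb_db_admin` from creating functions in untrusted languages. The following audit is an added example, not code from the YugabyteDB project: it lists which languages the catalog marks as untrusted and which user-defined functions already use them. It assumes the standard PostgreSQL catalogs (`pg_language`, `pg_proc`, `pg_namespace`, `pg_roles`) and that the role `yb_db_admin` exists.

```sql
-- Added example: audit untrusted-language functions on a PostgreSQL-compatible
-- catalog. Assumes the role yb_db_admin exists; pg_has_role() raises an error
-- if it does not.

-- 1. Which installed languages are untrusted? In stock PostgreSQL these
--    include "c" and "internal"; "sql" and "plpgsql" are trusted.
SELECT lanname, lanpltrusted
FROM pg_language
ORDER BY lanpltrusted, lanname;

-- 2. User-defined functions written in an untrusted language, with owner.
--    owner_in_yb_db_admin is also true for superusers, so rolsuper is shown
--    beside it to tell the two cases apart.
SELECT n.nspname  AS schema_name,
       p.proname  AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       l.lanname  AS language,
       r.rolname  AS owner,
       r.rolsuper AS owner_is_superuser,
       pg_has_role(p.proowner, 'yb_db_admin'::name, 'MEMBER') AS owner_in_yb_db_admin
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE NOT l.lanpltrusted
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY r.rolname, n.nspname, p.proname;
```

Rows whose owner is a non-superuser member of `yb_db_admin` are the ones to review; functions installed by extensions are typically owned by a superuser.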
paullee-yb added a commit that referenced this issue May 24, 2022
Summary:
This change expands the permissions of yb_db_admin to do the following:
  - create function
  - delete function
  - create function with language specified

Test Plan: ybd --java-test 'org.yb.pgsql.TestPgRegressProc'

Reviewers: smishra, fizaa

Reviewed By: fizaa

Subscribers: jason, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D16611
YSQL automation moved this from Backlog to Done May 24, 2022
paullee-yb commented

Basically backport a3287bc to 2.14

@paullee-yb paullee-yb reopened this Jun 8, 2022
YSQL automation moved this from Done to In progress Jun 8, 2022
paullee-yb added a commit that referenced this issue Jun 9, 2022
Summary:
This change expands the permissions of yb_db_admin to do the following:
  - create function
  - delete function
  - create function with language specified

Test Plan: ybd --java-test 'org.yb.pgsql.TestPgRegressProc'

Reviewers: smishra, fizaa

Reviewed By: fizaa

Subscribers: jason, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D16611
YSQL automation moved this from In progress to Done Jun 9, 2022