-
Notifications
You must be signed in to change notification settings - Fork 3.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sql: ensure user has correct privileges when adding/removing regions
Previously we did not account for privileges on database objects when adding the default locality ocnfig on first region add or removing the locality config on last region drop properly. In particular, we weren't adding/removing the locality config on any descriptor that wasn't visible to the user. This is bad because our validation logic expects only and all objects in multi-region databases to have a valid locality config. This means future accesses to such descriptors would fail validation. The root of this problem was the API choice here, `ForEachTableDesc`, which filters out invisible descriptors. This patch instead switches to using `forEachTableInMultiRegionDatabase`. While here, instead of issuing separate requests for every table, I refactored this thing to issue a single batch request instead. Now that we view all the descriptors inside the database, unfiltered, we perform privilege checks on them before proceeding with the add/drop operation. In particular, the semantics are: - admin users are allowed to add/drop regions as they wish. - non admin-users require the CREATE privilege or must have ownership on all the objects inside the database. Closes #61003 Release note (sql change): `ALTER DATABASE .. SET PRIMARY REGION` now requires both CREATE and ZONECONFIG privilege on all objects inside the database when adding the first region to the database. Same for dropping the last region using `ALTER DATABASE ... DROP REGION`.
- Loading branch information
1 parent
f810c6c
commit 0ea0538
Showing
5 changed files
with
271 additions
and
216 deletions.
There are no files selected for viewing
61 changes: 61 additions & 0 deletions
61
pkg/ccl/logictestccl/testdata/logic_test/multi_region_privileges
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
# LogicTest: multiregion-9node-3region-3azs | ||
|
||
user root | ||
|
||
statement ok | ||
CREATE DATABASE db; | ||
CREATE TABLE db.t(); | ||
GRANT CREATE ON DATABASE db TO testuser; | ||
CREATE TABLE db.t2(); | ||
ALTER USER testuser CREATEDB; | ||
|
||
user testuser | ||
|
||
statement error user testuser must be owner of t or have CREATE privilege on t | ||
ALTER DATABASE db SET PRIMARY REGION "us-east-1" | ||
|
||
user root | ||
|
||
statement ok | ||
GRANT CREATE ON TABLE db.t TO testuser | ||
|
||
user testuser | ||
|
||
statement ok | ||
ALTER DATABASE db SET PRIMARY REGION "us-east-1" | ||
|
||
user root | ||
|
||
statement ok | ||
REVOKE CREATE ON TABLE db.t FROM testuser | ||
|
||
user testuser | ||
|
||
statement error user testuser must be owner of t or have CREATE privilege on t | ||
ALTER DATABASE db DROP REGION "us-east-1" | ||
|
||
user root | ||
|
||
statement ok | ||
GRANT CREATE ON TABLE db.t TO testuser | ||
|
||
user testuser | ||
|
||
statement ok | ||
ALTER DATABASE db DROP REGION "us-east-1" | ||
|
||
# Same thing, but this time testuser is the owner of the table (and doesn't have | ||
# CREATE privileges on it). | ||
user root | ||
|
||
statement ok | ||
REVOKE CREATE ON TABLE db.t FROM testuser; | ||
ALTER TABLE db.t OWNER TO testuser | ||
|
||
user testuser | ||
|
||
statement ok | ||
ALTER DATABASE db SET PRIMARY REGION "us-east-1" | ||
|
||
statement ok | ||
ALTER DATABASE db DROP REGION "us-east-1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.