diff --git a/pkg/ccl/logictestccl/testdata/logic_test/zone_config_secondary_tenants b/pkg/ccl/logictestccl/testdata/logic_test/zone_config_secondary_tenants index abe57207fd22..95f8cd8cce0c 100644 --- a/pkg/ccl/logictestccl/testdata/logic_test/zone_config_secondary_tenants +++ b/pkg/ccl/logictestccl/testdata/logic_test/zone_config_secondary_tenants @@ -4,6 +4,12 @@ statement ok CREATE TABLE t(); +statement error pq: secondary tenants cannot set zone configurations unless sql.zone_configs.allow_for_secondary_tenant.enabled is enabled +ALTER TABLE t CONFIGURE ZONE USING num_replicas = 5; + +statement ok +SET CLUSTER SETTING sql.zone_configs.allow_for_secondary_tenant.enabled = true + statement ok ALTER TABLE t CONFIGURE ZONE USING num_replicas = 5; diff --git a/pkg/spanconfig/spanconfigmanager/manager.go b/pkg/spanconfig/spanconfigmanager/manager.go index bb77b7cf2ab9..a55fc0c5d9c0 100644 --- a/pkg/spanconfig/spanconfigmanager/manager.go +++ b/pkg/spanconfig/spanconfigmanager/manager.go @@ -7,7 +7,6 @@ // the Business Source License, use of this software will be governed // by the Apache License, Version 2.0, included in the file // licenses/APL.txt. - package spanconfigmanager import ( diff --git a/pkg/sql/logictest/testdata/logic_test/zone_config b/pkg/sql/logictest/testdata/logic_test/zone_config index b47284f356f2..056197c5fac8 100644 --- a/pkg/sql/logictest/testdata/logic_test/zone_config +++ b/pkg/sql/logictest/testdata/logic_test/zone_config @@ -1,3 +1,8 @@ +# As these tests are run for both the system tenant and secondary tenants, we +# turn on the setting that gates setting zone configs for system tenants. +statement ok +SET CLUSTER SETTING sql.zone_configs.allow_for_secondary_tenant.enabled = true + # Check that we can alter the default zone config. statement ok ALTER RANGE default CONFIGURE ZONE USING num_replicas = 1 diff --git a/pkg/sql/logictest/testdata/logic_test/zone_config_system_tenant b/pkg/sql/logictest/testdata/logic_test/zone_config_system_tenant index 39c5cf840c55..43fc648ebbd7 100644 --- a/pkg/sql/logictest/testdata/logic_test/zone_config_system_tenant +++ b/pkg/sql/logictest/testdata/logic_test/zone_config_system_tenant @@ -1,6 +1,19 @@ # LogicTest: !3node-tenant # Zone config logic tests that are only meant to work for the system tenant. +statement ok +CREATE TABLE t(); + +statement ok +ALTER TABLE t CONFIGURE ZONE USING num_replicas = 5; + +# Should have no effect on the system tenant. +statement ok +SET CLUSTER SETTING sql.zone_configs.allow_for_secondary_tenant.enabled = false + +statement ok +ALTER TABLE t CONFIGURE ZONE USING num_replicas = 3; + statement ok CREATE TABLE a(id INT PRIMARY KEY) @@ -23,3 +36,4 @@ SELECT zone_id, target FROM crdb_internal.zones ORDER BY 1 22 RANGE liveness 25 TABLE system.public.replication_constraint_stats 27 TABLE system.public.replication_stats +53 TABLE test.public.t diff --git a/pkg/sql/set_zone_config.go b/pkg/sql/set_zone_config.go index 237e699306f2..c93ce61a7b48 100644 --- a/pkg/sql/set_zone_config.go +++ b/pkg/sql/set_zone_config.go @@ -183,6 +183,14 @@ func (p *planner) SetZoneConfig(ctx context.Context, n *tree.SetZoneConfig) (pla return nil, err } + if !p.ExecCfg().Codec.ForSystemTenant() && + !secondaryTenantZoneConfigsEnabled.Get(&p.ExecCfg().Settings.SV) { + return nil, pgerror.Newf(pgcode.FeatureNotSupported, + "secondary tenants cannot set zone configurations unless %s is enabled", + secondaryTenantsZoneConfigsEnabledSettingName, + ) + } + if err := checkPrivilegeForSetZoneConfig(ctx, p, n.ZoneSpecifier); err != nil { return nil, err } diff --git a/pkg/sql/zone_config.go b/pkg/sql/zone_config.go index e0d2dd1c24d8..95188f7f8295 100644 --- a/pkg/sql/zone_config.go +++ b/pkg/sql/zone_config.go @@ -20,6 +20,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/keys" "github.com/cockroachdb/cockroach/pkg/kv" "github.com/cockroachdb/cockroach/pkg/roachpb" + "github.com/cockroachdb/cockroach/pkg/settings" "github.com/cockroachdb/cockroach/pkg/sql/catalog" "github.com/cockroachdb/cockroach/pkg/sql/catalog/catalogkeys" "github.com/cockroachdb/cockroach/pkg/sql/catalog/catalogkv" @@ -41,6 +42,18 @@ func init() { var errNoZoneConfigApplies = errors.New("no zone config applies") +const secondaryTenantsZoneConfigsEnabledSettingName = "sql.zone_configs.allow_for_secondary_tenant.enabled" + +// secondaryTenantZoneConfigsEnabled controls if secondary tenants are allowed +// to set zone configurations. It has no effect for the system tenant. +// +// This setting has no effect on zone configurations that have already been set. +var secondaryTenantZoneConfigsEnabled = settings.RegisterBoolSetting( + secondaryTenantsZoneConfigsEnabledSettingName, + "allow secondary tenants to set zone configurations; does not affect the system tenant", + false, +) + // getZoneConfig recursively looks up entries in system.zones until an // entry that applies to the object with the specified id is // found. Returns the ID of the matching zone, its zone config, and an