kv: lock down manual splits (and maybe all admin KV requests) on sql tenants #52360
Assignees
Labels
A-multitenancy
Related to multi-tenancy
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Comments
nvanbenschoten
added
A-multitenancy
|
Hi @nvanbenschoten, I've guessed the C-ategory of your issue and suitably labeled it. Please re-label if inaccurate. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan. |
blathers-crl
bot
added
the
C-enhancement
nvanbenschoten
added a commit
to nvanbenschoten/cockroach
that referenced
this issue
Aug 10, 2020
Fixes cockroachdb#52360. First two commits from cockroachdb#52589. This commit adds a new restriction to the tenantAuth policy that it accepts no "Admin" KV requests. This prevents tenants from splitting ranges, merging range, rebalancing ranges, or issuing any other KV requests with the `isAdmin` flag that could dictate KV-level distribution decisions. This further mitigates the impact that a compromised tenant SQL process could have on the rest of the cluster.
craig bot
pushed a commit
that referenced
this issue
Aug 11, 2020
52592: kv: reject admin KV requests from tenant SQL processes r=nvanbenschoten a=nvanbenschoten Fixes #52360. This commit adds a new restriction to the tenantAuth policy that it accepts no "Admin" KV requests. This prevents tenants from splitting ranges, merging range, rebalancing ranges, or issuing any other KV requests with the `isAdmin` flag that could dictate KV-level distribution decisions. This further mitigates the impact that a compromised tenant SQL process could have on the rest of the cluster. Co-authored-by: Nathan VanBenschoten <[email protected]>
madelineliao
pushed a commit
to madelineliao/cockroach
that referenced
this issue
Aug 12, 2020
Fixes cockroachdb#52360. This commit adds a new restriction to the tenantAuth policy that it accepts no "Admin" KV requests. This prevents tenants from splitting ranges, merging range, rebalancing ranges, or issuing any other KV requests with the `isAdmin` flag that could dictate KV-level distribution decisions. This further mitigates the impact that a compromised tenant SQL process could have on the rest of the cluster.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
SQL tenants must not be allowed to perform manual range splits. This would allow them to create arbitrarily many ranges, instead of the maximum range count of a tenant being a function of the maximum data size offered to it.
The best way to do this might be to lock down all Admin KV requests in a follow-up change to #52094. I need to explore that and see if it's possible or if we need to support other admin kv requests.
The text was updated successfully, but these errors were encountered: