Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sql: default privileges, granting excess privileges when creating an object #72322

Closed
RichardJCai opened this issue Nov 2, 2021 · 0 comments · Fixed by #72323
Closed

sql: default privileges, granting excess privileges when creating an object #72322

RichardJCai opened this issue Nov 2, 2021 · 0 comments · Fixed by #72323
Labels
A-sql-privileges SQL privilege handling and permission checks. C-bug Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior. T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions)

Comments

@RichardJCai
Copy link
Contributor

create user foo with password 'roach';
# login as foo
alter default privileges grant select on tables to foo
# login as root
create table t1();
show grants on table t1;

root@localhost:26257/defaultdb> show grants on table t1;
  database_name | schema_name | table_name | grantee | privilege_type
----------------+-------------+------------+---------+-----------------
  defaultdb     | public      | t1         | admin   | ALL
  defaultdb     | public      | t1         | foo    | SELECT
  defaultdb     | public      | t1         | root    | ALL

We're granting too many privileges when creating an object due to default privileges - in this case, foo should not be getting select on this table

@RichardJCai RichardJCai added C-bug Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior. A-sql-privileges SQL privilege handling and permission checks. T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions) labels Nov 2, 2021
craig bot pushed a commit that referenced this issue Nov 3, 2021
69614: spanconfig: introduce spanconfig.KVSubscriber r=irfansharif a=irfansharif

KVSubscriber presents a consistent[^1] snapshot of a spanconfig.StoreReader that's incrementally maintained with changes made to the global span configurations state. The maintenance happens transparently; callers can subscribe to learn about what key spans may have seen a configuration change. After learning about a span update, consulting the embedded StoreReader would retrieve an up-to-date[^2] config for it.

When a callback is first installed, it's invoked with the [min,max) span -- a shorthand to indicate that callers should consult the StoreReader for all spans of interest. Subsequent updates are of the more incremental kind. It's possible that the span updates received are no-ops, i.e.  consulting the StoreReader for the given span would retrieve the last config observed for the span[^2].  

```go
type KVSubscriber interface {
  StoreReader
  Subscribe(func(updated roachpb.Span))
}
```

Internally we maintain a rangefeed over the global store of span configurations (system.span_configurations), applying updates from it into an embedded spanconfig.Store. A read-only view of this data structure (spanconfig.StoreReader) is exposed as part of the KVSubscriber interface. Rangefeeds used as is don't offer any ordering guarantees with respect to updates made over non-overlapping keys, which is something we care about[^4]. For that reason we make use of a rangefeed buffer, accumulating raw rangefeed updates and flushing them out en-masse in timestamp order when the rangefeed frontier is bumped[^5]. If the buffer overflows (as dictated by the memory limit the KVSubscriber is instantiated with), the subscriber is wound down and an appropriate error is returned to the caller.

When running into the errors above, it's safe for the caller to re-subscribe to effectively re-establish the underlying rangefeeds. When re-establishing a new rangefeed and populating a spanconfig.Store using the contents of the initial scan[^6], we wish to preserve the existing spanconfig.StoreReader.  Discarding it would entail either blocking all external readers until a new spanconfig.StoreReader was fully populated, or presenting an inconsistent view of the spanconfig.Store that's currently being populated. For new rangefeeds what we do then is route all updates from the initial scan to a fresh spanconfig.Store, and once the initial scan is done, swap at the source for the exported spanconfig.StoreReader. During the initial scan, concurrent readers would continue to observe the last spanconfig.StoreReader if any. After the swap, it would observe the more up-to-date source instead.  Future incremental updates will also target the new source. When this source swap occurs, we inform handlers of the need to possibly refresh their view of all configs.  

This commit also wires up the KVSubscriber into KV stores, replacing the use of the gossiped system config span (possible given the StoreReader interface, only happens if a testing flag/env var is set).  

[^1]: The contents of the StoreReader at t1 corresponds exactly to the contents of the global span configuration state at t0 where t0 <= t1. If the StoreReader is read from at t2 where t2 > t1, it's guaranteed to observe a view of the global state at t >= t0.
[^2]: For the canonical KVSubscriber implementation, this is typically the closed timestamp target duration.
[^3]: The canonical KVSubscriber implementation internally re-establishes feeds when errors occur, possibly re-transmitting earlier updates (usually through a lazy [min,max) span) despite possibly not needing to. We could do a bit better and diff the two data structures, emitting only targeted updates.
[^4]: For a given key k, it's config may be stored as part of a larger span S (where S.start <= k < S.end). It's possible for S to get deleted and replaced with sub-spans S1...SN in the same transaction if the span is getting split. When applying these updates, we need to make sure to process the deletion event for S before processing S1...SN.
[^5]: In our example above deleting the config for S and adding configs for S1...Nwe want to make sure that we apply the full set of updates all at once -- lest we expose the intermediate state where the config for S was deleted but the configs for S1...SN were not yet applied.
[^6]: When tearing down the subscriber due to underlying errors, we could also surface a checkpoint to use the next time the subscriber is established. That way we can avoid the full initial scan over the span configuration state and simply pick up where we left off with our existing spanconfig.Store.

Release note: None

71239: sql: improve historical descriptor look up efficiency r=jameswsj10 a=jameswsj10

Fixes #70692. The existing implementation for looking up old
historical descriptors required multiple round trips to storage.
This improvement requires only 1, at most 2, KV calls to storage
by using a single ExportRequest.

Release note (performance improvement): reduce kv calls when
looking up old historical descriptors to 1 or at most 2.

72314: kvserver: trim state used from snapshots r=erikgrinaker a=tbg

Snapshots contain a serialized copy of the `ReplicaState`. However, the
snapshot itself contains that data already. Having two sources of data
that may be interpreted differently can lead to problems, as we saw in
[#72239].

This commit deprecates using the entire ReplicaState. Instead, we pick
out the descriptor and ignore everything else. Instead of using the
copy of the state to initialize the recipient's in-memory state, we
now use a state loader.

In 22.2 we can only send the descriptor but maybe we won't do that; for
logging and debugging it's kind of nice to have everything present.

Fixes #72222.

[#72239]: #72239

Release note: None

72323: sql: fix excess privileges being created from default privileges. r=RichardJCai a=RichardJCai

Release note (bug fix): Previously, when creating an object
default privileges from users that were not the user creating
the object would be added to the privileges of the object.
This fix ensures only the relevant default privileges are applied.

Resolves #72322

72346: roachtest: fix gorm roachtest r=rafiss a=RichardJCai

Release note: None

Fixes #72023

72352: server,cli: fix improperly wrapped errors r=knz a=rafiss

refs #42510

I'm working on a linter that detects errors that are not wrapped
correctly, and it discovered these.

Release note: None

72366: roachtest: update ruby-pg blocklist for 22.1 r=rafiss a=ZhouXing19

Fixes #72316

Release note: None

72390: roachprod: avoid flaky test due to unused functions r=[RaduBerinde,stevendanna,rail] a=healthy-pod

Merging #71660 trigerred a flaky test due to unused functions.

This patch avoids that test by making use of / commenting out unused functions.

Release note: None

Co-authored-by: irfan sharif <[email protected]>
Co-authored-by: jameswsj10 <[email protected]>
Co-authored-by: Tobias Grieger <[email protected]>
Co-authored-by: richardjcai <[email protected]>
Co-authored-by: Rafi Shamim <[email protected]>
Co-authored-by: Jane Xing <[email protected]>
Co-authored-by: Ahmad Abedalqader <[email protected]>
@craig craig bot closed this as completed in #72323 Nov 3, 2021
craig bot pushed a commit that referenced this issue Nov 4, 2021
72304: bazel: add `pkg/cmd/mirror` r=rail a=rickystewart

This tool will be extended with functionality to mirror Go module ZIP's
to cloud storage. For now, the mirroring functionality is missing, so
we just generate the `DEPS.bzl` content in much the same way as
`gazelle update-repos` does. (This doesn't change the content of
`DEPS.bzl` in any way besides alphabetizing the contents.)

Release note: None

72353: *: fix improperly wrapped errors r=otan,RaduBerinde,stevendanna a=rafiss

refs #42510

I'm working on a linter that detects errors that are not wrapped
correctly, and it discovered these.

Release note: None

72417: sql: add unit tests for creating default privileges r=ajwerner a=RichardJCai

Adding some unit test coverage so we don't hit bugs like this again.
#72322

Release note: None

Co-authored-by: Ricky Stewart <[email protected]>
Co-authored-by: Rafi Shamim <[email protected]>
Co-authored-by: richardjcai <[email protected]>
Co-authored-by: Richard Cai <[email protected]>
craig bot pushed a commit that referenced this issue Nov 4, 2021
70330: util/log: add buffer sink decorator r=knz a=rauchenstein

Previously, only the file sink had buffering, and in that case it is
built into the sink.  It's important to add buffering to network sinks
for various reasons -- reducing network chatter, and making the
networking call itself asynchronous so the log call returns with very
low latency.

This change adds a buffering decorator so that buffering can be added to
any log sink with little or no development effort, and allowing
buffering to be configured in a uniform way.

Release note (cli change): Add buffering to log sinks. This can be
configured with the new "buffering" field on any log sink provided via
the "--log" or "--log-config-file" flags.

Release justification: This change is safe because it is a no-op without
a configuration change specifically enabling it.

72353: *: fix improperly wrapped errors r=otan,RaduBerinde,stevendanna a=rafiss

refs #42510

I'm working on a linter that detects errors that are not wrapped
correctly, and it discovered these.

Release note: None

72417: sql: add unit tests for creating default privileges r=ajwerner a=RichardJCai

Adding some unit test coverage so we don't hit bugs like this again.
#72322

Release note: None

72430: kvserver: use wrapper type for Store.mu.replicas r=erikgrinaker a=tbg

This simplifies lots of callers and it will also make it easier to work
on #72374, where this map will start containing more than one type as
value.

Release note: None


72432: roachprod: fix `roachprod start` ignoring --binary flag r=[rail,tbg] a=healthy-pod

Merging #71660 introduced a bug where roachprod ignores --binary
flag when running `roachprod start`.

This patch reverts to the old way of setting config.Binary as a quick solution to the bug.

Release note: None

Fixes #72425 #72420 #72373 #72372

Co-authored-by: Jay Rauchenstein <[email protected]>
Co-authored-by: Raphael 'kena' Poss <[email protected]>
Co-authored-by: Rafi Shamim <[email protected]>
Co-authored-by: richardjcai <[email protected]>
Co-authored-by: Richard Cai <[email protected]>
Co-authored-by: Tobias Grieger <[email protected]>
Co-authored-by: Ahmad Abedalqader <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-sql-privileges SQL privilege handling and permission checks. C-bug Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior. T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions)
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant