catalog: add descriptor repair to remove missing roles #122557

Merged
merged 1 commit into from
Apr 19, 2024

@fqazi fqazi commented Apr 17, 2024

Previously, we had a bug that could lead to descriptors having privileges to roles that no longer exist. This could lead to certain commands like SHOW GRANTS breaking. To address this, this patch will add descriptor repair logic to automatically clean up orphaned privileges.

Fixes: #122552

Release note (bug fix): Add automated clean up / validation for dropped roles inside descriptors.

blathers-crl bot commented Apr 17, 2024

Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@cockroach-teamcity

This change is Reviewable

@fqazi fqazi force-pushed the stripMissingRoles branch 2 times, most recently from 74a6be3 to 699f5a6 Compare April 18, 2024 03:52
@fqazi fqazi marked this pull request as ready for review April 18, 2024 12:09
@fqazi fqazi requested a review from a team as a code owner April 18, 2024 12:09

@rafiss rafiss left a comment

nice, this should be really useful! just had a comment

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @fqazi)


pkg/sql/sem/builtins/builtins.go line 5454 at r1 (raw file):

					for _, roleDatum := range (*roles).Array {
						role := tree.MustBeDString(roleDatum)
						roleMap[username.MakeSQLUsernameFromPreNormalizedString(string(role))] = struct{}{}

this can come from user input, so we must use MakeSQLUsernameFromUserInput instead.

Previously, we had a bug that could lead to descriptors having
privileges to roles that no longer exist. This could lead to certain
commands like SHOW GRANTS breaking. To address this, this patch will add
descriptor repair logic to automatically clean up orphaned privileges.

Fixes: cockroachdb#122552

Release note (bug fix): Add automated clean up / validation for dropped
roles inside descriptors.
@fqazi fqazi force-pushed the stripMissingRoles branch from 699f5a6 to 91b2074 Compare April 19, 2024 13:32

@fqazi fqazi left a comment

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)


pkg/sql/sem/builtins/builtins.go line 5454 at r1 (raw file):

Previously, rafiss (Rafi Shamim) wrote…

this can come from user input, so we must use MakeSQLUsernameFromUserInput instead.

Done.
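
Added example, not code from this PR or from CockroachDB: a self-contained sketch of why the review comment above matters, assuming the role array names the roles that still exist and that descriptors store lower-cased role names. `normalizeRole`, `roleSet` and `orphanedGrantees` are hypothetical helpers, and the lower-casing is a simplified stand-in for the library's user-input normalization.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalizeRole is a hypothetical, simplified stand-in for normalizing a
// user-supplied role name (assumption: lower-casing only).
func normalizeRole(s string) string { return strings.ToLower(s) }

// roleSet builds the set of live roles from caller-supplied names.
// normalize=false mirrors the reviewed code path, which treated the input
// as already normalized; normalize=true mirrors the requested change.
func roleSet(input []string, normalize bool) map[string]struct{} {
	set := make(map[string]struct{}, len(input))
	for _, r := range input {
		if normalize {
			r = normalizeRole(r)
		}
		set[r] = struct{}{}
	}
	return set
}

// orphanedGrantees returns the descriptor grantees that are absent from the
// live set, i.e. the privileges a repair pass would strip.
func orphanedGrantees(grantees []string, live map[string]struct{}) []string {
	var out []string
	for _, g := range grantees {
		if _, ok := live[g]; !ok {
			out = append(out, g)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data, not taken from the PR.
	grantees := []string{"admin", "alice", "dropped_role"}
	userInput := []string{"admin", "Alice"} // caller typed mixed case

	// Unnormalized input: the live role "alice" is misclassified as orphaned.
	fmt.Println(orphanedGrantees(grantees, roleSet(userInput, false)))
	// Normalized input: only the genuinely missing role is reported.
	fmt.Println(orphanedGrantees(grantees, roleSet(userInput, true)))
}
```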


@rafiss rafiss left a comment

great work! could we backport to 24.1?

Reviewed 23 of 24 files at r1, 1 of 1 files at r2, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @fqazi)

@fqazi fqazi added the backport-24.1.x Flags PRs that need to be backported to 24.1. label Apr 19, 2024

fqazi commented Apr 19, 2024

@rafiss TFTR!

bors r+

craig bot commented Apr 19, 2024

Build failed (retrying...):

@craig craig bot merged commit 50393fa into cockroachdb:master Apr 19, 2024
21 of 22 checks passed

fqazi commented May 24, 2024

blathers backport 23.2

blathers-crl bot commented May 24, 2024

Encountered an error creating backports. Some common things that can go wrong:

  1. The backport branch might have already existed.
  2. There was a merge conflict.
  3. The backport branch contained merge commits.

You might need to create your backport manually using the backport tool.


error creating merge commit from 91b2074 to blathers/backport-release-23.2-122557: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 23.2 failed. See errors above.


🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.
