sql: fix Usage privilege on Tables/DBs after upgrading from 20.1 #65010
Conversation
|
This change is |
RichardJCai
force-pushed
the
fix_usage_privilege_20.1_to_20.2_05112021
branch
2 times, most recently
from
cd95643 to
e6004f1
Compare
There was a problem hiding this comment.
Can you go back and create a 20.1 backup that you restore in the style of https://github.com/cockroachdb/cockroach/blob/master/pkg/ccl/backupccl/restore_old_versions_test.go#L31 to make sure that post-restore everything works as you might expect?
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @RichardJCai)
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
// InitialVersion is for descriptors that were created in versions 20.1 and // earlier. if p.Version == InitialVersion {
What happens if you create a descriptor in 20.1 and grant ZONCONFIG in 20.1 and then set an owner in 20.2?
There was a problem hiding this comment.
Will do
Reviewable status:
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
Previously, ajwerner wrote…
What happens if you create a descriptor in 20.1 and grant ZONCONFIG in 20.1 and then set an owner in 20.2?
Is it wrong to assume that this would be called before you try to set an owner in 20.2? I thought you'd have to retrieve the descriptor which then would be fixed before an owner is set.
There was a problem hiding this comment.
Reviewable status:
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
Is it wrong to assume that this would be called before you try to set an owner in 20.2? I thought you'd have to retrieve the descriptor which then would be fixed before an owner is set.
I mean 20.2 before this patch release. I'm asking whether you can have Version == OwnerVersion and still have the wrong bit set.
There was a problem hiding this comment.
Reviewable status:
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
Previously, ajwerner wrote…
I mean 20.2 before this patch release. I'm asking whether you can have
Version == OwnerVersionand still have the wrong bit set.
Ah I see what you mean. If they're on a 20.2 patch release before this version, if the descriptor is corrupted, it would have to have been created in 20.1 (we don't actually update the Version field) and have Version == InitialVersion.
We never actually update the Version field so I believe this is fine.
There was a problem hiding this comment.
Reviewable status:
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
Ah I see what you mean. If they're on a 20.2 patch release before this version, if the descriptor is corrupted, it would have to have been created in 20.1 (we don't actually update the Version field) and have Version == InitialVersion.
We never actually update the Version field so I believe this is fine.
If we don't upgrade it, what does it mean?
There was a problem hiding this comment.
Reviewable status:
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
Previously, ajwerner wrote…
If we don't upgrade it, what does it mean?
When I first added ownership, instead of deciding to migrate all table descriptors to have owners, I added a version field to determine if having an empty owner would be valid.
The version field is only used currently to validate if having an empty owner is valid
https://github.com/cockroachdb/cockroach/blob/master/pkg/sql/catalog/descpb/privilege.go#L299
There was a problem hiding this comment.
Reviewed 1 of 4 files at r1.
Reviewable status:
pkg/sql/catalog/descpb/privilege.go, line 226 at r1 (raw file):
Previously, RichardJCai (Richard Cai) wrote…
When I first added ownership, instead of deciding to migrate all table descriptors to have owners, I added a version field to determine if having an empty owner would be valid.
The version field is only used currently to validate if having an empty owner is valid
https://github.com/cockroachdb/cockroach/blob/master/pkg/sql/catalog/descpb/privilege.go#L299
Cool, I’m satisfied. Nit:early return if the version is new enough. Also add more commentary indicating that the version doesn’t get upgraded today and we’ll have fixed this bug by the time we ever do want to do the upgrade.
RichardJCai
requested review from
a team,
nihalpednekar and
pbardea
and removed request for
a team
|
Added a backup test and some logic some restore works. cc @cockroachdb/bulk-io and @pbardea for review PTAL at the second commit mostly. |
In 20.2, I made a mistake when introducing USAGE privilege by adding it before ZONECONFIG privilege in the bitfield. Due to this, when updating from 20.1 to 20.2, ZONECONFIG privilege will be interpretted as USAGE. Fortunately, ZONECONFIG was only a valid privilege on tables and databases while USAGE is invalid on both those objects. Due to this, whenever we encounter USAGE on a privilege descriptor versioned 20.1 (InitialVersion) we can fix this by removing the bit for USAGE and adding the bit for ZONECONFIG on the privilege descriptor. Release note: None
RichardJCai
force-pushed
the
fix_usage_privilege_20.1_to_20.2_05112021
branch
2 times, most recently
from
48977b4 to
5125ab9
Compare
There was a problem hiding this comment.
Restore change LGTM
Reviewed 3 of 4 files at r1, 1 of 1 files at r2.
Reviewable status:
pkg/ccl/backupccl/restore_old_versions_test.go, line 208 at r3 (raw file):
err := os.Symlink(exportDir, filepath.Join(tmpDir, "foo")) require.NoError(t, err) sqlDB.Exec(t, `RESTORE FROM $1`, LocalFoo)
A comment mentioning that this only affects cluster restores since database restores reset privileges on the descriptor wouldn't hurt
pkg/ccl/backupccl/testdata/restore_old_versions/create_with_privileges.sql, line 2 at r3 (raw file):
-- The below SQL is used to create the data that is then exported with BACKUP -- finish this comment
Looks like this comment needs to be finished, but it'd be good to mention the version that you ran this against to generate the backup
RichardJCai
force-pushed
the
fix_usage_privilege_20.1_to_20.2_05112021
branch
from
5125ab9 to
50f6587
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/ccl/backupccl/restore_old_versions_test.go, line 208 at r3 (raw file):
Previously, pbardea (Paul Bardea) wrote…
A comment mentioning that this only affects cluster restores since database restores reset privileges on the descriptor wouldn't hurt
Added it to the function header comment
pkg/ccl/backupccl/testdata/restore_old_versions/create_with_privileges.sql, line 2 at r3 (raw file):
Previously, pbardea (Paul Bardea) wrote…
Looks like this comment needs to be finished, but it'd be good to mention the version that you ran this against to generate the backup
Oops, fixed.
… prior. This is needed in addition to the previous commit to fix ZONECONFIG privilege when restoring from a version from 20.1 or prior. Release note: None
RichardJCai
force-pushed
the
fix_usage_privilege_20.1_to_20.2_05112021
branch
from
50f6587 to
1e42b0d
Compare
|
Thanks for reviewing! bors r+ |
|
Build succeeded: |
This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Release note (bugfix): This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Release note (bugfix): Summary: upon upgrading to 21.2, users will have all privileges fixed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration calls RunPostDeserializationChanges on every descriptor fixing any inconsistencies with the descriptor. This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Additionally the IsRepaired bit will be set to true after the fix. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration calls RunPostDeserializationChanges on every descriptor fixing any inconsistencies with the descriptor. This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Additionally the IsRepaired bit will be set to true after the fix. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration calls RunPostDeserializationChanges on every descriptor fixing any inconsistencies with the descriptor. This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Additionally the IsRepaired bit will be set to true after the fix. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration calls RunPostDeserializationChanges on every descriptor fixing any inconsistencies with the descriptor. This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Additionally the IsRepaired bit will be set to true after the fix. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration calls RunPostDeserializationChanges on every descriptor fixing any inconsistencies with the descriptor. This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Additionally the IsRepaired bit will be set to true after the fix. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
This migration calls RunPostDeserializationChanges on every descriptor fixing any inconsistencies with the descriptor. This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Additionally the IsRepaired bit will be set to true after the fix. Release note (bug fix): Summary: upon upgrading to 21.2, users will have all privileges fixed. This means any invalid privileges on all objects will be removed. Details: This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (cockroachdb#65010) and those that are corrupted after converting a database to a schema (cockroachdb#65697).
66495: sql: migration for descriptors fixes r=ajwerner a=RichardJCai This migration fixes corrupted privilege descriptors in the wild resulting from the fallout of the ZONECONFIG/USAGE bug and the ALTER DATABASE CONVERT TO SCHEMA bug. Additionally, all privilege descriptors will be updated to explicitly have Owners. Privilege descriptors created before 20.2 do not have their owner field set and instead owners are implicitly inferred. Finally all privilege descriptors will be bumped up to Version21_2 after the migration so we can strictly validate privileges. Release note (bugfix): This migration will be run when users upgrade to 21.2 (Specifically 21.2.14). This migration fixes any privilege descriptors that are corrupted from the fallout of the ZONECONFIG/USAGE bug on tables and databases after upgrading from 20.1 -> 20.2 (#65010) and those that are corrupted after converting a database to a schema (#65697). Fixes #65012 Co-authored-by: richardjcai <[email protected]>
In 20.2, I made a mistake when introducing USAGE privilege by
adding it before ZONECONFIG privilege in the bitfield.
Due to this, when updating from 20.1 to 20.2, ZONECONFIG privilege will be
interpretted as USAGE.
Fortunately, ZONECONFIG was only a valid privilege on tables and databases
while USAGE is invalid on both those objects. Due to this, whenever we encounter
USAGE on a privilege descriptor versioned 20.1 (InitialVersion) we can fix
this by removing the bit for USAGE and adding the bit for ZONECONFIG on the
privilege descriptor.
Release note: None