sql: validate constraints when secondary tenants set zone configs #69275
Conversation
|
This change is |
There was a problem hiding this comment.
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @ajwerner, @arulajmani, and @irfansharif)
pkg/sql/set_zone_config.go, line 989 at r1 (raw file):
// view exposed via the RegionServer and are not allowed to configure arbitrary // constraints (required or otherwise). func validateZoneLocalitiesForSecondaryTenants(
Drive by comment: Does it make sense to have this behaviour overridable via a cluster setting? While now we can't envision a reason why we'd want to allow other tiers or missing regions/zones, if something comes up, it might be helpful for support to have an escape valve.
arulajmani
force-pushed
the
zcfg-validate-localities
branch
from
bee6938 to
6dd101f
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/sql/set_zone_config.go, line 989 at r1 (raw file):
Previously, ajstorm (Adam Storm) wrote…
Drive by comment: Does it make sense to have this behaviour overridable via a cluster setting? While now we can't envision a reason why we'd want to allow other tiers or missing regions/zones, if something comes up, it might be helpful for support to have an escape valve.
Are we worried at all that tenants could abuse this cluster setting to deliberately configure unsatisfiable constraints? Couldn't this have bad effects downstream?
There was a problem hiding this comment.
Reviewable status:
pkg/sql/set_zone_config.go, line 989 at r1 (raw file):
Previously, arulajmani (Arul Ajmani) wrote…
Are we worried at all that tenants could abuse this cluster setting to deliberately configure unsatisfiable constraints? Couldn't this have bad effects downstream?
Is there a way in serverless to hide a cluster setting from the secondary tenant but allow it to be injected by the host tenant? I was thinking we'd want this only set by SREs in emergencies.
pkg/sql/set_zone_config.go
Outdated
| func validateZoneAttrsAndLocalities( | ||
| ctx context.Context, execCfg *ExecutorConfig, zone *zonepb.ZoneConfig, | ||
| ) error { | ||
| // Avoid RPC calls to the Node/Region server if we don't have anything to |
pkg/sql/set_zone_config.go
Outdated
| // information via the RegionServer. Even then, they're only allowed to | ||
| // reference the "region" and "zone" tiers. | ||
| // | ||
| // Unlike the system tenant, we also catch typos in and validate prohibited |
There was a problem hiding this comment.
"tenant, we also validate prohibited constraints."
pkg/sql/set_zone_config.go
Outdated
| default: | ||
| return pgerror.Newf( | ||
| pgcode.CheckViolation, | ||
| "invalid constraint attribute: %q for tenants", |
There was a problem hiding this comment.
Mention that only "zone" and "region" are allowed.
pkg/sql/set_zone_config.go
Outdated
| if !found { | ||
| return pgerror.Newf( | ||
| pgcode.CheckViolation, | ||
| "region %q matches no existing nodes within the cluster", |
There was a problem hiding this comment.
Here and above, instead of mentioning "nodes" (which is not exposed to serverless users), just say that "region %q not found". Speaking of, is there a SHOW ALL REGIONS/ZONES or something tenants would be able to use to figure out what they can use?
pkg/sql/set_zone_config_test.go
Outdated
| errRe: "", | ||
| }, | ||
| { | ||
| cfg: `constraints: ["+zone=us-east1"]`, |
There was a problem hiding this comment.
s/us-east1/non-existent-zone
s/us-east1-a/non-existent-region
...
pkg/sql/set_zone_config.go
Outdated
| case "": | ||
| return pgerror.Newf( | ||
| pgcode.CheckViolation, | ||
| "non-locality constraints are not allowed for tenants", |
There was a problem hiding this comment.
Aren't these user visible errors? I don't think we want to use "tenants" (here and below). Also, what is a "non-locality constraint"? I don't see it in https://www.cockroachlabs.com/docs/v21.1/configure-replication-zones. Should we instead say something along the lines of "missing constraint attribute", and ask them to specify either region or zone?
arulajmani
force-pushed
the
zcfg-validate-localities
branch
from
6dd101f to
989477a
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/sql/set_zone_config.go, line 989 at r1 (raw file):
Previously, ajstorm (Adam Storm) wrote…
Is there a way in serverless to hide a cluster setting from the secondary tenant but allow it to be injected by the host tenant? I was thinking we'd want this only set by SREs in emergencies.
I'm not sure how "change setting on host tenant to have effect on all secondary tenants" works (or if it even exists). Let's talk about it in todays pod meeting and if we want this escape hatch?
pkg/sql/set_zone_config.go, line 912 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
s/RPC calls/RPCs
Done.
pkg/sql/set_zone_config.go, line 985 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
"tenant, we also validate prohibited constraints."
Done.
pkg/sql/set_zone_config.go, line 1022 at r2 (raw file):
Speaking off, is there a SHOW ALL REGIONS/ZONES or something tenants would be able to use to figure out what they can use?
Yeah, tenants can use SHOW REGIONS because that thing uses this RegionServer.
pkg/sql/set_zone_config.go, line 1029 at r2 (raw file):
Also, what is a "non-locality constraint"?
Something that references a node/store attribute, such as constraints = '[+ssd]'. I don't think "missing constraint attribute" makes sense in this case. Wdyt of this new revision?
pkg/sql/set_zone_config.go, line 1034 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
Mention that only "zone" and "region" are allowed.
Added a hint.
pkg/sql/set_zone_config_test.go, line 111 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
s/us-east1/non-existent-zone
s/us-east1-a/non-existent-region
...
Done.
There was a problem hiding this comment.
Reviewed 1 of 4 files at r1, 1 of 3 files at r3.
Reviewable status:
-- commits, line 4 at r3:
Typo: Previously
pkg/sql/set_zone_config.go, line 989 at r1 (raw file):
Previously, arulajmani (Arul Ajmani) wrote…
I'm not sure how "change setting on host tenant to have effect on all secondary tenants" works (or if it even exists). Let's talk about it in todays pod meeting and if we want this escape hatch?
I can't think of a scenario where we'd want this very specific escape hatch. It's also easy enough to add after the fact should something come up; I'd err on the side of not introducing Yet Another Cluster Setting until then.
pkg/sql/set_zone_config.go, line 985 at r2 (raw file):
Previously, arulajmani (Arul Ajmani) wrote…
Done.
We have an unnecessary "catch" in there.
pkg/sql/set_zone_config.go, line 1029 at r2 (raw file):
Previously, arulajmani (Arul Ajmani) wrote…
Also, what is a "non-locality constraint"?
Something that references a node/store attribute, such as constraints = '[+ssd]'. I don't think "missing constraint attribute" makes sense in this case. Wdyt of this new revision?
I figured, I just meant it's not terminology we've used before/elsewhere. To me this error should read the same as the one below (invalid constraint attribute: ""), and missing constraint attribute: specify either "region" or "zone" seems like the next best thing.
I'm not a fan of the "for tenants" qualifier given it bubbles up to end users. Ideally tenants wouldn't know they're tenants. The right place to document this limitation would be in our docs. I'm not sure where our we generally spell out the differences between on-prem CRDB and serverless (if we do), but worth asking Rich or someone about it.
pkg/sql/set_zone_config.go, line 1038 at r3 (raw file):
constraint.Key, ), `only "zone" and "region" are allowed in constraints`,
s/in constraints//
Previously, we would validate constraints/voter_constraints/ lease_preferences fields only for the system tenant. This patch extends this validation for secondary tenants as well. Crucially, the validation of these fields differs for secondary tenants in a couple of ways. Firstly, secondary tenants are only allowed to set locality attributes in their constraints clause. Even then, they're only allowed to set zone/region tiers. All other constraints (such as disk type, or rack locality) are rejected. This is because secondary tenants have a very narrow view of the cluster via the `RegionServer`. Secondly, we validate both positive and negative constraints for secondary tenants (unlike the system tenant where we validate only positive constraints). This follows from the "narrow view" secondary tenants get -- we don't want them configuring arbitrary constraints, positive or negative. Closes cockroachdb#69199 Release justification: Non production code change Release note: None
arulajmani
force-pushed
the
zcfg-validate-localities
branch
from
989477a to
66336a3
Compare
There was a problem hiding this comment.
Will bors once CI is green.
Reviewable status:
Previously, irfansharif (irfan sharif) wrote…
Typo: Previously
Done.
pkg/sql/set_zone_config.go, line 985 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
We have an unnecessary "catch" in there.
Oops.
pkg/sql/set_zone_config.go, line 1029 at r2 (raw file):
Previously, irfansharif (irfan sharif) wrote…
I figured, I just meant it's not terminology we've used before/elsewhere. To me this error should read the same as the one below (
invalid constraint attribute: ""), andmissing constraint attribute: specify either "region" or "zone"seems like the next best thing.I'm not a fan of the "for tenants" qualifier given it bubbles up to end users. Ideally tenants wouldn't know they're tenants. The right place to document this limitation would be in our docs. I'm not sure where our we generally spell out the differences between on-prem CRDB and serverless (if we do), but worth asking Rich or someone about it.
Meant to remove the "for tenants" part, my bad. I'm fine not differentiating between these two cases.
pkg/sql/set_zone_config.go, line 1038 at r3 (raw file):
Previously, irfansharif (irfan sharif) wrote…
s/in constraints//
Done.
|
TFTRs! borsr=otan,irfansharif |
|
I can't type. bors r=otan,irfansharif |
|
Build succeeded: |
Previousl, we would validate constraints/voter_constraints/
lease_preferences fields only for the system tenant. This patch extends
this validation for secondary tenants as well.
Crucially, the validation of these fields differs for secondary tenants
in a couple of ways. Firstly, secondary tenants are only allowed to set
locality attributes in their constraints clause. Even then, they're
only allowed to set zone/region tiers. All other constraints
(such as disk type, or rack locality) are rejected. This is because
secondary tenants have a very narrow view of the cluster via the
RegionServer.Secondly, we validate both positive and negative constraints for
secondary tenants (unlike the system tenant where we validate only
positive constraints). This follows from the "narrow view" secondary
tenants get -- we don't want them configuring arbitrary constraints,
positive or negative.
Closes #69199
Release justification: Non production code change
Release note: None