privilege,backupccl: introduce a RESTORE privilege #86918
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This change is |
|
Only the last commit is new. |
stevendanna
reviewed
Aug 26, 2022
| @@ -653,12 +698,12 @@ func getDatabaseIDAndDesc( | |||
| func dropDefaultUserDBs(ctx context.Context, execCfg *sql.ExecutorConfig) error { | |||
| return sql.DescsTxn(ctx, execCfg, func(ctx context.Context, txn *kv.Txn, col *descs.Collection) error { | |||
| ie := execCfg.InternalExecutor | |||
| _, err := ie.Exec(ctx, "drop-defaultdb", nil, "DROP DATABASE IF EXISTS defaultdb") | |||
| _, err := ie.Exec(ctx, "drop-defaultdb", txn, "DROP DATABASE IF EXISTS defaultdb") | |||
There was a problem hiding this comment.
yeah...going to pull this one out maybe or backport it for sure. Possibly related thread - https://cockroachlabs.slack.com/archives/C2C5FKPPB/p1661202884691609
adityamaru
force-pushed
the
restore-privilege
branch
from
cab37c9 to
2a23b90
Compare
adityamaru
force-pushed
the
restore-privilege
branch
from
2a23b90 to
c00f8db
Compare
This change introduces a RESTORE privilege that is grantable as a system, or database, or table level privilege. The purpose of this privilege is to offer a fine-grained permission model for users that wish to run restores. First let us outline the existing privilege model that governs backups: Cluster restores - admin only. Database restores - users must have CREATEDB role option. Table restores - users must have CREATE on the database we are restoring into. With the new fine grained permission model we would like to stop having to grant users privileges such as CREATE and CREATEDB only for the purpose of being able to restore a target. To this effect the new privilege model that will govern restores is: Cluster backups - user requires the system RESTORE privilege Database backups - user requires the system RESTORE privilege Table backups - user requires the database RESTORE privilege Note, admins will ofcourse continue to bypass all these checks. This diff does not change the privilege checks we perform on the backup destination URIs related to IMPLICIT authentication. That will be done as a follow-up. In 22.2 to prevent breaking user flows we will continue to respect the old privilege model, but emit a notice indicating our plans to replace this model in 23.1. At which point users will need to be granted the appropriate BACKUP privileges. Informs: cockroachdb#86263 Release note (sql change): This change introduces a new RESTORE privilege that is grantable as a system or database level privilege. Users can opt-in to the new privilege model by granting the appropriate privileges as per the following model: Cluster backups - user requires the system RESTORE privilege Database backups - user requires the system RESTORE privilege Table backups - user requires the database RESTORE privilege In 22.2 we will continue to respect the old privilege model, but will completely swithover to the RESTORE privilege in 23.1. Release justification: high impact change to offer fine grained privileges for bulk operations
adityamaru
force-pushed
the
restore-privilege
branch
from
c00f8db to
9f447c5
Compare
|
Flake is |
stevendanna
approved these changes
Aug 29, 2022
|
TFTR! bors r=stevendanna |
|
Build succeeded: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change introduces a RESTORE privilege that is grantable
as a system, or database level privilege. The purpose
of this privilege is to offer a fine-grained permission model
for users that wish to run restores. First let us outline the
existing privilege model that governs backups:
Cluster restores - admin only.
Database restores - users must have CREATEDB role option.
Table restores - users must have CREATE on the database we
are restoring into.
With the new fine grained permission model we would like to stop
having to grant users privileges such as CREATE and CREATEDB only
for the purpose of being able to restore a target. To this effect
the new privilege model that will govern restores is:
Cluster backups - user requires the system RESTORE privilege
Database backups - user requires the system RESTORE privilege
Table backups - user requires the database RESTORE privilege
Note, admins will ofcourse continue to bypass all these checks.
This diff does not change the privilege checks we perform on the backup
destination URIs related to IMPLICIT authentication. That will be done
as a follow-up.
In 22.2 to prevent breaking user flows we will continue to respect the
old privilege model, but emit a notice indicating our plans to replace
this model in 23.1. At which point users will need to be granted the
appropriate BACKUP privileges.
Informs: #86263
Release note (sql change): This change introduces a new RESTORE
privilege that is grantable as a system or database level privilege.
Users can opt-in to the new privilege model by granting the appropriate
privileges as per the following model:
Cluster backups - user requires the system RESTORE privilege
Database backups - user requires the system RESTORE privilege
Table backups - user requires the database RESTORE privilege
In 22.2 we will continue to respect the old privilege model, but will
completely swithover to the RESTORE privilege in 23.1.
Release justification: high impact change to offer fine grained privileges
for bulk operations