Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tree: correct mutation/DDL property for some opaque operators #93991

Merged
merged 1 commit into from
Dec 21, 2022

Conversation

rafiss
Copy link
Collaborator

@rafiss rafiss commented Dec 20, 2022

fixes #91713

In ed733ad, a framework was added to mark certain opaque operators as DDL or mutations.

This was enhanced in 06581b3, but that change wasn't exhaustive since it marked some statements as read-only, even if they could perform DDL.

With the addition of StatementType() in
8962176, we can make this a little more correct.

This allows the check at

if opt.IsMutationOp(e) {
to work correctly, and reject operations that shouldn't be allowed when using a read-only transaction.

To explain each change:

  • BACKUP can modify job state and write to userfiles, so shouldn't be allowed in read-only mode.
  • SET commands are always allowed in read-only mode in order to match Postgres behavior, and since those changes are all in-memory and session setting modifications don't respect transactions anyway.
  • The crdb_internal tenant functions modify system tables.
  • GRANT, REVOKE, and many other privilege-related statements are "DCL" (data control language), and all modify system tables or descriptors.

Release note (bug fix): CREATE ROLE, DELETE ROLE, GRANT, and REVOKE statements no longer work when the transaction is in read-only mode.

@rafiss rafiss requested review from stevendanna, ZhouXing19 and a team December 20, 2022 17:26
@rafiss rafiss requested a review from a team as a code owner December 20, 2022 17:26
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@rafiss rafiss force-pushed the fix-role-read-only branch 2 times, most recently from deb720e to 0cb4771 Compare December 21, 2022 15:01
@rafiss rafiss requested review from e-mbrown and removed request for ZhouXing19 December 21, 2022 16:00
Copy link
Collaborator

@ZhouXing19 ZhouXing19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm_strong: ! Just had a small q.

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @e-mbrown, @rafiss, and @stevendanna)


pkg/sql/tenant.go line 321 at r2 (raw file):

// CreateTenant implements the tree.TenantOperator interface.
func (p *planner) CreateTenant(

Seems that tests for CreateTenant and DestroyTenant were not added.

@ZhouXing19
Copy link
Collaborator

pkg/sql/tenant.go line 321 at r2 (raw file):

Previously, ZhouXing19 (Jane Xing) wrote…

Seems that tests for CreateTenant and DestroyTenant were not added.

And RenameTenant.

In ed733ad, a framework was added to
mark certain opaque operators as DDL or mutations.

This was enhanced in 06581b3, but that
change wasn't exhaustive since it marked some statements as read-only,
even if they could perform DDL.

With the addition of `StatementType()` in
8962176, we can make this a little more
correct.

This allows the check at
https://github.com/cockroachdb/cockroach/blob/48ef0d89e6179c0d348a5236ad308d81fa392f7c/pkg/sql/opt/exec/execbuilder/relational.go#L163
to work correctly, and reject operations that shouldn't be allowed when
using a read-only transaction.

To explain each change:
- BACKUP can modify job state and write to userfiles, so shouldn't be
  allowed in read-only mode.
- SET commands are always allowed in read-only mode in order to match
  Postgres behavior, and since those changes are all in-memory and
  session setting modifications don't respect transactions anyway.
- The crdb_internal tenant functions modify system tables.
- GRANT, REVOKE, and many other privilege-related statements are "DCL"
  (data control language), and all modify system tables or descriptors.
- Declaring cursors is allowed in Postgres read-only transactions.

Release note (bug fix): CREATE ROLE, DELETE ROLE, GRANT, and REVOKE
statements no longer work when the transaction is in read-only mode.
@rafiss rafiss force-pushed the fix-role-read-only branch from 0cb4771 to 50a7999 Compare December 21, 2022 18:38
@rafiss
Copy link
Collaborator Author

rafiss commented Dec 21, 2022

tftr! i added tests

bors r=ZhouXing19

@craig
Copy link
Contributor

craig bot commented Dec 21, 2022

Build succeeded:

@craig craig bot merged commit 8d3a94e into cockroachdb:master Dec 21, 2022
@blathers-crl
Copy link

blathers-crl bot commented Dec 21, 2022

Encountered an error creating backports. Some common things that can go wrong:

  1. The backport branch might have already existed.
  2. There was a merge conflict.
  3. The backport branch contained merge commits.

You might need to create your backport manually using the backport tool.


error creating merge commit from 50a7999 to blathers/backport-release-22.1-93991: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 22.1.x failed. See errors above.


error creating merge commit from 50a7999 to blathers/backport-release-22.2-93991: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict []

you may need to manually resolve merge conflicts with the backport tool.

Backport to branch 22.2.x failed. See errors above.


🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CREATE USER/ROLE still possible in read-only session
3 participants