release-22.1: admin: statement diagnostics uses correct auth helpers #99055
Previously, the statement diagnostics HTTP handler was initialized using the incorrect `ctx` value. This caused the HTTP request context to not be correctly handed down to the handler. Furthermore, the call to `userFromIncomingRPCContext` was incorrect in this scenario since it relied on a gRPC context being populated with HTTP session information, which did not exist. That code sets a `root` user when context is missing because the gRPC handlers are used for inter-node communication and HTTP with the DB console and external tools.

This commit attaches the request context to the diagnostics bundle handler correctly, and amends the authorization code to use `userFromHTTPAuthInfoContext` which correctly reads the session cookie info from the request (like many `api/v2` handlers do since those exist outside the gRPC infrastructure).

Resolves #99049

Epic: None

Release note (security update): Previously, users could gain unauthorized access to statement diagnostic bundles they did not create if they requested the bundle through an HTTP request to `/_admin/v1/stmtbundle/<id>` and correctly guessed its (non-secret) ID. This change locks down this endpoint behind the usual SQL gating that correctly uses the SQL user in the HTTP session as identified by their cookie.

Release justification: security bug
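
A reduced model of the fail-open pattern the commit message describes, as an added example that is not CockroachDB's code. All function names, context keys and the privilege table are hypothetical, and a session user in the context stands for a cookie that middleware has already validated.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
)

// Hypothetical names throughout; none are CockroachDB identifiers.
type ctxKey string
const rpcUser, sessionUser ctxKey = "rpc-user", "session-user"
var mayView = map[string]bool{"root": true, "alice": true} // constructed stand-in for the SQL gating

// Fail-open: a ctx without RPC metadata is treated as inter-node traffic (root).
func userFromRPC(ctx context.Context) string {
	if u, ok := ctx.Value(rpcUser).(string); ok {
		return u
	}
	return "root"
}

// Before: the startup ctx goes through the RPC helper; the request ctx is ignored.
func buggyStatus(serverCtx, _ context.Context) int {
	return gate(userFromRPC(serverCtx), true)
}

// After: the request ctx is read and a missing session fails closed.
func fixedStatus(reqCtx context.Context) int {
	u, ok := reqCtx.Value(sessionUser).(string)
	return gate(u, ok)
}

func gate(user string, authed bool) int {
	if !authed {
		return http.StatusUnauthorized
	} else if !mayView[user] {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// session builds the ctx that cookie-validating middleware (assumed) would attach.
func session(user string) context.Context {
	return context.WithValue(context.Background(), sessionUser, user)
}

func main() {
	fmt.Println(buggyStatus(context.Background(), session("bob")), fixedStatus(session("bob")), fixedStatus(session("alice"))) // 200 403 200
}
```

A regression test for this class of bug should request the endpoint with no session and with an unprivileged session and expect a rejection in both cases.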