sql: block DROP TENANT based on a session var

[knz]

Fixes #97972.
Epic: CRDB-23559

In clusters where we will promote tenant management operations, we would like to ensure there is one extra step needed for administrators to drop a tenant (and thus irremedially lose data). Given that sql_safe_updates is not set automatically when users open their SQL session using their own client, we need another mechanism.

This change introduces the new (hidden) session var, disable_drop_tenant. When set, tenant deletion fails with the following error message:

[email protected]:26257/movr> drop tenant foo;
ERROR: rejected (via sql_safe_updates or disable_drop_tenant): DROP TENANT causes irreversible data loss
SQLSTATE: 01000

(The session var sql_safe_updates is also included as a blocker in the mechanism so that folk using cockroach sql get double protection).

The default value of this session var is false in single-tenant clusters, for compatibility with CC Serverless. It will be set to true via a config profile (#98466) when suitable.

Release note: None

[cockroach-teamcity]

This change is 

[yuzefovich]

Reviewed 6 of 6 files at r1, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @knz and @stevendanna)

---

pkg/sql/vars.go line 1547 at r1 (raw file):

			//   default value (false) to mean that tenant deletion is enabled.
			//   This is needed for backward-compatibility with Cockroach Cloud.
			return fmt.Sprint(!enableDropTenant.Get(sv))

nit: maybe use formatBoolAsPostgresSetting?

---

pkg/sql/sessiondatapb/local_only_session_data.proto line 368 at r1 (raw file):

  // prepared again.
  int64 prepared_statements_cache_size = 97;
    

nit: dangling spaces. Also this proto doesn't use empty lines between members.

[knz]

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @stevendanna)

---

pkg/sql/vars.go line 1547 at r1 (raw file):

Previously, yuzefovich (Yahor Yuzefovich) wrote…

nit: maybe use formatBoolAsPostgresSetting?

Done.

---

pkg/sql/sessiondatapb/local_only_session_data.proto line 368 at r1 (raw file):

Previously, yuzefovich (Yahor Yuzefovich) wrote…

nit: dangling spaces. Also this proto doesn't use empty lines between members.

Done.

[stevendanna]

This looks reasonable to me.

Reviewed 4 of 6 files at r1, 2 of 2 files at r2, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @knz)

[knz]

TFYR!

bors r=stevendanna

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[knz]

bors r=stevendanna

[craig]

Already running a review

[knz]

bors r-

[craig]

Canceled.

[knz]

bors r=stevendanna single on

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[rafiss]

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @knz)

---

pkg/sql/exec_util.go line 764 at r2 (raw file):

var enableDropTenant = settings.RegisterBoolSetting(
	settings.SystemOnly,
	"sql.drop_tenant.enabled",

I'm curious - why doesn't this use the convention we use for other cluster settings that set default values for session vars? i.e., name it something like sql.defaults.disable_drop_tenant

[craig]

Build succeeded:

• Bazel Essential CI (Cockroach)

[knz]

@rafiss because we now have a linter that blocks the introduction of settings named sql.defaults.*.

[rafiss]

I see now that this is SystemOnly and non-public, so I'm no longer concerned. I just thought it would be harder to find for users, but that concern doesn't apply here.