executor, privilege: require CONFIG or Process privilege for is.cluster_* #26220

Merged
merged 9 commits into from
Jul 16, 2021

@mjonss mjonss commented Jul 13, 2021

What problem does this PR solve?

Issue Number: close #26121,#26122,#26123,#26124,#26126

Problem Summary:
The information_schema.cluster_* tables should require the CONFIG or Process privilege. This is consistent with the behavior change in #25379 which requires CONFIG for SHOW CONFIG.

It makes sense to cherry pick to 5.1, but not 5.0; because the behavior in 5.0 was not established yet, and SHOW CONFIG still requires no privileges.

What is changed and how it works?

What's Changed:

Reading from the table information_schema.cluster_hardware now requires the CONFIG privilege.
Reading from the table information_schema.cluster_{info,load,systeminfo,log} now requires the CONFIG privilege.

Check List

Tests

  • Unit test

Side effects

  • Breaking backward compatibility (for security)

Release note

  • Reading from the table information_schema.cluster_hardware now requires the CONFIG privilege.
  • Reading from the table information_schema.cluster_info now requires the Process privilege.
  • Reading from the table information_schema.cluster_load now requires the Process privilege.
  • Reading from the table information_schema.cluster_systeminfo now requires the Process privilege.
  • Reading from the table information_schema.cluster_log now requires the Process privilege.
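
An added example, not part of the PR or the project's code: the grants a monitoring account needs after this change, following the per-table mapping in the release note above, plus an audit of who holds those privileges. The account name `cluster_monitor`, its host and its password are placeholders.

```sql
-- Hypothetical monitoring account; name, host and password are placeholders.
CREATE USER 'cluster_monitor'@'%' IDENTIFIED BY '<placeholder-password>';

-- information_schema.cluster_hardware: CONFIG (per the release note).
GRANT CONFIG ON *.* TO 'cluster_monitor'@'%';

-- information_schema.cluster_info, cluster_load, cluster_systeminfo,
-- cluster_log: PROCESS (per the release note).
GRANT PROCESS ON *.* TO 'cluster_monitor'@'%';

-- Confirm the account holds only what was granted above.
SHOW GRANTS FOR 'cluster_monitor'@'%';

-- Audit: accounts with a direct global grant of either privilege, i.e. the
-- accounts that can still read the cluster_* tables after this change.
-- Privileges held through roles are not shown by this query.
SELECT user, host, Config_priv, Process_priv
FROM mysql.user
WHERE Config_priv = 'Y' OR Process_priv = 'Y';

-- Run as cluster_monitor to confirm access, and as an account without
-- CONFIG/PROCESS to confirm the read is now refused. The second query uses
-- upper case because the table name is not case-sensitive.
SELECT COUNT(*) FROM information_schema.cluster_hardware;
SELECT COUNT(*) FROM INFORMATION_SCHEMA.CLUSTER_INFO;
```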

@ti-chi-bot ti-chi-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 13, 2021
@github-actions github-actions bot added the sig/execution SIG execution label Jul 13, 2021
And testing different case of table names...
@ti-chi-bot ti-chi-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 13, 2021

@mjonss mjonss left a comment

Current patch breaks the telemetry test, due to lack of Process privileges for i_s.cluster_info table.

@AilinKid AilinKid left a comment

LGTM

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Jul 14, 2021
@ti-chi-bot ti-chi-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 15, 2021
@morgo morgo self-requested a review July 15, 2021 21:06
@ti-chi-bot

@morgo: Thanks for your review. The bot only counts approvals from reviewers and higher roles in list, but you're still welcome to leave your comments.

@morgo morgo added the sig/sql-infra SIG: SQL Infra label Jul 15, 2021
@morgo morgo self-requested a review July 15, 2021 21:16
@ti-chi-bot

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • AilinKid
  • morgo

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Jul 15, 2021
@morgo

morgo commented Jul 15, 2021

/merge

@ti-chi-bot

This pull request has been accepted and is ready to merge.

Commit hash: b1b06e9

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Jul 15, 2021
@morgo

morgo commented Jul 16, 2021

/run-unit-test

@ti-srebot

cherry pick to release-5.1 in PR #26297

Labels
needs-cherry-pick-release-5.1 sig/execution SIG execution sig/sql-infra SIG: SQL Infra size/L Denotes a PR that changes 100-499 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Successfully merging this pull request may close these issues.

Users without process privilege should be unable to query cluster_hardware
7 participants