sql: anonymize query strings exposed in various `crdb_internal` tables.

[abarganier]

Is your feature request related to a problem? Please describe.
Currently, we have a number of crdb_internal.* tables that exposed user-defined SQL statements. These are useful for debugging purposes.

While some of these statement strings have been anonymized to remove any user-supplied constants (e.g. something like SELECT * FROM x WHERE name = $1 instead of SELECT * FROM x WHERE name = 'Pat'), some tables expose the user-supplied constants.

As our compliance requirements grow, this exposure of user-supplied constants restricts our ability to use these crdb_internal.* tables. For example, in a redacted version of a debug zip bundle, we're forced to omit these columns from the crdb_internal table dumps to meet our compliance requirements, which reduces observability into SQL queries.

Describe the solution you'd like
We'd like to see these statement strings properly anonymized wherever possible in various crdb_internal.* tables, so that we can expose the anonymized statement strings in redacted debug zip bundles.

The following columns have been identified as exposing unredacted statement strings and related data:

1. stmt from crdb_internal.cluster_distsql_flows
2. query from crdb_internal.cluster_queries
3. active_queries and last_active_query from crdb_internal.cluster_sessions
4. create_statement, create_nofks, and alter_statements from crdb_internal.create_statements
5. create_statement and enum_members from crdb_internal.create_type_statements
6. list_value and range_value from crdb_internal.partitions
7. query from crdb_internal.node_queries
8. active_queries and last_active_query from crdb_internal.node_sessions

Describe alternatives you've considered
We've also considered the idea of using something like a session setting to indicated to the vtable handlers that the results should be redacted, where we could optionally show the anonymized statement strings only upon request. Is this necessary, though? Can we get by in a world where they're always anonymized? There are plenty of other areas where the anonymized statement strings seem to work just fine. I'm not against doing this conditionally, but simple is good.

Jira issue: CRDB-19996

[thtruo]

Heads up @kevin-v-ngo and @maryliag this was an outstanding item that came out from Obs Infra's work to reach baseline PCI compliance before the end of September. However, the primary PCI-DSS compliance deadline maps to the end of the year, so we should aim to have this in a minor version patch release for v22.2
Let us know if SQL Obs isn't the right team to take this on - we'll triage accordingly

[michae2]

We're planning redaction / obfuscation of similar information in statement bundles in 23.1: CRDB-19756

[michae2]

6. list_value and range_value from crdb_internal.partitions

@abarganier, wouldn't partition values count as range key data? (Both list and range partition values are used as keys in the indexes that back partitions.)

[kevin-v-ngo]

@ericharmeling and I chatted about this issue today.

@thtruo, as I understand it, this is to improve the debugging experience with debug.zips given the removal of information (columns) to meet PCI compliance. This issue is not on the hot path to be PCI compliant - can you confirm Tommy?

We'd like to see these statement strings properly anonymized wherever possible in various crdb_internal.* tables

There is some concern in automatically anonymizing by default since having literals can be critical for a few cases where users are troubleshooting the cause of plan changes and/or regressions. It'd be taking something away from users that rely on this piece of information.

Can we identify that it's a debug.zip request and then redact the columns? For instance, introduce a redact function for statement text and instead of dumping the entire table, we selectively choose all columns and apply the function to sensitive columns.

[thtruo]

@thtruo, as I understand it, this is to improve the debugging experience with debug.zips given the removal of information (columns) to meet PCI compliance. This issue is not on the hot path to be PCI compliant - can you confirm Tommy?

Yes that's correct. We already reached baseline PCI compliance with the initial set of changes that made it into v22.2. This particular item is a post-PCI enhancement to improve debugging experiences

There is some concern in automatically anonymizing by default since having literals can be critical for a few cases where users are troubleshooting the cause of plan changes and/or regressions. It'd be taking something away from users that rely on this piece of information.

Your concern refers to automatically anonymizing relevant columns from crdb_internal.* tables across the board, even outside of the context of debug zips right? I believe we're only talking about the context of debug zips at this point.

Can we identify that it's a debug.zip request and then redact the columns? For instance, introduce a redact function for statement text and instead of dumping the entire table, we selectively choose all columns and apply the function to sensitive columns.

I don't know at the moment what mechanism we can/should use to identify a debug zip request. Do you happen to know @abarganier ?

[abarganier]

Hey @michae2, apologies for missing your question here.

Partition values do indeed count as range key data. Both the list_value and range_value columns from crdb_internal.partitions are omitted from redacted debug zips for this reason.

EDIT: Sorry, original response was jumbled/confusing.

If we don't have some way to switch redaction for these tables on/off (e.g. through something like a session setting), then we don't want to render columns like these useless by always redacting them. If that's the case, we can just lean on debug zip's omission of these columns and leave them as-is otherwise, since the redacted form wouldn't be useful. After talking with @xinhaoz on Slack, it sounds like the same goes for the enum_members column as well.