multitenant: Protect from accidental use of DROP TENANT

[ajstorm]

DROP TENANT is an extremely destructive command. In the unified architecture world, it could be effectively equivalent to deleting a cluster's worth of data. As a result, users should not be entering into it lightly. To signal that care should be taken in its use we should somehow protect against misuse (cluster/session setting, sql_safe_updates, etc).

In this same issue, we may also consider gating CREATE TENANT so that we don't over-expose the tenant architecture to unsuspecting customers.

Epic: CRDB-23559

Jira issue: CRDB-24996

[blathers-crl]

Hi @ajstorm, please add branch-* labels to identify which branch(es) this release-blocker affects.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[knz]

we may also consider gating CREATE TENANT so that we don't over-expose the tenant architecture to unsuspecting customers.

I don't understand the point of this -- none of this is documented nor visible unless you go look for it. If we create a cluster setting, folk will see it with show all cluster settings and that will raise more eyebrows. Further than that, access to cluster settings (and modifying them) requires fewer privileges than create tenant so there would be no benefit wrt restricting access to entry.

[ajstorm]

If we create a cluster setting, folk will see it with show all cluster settings and that will raise more eyebrows.

Interesting. I didn't realize that was the case. Is there no mechanism today to hide cluster settings?

The rationale behind hiding it was that we didn't want non-C2C customers to start creating a bunch of tenants because they stumbled upon the syntax, which isn't overly hard to do.

demo@127.0.0.1:26257/movr> \h create
Command: CREATE
Syntax:
CREATE DATABASE, CREATE TABLE, CREATE INDEX, CREATE TABLE AS,
CREATE USER, CREATE VIEW, CREATE SEQUENCE, CREATE STATISTICS,
CREATE ROLE, CREATE TYPE, CREATE EXTENSION, CREATE TENANT, CREATE SCHEDULE

The thinking was that with a hidden cluster setting, it wouldn't be immediately obvious for users how to enable the CREATE functionality. Even if there wasn't a way to hide them, if we returned a sufficiently cryptic error message from CREATE TENANT (like "unsupported functionality") users would have to know that a given cluster setting unlocks the functionality and find that cluster setting (presumably by digging through the code).

I'm still of the opinion that there's value in adding this protection.

[knz]

Is there no mechanism today to hide cluster settings?

no

demo@127.0.0.1:26257/movr> \h create

We can improve this specifically.

if we returned a sufficiently cryptic error message

lol, no. Obscurity does not define effective policy, it rather incurs expensive support escalations.

I'm still of the opinion that there's value in adding this protection.

we'll discuss it at pod meeting