sql: delegate SHOW SYSTEM GRANTS to new crdb_internal.kv_system_privileges vtable#104565
sql: delegate SHOW SYSTEM GRANTS to new crdb_internal.kv_system_privileges vtable#104565craig[bot] merged 1 commit intocockroachdb:masterfrom ecwall:sql_show_system_grants
Conversation
|
This change is |
pkg/sql/crdb_internal.go
Outdated
| rows, err := p.ExecCfg().InternalDB.Executor().QueryIteratorEx( | ||
| ctx, | ||
| op, | ||
| nil, |
pkg/sql/crdb_internal.go
Outdated
| ctx, | ||
| op, | ||
| nil, | ||
| sessiondata.RootUserSessionDataOverride, |
There was a problem hiding this comment.
Could you make this a parameter of populateFromQuery instead of hard-coding it to the root user, please? I have another use-case in mind where populateFromQuery might be useful but it would be for the node user.
pkg/sql/crdb_internal.go
Outdated
| }, | ||
| } | ||
|
|
||
| func populateFromQuery(query string, op string) populateFunc { |
There was a problem hiding this comment.
style nit: s/op/opName? also have it precede the query arg perhaps?
There was a problem hiding this comment.
I replaced this func with virtualSchemaView{}.
pkg/sql/crdb_internal.go
Outdated
| } | ||
|
|
||
| var crdbInternalSystemPrivileges = virtualSchemaTable{ | ||
| comment: `vtable backing SHOW SYSTEM GRANTS`, |
There was a problem hiding this comment.
nit: this comment deserves to be improved, how about something along the lines of "this vtable is a view on system.privileges with the root user and is used to back SHOW SYSTEM GRANTS"
pkg/sql/crdb_internal.go
Outdated
| var crdbInternalSystemPrivileges = virtualSchemaTable{ | ||
| comment: `vtable backing SHOW SYSTEM GRANTS`, | ||
| schema: ` | ||
| CREATE TABLE crdb_internal.system_privileges ( |
There was a problem hiding this comment.
There's a naming scheme in force for this virtual schema which requires new tables to have a prefix depending on what they do, in this case this prefix is kv_.
There was a problem hiding this comment.
Why do user privileges get a kv_ prefix?
There was a problem hiding this comment.
According to https://github.com/cockroachdb/cockroach/blob/master/pkg/sql/crdb_internal.go#L107 this vtable needs the kv_ prefix because it's populated (ultimately) by performing a KV scan on a physical table. That's my understanding, at least, which so far hasn't been challenged.
There was a problem hiding this comment.
Ok sounds good to me. I never noticed that comment.
pkg/sql/crdb_internal.go
Outdated
| if err != nil { | ||
| return err | ||
| } | ||
| defer func() { |
There was a problem hiding this comment.
The motivation for the existence of this defer deserves a comment.
pkg/sql/crdb_internal.go
Outdated
| } | ||
| } | ||
|
|
||
| var crdbInternalSystemPrivileges = virtualSchemaTable{ |
There was a problem hiding this comment.
I think (but I'm not sure) that you could define this as a virtualSchemaView and this way you would not need to introduce populateFromQuery at all!
I investigated this a bit. In master we already have crdb_internal.transaction_statistics_persisted which is the same thing for system.transaction_statistics; I set up a logictest in which testuser was non-admin and querying the latter would correctly raise an error however it totally can query the vtable.
There was a problem hiding this comment.
Thanks I was looking for something like this, but did not know what to search for.
…s vtable Fixes #104412 SHOW SYSTEM GRANTS previously delegated to system.privileges which requires the admin or root user privileges. This change adds a new crdb_internal.kv_system_privileges vtable that is accessible to anyone. Release note (bug fix): Fixes issue requiring admin or root user privileges to use SHOW SYSTEM GRANTS.
rafiss
left a comment
There was a problem hiding this comment.
nice! glad the view works
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @ecwall and @postamar)
|
bors r=rafiss |
|
Build succeeded: |
|
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from f8c7d67 to blathers/backport-release-22.2-104565: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 22.2.x failed. See errors above. error creating merge commit from f8c7d67 to blathers/backport-release-23.1-104565: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 23.1.x failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
Fixes #104412
SHOW SYSTEM GRANTS previously delegated to system.privileges which requires
the admin or root user privileges.
This change adds a new crdb_internal.kv_system_privileges vtable that is
accessible to anyone.
Release note (bug fix): Fixes issue requiring admin or root user privileges to
use SHOW SYSTEM GRANTS.