sql: unify InternalExecutor and SessionBoundInternalExecutor#44170
sql: unify InternalExecutor and SessionBoundInternalExecutor#44170craig[bot] merged 3 commits intocockroachdb:masterfrom
Conversation
|
This change is |
knz
left a comment
There was a problem hiding this comment.
Thanks it was useful to extract this in its own PR because now TC is teaching you something useful. I think the tests are pointing out that the default db should not be set automatically in some cases (that's on purpose).
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @knz)
|
Well TC was teaching me the same thing on the old branch too. |
|
yes it is the opposite. The message
If the current db is not the empty string, the vtable can be accessed properly and instead the regular SQL semantics on the result kick in. |
|
So the test is telling you "I want my current db to be empty" and your new internal executor is making it non-empty. |
c15bbfc to
5252ccc
Compare
|
I've fixed the failing test by no longer running in the "system" database when running as root. |
knz
left a comment
There was a problem hiding this comment.
Reviewed 19 of 22 files at r1, 4 of 4 files at r2.
Reviewable status:
pkg/sql/internal.go, line 178 at r2 (raw file):
// // Query is deprecated because it may transparently execute a query as root. Use // QueryEx instead.
Can you file an issue and assign it to @otan and me to review all the SQL builtins and check that they are not using this method in unsafe ways (i.e. giving access to privileged data to non-admin users).
This implicit-run-as-root behavior is indeed highly problematic and I'm not sure we fully realized that before. There may be a sec vulnerability hidden in there.
pkg/sql/sqlutil/internal_executor.go, line 57 at r2 (raw file):
// Query executes the supplied SQL statement and returns the resulting rows. // The statement is executed as the root user.
Please update the mention about the user here.
The internal executor is a library that started bad and got worse. It came in two flavors: InternalExecutor and SessionBoundInternalExecutor. The interface was confusing, only matched by the implementation. And besides tomes of code, neither of them could do the basic thing of allowing a higher layer to bind most of the session data for future internal queries, but let the user be overriden at the query site. This patch does away with the SessionBoundInternalExecutor. It's functionality is absorbed into the InternalExecutor. The ie now gets a SetSessionData() method, used to bind session data. An extended query interface is added, allowing some aspects of this session data to be overriden on a per-query basis. Release note: None
s/QueryWithUser/QueryEx (or QueryWithCols) Release note: None
5252ccc to
b6bc2e3
Compare
b6bc2e3 to
6d9e5f1
Compare
This patch changes many users of the internal executor to explicitly declare whether they want to run as root (or as node in rare cases) or if they want to inherit the user previously set on the InternalExecutor instance that they're using. If they want to inherit and no user has previously been set on that executor, they'll get a runtime error (which hopefully is not the case for any of the callsites). There's still remaining callers to the old interface which gives you either root or another user based on what the executor has been previously set; I've given up on converting all of them. And there's some that can't simply be converted: callers in the sem package can't use the new interface because of package dependencies reasons. Release note: None
6d9e5f1 to
a636c92
Compare
andreimatei
left a comment
There was a problem hiding this comment.
Reviewable status:
pkg/sql/internal.go, line 178 at r2 (raw file):
Previously, knz (kena) wrote…
Can you file an issue and assign it to @otan and me to review all the SQL builtins and check that they are not using this method in unsafe ways (i.e. giving access to privileged data to non-admin users).
This implicit-run-as-root behavior is indeed highly problematic and I'm not sure we fully realized that before. There may be a sec vulnerability hidden in there.
pkg/sql/sqlutil/internal_executor.go, line 57 at r2 (raw file):
Previously, knz (kena) wrote…
Please update the mention about the user here.
done
|
👍 |
andreimatei
left a comment
There was a problem hiding this comment.
TFTR
bors r+
Reviewable status:
Timed out (retrying...) |
Build failed (retrying...) |
44170: sql: unify InternalExecutor and SessionBoundInternalExecutor r=andreimatei a=andreimatei The internal executor is a library that started bad and got worse. It came in two flavors: InternalExecutor and SessionBoundInternalExecutor. The interface was confusing, only matched by the implementation. And besides tomes of code, neither of them could do the basic thing of allowing a higher layer to bind most of the session data for future internal queries, but let the user be overriden at the query site. This patch does away with the SessionBoundInternalExecutor. It's functionality is absorbed into the InternalExecutor. The ie now gets a SetSessionData() method, used to bind session data. An extended query interface is added, allowing some aspects of this session data to be overriden on a per-query basis. Release note: None 44251: builtins: fix to_english(math.MinInt64) r=yuzefovich a=otan Resolves #44152. Release note (bug fix): `TO_ENGLISH(math.MinInt64)` previously errored. This is now fixed to return the correct result. Co-authored-by: Andrei Matei <andrei@cockroachlabs.com> Co-authored-by: Oliver Tan <otan@cockroachlabs.com>
Build succeeded |
The internal executor is a library that started bad and got worse. It
came in two flavors: InternalExecutor and SessionBoundInternalExecutor.
The interface was confusing, only matched by the implementation. And
besides tomes of code, neither of them could do the basic thing of
allowing a higher layer to bind most of the session data for future
internal queries, but let the user be overriden at the query site.
This patch does away with the SessionBoundInternalExecutor. It's
functionality is absorbed into the InternalExecutor. The ie now gets a
SetSessionData() method, used to bind session data. An extended query
interface is added, allowing some aspects of this session data to be
overriden on a per-query basis.
Release note: None