sql: fix data race in MemberOfWithAdminOption

[andyyang890]

This patch fixes a race condition in MemberOfWithAdminOption
by using a fresh transaction within the singleflight call.

Fixes #95642
Fixes #96539

Release note: None

[blathers-crl]

It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR?

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[cockroach-teamcity]

This change is 

[andyyang890]

This PR is an implementation of the idea discussed in #98469, but it seems to be hitting an issue where the system.role_members table appears to be empty. Is the modification time perhaps not set for the permanent upgrade that creates the initial row for (admin, root)?

[rafiss]

table appears to be empty. Is the modification time perhaps not set for the permanent upgrade that creates the initial row for (admin, root)?

that seems likely. if the modification time is not set, then we should be able to safely not change the txn timestamp -- since this means that the system.role_members table is in it's default state.

[ajwerner]

Modification time will always be set -- we assert it deeply. The fact that that migration fails to update it and set the version is sad. Maybe one thing we can do is detect version 1 and use a hard-coded set of data, or just keep the transaction timestamp?

[andyyang890]

or just keep the transaction timestamp?

Would you mind elaborating a bit more about what the advantages of the original suggestion to set a fixed timestamp were? Are those benefits not strictly required for correctness?

[rafiss]

If the version is 1, that means there have been no modifications to the table. So using a historical timestamp or the current timestamp would both return the same results.

[andyyang890]

If the version is 1, that means there have been no modifications to the table. So using a historical timestamp or the current timestamp would both return the same results.

I think the problem right now is that the permanent upgrade below inserts rows into the system.role_members table without bumping the table descriptor version. I'm guessing it would be unsafe to add code to the permanent upgrade that does the version bumping since it won't have been run on older clusters.

cockroach/pkg/upgrade/upgrades/permanent_upgrades.go

Lines 59 to 87 in 08f2dc4

	func addRootToAdminRole(ctx context.Context, txn isql.Txn) error {
	var upsertStmt string
	var upsertVals []interface{}
	{
	// We query the pg_attribute to determine whether the role_id and member_id
	// columns are present because we can't rely on version gates here.
	const pgAttributeStmt = `
	SELECT * FROM system.pg_catalog.pg_attribute
	WHERE attrelid = 'system.public.role_members'::REGCLASS
	AND attname IN ('role_id', 'member_id')
	LIMIT 1
	`
	if row, err := txn.QueryRow(ctx, "roleMembersColumnsGet", txn.KV(), pgAttributeStmt); err != nil {
	return err
	} else if row == nil {
	upsertStmt = `
	UPSERT INTO system.role_members ("role", "member", "isAdmin") VALUES ($1, $2, true)
	`
	upsertVals = []interface{}{username.AdminRole, username.RootUser}
	} else {
	upsertStmt = `
	UPSERT INTO system.role_members ("role", "member", "isAdmin", role_id, member_id) VALUES ($1, $2, true, $3, $4)
	`
	upsertVals = []interface{}{username.AdminRole, username.RootUser, username.AdminRoleID, username.RootUserID}
	}
	}
	_, err := txn.Exec(ctx, "addRootToAdminRole", txn.KV(), upsertStmt, upsertVals...)
	return err
	}

[rafiss]

Right, I'm saying that if the version is 1 then we know:

• the permanent upgrade has run (since the cluster isn't available until permanent upgrades are done)
• no modifications have been made to the table since the permanent upgrade ran

So we can work around this issue of the upgrade not bumping the version by just using the current timestamp for the txn timestamp.

Or to resurrect this thread #98469 (comment)

You don't want ReadTimestamp() I don't think. I think you want to take that descriptor you read for the role_memberships table and take its ModificationTime().

Maybe this is a case where we can use the outer txn's ReadTimestamp?

[andyyang890]

Ah I see, thanks for the clarification. I've updated the PR to do that!

[rafiss]

great! this lgtm, but just wanted to discuss my comment from one of the other PRs:

if possible, could we add a more targeted test that catches this bug? it feels kind of lucky to me that TestBackendDialTLS is the one that caught this. i could imagine that test being refactored in the future, and no longer catching a future regression on this.

We could add a test to pkg/sql/user_test.go that surfaces the bug? It's possible that TestGetUserTimeout already would have revealed the bug, but I see that test is skipped under race

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @ajwerner)

[andyyang890]

Looks like TestGetUserTimeout does catch the bug so I've unskipped it under race! I also removed the backport-22.2.x tag since this issue only started happening after the internal executor refactor, which was merged in 23.1.

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @ajwerner and @rafiss)

[andyyang890]

TFTR!

bors r=rafiss

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed:

• Bazel Essential CI (Cockroach)

[andyyang890]

bors retry

[craig]

Build succeeded:

• Bazel Essential CI (Cockroach)