multitenant: add can_prepare_txns tenant capability
Informs #22329. This commit adds a new `can_prepare_txns` tenant capability, so that we don't allow secondary tenants to prepare transactions by default. Allowing an untrusted tenant to prepare transactions would allow it to block the progress of system-wide backups, so it is too dangerous to allow by default. Release note: None
1 parent
302f9bd
commit 7b23988
Showing
14 changed files
with
319 additions
and
39 deletions.
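--- a/pkg/ccl/multitenantccl/tenantcapabilitiesccl/testdata/can_prepare_txns
+++ b/pkg/ccl/multitenantccl/tenantcapabilitiesccl/testdata/can_prepare_txns
@@ -0,0 +1,133 @@
+query-sql-system
+SELECT * FROM [SHOW TENANT [10] WITH CAPABILITIES] WHERE capability_name = 'can_prepare_txns'
+----
+10 cluster-10 ready external can_prepare_txns false
+
+exec-sql-tenant
+CREATE TABLE t(a INT PRIMARY KEY)
+----
+ok
+
+# By default, we should not be able to prepare transactions.
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn1'
+----
+pq: ba: QueryIntent [/Tenant/10/Table/104/1/1/0], EndTxn(commit) [/Tenant/10/Table/104/1/1/0], [txn: ‹×›], [can-forward-ts] RPC error: rpc error: code = Unauthenticated desc = client tenant does not have capability "can_prepare_txns" (*kvpb.EndTxnRequest)
+
+
+# Grant the capability.
+update-capabilities
+ALTER TENANT [10] GRANT CAPABILITY can_prepare_txns=true
+----
+ok
+
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn2'
+----
+ok
+
+exec-privileged-op-tenant
+ROLLBACK PREPARED 'txn2'
+----
+ok
+
+
+# Revoke the capability using REVOKE syntax.
+update-capabilities
+ALTER TENANT [10] REVOKE CAPABILITY can_prepare_txns
+----
+ok
+
+# Prepared transactions should no longer work.
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn3'
+----
+pq: ba: QueryIntent [/Tenant/10/Table/104/1/1/0], EndTxn(commit) [/Tenant/10/Table/104/1/1/0], [txn: ‹×›], [can-forward-ts] RPC error: rpc error: code = Unauthenticated desc = client tenant does not have capability "can_prepare_txns" (*kvpb.EndTxnRequest)
+
+
+# However, transactions that have not acquired locks are able to be prepared,
+# since they don't actually prepare a transaction record in the KV layer. This
+# isn't necessarily intentional, but it is also not harmful or worth changing.
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+SELECT * FROM t
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn4'
+----
+ok
+
+exec-privileged-op-tenant
+COMMIT PREPARED 'txn4'
+----
+ok
+
+
+# Grant the capability one more time.
+update-capabilities
+ALTER TENANT [10] GRANT CAPABILITY can_prepare_txns
+----
+ok
+
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn5'
+----
+ok
+
+# Revoke the capability one more time, which will **not** prevent us from
+# committing (or rolling back) the already prepared transaction.
+update-capabilities
+ALTER TENANT [10] REVOKE CAPABILITY can_prepare_txns
+----
+ok
+
+exec-privileged-op-tenant
+COMMIT PREPARED 'txn5'
+----
+ok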
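Review bot: The comment above the `txn4` case (a read-only transaction prepared without the capability) says the gap is "not harmful" but not why, and that reason is exactly what a later reader tightening the check needs; I would extend it to `# With no KV transaction record there are no intents for a system-wide backup to wait on, which is the only risk this capability guards against.` — that rationale comes from the commit description rather than from this file, so confirm it before committing to it. The `txn1` and `txn3` expectations pin the rejection as gRPC `Unauthenticated` although a missing capability is an authorization failure rather than a credential one; if that code is inherited from the shared capability check it is pre-existing, but a one-line comment in the testdata would stop the next reader from chasing it as an auth bug. The closing comment claims revocation blocks neither commit nor rollback of an already prepared transaction, yet only `COMMIT PREPARED 'txn5'` is exercised after the revoke; a second prepared transaction finished with `ROLLBACK PREPARED` after revocation would cover the other half.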