multitenant: add can_prepare_txns tenant capability

Informs cockroachdb#22329. This commit adds a new `can_prepare_txns` tenant capability, so that we don't allow secondary tenants to prepare transactions by default. Allowing an untrusted tenant to prepare transactions would allow it to block the progress of system-wide backups, so it is too dangerous to allow by default. Release note: None
nvanbenschoten · Dec 18, 2024 · 7b23988 · 7b23988
1 parent 302f9bd
commit 7b23988
Show file tree

Hide file tree

Showing 14 changed files with 319 additions and 39 deletions.
diff --git a/pkg/ccl/logictestccl/testdata/logic_test/tenant_capability b/pkg/ccl/logictestccl/testdata/logic_test/tenant_capability
@@ -37,6 +37,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -64,6 +65,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -84,6 +86,7 @@ can_admin_split            false
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -111,6 +114,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -138,6 +142,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -165,6 +170,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         true
@@ -185,6 +191,7 @@ can_admin_split            false
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -205,6 +212,7 @@ can_admin_split            false
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -225,6 +233,7 @@ can_admin_split            false
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -246,6 +255,7 @@ can_admin_split            true
 can_admin_unsplit          true
 can_check_consistency      true
 can_debug_process          true
+can_prepare_txns           true
 can_use_nodelocal_storage  true
 can_view_all_metrics       true
 can_view_node_info         true
@@ -289,6 +299,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -320,6 +331,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -356,6 +368,7 @@ can_admin_split            true
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -376,6 +389,7 @@ can_admin_split            false
 can_admin_unsplit          false
 can_check_consistency      false
 can_debug_process          false
+can_prepare_txns           false
 can_use_nodelocal_storage  false
 can_view_all_metrics       false
 can_view_node_info         false
@@ -396,6 +410,7 @@ can_admin_split            true
 can_admin_unsplit          true
 can_check_consistency      true
 can_debug_process          true
+can_prepare_txns           true
 can_use_nodelocal_storage  true
 can_view_all_metrics       true
 can_view_node_info         true

diff --git a/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go b/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go
diff --git a/pkg/ccl/multitenantccl/tenantcapabilitiesccl/capabilities_test.go b/pkg/ccl/multitenantccl/tenantcapabilitiesccl/capabilities_test.go
@@ -8,6 +8,7 @@ package tenantcapabilitiesccl
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/cockroachdb/cockroach/pkg/base"
@@ -112,7 +113,10 @@ func TestDataDriven(t *testing.T) {
 				})
 				_, err := tenantSQLDB.Exec(d.Input)
 				if err != nil {
-					return err.Error()
+					errStr := err.Error()
+					// Redact transaction IDs from error strings, for determinism.
+					errStr = regexp.MustCompile(`\[txn: [0-9a-f]+]`).ReplaceAllString(errStr, `[txn: ‹×›]`)
+					return errStr
 				}
 
 			case "exec-sql-tenant":

diff --git a/pkg/ccl/multitenantccl/tenantcapabilitiesccl/testdata/can_prepare_txns b/pkg/ccl/multitenantccl/tenantcapabilitiesccl/testdata/can_prepare_txns
@@ -0,0 +1,133 @@
+query-sql-system
+SELECT * FROM [SHOW TENANT [10] WITH CAPABILITIES] WHERE capability_name = 'can_prepare_txns'
+----
+10 cluster-10 ready external can_prepare_txns false
+
+exec-sql-tenant
+CREATE TABLE t(a INT PRIMARY KEY)
+----
+ok
+
+# By default, we should not be able to prepare transactions.
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn1'
+----
+pq: ba: QueryIntent [/Tenant/10/Table/104/1/1/0], EndTxn(commit) [/Tenant/10/Table/104/1/1/0], [txn: ‹×›], [can-forward-ts] RPC error: rpc error: code = Unauthenticated desc = client tenant does not have capability "can_prepare_txns" (*kvpb.EndTxnRequest)
+
+
+# Grant the capability.
+update-capabilities
+ALTER TENANT [10] GRANT CAPABILITY can_prepare_txns=true
+----
+ok
+
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn2'
+----
+ok
+
+exec-privileged-op-tenant
+ROLLBACK PREPARED 'txn2'
+----
+ok
+
+
+# Revoke the capability using REVOKE syntax.
+update-capabilities
+ALTER TENANT [10] REVOKE CAPABILITY can_prepare_txns
+----
+ok
+
+# Prepared transactions should no longer work.
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn3'
+----
+pq: ba: QueryIntent [/Tenant/10/Table/104/1/1/0], EndTxn(commit) [/Tenant/10/Table/104/1/1/0], [txn: ‹×›], [can-forward-ts] RPC error: rpc error: code = Unauthenticated desc = client tenant does not have capability "can_prepare_txns" (*kvpb.EndTxnRequest)
+
+
+# However, transactions that have not acquired locks are able to be prepared,
+# since they don't actually prepare a transaction record in the KV layer. This
+# isn't necessarily intentional, but it is also not harmful or worth changing.
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+SELECT * FROM t
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn4'
+----
+ok
+
+exec-privileged-op-tenant
+COMMIT PREPARED 'txn4'
+----
+ok
+
+
+# Grant the capability one more time.
+update-capabilities
+ALTER TENANT [10] GRANT CAPABILITY can_prepare_txns
+----
+ok
+
+exec-privileged-op-tenant
+BEGIN
+----
+ok
+
+exec-privileged-op-tenant
+INSERT INTO t VALUES (1)
+----
+ok
+
+exec-privileged-op-tenant
+PREPARE TRANSACTION 'txn5'
+----
+ok
+
+# Revoke the capability one more time, which will **not** prevent us from
+# committing (or rolling back) the already prepared transaction.
+update-capabilities
+ALTER TENANT [10] REVOKE CAPABILITY can_prepare_txns
+----
+ok
+
+exec-privileged-op-tenant
+COMMIT PREPARED 'txn5'
+----
+ok
diff --git a/pkg/multitenant/tenantcapabilities/capabilities.go b/pkg/multitenant/tenantcapabilities/capabilities.go
@@ -92,6 +92,10 @@ const (
 	// metrics, but this implementation is simpler).
 	CanViewAllMetrics // can_view_all_metrics
 
+	// CanPrepareTxns describes the ability of a tenant to prepare transactions as
+	// part of the XA two-phase commit protocol.
+	CanPrepareTxns // can_prepare_txns
+
 	MaxCapabilityID ID = iota - 1
 )
 
@@ -124,6 +128,7 @@ var capabilities = [MaxCapabilityID + 1]Capability{
 	TenantSpanConfigBounds: spanConfigBoundsCapability(TenantSpanConfigBounds),
 	CanDebugProcess:        boolCapability(CanDebugProcess),
 	CanViewAllMetrics:      boolCapability(CanViewAllMetrics),
+	CanPrepareTxns:         boolCapability(CanPrepareTxns),
 }
 
 // EnableAll enables maximum access to services.

diff --git a/pkg/multitenant/tenantcapabilities/id_string.go b/pkg/multitenant/tenantcapabilities/id_string.go