Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADD: support sql block rule #6192

Merged
merged 14 commits into from
Aug 13, 2021
Merged

ADD: support sql block rule #6192

merged 14 commits into from
Aug 13, 2021

Conversation

stalary
Copy link
Contributor

@stalary stalary commented Jul 9, 2021
edited
Loading

Proposed changes

Support configuring sql_block_rule by user level to deny the specified SQL

Types of changes

What types of changes does your code introduce to Doris?
Put an x in the boxes that apply

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation Update (if none of the other choices apply)
  • Code refactor (Modify the code structure, format the code, etc...)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

@morningman morningman added area/sql-block-list kind/feature Categorizes issue or PR as related to a new feature. labels Jul 9, 2021
morningman
morningman reviewed Jul 9, 2021
View reviewed changes
fe/fe-core/src/main/cup/sql_parser.cup Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/analysis/AlterSqlBlockRuleStmt.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/analysis/AlterSqlBlockRuleStmt.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/analysis/AlterSqlBlockRuleStmt.java Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/analysis/CreateSqlBlockRuleStmt.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/persist/EditLog.java Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/catalog/Catalog.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java Outdated Show resolved Hide resolved
fe/fe-core/src/test/java/org/apache/doris/qe/StmtExecutorTest.java Outdated Show resolved Hide resolved
@xinghuayu007
Copy link
Contributor

I think this feature is used to block some abnormal sql, for example , sql caused core. Is it need to limit the number of rules, which will occupied a lot of memory. Is is better to store the hash value of a sql, not the sql self, when a sql is very long?

@stalary
Copy link
Contributor Author

stalary commented Jul 12, 2021

I think this feature is used to block some abnormal sql, for example , sql caused core. Is it need to limit the number of rules, which will occupied a lot of memory. Is is better to store the hash value of a sql, not the sql self, when a sql is very long?

At present, in my scenario, some special user are not allowed to join, and some large tables are not allowed to query the full table, really do not need too many rules

@morningman
Copy link
Contributor

I think this feature is used to block some abnormal sql, for example , sql caused core. Is it need to limit the number of rules, which will occupied a lot of memory. Is is better to store the hash value of a sql, not the sql self, when a sql is very long?

Using hash to block problematic SQL may also be a practical requirement. In some cases, we need to quickly block some SQL that affects the cluster through the block rules. There are pros and cons to using regular expressions or hash values:

  1. It is more flexible for regular expressions, and can match a series of sql through one rule. But the disadvantage is that the threshold for using regular expressions is high, and wrong expressions may result in matching wrong SQL.

  2. The disadvantage of Hash value is that it can only perform complete matching, but it takes up less space and matches more quickly. But any change in SQL will cause a change in its hash value, such as spaces, line breaks, and so on. Therefore, I suggest that we can print the hash value corresponding to sql in fe.audit.log, so that users can conveniently use the hash value in the log to quickly add block rule.

In summary, we can implement two block rules, one based on hash and the other based on regular expressions.

@stalary
Copy link
Contributor Author

stalary commented Jul 13, 2021

I think this feature is used to block some abnormal sql, for example , sql caused core. Is it need to limit the number of rules, which will occupied a lot of memory. Is is better to store the hash value of a sql, not the sql self, when a sql is very long?

Using hash to block problematic SQL may also be a practical requirement. In some cases, we need to quickly block some SQL that affects the cluster through the block rules. There are pros and cons to using regular expressions or hash values:

  1. It is more flexible for regular expressions, and can match a series of sql through one rule. But the disadvantage is that the threshold for using regular expressions is high, and wrong expressions may result in matching wrong SQL.
  2. The disadvantage of Hash value is that it can only perform complete matching, but it takes up less space and matches more quickly. But any change in SQL will cause a change in its hash value, such as spaces, line breaks, and so on. Therefore, I suggest that we can print the hash value corresponding to sql in fe.audit.log, so that users can conveniently use the hash value in the log to quickly add block rule.

In summary, we can implement two block rules, one based on hash and the other based on regular expressions.

Okay, I'm going to support both matches

morningman
morningman reviewed Jul 25, 2021
View reviewed changes
docs/zh-CN/administrator-guide/block-rule/sql-block.md Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/analysis/AlterSqlBlockRuleStmt.java Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRule.java Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRuleMgr.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRuleMgr.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRuleMgr.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRuleMgr.java Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRuleMgr.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/qe/ConnectProcessor.java Outdated Show resolved Hide resolved
fe/fe-core/src/main/java/org/apache/doris/qe/ConnectProcessor.java Outdated Show resolved Hide resolved
@stalary stalary force-pushed the support_sql_block_rule branch 2 times, most recently from 2a51703 to b0c8bcc Compare July 27, 2021 06:44
@stalary stalary force-pushed the support_sql_block_rule branch from b1aa4ef to 80ce658 Compare August 8, 2021 07:48
@stalary stalary force-pushed the support_sql_block_rule branch from 71423dd to 2e0b697 Compare August 8, 2021 15:32
morningman
morningman previously approved these changes Aug 9, 2021
View reviewed changes
Copy link
Contributor

@morningman morningman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions github-actions bot added the approved Indicates a PR has been approved by one committer. label Aug 9, 2021
@github-actions
Copy link
Contributor

github-actions bot commented Aug 9, 2021

PR approved by at least one committer and no changes requested.

@github-actions
Copy link
Contributor

github-actions bot commented Aug 9, 2021

PR approved by anyone and no changes requested.

@github-actions github-actions bot removed the approved Indicates a PR has been approved by one committer. label Aug 9, 2021
@stalary stalary force-pushed the support_sql_block_rule branch from 5d5bb52 to a4b6d49 Compare August 12, 2021 14:40
morningman
morningman approved these changes Aug 12, 2021
View reviewed changes
Copy link
Contributor

@morningman morningman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions github-actions bot added the approved Indicates a PR has been approved by one committer. label Aug 12, 2021
@github-actions
Copy link
Contributor

PR approved by at least one committer and no changes requested.

@morningman morningman merged commit 5e6f1b8 into apache:master Aug 13, 2021
songchuangyuan pushed a commit to songchuangyuan/incubator-doris that referenced this pull request Aug 20, 2021
@stalary
[Feature] Support sql block rule (apache#6192)
3a28b02 
Support grammar:
- SHOW SQL_BLOCK_RULE [FOR NAME]
- CREATE SQL_BLOCK_RULE test_rule PROPERTIES ("user"="default", "sql"="select .* from .* join .*", "enable": "true");
- ALTER SQL_BLOCK_RULE test_rule PROPERTIES ("user"="test_user", "enable": "false");
- DROP SQL_BLOCK_RULE test_rule1,test_rule2;
@ccoffline ccoffline mentioned this pull request Sep 8, 2021
Merged
13 tasks
@morningman morningman mentioned this pull request Oct 14, 2021
Closed
songchuangyuan pushed a commit to songchuangyuan/incubator-doris that referenced this pull request Oct 18, 2021
@stalary
[Feature] Support sql block rule (apache#6192)
8153155 
Support grammar:
- SHOW SQL_BLOCK_RULE [FOR NAME]
- CREATE SQL_BLOCK_RULE test_rule PROPERTIES ("user"="default", "sql"="select .* from .* join .*", "enable": "true");
- ALTER SQL_BLOCK_RULE test_rule PROPERTIES ("user"="test_user", "enable": "false");
- DROP SQL_BLOCK_RULE test_rule1,test_rule2;
@stalary stalary deleted the support_sql_block_rule branch November 11, 2022 00:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@morningman morningman morningman approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by one committer. area/sql-block-list kind/feature Categorizes issue or PR as related to a new feature. reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stalary @xinghuayu007 @morningman