server: hook up tenant capabilities subsystem on startup
This patch wires up the tenant capabilities subsystem during server startup. This includes both starting the subsystem and adding a handle to the Authorizer so that it can be used by GRPC interceptors to perform authorization checks.

While working through this patch, I realized we can't instantiate an Authorizer with a handle to the tenant capability state (tenantcapabilities.Reader). This is because the aforementioned GRPC setup happens early on during the Server startup process, and at that point we do not have access to the dependencies required to set up the capabilities Watcher (which is what provides the Reader interface to the Authorizer). To break this dependency cycle, we end up with an approach to lazily bind the Reader to the Authorizer.

With the Authorizer wired up, we can now start using it to perform capability checks for incoming tenant requests. Currently, this is limited to batch requests. Note that the Authorizer is only responsible for performing capability checks -- other authorization checks, such as bounds checks, continue to happen outside of Authorizer.

This patch also adds a datadriven framework to test tenant capabilities end to end. The nice thing about it is it hides the asynchronous nature of capability checks from test writers. The hope is that we'll be able to extend this as we add more capabilities.

Informs #94643

Release note: None
1 parent 0ab83da, commit 724598b
Showing 59 changed files with 980 additions and 237 deletions.
1 change: 1 addition & 0 deletions
pkg/ccl/logictestccl/testdata/logic_test/partitioning_hash_sharded_index_mr
1 change: 1 addition & 0 deletions
pkg/ccl/logictestccl/testdata/logic_test/partitioning_hash_sharded_index_query_plan
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
# cluster-opt: can-admin-split | ||
# LogicTest: 5node !metamorphic-batch-sizes | ||
|
||
statement ok | ||
|
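Review bot: The `# cluster-opt: can-admin-split` directive at the top of this hunk has no accompanying explanation of why this test file needs it. Given the commit message says capability checks are now performed on tenant batch requests, a one-line comment naming the statements in the file that depend on the option would keep a later cleanup from dropping it by accident. Because the option applies to the whole file, it is also worth confirming that the denied path (the same kind of request with the capability absent) is exercised somewhere, for example in the new datadriven tests, so that the check itself stays covered and not only the allow case.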
1 change: 1 addition & 0 deletions
pkg/ccl/logictestccl/testdata/logic_test/regional_by_row_hash_sharded_index
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
load("//build/bazelutil/unused_checker:unused.bzl", "get_x_data") | ||
load("@io_bazel_rules_go//go:def.bzl", "go_test") | ||
|
||
go_test( | ||
name = "tenantcapabilitiesccl_test", | ||
srcs = [ | ||
"capabilities_test.go", | ||
"main_test.go", | ||
], | ||
args = ["-test.timeout=295s"], | ||
data = glob(["testdata/**"]), | ||
deps = [ | ||
"//pkg/base", | ||
"//pkg/ccl", | ||
"//pkg/kv/kvclient/rangefeed/rangefeedcache", | ||
"//pkg/multitenant/tenantcapabilities", | ||
"//pkg/multitenant/tenantcapabilities/tenantcapabilitieswatcher", | ||
"//pkg/security/securityassets", | ||
"//pkg/security/securitytest", | ||
"//pkg/security/username", | ||
"//pkg/server", | ||
"//pkg/settings/cluster", | ||
"//pkg/sql", | ||
"//pkg/testutils", | ||
"//pkg/testutils/datapathutils", | ||
"//pkg/testutils/serverutils", | ||
"//pkg/testutils/sqlutils", | ||
"//pkg/testutils/testcluster", | ||
"//pkg/util/hlc", | ||
"//pkg/util/leaktest", | ||
"//pkg/util/randutil", | ||
"//pkg/util/syncutil", | ||
"@com_github_cockroachdb_datadriven//:datadriven", | ||
"@com_github_cockroachdb_errors//:errors", | ||
"@com_github_stretchr_testify//require", | ||
], | ||
) | ||
|
||
get_x_data(name = "get_x_data") |
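Review bot: The `go_test` target sets `args = ["-test.timeout=295s"]` but no `size`, so it runs under Bazel's default medium size with its 300s limit. The dependency list (`//pkg/server`, `//pkg/testutils/testcluster`, `//pkg/kv/kvclient/rangefeed/rangefeedcache`) indicates these tests start servers, and the commit message says they wait on asynchronous capability updates. If that runs close to the limit under slower build configurations, set `size` explicitly and keep the Go timeout a few seconds below the matching Bazel limit, so a hang produces a Go stack dump instead of a Bazel kill.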