roachtest: make secure/non-root the default for new tests #63145
Comments
Might relate to this roachprod issue: #38539
114354: sql: ALTER PK carries over comments from old to new primary index r=Xiang-Gu a=Xiang-Gu

Fixes #114081

Release note (bug fix): Previously, when session variable `use_declarative_schema_changer=off`, ALTER PK would delete any comments associated with the old primary index and with the old primary key constraint. This is inconsistent with the behavior when `use_declarative_schema_changer=on`, which is the default setting, where those comments would be carried over to the new primary index. Furthermore, the old behavior also caused a bug that could prevent command `SHOW CREATE t` from working (see #114081).

114531: roachtest: use secure cluster and non-root user for kv workload r=rafiss a=rafiss

A recent performance regression (#114472) flew under the radar because we lack performance tests that use a non-root user. In advance of a full-throated effort to improve our tests across the board, this commit changes only the basic KV workload roachtests to use a non-root user.

informs #63145

Release note: None

114583: changefeedccl: Avoid logging when context may be canceled r=miretskiy a=miretskiy

Calling log methods on a context that's already canceled may produce "use of Span after Finish" under tests. Avoid doing that when pacing CPU usage.

Fixes #114130

Release note: None

Co-authored-by: Xiang Gu <xiang@cockroachlabs.com>
Co-authored-by: Rafi Shamim <rafi@cockroachlabs.com>
Co-authored-by: Yevgeniy Miretskiy <yevgeniy@cockroachlabs.com>
cc @cockroachdb/test-eng
Current State

At this time only a small subset of roachtests is executed in

By default,

The new mixed-version API defaults to

The other issue is the generated certs are not signed by a recognized root CA. Thus, by default HTTP clients will fail to verify the node cert. This is essentially another blocker for a number of existing roachtests. The immediate workaround is to skip this verification step; e.g., the following can be added as an option to

NOTE:

Authentication API

Host-based

Default host-based rules (HBA) permit root (admin) access via loopback as well as remote host access via client certs [4]. Thus, we can run sql as

Cert-based

Similarly, we can enable (client) cert-based authentication [5],

The

Password-based

We can also execute SQL via password-based authentication, e.g.,

HTTP API

Recall [1] requires programmatic authentication to adminURL via HTTP. It appears we may have to build such an API.

Programmatically (via roachprod API), we can also extract the most recent session id, but it's best not to rely on these implementation details; i.e., create and use an HTTP API instead.

[1]
[2] cockroach/pkg/cmd/roachtest/roachtestutil/mixedversion/mixedversion.go Lines 139 to 141 in 51ead2a
[3] #115317
[4] cockroach/pkg/sql/pgwire/hba_conf.go Lines 296 to 301 in 51ead2a
[5] https://www.cockroachlabs.com/docs/v22.2/cockroach-cert#create-the-certificate-and-key-pair-for-a-client
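One way to address the two HTTP points above (verifying the generated node cert against the cluster's own CA instead of skipping verification, and authenticating to the admin endpoint with an extracted session ID), as an added example that is not code from the cockroach repo: it assumes the DB Console session cookie is named `session`, and stands a self-signed httptest server in for a node.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const SessionCookieName = "session" // DB Console session cookie (assumed name)

// sessionTransport attaches the extracted session ID as a cookie to every request.
type sessionTransport struct{ base http.RoundTripper; sessionID string }

func (t sessionTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r = r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
	r.AddCookie(&http.Cookie{Name: SessionCookieName, Value: t.sessionID})
	return t.base.RoundTrip(r)
}

// NewSecureHTTPClient pins the cluster's own CA (no InsecureSkipVerify) and adds the session cookie.
func NewSecureHTTPClient(clusterCA *x509.Certificate, sessionID string) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(clusterCA)
	tlsTransport := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: sessionTransport{base: tlsTransport, sessionID: sessionID}}
}

// NewFakeAdminServer mimics a node's HTTPS endpoint: self-signed cert, session cookie required.
func NewFakeAdminServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(SessionCookieName); err != nil || c.Value == "" {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := NewFakeAdminServer()
	defer srv.Close()
	_, err := http.DefaultClient.Get(srv.URL) // fails: node cert is not signed by a trusted CA
	fmt.Println("default client:", err)
	resp, err := NewSecureHTTPClient(srv.Certificate(), "constructed-session-id").Get(srv.URL)
	if err == nil {
		fmt.Println("pinned-CA client:", resp.Status) // 200 OK
	}
}
```

In a real test the CA would be loaded from the cluster's certs directory and the session ID from the `extract session ID` helper; both are constructed here.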
Not sure what is meant here, but the passwords should be persisted? We use them to log in to the DB console after the cluster is set up.
I just meant that the user/password is not currently persisted with the rest of the (roachprod) cluster metadata, which makes it hard to reuse programmatically, e.g., invoking a console endpoint via HTTP client.
cc @cockroachdb/test-eng
Linking another authentication example from Renato [1] which retrieves the session id via (cockroach) CLI,
117677: server: wait for all KV nodes to observe tenant stop request r=stevendanna a=stevendanna

In order to make it possible for a caller to know that no new SQL requests will be served by a tenant after a STOP command, this PR adds a new STOPPING state. While nodes are in the STOPPING state, KV requests will be rejected. We then wait for all nodes to observe the STOPPING state before transitioning the cluster to NONE.

Epic: none

Release note: None

118504: roachtest: create secure clusters by default r=renatolabs a=DarrylWong

Previously, the default for roachtests was to create insecure clusters. This change now switches the default to create secure clusters, allowing tests to opt out as needed. To support this, the following changes were made:

1. Refactor PGUrl functions to use PGURLOptions instead of tenant/SQLInstance, which were usually not specified anyway. This change allows us to add an authMode option, which we currently only use to specify root user authentication but in the future can use to allow for non root authentication.
2. Add helpers to extract session ID and create an HTTP Client with the extracted session ID. This lets us create HTTP Requests to secure clusters.
3. Explicitly specify a connection string with a root certificate or a certs directory when connecting to a cluster. If not specified, the connection will be rejected as the default behavior is to authenticate with root and no certificates. Many tests already did this through specifying `{pgurl}`.

Follow up work would be to start using non root user everywhere now that we are running on secure clusters and have the ability to easily generate non root urls.

Release note: None

Epic: None

Informs: #63145

119007: catalog: fix tracking of id and name state r=rafiss a=rafiss

This allows us to re-enable the COMMENT ON statements in the schemachange workload. The previous code only updated the entries that were already in the byIDState map. However, some descriptor IDs may not be in that map, so instead we should add everything we just read into the map.

fixes #116795

Release note (bug fix): Fixed a bug where COMMENT statements could fail with an "unexpected value" error if multiple COMMENT statements were running concurrently.

119012: technotes: add tech notes for sql statistics r=maryliag a=maryliag

Add the tech notes of the values generated for statement and transaction statistics.

Part Of CRDB-35839

Release note: None

Co-authored-by: Steven Danna <danna@cockroachlabs.com>
Co-authored-by: DarrylWong <darryl@cockroachlabs.com>
Co-authored-by: Rafi Shamim <rafi@cockroachlabs.com>
Co-authored-by: maryliag <marylia@cockroachlabs.com>
Most of our roachtests use the root user on insecure clusters, which is not realistic. Now that we have one roachtest which does the proper thing, let's look at making that the default behavior for future tests. This should also make it easier to switch over existing tests.
Jira issue: CRDB-6444