Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-23.1: sql: block DROP TENANT based on a session var #100022

Merged
merged 1 commit into from
Mar 30, 2023
Merged

release-23.1: sql: block DROP TENANT based on a session var #100022

merged 1 commit into from
Mar 30, 2023

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented Mar 30, 2023
edited by knz
Loading

Backport 1/1 commits from #99607 on behalf of @knz.

/cc @cockroachdb/release

Fixes #97972.
Epic: CRDB-23559

In clusters where we will promote tenant management operations, we would like to ensure there is one extra step needed for administrators to drop a tenant (and thus irremedially lose data). Given that sql_safe_updates is not set automatically when users open their SQL session using their own client, we need another mechanism.

This change introduces the new (hidden) session var, disable_drop_tenant. When set, tenant deletion fails with the following error message:

demo@127.0.0.1:26257/movr> drop tenant foo;
ERROR: rejected (via sql_safe_updates or disable_drop_tenant): DROP TENANT causes irreversible data loss
SQLSTATE: 01000

(The session var sql_safe_updates is also included as a blocker in the mechanism so that folk using cockroach sql get double protection).

The default value of this session var is false in single-tenant clusters, for compatibility with CC Serverless. It will be set to true via a config profile (#98466) when suitable.

Release note: None

Release justification: critical bit of functionality

@knz
sql: block DROP TENANT based on a session var
113ebcf 
In clusters where we will promote tenant management operations, we
would like to ensure there is one extra step needed for administrators
to drop a tenant (and thus irremedially lose data). Given that
`sql_safe_updates` is not set automatically when users open their
SQL session using their own client, we need another mechanism.

This change introduces the new (hidden) session var,
`disable_drop_tenant`. When set, tenant deletion fails with the
following error message:

```
demo@127.0.0.1:26257/movr> drop tenant foo;
ERROR: rejected (via sql_safe_updates or disable_drop_tenant): DROP TENANT causes irreversible data loss
SQLSTATE: 01000
```

(The session var `sql_safe_updates` is _also_ included as a blocker in
the mechanism so that folk using `cockroach sql` get double
protection).

The default value of this session var is `false` in single-tenant
clusters (set via a cluster setting `sql.drop_tenant.enabled`), for
compatibility with CC Serverless. The default will be set to `true`
via a config profile when suitable.

Release note: None
@blathers-crl blathers-crl bot requested a review from a team as a code owner March 30, 2023 05:35
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.1-99607 branch from aec78f3 to 0b769bf Compare March 30, 2023 05:35
@blathers-crl blathers-crl bot requested a review from mgartner March 30, 2023 05:35
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.1-99607 branch from 33963fc to 113ebcf Compare March 30, 2023 05:35
@blathers-crl
Copy link
Author

blathers-crl bot commented Mar 30, 2023
edited by knz
Loading

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues or test-only changes.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
  • Patches must not add, edit, or otherwise modify cluster versions; or add version gates.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Mar 30, 2023
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@knz knz merged commit 9d70e72 into release-23.1 Mar 30, 2023
@knz knz deleted the blathers/backport-release-23.1-99607 branch March 30, 2023 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendanna stevendanna stevendanna approved these changes

@mgartner mgartner Awaiting requested review from mgartner mgartner was automatically assigned from cockroachdb/sql-queries

@knz knz Awaiting requested review from knz

@rafiss rafiss Awaiting requested review from rafiss

@yuzefovich yuzefovich Awaiting requested review from yuzefovich

Assignees

@knz knz

Labels
blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cockroach-teamcity @stevendanna @knz