release-23.1: sql: block DROP TENANT based on a session var #100022
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport 1/1 commits from #99607 on behalf of @knz.
/cc @cockroachdb/release
Fixes #97972.
Epic: CRDB-23559
In clusters where we will promote tenant management operations, we would like to ensure there is one extra step needed for administrators to drop a tenant (and thus irremedially lose data). Given that
sql_safe_updates
is not set automatically when users open their SQL session using their own client, we need another mechanism.This change introduces the new (hidden) session var,
disable_drop_tenant
. When set, tenant deletion fails with the following error message:(The session var
sql_safe_updates
is also included as a blocker in the mechanism so that folk usingcockroach sql
get double protection).The default value of this session var is
false
in single-tenant clusters, for compatibility with CC Serverless. It will be set totrue
via a config profile (#98466) when suitable.Release note: None
Release justification: critical bit of functionality