Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Several statements were missing the DefaultDatabase method #8187

Merged
merged 1 commit into from
Apr 12, 2017
Merged

Several statements were missing the DefaultDatabase method #8187

merged 1 commit into from
Apr 12, 2017

Conversation

corylanou
Copy link
Contributor

@corylanou corylanou commented Mar 22, 2017
edited
Loading

Security depends on the default database context being present for some statements. These statements were missing that check:

&influxql.AlterRetentionPolicyStatement{},
&influxql.CreateRetentionPolicyStatement{},
&influxql.CreateSubscriptionStatement{},
&influxql.DropContinuousQueryStatement{},
&influxql.DropRetentionPolicyStatement{},
&influxql.DropSubscriptionStatement{},
Required for all non-trivial PRs
  • Rebased/mergable
  • Tests pass
  • CHANGELOG.md updated

@corylanou corylanou changed the title [Create/Drop]SubscriptionStatement should satisfies HasDefaultDatabas… Several statements were missing the DefaultDatabase method Mar 23, 2017
@corylanou corylanou force-pushed the cjl-create-subscription-add-default-database branch 3 times, most recently from 163c577 to c74d939 Compare March 23, 2017 14:51
@corylanou
Copy link
Contributor Author

@nathanielc let me know what you think about the test I put in place as a temporary "future proof" step. It's not ideal, but should allows us to ship this bug fix while we work on a stronger interface solution in the code base.

@dgnorton
Copy link
Contributor

I think we also need to consider statements with a FROM clause. E.g. DELETE FROM mydb..cpu This may also require further changes on PR #1174.

nathanielc
nathanielc suggested changes Mar 29, 2017
View reviewed changes
Copy link
Contributor

@nathanielc nathanielc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are 15 statements that are listed as exempt that should not be listed. See my internal comments for more details

@rbetts rbetts added review and removed in progress labels Apr 2, 2017
@corylanou corylanou force-pushed the cjl-create-subscription-add-default-database branch 3 times, most recently from c704a8a to b8f3b25 Compare April 10, 2017 20:45
@corylanou
Copy link
Contributor Author

@nathanielc can you re-review this and let me know if you have any outstanding concerns based on the other PR's that have been filed to support this? Thanks.

nathanielc
nathanielc suggested changes Apr 11, 2017
View reviewed changes
Copy link
Contributor

@nathanielc nathanielc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are still a few exempt statements that shouldn't be exempt as they specify a database.

influxql/ast_test.go Outdated
"ShowDiagnosticsStatement",
"ShowFieldKeysStatement",
"ShowGrantsForUserStatement",
"ShowMeasurementsStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one has a database

influxdb/influxql/ast.go

Line 2860 in b8f3b25

Database string

influxql/ast_test.go Outdated
"ShowContinuousQueriesStatement",
"ShowDatabasesStatement",
"ShowDiagnosticsStatement",
"ShowFieldKeysStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one too

influxdb/influxql/ast.go

Line 3281 in b8f3b25

Database string

influxql/ast_test.go
"GrantAdminStatement",
"KillQueryStatement",
"RevokeAdminStatement",
"SelectStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this one is handled separately but it has a default database for sure.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually it has the potential to have multiple databases, so it doesn't have a DefaultDatabase, which is why it is enforced at the iterator level.

influxql/ast_test.go Outdated
"CreateDatabaseStatement",
"CreateUserStatement",
"DeleteSeriesStatement",
"DeleteStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this statement also allow specifying a database.

@corylanou corylanou force-pushed the cjl-create-subscription-add-default-database branch 2 times, most recently from 83b9ff7 to 9e6c989 Compare April 11, 2017 21:28
nathanielc
nathanielc suggested changes Apr 12, 2017
View reviewed changes
Copy link
Contributor

@nathanielc nathanielc left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found several more the have statements that are not supposed to be exempt.

influxql/ast_test.go
exemptStatements := []string{
"CreateDatabaseStatement",
"CreateUserStatement",
"DeleteSeriesStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this one can have a database. There don't appear to be any docs on DeleteSeries so not 100% sure but the type has a source

influxdb/influxql/ast.go

Line 2689 in 9e6c989

Sources Sources

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can have multiple sources, so the iterators have to handle security. DefaultDatabase would not be appropriate for this one.

influxql/ast_test.go
"DeleteSeriesStatement",
"DropDatabaseStatement",
"DropMeasurementStatement",
"DropSeriesStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here

influxdb/influxql/ast.go

Line 2658 in 9e6c989

Sources Sources

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. If you have multiple sources, DefaultDatabase is the wrong mechanism to use.

influxql/ast_test.go Outdated
"ShowDiagnosticsStatement",
"ShowGrantsForUserStatement",
"ShowQueriesStatement",
"ShowRetentionPoliciesStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one has a database here

influxdb/influxql/ast.go

Line 2987 in 9e6c989

Database string

influxql/ast_test.go Outdated
"ShowGrantsForUserStatement",
"ShowQueriesStatement",
"ShowRetentionPoliciesStatement",
"ShowSeriesStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And this one here

influxdb/influxql/ast.go

Line 2598 in 9e6c989

Database string

influxql/ast_test.go Outdated
"ShowShardsStatement",
"ShowStatsStatement",
"ShowSubscriptionsStatement",
"ShowTagKeysStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And this one here

influxdb/influxql/ast.go

Line 3152 in 9e6c989

Database string

influxql/ast_test.go Outdated
"ShowStatsStatement",
"ShowSubscriptionsStatement",
"ShowTagKeysStatement",
"ShowTagValuesStatement",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And here

influxdb/influxql/ast.go

Line 3225 in 9e6c989

Database string

@corylanou corylanou force-pushed the cjl-create-subscription-add-default-database branch 2 times, most recently from 9462803 to d3e5861 Compare April 12, 2017 18:12
@corylanou corylanou force-pushed the cjl-create-subscription-add-default-database branch from d3e5861 to 9060a2a Compare April 12, 2017 18:41
@corylanou corylanou merged commit 4ca1327 into master Apr 12, 2017
@corylanou corylanou removed the review label Apr 12, 2017
@rbetts rbetts added this to the 1.3.0 milestone Apr 14, 2017
@rbetts rbetts mentioned this pull request Apr 26, 2017
Merged
9 tasks
@mark-rushakoff mark-rushakoff deleted the cjl-create-subscription-add-default-database branch September 7, 2017 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathanielc nathanielc nathanielc approved these changes

@dgnorton dgnorton dgnorton approved these changes

Assignees

@corylanou corylanou

Labels
None yet
Projects
None yet
Milestone
1.3.0
Development

Successfully merging this pull request may close these issues.
4 participants
@corylanou @dgnorton @nathanielc @rbetts