Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

*: add privilege check for slow_query and cluster memory table #14451

Merged
merged 21 commits into from
Feb 12, 2020
Merged

*: add privilege check for slow_query and cluster memory table #14451

merged 21 commits into from
Feb 12, 2020

Conversation

crazycs520
Copy link
Contributor

@crazycs520 crazycs520 commented Jan 11, 2020
edited
Loading

What problem does this PR solve?

Before this PR, TiDB doesn't have a privilege check on below tables:

  • SLOW_QUERY
  • CLUSTER_SLOW_QUERY
  • CLUSTER_PROCESSLIST

Mainly, there is 2 points need to do:

First

For doing privilege checks in the cluster table, we need to add user and host info to RPC request. It needs to change the tipb protobuf, see PR: pingcap/tipb#169

Second

What kind of privilege is needed for query SLOW_QUERY? I think the information in SLOW_QUERY and PROCESSLIST is the same, So I use the same PROCESS privilege for checking SLOW_QUERY and CLUSTER_SLOW_QUERY privilege.

eg:

-- For user root: 
mysql -u root -h 127.0.0.1 -P 4000
tidb>select user,count(*) from `CLUSTER_SLOW_QUERY` group by user;
+------+----------+
| user | count(*) |
+------+----------+
| test | 2        |
| root | 95622    |
|      | 743      |       -- name is "" means it is a internal sql.
+------+----------+
tidb>select * from `CLUSTER_PROCESSLIST`;
+---------------+----+------+-----------+--------------------+---------+------+-------+-------------------------------------+-----+----------------------------------------+
| ADDRESS       | ID | USER | HOST      | DB                 | COMMAND | TIME | STATE | INFO                                | MEM | TxnStart                               |
+---------------+----+------+-----------+--------------------+---------+------+-------+-------------------------------------+-----+----------------------------------------+
| 0.0.0.0:10080 | 4  | test | 127.0.0.1 | information_schema | Sleep   | 131  | 2     | <null>                              | 0   |                                        |
| 0.0.0.0:10080 | 8  | test | 127.0.0.1 | <null>             | Query   | 40   | 2     | select sleep(100)                   | 0   |                                        |
| 0.0.0.0:10080 | 10 | root | 127.0.0.1 | <null>             | Query   | 27   | 2     | select sleep(100)                   | 0   |                                        |
| 0.0.0.0:10080 | 1  | root | 127.0.0.1 | information_schema | Query   | 0    | 2     | select * from `CLUSTER_PROCESSLIST` | 0   | 01-11 15:02:32.451(413853588508114945) |
+---------------+----+------+-----------+--------------------+---------+------+-------+-------------------------------------+-----+----------------------------------------+

-- At the same time:
-- For user test:
mysql -u test -h 127.0.0.1 -P 4000
tidb>select user,count(*) from `CLUSTER_SLOW_QUERY` group by user;
+------+----------+
| user | count(*) |
+------+----------+
| test | 2        |
+------+----------+
tidb>select * from `CLUSTER_PROCESSLIST`;
+---------------+----+------+-----------+--------------------+---------+------+-------+-------------------------------------+-----+----------------------------------------+
| ADDRESS       | ID | USER | HOST      | DB                 | COMMAND | TIME | STATE | INFO                                | MEM | TxnStart                               |
+---------------+----+------+-----------+--------------------+---------+------+-------+-------------------------------------+-----+----------------------------------------+
| 0.0.0.0:10080 | 8  | test | 127.0.0.1 | <null>             | Query   | 62   | 2     | select sleep(100)                   | 0   |                                        |
| 0.0.0.0:10080 | 4  | test | 127.0.0.1 | information_schema | Query   | 0    | 2     | select * from `CLUSTER_PROCESSLIST` | 0   | 01-11 15:02:54.450(413853594275020801) |
+---------------+----+------+-----------+--------------------+---------+------+-------+-------------------------------------+-----+----------------------------------------+

What is changed and how it works?

Check List

Tests

  • Unit test
  • Manual test (add detailed scripts or steps below)

Code changes

  • Has exported function/method change

Side effects

Related changes

  • Need to cherry-pick to the release branch

Release note

  • Add privilege check for slow_query.

@crazycs520 crazycs520 mentioned this pull request Jan 11, 2020
Closed
@crazycs520 crazycs520 requested a review from a team as a code owner January 14, 2020 13:21
@ghost ghost requested review from alivxxx and lzmhhh123 and removed request for a team January 14, 2020 13:21
@crazycs520 crazycs520 mentioned this pull request Jan 14, 2020
Merged
@crazycs520
Copy link
Contributor Author

CI failed in go.mod, after tipb pr pingcap/tipb#169 merged and update go.mod, ci will happy.

@crazycs520
Copy link
Contributor Author

@tiancaiamao PTAL

@tiancaiamao
Copy link
Contributor

LGTM

@tiancaiamao tiancaiamao added the status/LGT1 Indicates that a PR has LGTM 1. label Feb 4, 2020
reafans
reafans reviewed Feb 10, 2020
View reviewed changes
executor/builder.go Outdated Show resolved Hide resolved
AilinKid
AilinKid reviewed Feb 11, 2020
View reviewed changes
Copy link
Contributor

@AilinKid AilinKid left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rest LGTM.

go.sum Outdated Show resolved Hide resolved
infoschema/slow_log.go Show resolved Hide resolved
infoschema/tables_test.go Show resolved Hide resolved
privilege/privileges/privileges.go Show resolved Hide resolved
crazycs520 and others added 2 commits February 12, 2020 12:48
@crazycs520 @reafans
Update executor/builder.go
dbf242f 
Co-Authored-By: reafans <30926443+reafans@users.noreply.github.com>
@crazycs520
address comment
a25b061 
Signed-off-by: crazycs <crazycs520@gmail.com>
@reafans
Copy link
Contributor

reafans commented Feb 12, 2020

Rest LGTM. Wait for the CI fixed.

@crazycs520
update go.mod
1af1b1d 
Signed-off-by: crazycs <crazycs520@gmail.com>
@crazycs520 crazycs520 added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Feb 12, 2020
@crazycs520
Copy link
Contributor Author

/run-all-tests

@crazycs520
Copy link
Contributor Author

/rebuild

3 similar comments
@crazycs520
Copy link
Contributor Author

/rebuild

@crazycs520
Copy link
Contributor Author

/rebuild

@crazycs520
Copy link
Contributor Author

/rebuild

@crazycs520
Copy link
Contributor Author

/rebuild

2 similar comments
@crazycs520
Copy link
Contributor Author

/rebuild

@crazycs520
Copy link
Contributor Author

/rebuild

@crazycs520
Copy link
Contributor Author

/rebuild

1 similar comment
@crazycs520
Copy link
Contributor Author

/rebuild

reafans
reafans approved these changes Feb 12, 2020
View reviewed changes
Copy link
Contributor

@reafans reafans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@crazycs520 crazycs520 merged commit fa04a32 into pingcap:master Feb 12, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tiancaiamao tiancaiamao tiancaiamao left review comments

@AilinKid AilinKid AilinKid left review comments

@reafans reafans reafans approved these changes

@alivxxx alivxxx Awaiting requested review from alivxxx

@lzmhhh123 lzmhhh123 Awaiting requested review from lzmhhh123

Assignees
No one assigned
Labels
status/LGT2 Indicates that a PR has LGTM 2. type/usability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@crazycs520 @tiancaiamao @reafans @AilinKid