-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kvserver: tenants can trace into KV #70407
Comments
tbg
added
the
C-bug
Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior.
label
Sep 20, 2021
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Sep 20, 2021
Touches cockroachdb#70407. It does not exactly fix it, as the approach here is a blocklist on our main KV endpoint, whereas we really need an allowlist that applies to all possible current and future endpoints. Release note: None
This is now "fixed" and the remainder of the work is owned by the obs-inf team. On 21.2, tenant redaction was reverted and we instead drop the verbose logs entirely (and obs-inf owns bringing them back), on master we redact tenant traces but we have a perf regression (which is also owned by obs-inf). Here are the issues: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the problem
When a tenant traces their SQL queries, they also get the KV portions of the traces. These are not suitably redacted and thus should not be handed to tenants.
To Reproduce
#70406
Expected behavior
Tenants don't get any unredacted KV-level traces. They need to get their ContentionEvents though (with an unredacted or at least unredacted-enough key).
The text was updated successfully, but these errors were encountered: