kvserver: tenants can trace into KV #70407
Comments
tbg
added
the
C-bug
tbg
added a commit
to tbg/cockroach
that referenced
this issue
Sep 20, 2021
Touches cockroachdb#70407. It does not exactly fix it, as the approach here is a blocklist on our main KV endpoint, whereas we really need an allowlist that applies to all possible current and future endpoints. Release note: None
|
This is now "fixed" and the remainder of the work is owned by the obs-inf team. On 21.2, tenant redaction was reverted and we instead drop the verbose logs entirely (and obs-inf owns bringing them back), on master we redact tenant traces but we have a perf regression (which is also owned by obs-inf). Here are the issues: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the problem
When a tenant traces their SQL queries, they also get the KV portions of the traces. These are not suitably redacted and thus should not be handed to tenants.
To Reproduce
#70406
Expected behavior
Tenants don't get any unredacted KV-level traces. They need to get their ContentionEvents though (with an unredacted or at least unredacted-enough key).
The text was updated successfully, but these errors were encountered: