tracing: perf regression due to trace redactability

[tbg]

Describe the problem

In #58610 we discussed trace data sent to tenants from the KV layer. This data
was not redactable and there was a concern that tenants could learn privileged
information (such as keys belonging to another tenant, for example).

We reacted to this by adding redactability for traces (#70562). Unfortunately,
this introduced inacceptably high overhead in the case in which tracing is
enabled across the board (as will be the case with the
sql.trace.*.enable_threshold cluster setting, which is known to see some
usage) and, on release-21.2, we switched to a blunter approach with degraded
observability, #71606. This degraded observability is tracked in #58610 and is
out of scope here as it does not affect master (at the time of writing).

Details on the regression can be found in
#71610. Concretely, in a simple
"select single row" end-to-end local benchmark, we see approximately a 20%
regression in average request latency.

We have to either mitigate the regression or revert the work but are then
forced to add the redactability again in some way, as for better or worse
traces as observed by tenants are an invaluable tool in CockroachDB support
today.

Epic CRDB-2574

[dhartunian]

After discussing with @knz and @andreimatei we've decided on the following two-part solution to this problem:

1. Reintroduce the original fix from @tbg in release-21.2: default redactability to "off" #71610. This approach was set aside in favor of release-21.2: revert trace redactability, drop tenant-bound recordings instead #71606 during the stability period since we favored a simpler solution instead of one that introduced more conditional logic. This will ensure that the redaction code is utilized in the release branch, but not on single-tenant deployments where it caused performance regressions we didn't want to ship with. These performance hits will be easier to manage on multi-tenant deployments where we will never enable tracing on all queries anyway.

2. In situations where we do want redaction enabled between kv and tenant layers, we will add redactabilty to structured payloads. We will ensure that contention payloads are passed through properly to keep sql observability features that use those payloads operational in multi-tenant deployments. After that, we will progressively add more granular redaction to structured payloads to facilitate debugging. Since usage of log.VEventf is difficult to improve performance-wise, we may choose to omit those log statements from logs that pass from kv to the tenant layer in situations where we enforce redaction.

[dhartunian]

After discussing this issue with more folks, it seems that the original need for #71606 is not as strong as initially assumed. We do not want to keep a "wall" between tenants and KV when tracing and customers can expect to learn and interpret information from the KV layer to debug query execution on multi-tenant clusters.

In that spirit, I will be simplifying the immediate work on the release-21.2 branch: simply reverting the final commit in #71606 (fc95ad8) to drop tenant-bound trace recordings. Our existing boundaries between tenants should do a good job of preventing leakage of information across the tenant boundary since all range-related info will be confined to the tenant.

Separately, we will continue to pursue trace redaction on master for the 22.1 release for customers with the intent of reducing PII captured in traces. That concern maps equally over both single and multi-tenant customers and the code currently on release-21.2 does not offer new functionality here that the revert I described will regress on.

[andreimatei]

Our existing boundaries between tenants should do a good job of preventing leakage of information across the tenant boundary since all range-related info will be confined to the tenant.

I imagine that the original reason we panicked about these recording coming from tenants was about RPCs that internally cross range and tenant boundaries. Like I'm thinking a scan that internally does a PushTxn on a system transaction, or even on a transaction from the same tenant but where we have to scan the meta ranges to figure out where the respective txn record is. Is all this a ruse?

[dhartunian]

I imagine that the original reason we panicked about these recording coming from tenants was about RPCs that internally cross range and tenant boundaries. Like I'm thinking a scan that internally does a PushTxn on a system transaction, or even on a transaction from the same tenant but where we have to scan the meta ranges to figure out where the respective txn record is. Is all this a ruse?

How viable is it to audit all VEvent calls for stuff like this? It seems like the majority stay within Range boundaries so that's why a globally optimal redaction solution is harder to get to right now.

[tbg]

We need redaction on that boundary for sure (if the proposal is to leak unredacted KV traces to tenants then I think we need to talk about this again, certainly our security team would want to sign off on that and I'd be surprised if they did). But we do not need to prevent redacted KV trace recordings from reaching the tenant. This isn't thought to be useful for users directly but it is important for our ability to support users, as we don't currently have infrastructure to capture these traces internally.

[dhartunian]

There’s been a lot of back and forth on how to address this ticket in light of Serverless needs on the release-21.2 branch so I wanted to quickly summarize the reasoning behind all the commits that are in the PR I have up on the release branch right now: #73117

Here’s a summary of conflicting needs:

1. Trace redactability as implemented on master via log,kvserver: hand redacted KV traces to tenants #70562 created performance regressions that we could not ship in 21.2. Hence, this work was reverted on release-21.2.

2. Trace redactability is critical for Serverless needs due to the fact that KV traces can contain sensitive information that crosses range (and therefore tenant) boundaries. Currently, the branch that Serverless launched with contains the PR above and takes the performance hit in order to maintain redactability for traces.

3. Serverless needs to switch to using the release-21.2 branch in order to get back in line with the rest of the codebase. It branched during launch for stability. It currently cannot do this because of release-21.2: revert trace redactability, drop tenant-bound recordings instead #71606 which dropped redactability.

4. We cannot “turn off” KV tracing data for Serverless tenants as the PR mentioned in (3) does because we need them for debugging customer queries.

What are we doing?

The way forward is contained in #73117 which:

• Restores trace redactability from log,kvserver: hand redacted KV traces to tenants #70562
• Adds code from Tobi that was rejected during the stability period which makes redactability configurable on the Tracer [release-21.2] tracing: restore trace redactability and default to "off" #73117
• Adds a commit from David H that enables redactability for tenant-bound traces only

Consequences of the above PR:

• Serverless can use release-21.2 branch without losing redactable traces
• Dedicated/On-Prem customers can continue using 21.2 patches without redactability being enabled on their traces (avoiding the performance cost associated)

Alternative paths considered

• Don’t redact traces.
  • This creates a security issue where sensitive info from other tenants might become visible to Serverless customers
• Don’t redact traces. Turn off KV traces for Serverless
  • At this point this would be a feature regression on Serverless
  • We need these traces to debug customer queries ourselves and there is no easy mechanism for managing different kinds of redaction for different users
• Don’t redact traces. Omit the KV trace data in the SQL shell when “SHOW TRACE FOR SESSION” is used (but continue showing in logs)
  • This would keep the trace data only where we have access (logs) and omit from customer eyes (customers can see SQL, but not logs)
  • This is a hacky solution that breaks the way a feature works for customers
  • Relies on customers not having access to logs which may not be true in the future
  • Requires debugging queries to look at logs which likely requires SRE intervention or something
• Make trace redactability a cluster setting
  • Don’t want to add a cluster setting on release branch…is this even allowed?