v25.4 changes related to allow_unsafe_internals session variable #20486
+96
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In crdb-internal.md, added a section for Access control. In functions-and-operators.md, removed reference to a crdb_internal built-in function. In logging-use-cases, added a section for Example: Unsafe internals. In system-catalogs.md, modified by codex.
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
Files changed: |
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify project configuration. |
florence-crl
changed the title
| | Variable name | Description | Initial value | Modify with [`SET`]({% link {{ page.version.version }}/set-vars.md %})? | View with [`SHOW`]({% link {{ page.version.version }}/show-vars.md %})? | | ||
| |---|---|---|---|---| | ||
| | <a id="always-distribute-full-scans"></a> `always_distribute_full_scans` | When set to `on`, full table scans are always [distributed]({% link {{ page.version.version }}/architecture/sql-layer.md %}#distsql). | `off` | Yes | Yes | | ||
| | <a id="allow-unsafe-internals"></a><span class="version-tag">New in v25.4:</span> `allow_unsafe_internals` | Controls access to unsafe internals in the `system` database and the [`crdb_internal`]({% link {{ page.version.version }}/crdb-internal.md %}#access-control) schema. When set to `off`, only allowlisted objects are accessible without internal privileges.<br><br>**Warning**: In future releases, this session variable will default to `off` and then will be removed. To assess potential downstream impacts on your setup, set `allow_unsafe_internals` to `off` in a non-production environment. | `on` | Yes | Yes | |
There was a problem hiding this comment.
Florence, I'm not sure whether we're planning to remove this variable, can you double check that with Kevin?
There was a problem hiding this comment.
Agree! Let's not call out removal yet.
| SET allow_unsafe_internals = off; | ||
| ~~~ | ||
|
|
||
| When set to `off`, external sessions can read only the allowlisted `crdb_internal` objects that are supported for production use (the tables marked ✓ in the table below). All other tables and built-in functions that use the `crdb_internal` namespace require either an internal caller or explicitly enabling `allow_unsafe_internals` for the session: |
There was a problem hiding this comment.
If we're going to mention "internal callers" it might be worth defining what that means a little further down.
There was a problem hiding this comment.
discussed with @kevin-v-ngo : direct access to these tables will not be available for end users. Add a footnote that some crl tools (console and debug zip) may use these and will be unaffected.
|
|
||
| These events record both successful and denied attempts to access internal system objects. | ||
|
|
||
| This command enables access to unsafe internals for the user `max`: |
There was a problem hiding this comment.
suggestion: unless max is a common moniker for a db user, it might be worth choosing a different name. max is a keyword which commonly shows up in postgres sql and other programming languages.
| All possible `SENSITIVE_ACCESS` event types are detailed in the [reference documentation]({% link {{ page.version.version }}/eventlog.md %}#sql-access-audit-events). For a detailed tutorial on table auditing, see [SQL Audit Logging]({% link {{ page.version.version }}/sql-audit-logging.md %}). | ||
| {{site.data.alerts.end}} | ||
|
|
||
| #### Example: Unsafe internals |
There was a problem hiding this comment.
Nice, this section is great 🎉
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes DOC-14622 DOC-14631 DOC-14634 DOC-14650 DOC-14818
Rendered preview