resource_control: introduce privilege RESOURCE_GROUP_USER to restrict the switch of resource group #53483
Conversation
ti-chi-bot
bot
added
release-note
|
Hi @glorv. Thanks for your PR. PRs from untrusted users cannot be marked as trusted with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/ok-to-test |
ti-chi-bot
bot
added
size/XXL
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #53483 +/- ##
=================================================
- Coverage 74.5222% 56.1128% -18.4095%
=================================================
Files 1508 1628 +120
Lines 358470 605138 +246668
=================================================
+ Hits 267140 339560 +72420
- Misses 71953 242498 +170545
- Partials 19377 23080 +3703
Flags with carried forward coverage won't be shown. Click here to find out more.
|
|
/retest |
|
@tiancaiamao @nolouch PTAL |
pkg/executor/simple.go
Outdated
| hasSystemUserPriv := checker.RequestDynamicVerification(activeRoles, "SYSTEM_USER", false) | ||
| hasRestrictedUserPriv := checker.RequestDynamicVerification(activeRoles, "RESTRICTED_USER_ADMIN", false) | ||
| hasSystemUserPriv := checker.RequestDynamicVerification(activeRoles, []string{"SYSTEM_USER"}, false) | ||
| hasRestrictedUserPriv := checker.RequestDynamicVerification(activeRoles, []string{"RESTRICTED_USER_ADMIN"}, false) |
There was a problem hiding this comment.
It seems that we can also use the old interface to check a list of privileges? like here
There was a problem hiding this comment.
Yes, it doable, but not very convenient in some cases. While except for ResourceGroup there is only 1 other cases that need to pass 2 permissions. I'm also not sure if there are other cases in the future.
There was a problem hiding this comment.
cc @tiancaiamao Do you think this modification is okay?
There was a problem hiding this comment.
Maybe change the interface is unnecessary.
We do not have much cases relying on the new interface.
Yes |
|
@tiancaiamao PTAL, thanks~ |
ti-chi-bot
bot
added
size/XL
| return append(vi, visitInfo{ | ||
| privilege: mysql.ExtendedPriv, | ||
| dynamicPriv: priv, | ||
| dynamicPrivs: privs, |
There was a problem hiding this comment.
Is this change necessary? Maybe you can 'git checkout master xxx.go' for most of the changes. @glorv
There was a problem hiding this comment.
Yes, I think this change is necessary to express that user should have at least one of the privileges. I added a comment for the field dynamicPrivs
ti-chi-bot
bot
added
lgtm
and removed
needs-1-more-lgtm
[LGTM Timeline notifier]Timeline:
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: nolouch, qw4990, tiancaiamao The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What problem does this PR solve?
Issue Number: close #53440
Problem Summary:
What changed and how does it work?
This PR introduces a new dynamic privilege
RESOURCE_GROUP_USERto restrict switch current session or query's resource group.RESOURCE_GROUP_USERorRESOURCE_GROUP_ADMINcan executeSET RESOURCE GROUP namestatement.RESOURCE_GROUP_USERorRESOURCE_GROUP_ADMINcan use optimizer hintRESOURCE_GROUP(name), this hint will be ignored and return a warning if the user doesn't has this two privilege.Check List
Tests
Side effects
Documentation
Release note
Please refer to Release Notes Language Style Guide to write a quality release note.