Skip to content

Adapter: unify RBAC for Side Effecting Functions#35220

Open
DAlperin wants to merge 1 commit intoMaterializeInc:mainfrom
DAlperin:dov/unify-rbac-side-effecting-function
Open

Adapter: unify RBAC for Side Effecting Functions#35220
DAlperin wants to merge 1 commit intoMaterializeInc:mainfrom
DAlperin:dov/unify-rbac-side-effecting-function

Conversation

@DAlperin
Copy link
Member

@DAlperin DAlperin commented Feb 25, 2026
edited
Loading

During an incident I tried to kill some backends with mz_system and I couldn't. This was because the usually RBAC bypass doesn't work for the special impl in the coord for side effect functions. I'd prefer to unify this where possible and feel it's worth paying an extra coord hop is worth it.

@github-actions
Copy link

github-actions bot commented Feb 25, 2026
edited by DAlperin
Loading

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@DAlperin DAlperin force-pushed the dov/unify-rbac-side-effecting-function branch 2 times, most recently from 1f82600 to 66b07dd Compare February 25, 2026 22:23
@DAlperin
Adapter: unify RBAC for Side Effecting Functions
129c4ed 
During an incident I tried to kill some backends with mz_system and I
couldn't. This was because the usually RBAC bypass doesn't work for the
special impl in the coord for side effect functions. I'd prefer to unify
this where possible and feel it's worth paying an extra coord hop is
worth it.
@DAlperin DAlperin force-pushed the dov/unify-rbac-side-effecting-function branch from 66b07dd to 129c4ed Compare February 26, 2026 17:13
@DAlperin DAlperin marked this pull request as ready for review February 26, 2026 18:08
@DAlperin DAlperin requested a review from a team as a code owner February 26, 2026 18:08
@DAlperin DAlperin requested a review from ggevay February 26, 2026 18:08
ggevay
ggevay approved these changes Feb 27, 2026
View reviewed changes
Copy link
Contributor

@ggevay ggevay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thank you very much for figuring this out and fixing it! And sorry for the bug!

src/adapter/src/frontend_peek.rs

rbac::check_plan(
&conn_catalog,
Some(move |_id: u32| active_conns_role),
Copy link
Contributor

@ggevay ggevay Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making the closure not use _id (just always returning PgCancelBackend's target connection's role) runs the risk that some code written later will call the closure with some other connection, and silently get a wrong role. How about asserting in the closure that the closure's argument is the same as the target conn, i.e., _id == connection_id?

Copy link
Contributor

@ggevay ggevay Feb 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or we could maybe even simplify this from a closure to a simple Option<RoleId>, because the closure is never called with a variety of connections, but only ever called on PgCancelBackend's target connection. Also, the closure's generality is not really needed even for further side-effecting funcs in Postgres that we might want to implement at some point: The only other such functions where roles of some other connections than the issuer are relevant are pg_terminate_backend and pg_log_backend_memory_contexts, which also just want to look at the role of a single connection, i.e., their target connection. So, an Option<RoleId> would be enough for them as well. What do you think?

src/adapter/src/command.rs
plan: SideEffectingFunc,
conn_id: ConnectionId,
/// The current role of the session, used for RBAC checks.
current_role: RoleId,
Copy link
Contributor

@ggevay ggevay Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dangling doc comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggevay ggevay ggevay approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DAlperin @ggevay