Merge pull request #154395 from kyle-a-wong/blathers/backport-release-25.4-154267

kyle-a-wong · web-flow · commit 217a510284e7 · 2025-09-29T16:49:27.000-05:00
release-25.4: sql,unsafesql,sessiondata: do not log unsafe access logs for internal app names
diff --git a/pkg/sql/conn_executor.go b/pkg/sql/conn_executor.go
@@ -920,7 +920,7 @@ func (s *Server) SetupConn(
 	// to use the InternalMetrics. However, some external connections use the prefix as well, for example
 	// the debug zip cli tool.
 	metrics := &s.Metrics
-	if strings.HasPrefix(sd.ApplicationName, catconstants.InternalAppNamePrefix) {
+	if sd.IsInternalAppName() {
 		metrics = &s.InternalMetrics
 	}
 
@@ -1255,7 +1255,6 @@ func (s *Server) newConnExecutor(
 	}
 
 	ex.applicationName.Store(ex.sessionData().ApplicationName)
-
 	ex.applicationStats = applicationStats
 	// We ignore statements and transactions run by the internal executor by
 	// passing a nil writer.
diff --git a/pkg/sql/sessiondata/session_data.go b/pkg/sql/sessiondata/session_data.go
@@ -9,9 +9,11 @@ import (
 	"net"
 	"reflect"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/security/username"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/catconstants"
 	"github.com/cockroachdb/cockroach/pkg/sql/sessiondatapb"
 	"github.com/cockroachdb/cockroach/pkg/util/duration"
 	"github.com/cockroachdb/cockroach/pkg/util/timeutil"
@@ -154,6 +156,10 @@ func (s *SessionData) SessionUser() username.SQLUsername {
 	return s.SessionUserProto.Decode()
 }
 
+func (s *SessionData) IsInternalAppName() bool {
+	return strings.HasPrefix(s.ApplicationName, catconstants.InternalAppNamePrefix)
+}
+
 // LocalUnmigratableSessionData contains session parameters that cannot
 // be propagated to remote nodes and cannot be migrated to another
 // session.
diff --git a/pkg/sql/unsafesql/BUILD.bazel b/pkg/sql/unsafesql/BUILD.bazel
@@ -29,6 +29,7 @@ go_test(
         "//pkg/sql/isql",
         "//pkg/sql/sqlerrors",
         "//pkg/testutils/serverutils",
+        "//pkg/testutils/sqlutils",
         "//pkg/util/leaktest",
         "//pkg/util/log",
         "//pkg/util/log/eventpb",
diff --git a/pkg/sql/unsafesql/unsafesql.go b/pkg/sql/unsafesql/unsafesql.go
@@ -49,7 +49,7 @@ func CheckInternalsAccess(
 	sv *settings.Values,
 ) error {
 	// If the querier is internal, we should allow it.
-	if sd.Internal {
+	if sd.Internal || sd.IsInternalAppName() {
 		return nil
 	}
 
diff --git a/pkg/sql/unsafesql/unsafesql_test.go b/pkg/sql/unsafesql/unsafesql_test.go
@@ -20,6 +20,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/sqlerrors"
 	"github.com/cockroachdb/cockroach/pkg/sql/unsafesql"
 	"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
+	"github.com/cockroachdb/cockroach/pkg/testutils/sqlutils"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/log/eventpb"
@@ -67,12 +68,12 @@ func TestAccessCheckServer(t *testing.T) {
 	pool := s.SQLConn(t)
 	defer pool.Close()
 
+	runner := sqlutils.MakeSQLRunner(pool)
 	// override the log limiter so that the tests can run without pauses.
 	defer unsafesql.TestRemoveLimiters()()
 
 	// create a user table to test user table access.
-	_, err := pool.Exec("CREATE TABLE foo (id INT PRIMARY KEY)")
-	require.NoError(t, err)
+	runner.Exec(t, "CREATE TABLE foo (id INT PRIMARY KEY)")
 
 	// create and register a log accessedSpy to see the unsafe access logs
 	accessedSpy := logtestutils.NewStructuredLogSpy[eventpb.UnsafeInternalsAccessed](
@@ -119,6 +120,7 @@ func TestAccessCheckServer(t *testing.T) {
 
 	for _, test := range []struct {
 		Query                string
+		AppName              string
 		Internal             bool
 		AllowUnsafeInternals bool
 		Passes               bool
@@ -157,6 +159,14 @@ func TestAccessCheckServer(t *testing.T) {
 			Passes:               true,
 			LogsAccessed:         true,
 		},
+		{
+			Query:                "SELECT * FROM system.namespace",
+			AppName:              "$ internal app",
+			Internal:             false,
+			AllowUnsafeInternals: false,
+			Passes:               true,
+			LogsAccessed:         false,
+		},
 		// Tests on unsupported crdb_internal objects.
 		{
 			Query:                "SELECT * FROM crdb_internal.gossip_alerts",
@@ -223,6 +233,7 @@ func TestAccessCheckServer(t *testing.T) {
 		t.Run(fmt.Sprintf("query=%s,internal=%t,allowUnsafe=%t", test.Query, test.Internal, test.AllowUnsafeInternals), func(t *testing.T) {
 			accessedSpy.Reset()
 			deniedSpy.Reset()
+			runner.Exec(t, "SET application_name = $1", test.AppName)
 			err := sendQuery(test.AllowUnsafeInternals, test.Internal, test.Query)
 			if test.Passes {
 				require.NoError(t, err)

Original file line number	Diff line number	Diff line change
`@@ -920,7 +920,7 @@ func (s *Server) SetupConn(`
`920`	`920`	`// to use the InternalMetrics. However, some external connections use the prefix as well, for example`
`921`	`921`	`// the debug zip cli tool.`
`922`	`922`	`metrics := &s.Metrics`
`923`		`- if strings.HasPrefix(sd.ApplicationName, catconstants.InternalAppNamePrefix) {`
	`923`	`+ if sd.IsInternalAppName() {`
`924`	`924`	`metrics = &s.InternalMetrics`
`925`	`925`	`}`
`926`	`926`
`@@ -1255,7 +1255,6 @@ func (s *Server) newConnExecutor(`
`1255`	`1255`	`}`
`1256`	`1256`
`1257`	`1257`	`ex.applicationName.Store(ex.sessionData().ApplicationName)`
`1258`		`-`
`1259`	`1258`	`ex.applicationStats = applicationStats`
`1260`	`1259`	`// We ignore statements and transactions run by the internal executor by`
`1261`	`1260`	`// passing a nil writer.`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ func CheckInternalsAccess(`
`49`	`49`	`sv *settings.Values,`
`50`	`50`	`) error {`
`51`	`51`	`// If the querier is internal, we should allow it.`
`52`		`- if sd.Internal {`
	`52`	`+ if sd.Internal \|\| sd.IsInternalAppName() {`
`53`	`53`	`return nil`
`54`	`54`	`}`
`55`	`55`