Merge #144181 #144714 #144843 #144873

144181: security: cleanup clientcert expiration cache functionality r=angles-n-daemons a=angles-n-daemons

security: cleanup clientcert expiration cache functionality

The work done for #142686 in #143081 was truncated to make the changeset more backportable. Some of the modifications held are ported instead to this PR, so that extra functions are removed, and the `clientcert/cache.go` is simpler in terms of its responsibility. The changes include:

 - A simplified interface for creating an managing the client certificate cache.
 - Removes some of the extra code used for getting and checking times.
 - Removes the (now unused) cluster setting for limiting the size of the cache.
 - Removes the (unused and unsafe) getters from the cache, ports the tests to reading the values from the metrics.

Fixes: #144163
Epic: none

Release note (ops change): cluster setting
`server.client_cert_expiration_cache.capacity` has been deprecated. The client certificate cache now evicts client certificates based on time.

144714: builder: install a more recent version of `patchelf` r=rail a=rickystewart

The version previously in use produces buggy results on s390x.

Epic: CRDB-21133
Release note: None

144843: sql: honour RLS policies during query-based backfill r=spilchen a=spilchen

Previously, schema changes that performed backfill operations from a query—such as those for materialized views (MQTs) or CREATE TABLE ... AS (CTAS)—executed the query as the node user. This user has administrative privileges and bypasses all Row-Level Security (RLS) policies, unintentionally exposing rows the originator of the change should not have been able to access.

This change ensures that such query-based backfills run under the privileges of the user who initiated the schema change. As a result, RLS policies are correctly enforced, and only the rows visible to the initiating user are included in the result.

Fixes #144816
Fixes #144776

Epic: CRDB-11724
Release note: none


144873: sql: enable TestUpsertFastPath with buffered writes r=arulajmani a=arulajmani

We're able to hit 1PC in more cases when buffered writes are enabled. Teach TestUpsertFastPath about it.

Epic: none

Release note: None

Co-authored-by: Brian Dillmann <[email protected]>
Co-authored-by: Ricky Stewart <[email protected]>
Co-authored-by: Matt Spilchen <[email protected]>
Co-authored-by: Arul Ajmani <[email protected]>

Author: 5 people

build/.bazelbuilderversion

@@ -1 +1 @@
-us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel:20250409-061148
+us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel:20250418-212710

build/bazelbuilder/Dockerfile

@@ -24,7 +24,6 @@ RUN apt-get update \
     netbase \
     openjdk-8-jre \
     openssh-client \
-    patchelf \
     python-is-python3 \
     python3 \
     python3.8-venv \
@@ -92,6 +91,15 @@ RUN case ${TARGETPLATFORM} in \
  ./aws/install && \
  rm -rf aws awscliv2.zip
 
+RUN case ${TARGETPLATFORM} in \
+    "linux/amd64") ARCH=x86_64; SHASUM=ce84f2447fb7a8679e58bc54a20dc2b01b37b5802e12c57eece772a6f14bf3f0 ;; \
+    "linux/arm64") ARCH=aarch64; SHASUM=ae13e2effe077e829be759182396b931d8f85cfb9cfe9d49385516ea367ef7b2 ;; \
+  esac && \
+ curl -fsSL "https://github.com/NixOS/patchelf/releases/download/0.18.0/patchelf-0.18.0-$ARCH.tar.gz" -o "patchelf.tar.gz" && \
+ echo "$SHASUM patchelf.tar.gz" | sha256sum -c - && \
+ tar --strip-components=1 -C /usr -xzf patchelf.tar.gz && \
+ rm -rf patchelf.tar.gz
+
 # Install Bazelisk as Bazel.
 # NOTE: you should keep this in sync with build/packer/teamcity-agent.sh and
 # build/bootstrap/bootstrap-debian.sh -- if an update is necessary here, it's probably

build/toolchains/BUILD.bazel

@@ -32,7 +32,7 @@ platform(
         "@platforms//cpu:x86_64",
     ],
     exec_properties = {
-        "container-image": "docker://us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel@sha256:dd13f3b97a0baac1dc311cc1d81c39b97071907efb3c6669fa659667a4df5d9b",
+        "container-image": "docker://us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel@sha256:97228ff5e3ccfed242b49b37fa427d03203bb69ee74c5129f29b6a6fa7662ad1",
         "dockerReuse": "True",
         "Pool": "default",
     },
@@ -137,7 +137,7 @@ platform(
         "@platforms//cpu:arm64",
     ],
     exec_properties = {
-        "container-image": "docker://us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel@sha256:3c43c89d875fe1d1c05ce40313fad76a928b8dd29af1554e9cb765e9aaaab054",
+        "container-image": "docker://us-east1-docker.pkg.dev/crl-ci-images/cockroach/bazel@sha256:57c597624ed396b33be80548acfef221e5c340b09ed36a0d826c1798a414b10d",
         "dockerReuse": "True",
         "Pool": "default",
     },

docs/generated/settings/settings-for-tenants.txt

@@ -115,7 +115,6 @@ server.auth_log.sql_sessions.enabled	boolean	false	if set, log verbose SQL sessi
 server.authentication_cache.enabled	boolean	true	enables a cache used during authentication to avoid lookups to system tables when retrieving per-user authentication-related information	application
 server.child_metrics.enabled	boolean	false	enables the exporting of child metrics, additional prometheus time series with extra labels	application
 server.child_metrics.include_aggregate.enabled	boolean	true	include the reporting of the aggregate time series when child metrics are enabled. This cluster setting has no effect if child metrics are disabled.	application
-server.client_cert_expiration_cache.capacity	integer	1000	the maximum number of client cert expirations stored	application
 server.clock.forward_jump_check.enabled (alias: server.clock.forward_jump_check_enabled)	boolean	false	if enabled, forward clock jumps > max_offset/2 will cause a panic	application
 server.clock.persist_upper_bound_interval	duration	0s	the interval between persisting the wall time upper bound of the clock. The clock does not generate a wall time greater than the persisted timestamp and will panic if it sees a wall time greater than this value. When cockroach starts, it waits for the wall time to catch-up till this persisted timestamp. This guarantees monotonic wall time across server restarts. Not setting this or setting a value of 0 disables this feature.	application
 server.eventlog.enabled	boolean	true	if set, logged notable events are also stored in the table system.eventlog	application

docs/generated/settings/settings.html

@@ -146,7 +146,6 @@
 <tr><td><div id="setting-server-authentication-cache-enabled" class="anchored"><code>server.authentication_cache.enabled</code></div></td><td>boolean</td><td><code>true</code></td><td>enables a cache used during authentication to avoid lookups to system tables when retrieving per-user authentication-related information</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-child-metrics-enabled" class="anchored"><code>server.child_metrics.enabled</code></div></td><td>boolean</td><td><code>false</code></td><td>enables the exporting of child metrics, additional prometheus time series with extra labels</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-child-metrics-include-aggregate-enabled" class="anchored"><code>server.child_metrics.include_aggregate.enabled</code></div></td><td>boolean</td><td><code>true</code></td><td>include the reporting of the aggregate time series when child metrics are enabled. This cluster setting has no effect if child metrics are disabled.</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
-<tr><td><div id="setting-server-client-cert-expiration-cache-capacity" class="anchored"><code>server.client_cert_expiration_cache.capacity</code></div></td><td>integer</td><td><code>1000</code></td><td>the maximum number of client cert expirations stored</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-clock-forward-jump-check-enabled" class="anchored"><code>server.clock.forward_jump_check.enabled<br />(alias: server.clock.forward_jump_check_enabled)</code></div></td><td>boolean</td><td><code>false</code></td><td>if enabled, forward clock jumps &gt; max_offset/2 will cause a panic</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-clock-persist-upper-bound-interval" class="anchored"><code>server.clock.persist_upper_bound_interval</code></div></td><td>duration</td><td><code>0s</code></td><td>the interval between persisting the wall time upper bound of the clock. The clock does not generate a wall time greater than the persisted timestamp and will panic if it sees a wall time greater than this value. When cockroach starts, it waits for the wall time to catch-up till this persisted timestamp. This guarantees monotonic wall time across server restarts. Not setting this or setting a value of 0 disables this feature.</td><td>Serverless/Dedicated/Self-Hosted</td></tr>
 <tr><td><div id="setting-server-consistency-check-max-rate" class="anchored"><code>server.consistency_check.max_rate</code></div></td><td>byte size</td><td><code>8.0 MiB</code></td><td>the rate limit (bytes/sec) to use for consistency checks; used in conjunction with server.consistency_check.interval to control the frequency of consistency checks. Note that setting this too high can negatively impact performance.</td><td>Dedicated/Self-Hosted</td></tr>

pkg/security/certificate_manager.go

@@ -13,7 +13,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/security/certnames"
 	"github.com/cockroachdb/cockroach/pkg/security/clientcert"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
-	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/log/eventpb"
 	"github.com/cockroachdb/cockroach/pkg/util/log/severity"
@@ -57,7 +56,7 @@ type CertificateManager struct {
 	certMetrics *Metrics
 
 	// Client cert expiration cache.
-	clientCertExpirationCache *clientcert.ClientCertExpirationCache
+	clientCertExpirationCache *clientcert.Cache
 
 	// mu protects all remaining fields.
 	mu syncutil.RWMutex
@@ -201,12 +200,16 @@ func (cm *CertificateManager) RegisterSignalHandler(
 // It is called during server startup.
 func (cm *CertificateManager) RegisterExpirationCache(
 	ctx context.Context,
-	st *cluster.Settings,
 	stopper *stop.Stopper,
 	timeSrc timeutil.TimeSource,
 	parentMon *mon.BytesMonitor,
-) {
-	cm.clientCertExpirationCache = clientcert.NewClientCertExpirationCache(ctx, st, stopper, timeSrc, parentMon, cm.certMetrics.ClientExpiration, cm.certMetrics.ClientTTL)
+) error {
+	m := mon.NewMonitorInheritWithLimit(mon.MakeName("client-expiration-caches"), 0 /* limit */, parentMon, true /* longLiving */)
+	acc := m.MakeConcurrentBoundAccount()
+	m.StartNoReserved(ctx, parentMon)
+
+	cm.clientCertExpirationCache = clientcert.NewCache(timeSrc, acc, cm.certMetrics.ClientExpiration, cm.certMetrics.ClientTTL)
+	return cm.clientCertExpirationCache.StartPurgeJob(ctx, stopper)
 }
 
 // MaybeUpsertClientExpiration updates or inserts the expiration time for the
@@ -216,7 +219,7 @@ func (cm *CertificateManager) MaybeUpsertClientExpiration(
 	ctx context.Context, identity string, serial string, expiration int64,
 ) {
 	if cache := cm.clientCertExpirationCache; cache != nil {
-		cache.MaybeUpsert(ctx,
+		cache.Upsert(ctx,
 			identity,
 			serial,
 			expiration,

pkg/security/clientcert/BUILD.bazel

@@ -6,11 +6,8 @@ go_library(
     importpath = "github.com/cockroachdb/cockroach/pkg/security/clientcert",
     visibility = ["//visibility:public"],
     deps = [
-        "//pkg/settings",
-        "//pkg/settings/cluster",
         "//pkg/util/log",
         "//pkg/util/metric/aggmetric",
-        "//pkg/util/mon",
         "//pkg/util/stop",
         "//pkg/util/syncutil",
         "//pkg/util/timeutil",
@@ -22,7 +19,6 @@ go_test(
     srcs = ["cert_expiry_cache_test.go"],
     deps = [
         ":clientcert",
-        "//pkg/settings/cluster",
         "//pkg/util/leaktest",
         "//pkg/util/metric",
         "//pkg/util/metric/aggmetric",