Merge #144269 #144393 #144558 #144559 #144637

144269: roachtest: add RLS policies to the DRT cluster r=Dedej-Bergin a=Dedej-Bergin

This adds a new DRT operation to test row-level security (RLS) features in live clusters. The operation:
1. Selects a random table from a populated database
2. Checks if RLS is already enabled and records the current state
3. Enables RLS on the table (with random FORCE RLS toggle)
4. Creates 5-20 random policies with varying operations (ALL/SELECT/INSERT/UPDATE/DELETE)
5. Waits for a random time before cleanup
6. Properly restores the table to its original state

This will help test both DDL and DML related to RLS policies in a live system, stressing the system when applying/removing policies. The policies use simple expressions (true/false) to focus on testing RLS infrastructure rather than complex policy logic.

Fixes: #138831
Epic: CRDB-11724
Release note: none

144393: workload: add Row Level Security operations to Random Schema Changer r=Dedej-Bergin a=Dedej-Bergin

Added four new operations to the Random Schema Changer workload to test ROW LEVEL SECURITY commands:
```
ALTER TABLE <table> ENABLE ROW LEVEL SECURITY
ALTER TABLE <table> DISABLE ROW LEVEL SECURITY
ALTER TABLE <table> FORCE ROW LEVEL SECURITY
ALTER TABLE <table> NO FORCE ROW LEVEL SECURITY
```
These operations are available in the declarative schema changer for cluster version 25.2 and above.

Informs: #137120
Epic: CRDB-11724
Release note: none

144558: ui: fix duplicate drop unused index tags r=kyle-a-wong a=kyle-a-wong

"Drop unused index" tags were being duplicated in the table index details page for every drop index recommendation that existed for said table.

Now, only 1 tag is shown per row

Epic: CC-30965
Fixes: CC-31183
Release note (bug fix): Fixed ui bug where "Drop unused index" tag was being shown more than once in the table index details page

144559: authors: add Tuan Dau to authors r=tuansydau a=tuansydau

Epic: None
Release note: None

Thanks for the review in advance

144637: sql/schemachanger: gate CREATE POLICY in DSC prior to 25.2 r=spilchen a=spilchen

In v25.1, CREATE POLICY was partially implemented but guarded by a feature gate, which blocked usage of the DDL. That gate was removed for 25.2 since RLS is now GA.

However, CREATE POLICY still depends on DSC elements not present in 25.1. To prevent failures in mixed-version clusters, a version gate was added to the DSC logic to ensure CREATE POLICY cannot be planned unless the cluster has finalized to 25.2.

A new mixed-version test was added instead of modifying the existing `row_level_security` test, since the latter doesn't fully account for mixed-version behavior. This test is expected to be short-lived, relevant only while 25.1 remains supported.

Fixes #144625

Epic: CRDB-11724
Release note: none

Co-authored-by: Bergin Dedej <[email protected]>
Co-authored-by: Kyle Wong <[email protected]>
Co-authored-by: Tuan Dau <[email protected]>
Co-authored-by: Matt Spilchen <[email protected]>

Author: 5 people

AUTHORS

@@ -509,6 +509,7 @@ Tommy Truongchau <[email protected]> <[email protected]>
 Toshi Noguchi <[email protected]> <[email protected]>
 Tristan Ohlson <[email protected]> <@cockroachlabs.com>
 Tristan Rice <[email protected]> <[email protected]>
+Tuan Dau <[email protected]>
 Tushar Jain <[email protected]>
 Txiaozhe <[email protected]>
 Tyler Neely <[email protected]>

pkg/cmd/roachtest/operations/BUILD.bazel

@@ -7,6 +7,7 @@ go_library(
         "add_column.go",
         "add_database.go",
         "add_index.go",
+        "add_rls_policy.go",
         "backup_restore.go",
         "cluster_settings.go",
         "debug_zip.go",

pkg/cmd/roachtest/operations/add_rls_policy.go

@@ -0,0 +1,231 @@
+// Copyright 2024 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package operations
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/cockroachdb/cockroach/pkg/cmd/roachtest/cluster"
+	"github.com/cockroachdb/cockroach/pkg/cmd/roachtest/operation"
+	"github.com/cockroachdb/cockroach/pkg/cmd/roachtest/operations/helpers"
+	"github.com/cockroachdb/cockroach/pkg/cmd/roachtest/option"
+	"github.com/cockroachdb/cockroach/pkg/cmd/roachtest/registry"
+	"github.com/cockroachdb/cockroach/pkg/cmd/roachtest/roachtestflags"
+	"github.com/cockroachdb/cockroach/pkg/util/randutil"
+)
+
+type cleanupRLSPolicy struct {
+	db, table       string
+	policies        []string
+	originalRLSStmt string
+	locked          bool
+	waitDuration    time.Duration
+}
+
+func (cl *cleanupRLSPolicy) Cleanup(ctx context.Context, o operation.Operation, c cluster.Cluster) {
+	o.Status(fmt.Sprintf("Scheduling cleanup to happen after %s", cl.waitDuration))
+
+	// Start a goroutine to handle the wait and cleanup. Since this runs in the
+	// background, we also create a new context so that the background goroutine
+	// isn't aborted by the parent context.
+	go func() {
+		newCtx := context.Background()
+
+		if deadline, ok := ctx.Deadline(); ok {
+			var cancel context.CancelFunc
+			newCtx, cancel = context.WithDeadline(newCtx, deadline.Add(cl.waitDuration))
+			defer cancel()
+		}
+		ctx = newCtx
+
+		// Wait for the specified duration before performing cleanup.
+		time.Sleep(cl.waitDuration)
+
+		conn := c.Conn(ctx, o.L(), 1, option.VirtualClusterName(roachtestflags.VirtualCluster))
+		defer conn.Close()
+
+		// Switch to the database where the table is located
+		o.Status(fmt.Sprintf("switching to database %s for cleanup", cl.db))
+		if _, err := conn.ExecContext(ctx, fmt.Sprintf("USE %s", cl.db)); err != nil {
+			o.Fatal(err)
+		}
+
+		if cl.locked {
+			helpers.SetSchemaLocked(ctx, o, conn, cl.db, cl.table, false /* lock */)
+			defer helpers.SetSchemaLocked(ctx, o, conn, cl.db, cl.table, true /* lock */)
+		}
+
+		// Drop all policies that were created
+		for _, policy := range cl.policies {
+			o.Status(fmt.Sprintf("dropping policy %s on table %s.%s", policy, cl.db, cl.table))
+			_, err := conn.ExecContext(ctx, fmt.Sprintf("DROP POLICY %s ON %s.%s", policy, cl.db, cl.table))
+			if err != nil {
+				o.Fatal(err)
+			}
+		}
+
+		// Restore original RLS state or disable it if it wasn't enabled before
+		if cl.originalRLSStmt != "" {
+			// Restore the original RLS state
+			o.Status(fmt.Sprintf("restoring original row level security state for %s.%s", cl.db, cl.table))
+			if _, err := conn.ExecContext(ctx, cl.originalRLSStmt); err != nil {
+				o.Fatal(err)
+			}
+		} else {
+			// If the table didn't have RLS before, disable it
+			o.Status(fmt.Sprintf("disabling row level security for %s.%s", cl.db, cl.table))
+			_, err := conn.ExecContext(ctx, fmt.Sprintf("ALTER TABLE %s.%s DISABLE ROW LEVEL SECURITY, NO FORCE ROW LEVEL SECURITY", cl.db, cl.table))
+			if err != nil {
+				o.Fatal(err)
+			}
+		}
+	}()
+}
+
+func runAddRLSPolicy(
+	ctx context.Context, o operation.Operation, c cluster.Cluster,
+) registry.OperationCleanup {
+	conn := c.Conn(ctx, o.L(), 1, option.VirtualClusterName(roachtestflags.VirtualCluster))
+	defer func() { _ = conn.Close() }()
+
+	rng, _ := randutil.NewPseudoRand()
+
+	// Pick a random table
+	dbName := helpers.PickRandomDB(ctx, o, conn, helpers.SystemDBs)
+	tableName := helpers.PickRandomTable(ctx, o, conn, dbName)
+
+	// Check if the table already has RLS enabled and store the original statement if needed
+	var tblName, createStmt string
+	err := conn.QueryRowContext(ctx, fmt.Sprintf("SHOW CREATE TABLE %s.%s", dbName, tableName)).Scan(&tblName, &createStmt)
+	if err != nil {
+		o.Fatal(err)
+	}
+
+	// Look for any RLS statements in the CREATE TABLE
+	originalRLSStmt := ""
+
+	// Check if RLS is enabled and capture the original statement
+	if strings.Contains(createStmt, "ROW LEVEL SECURITY") {
+		// Extract the ALTER TABLE statement for RLS
+		lines := strings.Split(createStmt, "\n")
+		for _, line := range lines {
+			if strings.Contains(line, "ROW LEVEL SECURITY") {
+				addMissingSemicolon := ""
+				if !strings.Contains(line, ";") {
+					addMissingSemicolon = ";"
+				}
+				// Store the line as the original RLS statement and semicolon if missing
+				originalRLSStmt = strings.TrimSpace(line + addMissingSemicolon)
+				break
+			}
+		}
+	}
+
+	// If the table's schema is locked, then unlock the table and make sure it will
+	// be re-locked during cleanup.
+	locked := helpers.IsSchemaLocked(o, conn, dbName, tableName)
+	if locked {
+		helpers.SetSchemaLocked(ctx, o, conn, dbName, tableName, false /* lock */)
+		defer helpers.SetSchemaLocked(ctx, o, conn, dbName, tableName, true /* lock */)
+	}
+
+	// Enable RLS on the table with random FORCE option
+	shouldForceRLS := rng.Intn(2) == 0 // 50% chance of using FORCE
+	forceClause := ""
+	if shouldForceRLS {
+		forceClause = ", FORCE ROW LEVEL SECURITY"
+	}
+
+	o.Status(fmt.Sprintf("enabling row level security on table %s.%s%s", dbName, tableName, forceClause))
+	_, err = conn.ExecContext(ctx, fmt.Sprintf("ALTER TABLE %s.%s ENABLE ROW LEVEL SECURITY%s", dbName, tableName, forceClause))
+	if err != nil {
+		o.Fatal(err)
+	}
+
+	// Create between 0-5 policies
+	numPolicies := rng.Intn(6)
+	policies := make([]string, 0, numPolicies)
+
+	operations := []string{"ALL", "SELECT", "INSERT", "UPDATE", "DELETE"}
+	users := []string{"public", "current_user", "session_user"}
+
+	for i := 0; i < numPolicies; i++ {
+		// Pick a random operation
+		operation := operations[rng.Intn(len(operations))]
+
+		// Pick a random user
+		user := users[rng.Intn(len(users))]
+
+		// Create unique policy name
+		policyName := fmt.Sprintf("rls_policy_%s_%d", operation, rng.Uint32())
+		policies = append(policies, policyName)
+
+		o.Status(fmt.Sprintf("creating policy %s on table %s.%s for %s to %s",
+			policyName, dbName, tableName, user, operation))
+
+		withCheck := ""
+		using := ""
+
+		// WITH CHECK does is not supported for INSERT and DELETE
+		if operation != "SELECT" && operation != "DELETE" {
+			// Randomly choose between true or false
+			checkExpr := "true"
+			if rng.Intn(2) == 0 {
+				checkExpr = "false"
+			}
+			withCheck = fmt.Sprintf("WITH CHECK (%s)", checkExpr)
+		}
+
+		// USING is not supported for INSERT
+		if operation != "INSERT" {
+			// Randomly choose between true or false
+			usingExpr := "true"
+			if rng.Intn(2) == 0 {
+				usingExpr = "false"
+			}
+			using = fmt.Sprintf("USING (%s)", usingExpr)
+		}
+
+		_, err = conn.ExecContext(ctx, fmt.Sprintf(`
+			CREATE POLICY %s ON %s.%s 
+			FOR %s 
+			TO %s 
+			%s 
+			%s
+		`, policyName, dbName, tableName, operation, user, using, withCheck))
+		if err != nil {
+			o.Fatal(err)
+		}
+	}
+
+	o.Status(fmt.Sprintf("created %d RLS policies on table %s.%s", numPolicies, dbName, tableName))
+
+	// Return the cleanup struct with wait duration.
+	waitTime := time.Hour
+	return &cleanupRLSPolicy{
+		db:              dbName,
+		table:           tableName,
+		policies:        policies,
+		originalRLSStmt: originalRLSStmt,
+		locked:          locked,
+		waitDuration:    waitTime,
+	}
+}
+
+func registerAddRLSPolicy(r registry.Registry) {
+	r.AddOperation(registry.OperationSpec{
+		Name:               "add-rls-policy",
+		Owner:              registry.OwnerSQLFoundations,
+		Timeout:            30 * time.Minute,
+		CompatibleClouds:   registry.AllClouds,
+		CanRunConcurrently: registry.OperationCanRunConcurrently,
+		Dependencies:       []registry.OperationDependency{registry.OperationRequiresPopulatedDatabase},
+		Run:                runAddRLSPolicy,
+	})
+}

pkg/cmd/roachtest/operations/register.go

@@ -15,6 +15,7 @@ func RegisterOperations(r registry.Registry) {
 	registerAddColumn(r)
 	registerAddDatabase(r)
 	registerAddIndex(r)
+	registerAddRLSPolicy(r)
 	registerGrantRevoke(r)
 	registerNetworkPartition(r)
 	registerDiskStall(r)

pkg/sql/logictest/testdata/logic_test/mixed_version_row_level_security

@@ -0,0 +1,19 @@
+# LogicTest: local-mixed-25.1
+
+subtest create_drop_sanity
+
+statement ok
+CREATE TABLE sanity1();
+
+statement error pq: unimplemented: CREATE POLICY is not yet implemented
+CREATE POLICY p1 on sanity1 USING (true);
+
+# No block for DROP POLICY because policies shouldn't exist in versions prior to 25.2
+statement error pq: policy "nonexist1" for table "sanity1" does not exist
+DROP POLICY nonexist1 on sanity1;
+
+# Attempting to alter RLS returns this error because the declarative schema
+# changer fails with an unimplemented error, causing a fallback to the legacy
+# schema changer—which also doesn't support it.
+statement error pq: ALTER TABLE ... ROW LEVEL SECURITY is only implemented in the declarative schema changer
+ALTER TABLE sanity1 ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY;

pkg/sql/logictest/tests/local-mixed-25.1/generated_test.go

@@ -6,6 +6,7 @@
 package scbuildstmt
 
 import (
+	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/catpb"
@@ -23,11 +24,15 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/volatility"
 	"github.com/cockroachdb/cockroach/pkg/sql/types"
+	"github.com/cockroachdb/cockroach/pkg/util/errorutil/unimplemented"
 	"github.com/cockroachdb/errors"
 )
 
 // CreatePolicy implements CREATE POLICY.
 func CreatePolicy(b BuildCtx, n *tree.CreatePolicy) {
+	if !b.EvalCtx().Settings.Version.ActiveVersion(b).IsActive(clusterversion.V25_2) {
+		panic(unimplemented.NewWithIssue(136696, "CREATE POLICY is not yet implemented"))
+	}
 	b.IncrementSchemaChangeCreateCounter("policy")
 
 	tableElems := b.ResolveTable(n.TableName, ResolveParams{

pkg/sql/schemachanger/scbuild/internal/scbuildstmt/create_policy.go

@@ -88,7 +88,11 @@ export const useTableIndexStats = ({
           stat?.statistics?.stats?.total_rows_read?.toNumber() ?? 0,
         indexRecs:
           data?.index_recommendations
-            ?.filter(rec => rec?.type != null)
+            ?.filter(
+              rec =>
+                rec?.type != null &&
+                rec.index_id === stat.statistics?.key?.index_id,
+            )
             .map(formatIndexRecsProto) ?? [],
       };
     });

pkg/ui/workspaces/cluster-ui/src/api/databases/tableIndexesApi.ts

@@ -3048,6 +3048,7 @@ func (og *operationGenerator) insertRow(ctx context.Context, tx pgx.Tx) (stmt *o
 		{code: pgcode.ForeignKeyViolation, condition: fkViolation},
 		{code: pgcode.NotNullViolation, condition: true},
 		{code: pgcode.CheckViolation, condition: true},
+		{code: pgcode.InsufficientPrivilege, condition: true}, // For RLS violations
 	})
 	og.expectedCommitErrors.addAll(codesWithConditions{
 		{code: pgcode.ForeignKeyViolation, condition: fkViolation},
@@ -4862,3 +4863,45 @@ func (og *operationGenerator) setSeedInDB(ctx context.Context, tx pgx.Tx) error
 	}
 	return nil
 }
+
+func (og *operationGenerator) alterTableRLS(ctx context.Context, tx pgx.Tx) (*opStmt, error) {
+	tableName, err := og.randTable(ctx, tx, og.pctExisting(true), "")
+	if err != nil {
+		return nil, err
+	}
+
+	tableExists, err := og.tableExists(ctx, tx, tableName)
+	if err != nil {
+		return nil, err
+	}
+
+	// Define the available RLS options
+	rlsOptions := []string{
+		"ENABLE ROW LEVEL SECURITY",
+		"DISABLE ROW LEVEL SECURITY",
+		"FORCE ROW LEVEL SECURITY",
+		"NO FORCE ROW LEVEL SECURITY",
+	}
+
+	// Randomly decide between 1 or 2 options
+	numOptions := og.randIntn(2) + 1
+
+	// Randomly select a unique permutation of the options
+	perm := og.params.rng.Perm(len(rlsOptions))
+	selectedOptions := make([]string, numOptions)
+	for i := 0; i < numOptions; i++ {
+		selectedOptions[i] = rlsOptions[perm[i]]
+	}
+
+	// Build the SQL statement
+	sqlStatement := fmt.Sprintf(`ALTER TABLE %s %s`, tableName, strings.Join(selectedOptions, ", "))
+
+	opStmt := makeOpStmt(OpStmtDDL)
+	opStmt.expectedExecErrors.addAll(codesWithConditions{
+		{code: pgcode.FeatureNotSupported, condition: !og.useDeclarativeSchemaChanger},
+		{code: pgcode.UndefinedTable, condition: !tableExists},
+	})
+
+	opStmt.sql = sqlStatement
+	return opStmt, nil
+}