Merge #149001 #149632 #149638

149001: pkg/cli: Implement redaction validation and user confirmation for debug zip uploads r=Abhinav1299 a=Abhinav1299

This change improves the safety and user awareness regarding sensitive data in debug zip uploads to Datadog.
- Added `validateRedactionStatus` function to check the redaction status of debug zips based on the `debug_zip_command_flags.txt` file.
- Introduced user prompts for confirmation when redaction is unclear or not enabled.
- Updated `runDebugZipUpload` to validate redaction status before proceeding with uploads.

Part of: CRDB-49203
Epic: None
Release Notes: None

149632: asim: port second batch of testing framework changes  r=tbg a=wenyihu6

**Note that this is based on top of #149582
Epic: [CRDB-25222](https://cockroachlabs.atlassian.net/browse/CRDB-25222)

----

**asim: remove replica_weights and lease_weights**

This commit removes replica_weights and lease_weights entirely since future
commits will add replica_placement which serves a similar but better purpose.

Epic: none
Release note: none

---

**asim: add "print" command to output initial cluster state**

This commit adds a print command to the data driven test that outputs the
cluster state just before the simulation starts, helping future commits verify
correctness against the initial state.

Epic: none
Release note: none

---

**asim: add replica_placement option to gen_ranges**

This commit adds a placement_type=replica_placement command to gen_ranges. It
takes the next line as a ratio of replica placement combinations. For example,
{s1:*,s2,s3:NON_VOTER}:1 {s4:*,s5,s6}:1 means half the ranges will have s1 as
the leaseholder, s2, and s3 as a non-voter; the other half of ranges will have
s4 as leaseholder, s5, and s6.

Epic: none
Release note: none

---

**asim: refactor the code to use rebalancing snapshot rate**

Previously, asim used ReplicaAddRate for SimulationSettings, which was an
artificial approximation and differed from the real cluster behaviour with
snapshot-based calculation. This patch refactors it to use the actual snapshot
rate instead. There is no behavioral change, since SnapshotRate = AddRate /
(1024*1024). So
(RangeSize/(1024*1024))/(AddRate)=RangeSize/(1024*1024*AddRate)=RangeSize/SnapshotRate.
NB: there's an existing bug here; the calculation is missing a final
multiplication by time.Second, and snapshot rate is defined per second. A future
commit will address this.

Epic: none
Release note: none

---

**asim: add time.Second to snapshot rate delay calculation**

Previously, the delay calculation used snapshot_rate (per second) but forgot to
multiply the result by time.Second, resulting in an incorrectly small delay in
nanoseconds. This commit fixes the bug by applying the correct time unit.

Epic: none
Release note: none

---

**asim: change defaultRebalancingSnapshotRate to 32MiB/s**

This commit updates defaultRebalancingSnapshotRate from 16MiB/s to 32MiB/s to
match with the default value of the kv.snapshot_rebalance.max_rate cluster
setting.

Epic: none
Release note: none

---

**asim: use << 20 instead of 1024*1024**

This commit updates defaultRangeSizeSplitThreshold to use bit shifting instead
of multiplication for convention.

Epic: none
Release note: none

---

**asim: fix bug with missing ticket in controller**

Previously, tickets were incorrectly deleted immediately after checking for
their existence, even if they weren't completed yet. This caused tickets to be
missing on subsequent checks. This commit fixes the issue by keeping the tickets
around.

Epic: none
Release note: none

---

**asim: remove unused return value in checkPendingTicket**

This commit removes an unused return value from checkPendingTicket(), as it is
not used anywhere.

Epic: none
Release note: none

---

**asim: add SetSimulationSettings as a mutation event**

This commit adds SetSimulationSettings as a delayed mutation event, enabling
data-driven tests to modify simulation settings in the middle of the simulation.
Note that this is left unused as of now. This will support future changes like
updating the rebalance mode during a run.

Epic: none
Release note: none

---

**asim: add ChangeReplicasOp as an operation**

This commit adds ChangeReplicasOp, enabling the simulator’s store rebalancer to
enqueue replica change operations. It is currently unused; future commits will
integrate it with mma to enqueue replica changes.

Epic: none
Release note: none

---

**asim: support store_byte_capacity option with gen_cluster**

This commit adds support for the store_byte_capacity option in the gen_cluster
command, enabling data-driven tests to change configuration of store capacity in
bytes.

Epic: none
Release note: none

---

**asim: support region and nodes_per_region with gen_cluster**

Previously, gen_cluster did not support specifying node localities, making
constraint testing difficult; users had to add nodes manually with add_node.
This commit adds region and nodes_per_region options to gen_cluster. Note taht
len(region) == len(nodes_per_region). For example, region=(a,b,c) and
nodes_per_region=(1,1,2) assigns 1 node to a, 1 to b, and 2 to c. No new tests
are added yet, but future commits will utilize this feature.

Epic: none
Release note: none

---

**asim: integrate cluster setting properly**

Previously, new cluster settings were created ad hoc throughout asim, making it
hard to change cluster settings. In addition, it was also hard to distinguish
between simulation and cluster settings. This commit adds a cluster settings
field to the simulation settings struct, initializing it once and passing it
throughout. Note that many simulation settings that should be cluster settings
still remain; a TODO is left to clean this up in the future.

Epic: none
Release note: none

---

**asim: fix snapshot rate delay integer division**

Previously, integer division was used when computing the delay for adding a
replica, resulting in shorter than expected delays. This patch improves accuracy
in tracking the delay by calculating a ratio with float.

(Note: This issue was just raised in Slack, not from the prototype.)

Epic: none
Release note: none



149638: sql: prevent auth failure when no roles are granted during sync r=souravcrl a=shriramters

Previously, the EnsureUserOnlyBelongsToRoles function would construct and execute a GRANT statement even if the list of roles to grant was empty after filtering for roles that exist in the database.

This was inadequate because it caused authentication to fail for users logging in via external providers (LDAP, JWT, OIDC). If a user belonged to external groups that did not map to any existing roles in CockroachDB, the function would generate an invalid SQL statement (GRANT TO <user>), resulting in a syntax error that blocked the user's session.

To address this, this patch modifies EnsureUserOnlyBelongsToRoles to only build and execute the GRANT statement if at least one valid, existing role is being granted. This prevents the syntax error and allows users to log in successfully even if their external group memberships do not result in any new role grants.

This commit also adds unit tests for `EnsureUserOnlyBelongsToRoles()`.

Fixes: #143878 

Release note (bug fix): Fixed a bug where database login could fail during LDAP, JWT, or OIDC authentication if the user's external group memberships did not correspond to any existing roles in the database. The login will now succeed, and no roles will be granted or revoked in this scenario.

Co-authored-by: Abhinav1299 <[email protected]>
Co-authored-by: wenyihu6 <[email protected]>
Co-authored-by: Shriram Ravindranathan <[email protected]>

Author: 4 people

pkg/cli/testdata/table_dumps/debug_zip_command_flags.txt

@@ -0,0 +1 @@
+ --concurrency=15 --cpu-profile-duration=5s --files-from=2025-06-15 08:45:34 --files-until=2025-06-18 08:45:34 --include-goroutine-stacks=true --include-range-info=true --include-running-job-traces=true --redact=true

pkg/cli/zip.go

@@ -48,6 +48,10 @@ type zipRequest struct {
 	pathName string
 }
 
+const (
+	debugZipCommandFlagsFileName = "debug_zip_command_flags.txt"
+)
+
 type debugZipContext struct {
 	z              *zipper
 	clusterPrinter *zipReporter
@@ -415,7 +419,7 @@ done
 				return filter
 			})
 
-			if err := z.createRaw(s, zc.prefix+"/debug_zip_command_flags.txt", []byte(flags)); err != nil {
+			if err := z.createRaw(s, zc.prefix+"/"+debugZipCommandFlagsFileName, []byte(flags)); err != nil {
 				return err
 			}
 

pkg/cli/zip_test.go

@@ -1236,7 +1236,7 @@ func TestCommandFlags(t *testing.T) {
 	}
 
 	for _, f := range r.File {
-		if f.Name == "debug/debug_zip_command_flags.txt" {
+		if f.Name == "debug/"+debugZipCommandFlagsFileName {
 			rc, err := f.Open()
 			if err != nil {
 				t.Fatal(err)
@@ -1253,7 +1253,7 @@ func TestCommandFlags(t *testing.T) {
 			return
 		}
 	}
-	assert.Fail(t, "debug/debug_zip_command_flags.txt is not generated")
+	assert.Fail(t, "debug/"+debugZipCommandFlagsFileName+" is not generated")
 
 	if err = r.Close(); err != nil {
 		t.Fatal(err)

pkg/cli/zip_upload.go

@@ -6,6 +6,7 @@
 package cli
 
 import (
+	"bufio"
 	"bytes"
 	"compress/gzip"
 	"context"
@@ -37,6 +38,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/util/system"
 	"github.com/cockroachdb/cockroach/pkg/util/timeutil"
 	"github.com/cockroachdb/errors"
+	"github.com/cockroachdb/errors/oserror"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/option"
@@ -202,13 +204,114 @@ func uploadJSONFile(fileName string, message any, uuid string) error {
 // pipeline which enriches the logs with more fields.
 var defaultDDTags = []string{"service:CRDB-SH", "env:debug", "source:cockroachdb"}
 
+// buildRedactionWarning creates a warning message about sensitive data in debug zips.
+// It includes a common list of sensitive data types that may be present.
+func buildRedactionWarning(prefix string) string {
+	return prefix +
+		"This means it may contain sensitive data including:\n" +
+		"  • Personally Identifiable Information (PII)\n" +
+		"  • Database credentials and connection strings\n" +
+		"  • Internal cluster details\n" +
+		"  • Potentially sensitive log data\n\n" +
+		"It is advisable to only upload redacted debug zips to Datadog.\n"
+}
+
+// promptUserForConfirmationImpl shows a warning message and prompts the user for confirmation.
+// It returns nil if the user confirms, or an error if they decline or if there's an input error.
+// In dry-run mode, it shows the warning but skips the prompt.
+func promptUserForConfirmationImpl(warningMsg string) error {
+	// Skip interactive prompt in dry-run mode
+	if debugZipUploadOpts.dryRun {
+		fmt.Fprintf(os.Stderr, "%s", warningMsg)
+		fmt.Fprintf(os.Stderr, "DRY RUN: Would prompt for confirmation here.\n")
+		return nil
+	}
+
+	fmt.Fprintf(os.Stderr, "%s", warningMsg)
+	fmt.Fprintf(os.Stderr, "Do you want to continue with the upload? (y/N): ")
+
+	reader := bufio.NewReader(os.Stdin)
+	line, err := reader.ReadString('\n')
+	if err != nil {
+		return fmt.Errorf("failed to read user input: %w", err)
+	}
+
+	line = strings.ToLower(strings.TrimSpace(line))
+	if len(line) == 0 {
+		line = "n" // Default to 'no' when user presses enter without input
+	}
+
+	if line == "y" || line == "yes" {
+		fmt.Fprintf(os.Stderr, "Proceeding with upload...\n")
+		return nil
+	}
+
+	return fmt.Errorf("upload aborted")
+}
+
+// promptUserForConfirmation is a variable that can be mocked in tests
+var promptUserForConfirmation = promptUserForConfirmationImpl
+
+// validateRedactionStatus checks if the debug zip was created with redaction enabled
+// by examining the debugZipCommandFlagsFileName file in the system tenant.
+// If redaction is not enabled, it warns the user and prompts for confirmation.
+//
+// User experience examples:
+//
+//  1. Redacted zip (--redact=true): Proceeds silently
+//  2. Unredacted zip (--redact=false): Shows warning and prompts:
+//     "⚠️  WARNING: Your debug zip was created WITHOUT redaction..."
+//     "Do you want to continue with the upload? (y/N): "
+//  3. Unknown redaction status: Shows warning and prompts similarly
+//
+// The function respects dry-run mode by showing warnings without prompting.
+func validateRedactionStatus(debugDirPath string) error {
+	flagsFilePath := path.Join(debugDirPath, debugZipCommandFlagsFileName)
+
+	flagsContent, err := os.ReadFile(flagsFilePath)
+	if err != nil {
+		if oserror.IsNotExist(err) {
+			// File doesn't exist - we can't determine redaction status, so warn and prompt
+			warningMsg := buildRedactionWarning(
+				"⚠️  WARNING: The debug zip redaction status is unclear.\n")
+
+			return promptUserForConfirmation(warningMsg)
+		}
+		return fmt.Errorf("⚠️  error: the debug zip redaction status is unclear, err: %w", err)
+	}
+
+	flagsStr := string(flagsContent)
+
+	if strings.Contains(flagsStr, "--redact=true") {
+		return nil
+	}
+
+	var warningMsg string
+	if strings.Contains(flagsStr, "--redact=false") {
+		warningMsg = buildRedactionWarning(
+			"⚠️  WARNING: The debug zip was created WITHOUT redaction.\n",
+		)
+	} else {
+		warningMsg = buildRedactionWarning(
+			"⚠️  WARNING: The debug zip redaction status is unclear.\n",
+		)
+	}
+
+	return promptUserForConfirmation(warningMsg)
+}
+
 func runDebugZipUpload(cmd *cobra.Command, args []string) error {
 	runtime.GOMAXPROCS(system.NumCPU())
 
 	if err := validateZipUploadReadiness(); err != nil {
 		return err
 	}
 
+	// Check redaction status before proceeding with upload
+	if err := validateRedactionStatus(args[0]); err != nil {
+		return err
+	}
+
 	// a unique ID for this upload session. This should be used to tag all the artifacts uploaded in this session
 	uploadID := newUploadID(debugZipUploadOpts.clusterName, getCurrentTime())
 

pkg/cli/zip_upload_test.go

@@ -164,6 +164,11 @@ func TestUploadZipEndToEnd(t *testing.T) {
 
 	defer testutils.TestingHook(&gcsLogUpload, writeLogsToGCSHook)()
 
+	// Mock the interactive prompt to always accept (return nil) for end-to-end tests
+	defer testutils.TestingHook(&promptUserForConfirmation, func(warningMsg string) error {
+		return nil // Always accept in end-to-end tests
+	})()
+
 	datadriven.Walk(t, "testdata/upload", func(t *testing.T, path string) {
 		datadriven.RunTest(t, path, func(t *testing.T, d *datadriven.TestData) string {
 			c := NewCLITest(TestCLIParams{})
@@ -285,6 +290,127 @@ func TestAppendUserTags(t *testing.T) {
 	}
 }
 
+func TestValidateRedactionStatus(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	tests := []struct {
+		name          string
+		flagsContent  string
+		fileExists    bool
+		dryRun        bool
+		expectError   bool
+		errorContains string
+		description   string
+	}{
+		{
+			name:         "redacted zip with other flags proceeds silently",
+			flagsContent: " --concurrency=15 --cpu-profile-duration=5s --files-from=2025-06-15 08:45:34 --redact=true --include-range-info=true",
+			fileExists:   true,
+			dryRun:       false,
+			expectError:  false,
+			description:  "When --redact=true is found, no warnings should be shown and upload proceeds",
+		},
+		{
+			name:          "missing file user declines",
+			flagsContent:  "",
+			fileExists:    false,
+			dryRun:        false,
+			expectError:   true,
+			errorContains: "upload aborted",
+			description:   "When file is missing and user declines, should return cancellation error",
+		},
+		{
+			name:          "missing file user accepts",
+			flagsContent:  "",
+			fileExists:    false,
+			dryRun:        false,
+			expectError:   false,
+			errorContains: "user accepts",
+			description:   "When file is missing and user accepts, should proceed without error",
+		},
+		{
+			name:          "unredacted zip user declines",
+			flagsContent:  " --concurrency=1 --redact=false --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   true,
+			errorContains: "upload aborted",
+			description:   "When --redact=false and user declines, should return cancellation error",
+		},
+		{
+			name:          "unredacted zip user accepts",
+			flagsContent:  " --concurrency=1 --redact=false --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   false,
+			errorContains: "user accepts",
+			description:   "When --redact=false and user accepts, should proceed without error",
+		},
+		{
+			name:          "unclear redaction status user declines",
+			flagsContent:  " --concurrency=1 --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   true,
+			errorContains: "upload aborted",
+			description:   "When no --redact flag and user declines, should return cancellation error",
+		},
+		{
+			name:          "unclear redaction status user accepts",
+			flagsContent:  " --concurrency=1 --nodes=1",
+			fileExists:    true,
+			dryRun:        false,
+			expectError:   false,
+			errorContains: "user accepts",
+			description:   "When no --redact flag and user accepts, should proceed without error",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+
+			if test.fileExists {
+				flagsFile := path.Join(tempDir, debugZipCommandFlagsFileName)
+				if err := os.WriteFile(flagsFile, []byte(test.flagsContent), 0644); err != nil {
+					t.Fatal(err)
+				}
+			}
+
+			originalDryRun := debugZipUploadOpts.dryRun
+			debugZipUploadOpts.dryRun = test.dryRun
+			defer func() { debugZipUploadOpts.dryRun = originalDryRun }()
+
+			if test.errorContains == "upload aborted" || test.errorContains == "user accepts" {
+				originalPrompt := promptUserForConfirmation
+				switch test.errorContains {
+				case "upload aborted":
+					promptUserForConfirmation = func(warningMsg string) error {
+						require.Contains(t, warningMsg, "WARNING:")
+						return fmt.Errorf("upload aborted")
+					}
+				case "user accepts":
+					promptUserForConfirmation = func(warningMsg string) error {
+						require.Contains(t, warningMsg, "WARNING:")
+						return nil
+					}
+				}
+				defer func() { promptUserForConfirmation = originalPrompt }()
+			}
+
+			// Test validation
+			err := validateRedactionStatus(tempDir)
+
+			if test.expectError {
+				require.Error(t, err, fmt.Sprintf("Test case: %s", test.description))
+				require.Contains(t, err.Error(), test.errorContains, fmt.Sprintf("Test case: %s", test.description))
+			} else {
+				require.NoError(t, err, fmt.Sprintf("Test case: %s", test.description))
+			}
+		})
+	}
+}
+
 func TestZipUploadArtifactTypes(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 

pkg/kv/kvserver/asim/config/BUILD.bazel

@@ -5,4 +5,5 @@ go_library(
     srcs = ["settings.go"],
     importpath = "github.com/cockroachdb/cockroach/pkg/kv/kvserver/asim/config",
     visibility = ["//visibility:public"],
+    deps = ["//pkg/settings/cluster"],
 )

pkg/kv/kvserver/asim/config/settings.go

@@ -5,15 +5,19 @@
 
 package config
 
-import "time"
+import (
+	"time"
+
+	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
+)
 
 const (
 	defaultTickInteval             = 500 * time.Millisecond
 	defaultMetricsInterval         = 10 * time.Second
 	defaultReplicaChangeBaseDelay  = 100 * time.Millisecond
-	defaultReplicaAddDelayFactor   = 16
+	defaultRebalancingSnapshotRate = 32 << 20 // 32MiB/s
 	defaultSplitQueueDelay         = 100 * time.Millisecond
-	defaultRangeSizeSplitThreshold = 512 * 1024 * 1024 // 512mb
+	defaultRangeSizeSplitThreshold = 512 << 20 // 512MiB
 	defaultRangeRebalanceThreshold = 0.05
 	defaultPacerLoopInterval       = 10 * time.Minute
 	defaultPacerMinIterInterval    = 10 * time.Millisecond
@@ -56,13 +60,11 @@ type SimulationSettings struct {
 	// (add,remove). It accounts for a fixed overhead of initiating a replica
 	// movement.
 	ReplicaChangeBaseDelay time.Duration
-	// ReplicaAddRate is the factor applied to the range size (MB) when
-	// calculating how long a replica addition will take for a given range
-	// size. For adding a replica to a new store, the delay is calculated as
-	// ReplicaChangeBaseDelay + (RangeSize(MB)  * ReplicaAddRate) milliseconds.
-	// This is analogous to the rate at which a store will ingest snapshots for
-	// up replication.
-	ReplicaAddRate float64
+	// RebalancingSnapshotRate is rate at which newly added replicas will be
+	// added based on the range size. e.g., When the range size is 32MiB, and the
+	// RebalancingSnapshotRate is 32 << 20, the delay for adding a replica wil be
+	// 1 second + ReplicaChangeBaseDelay.
+	RebalancingSnapshotRate int64
 	// SplitQueueDelay is the delay that range splits take to complete.
 	SplitQueueDelay time.Duration
 	// RangeSizeSplitThreshold is the threshold in MB, below which ranges will
@@ -116,6 +118,11 @@ type SimulationSettings struct {
 	LeaseQueueEnabled bool
 	// SplitQueueEnabled controls whether the split queue is enabled.
 	SplitQueueEnabled bool
+	// st is used to update cockroach cluster settings.
+	//
+	// TODO(wenyihu6): Remove any non-simulation settings from this struct and
+	// instead override the settings below.
+	ST *cluster.Settings
 }
 
 // DefaultSimulationSettings returns a set of default settings for simulation.
@@ -126,7 +133,7 @@ func DefaultSimulationSettings() *SimulationSettings {
 		MetricsInterval:         defaultMetricsInterval,
 		Seed:                    defaultSeed,
 		ReplicaChangeBaseDelay:  defaultReplicaChangeBaseDelay,
-		ReplicaAddRate:          defaultReplicaAddDelayFactor,
+		RebalancingSnapshotRate: defaultRebalancingSnapshotRate,
 		SplitQueueDelay:         defaultSplitQueueDelay,
 		RangeSizeSplitThreshold: defaultRangeSizeSplitThreshold,
 		RangeRebalanceThreshold: defaultRangeRebalanceThreshold,
@@ -145,6 +152,7 @@ func DefaultSimulationSettings() *SimulationSettings {
 		ReplicateQueueEnabled:   true,
 		LeaseQueueEnabled:       true,
 		SplitQueueEnabled:       true,
+		ST:                      cluster.MakeClusterSettings(),
 	}
 }
 
@@ -154,7 +162,8 @@ func (s *SimulationSettings) ReplicaChangeDelayFn() func(rangeSize int64, add bo
 	return func(rangeSize int64, add bool) time.Duration {
 		delay := s.ReplicaChangeBaseDelay
 		if add {
-			delay += (time.Duration(rangeSize/(1024*1024)) / time.Duration(s.ReplicaAddRate))
+			estimatedTimeToAddReplica := float64(rangeSize) / float64(s.RebalancingSnapshotRate)
+			delay += time.Duration(estimatedTimeToAddReplica) * time.Second
 		}
 		return delay
 	}