sql: add setting to validate privs for secondary tenants

annrpom · annrpom · commit 6b643830361b · 2025-04-07T13:53:14.000-04:00
This patch adds a cluster setting, `sql.zone_configs.default_range_modifiable_by_non_root.enabled`, to help prevent virtual clusters from setting undesired zone configs. This settings determines if non-root users on these clusters should be restricted from modifying the `default` range. Other named ranges are not allowed to be modified as a secondary tenant. Epic: none Fixes: #142856 Release note: None
diff --git a/pkg/ccl/logictestccl/testdata/logic_test/multi_region_secondary_tenants_abstractions_allowed b/pkg/ccl/logictestccl/testdata/logic_test/multi_region_secondary_tenants_abstractions_allowed
@@ -60,3 +60,26 @@ statement ok
 ALTER DATABASE test CONFIGURE ZONE USING num_replicas = 4, constraints = '{-region=us-east-1: 4}'
 
 subtest end
+
+subtest privileged_range
+
+statement ok
+ALTER RANGE default CONFIGURE ZONE USING num_replicas = 10
+
+user host-cluster-root
+
+statement ok
+ALTER TENANT ALL SET CLUSTER SETTING sql.zone_configs.default_range_modifiable_by_non_root.enabled = false
+
+user root
+
+statement ok
+ALTER RANGE default CONFIGURE ZONE USING num_replicas = 10
+
+statement ok
+SET ROLE admin
+
+statement error pgcode 42501 only root users are allowed to modify the default range
+ALTER RANGE default CONFIGURE ZONE USING num_replicas = 10
+
+subtest end
diff --git a/pkg/config/zonepb/zone.go b/pkg/config/zonepb/zone.go
@@ -103,6 +103,14 @@ var MaxReplicasPerRegion = settings.RegisterIntSetting(
 	settings.WithVisibility(settings.Reserved),
 	settings.NonNegativeInt)
 
+var DefaultRangeModifiableByNonRoot = settings.RegisterBoolSetting(
+	settings.ApplicationLevel,
+	"sql.zone_configs.default_range_modifiable_by_non_root.enabled",
+	"if true, allows non-root users to modify zone config for the "+
+		"default range",
+	true,
+	settings.WithVisibility(settings.Reserved))
+
 // MultiRegionZoneConfigFieldsSet contain the items in
 // MultiRegionZoneConfigFields but in a set form for fast lookup.
 var MultiRegionZoneConfigFieldsSet = func() map[tree.Name]struct{} {
diff --git a/pkg/sql/schemachanger/scbuild/internal/scbuildstmt/named_range_zone_config.go b/pkg/sql/schemachanger/scbuild/internal/scbuildstmt/named_range_zone_config.go
@@ -59,6 +59,21 @@ func (rzo *namedRangeZoneConfigObj) getZoneConfigElemForDrop(
 func (rzo *namedRangeZoneConfigObj) checkPrivilegeForSetZoneConfig(
 	b BuildCtx, _ tree.ZoneSpecifier,
 ) error {
+	// Only block privileges for non-root users if this is the default range
+	// for a secondary tenant with
+	// sql.zone_configs.default_range_modifiable_by_non_root.enabled set to
+	// false; other ranges just need the REPAIRCLUSTER privilege.
+	//
+	// N.B. The default range has a rangeID of catid.InvalidDescID.
+	if rzo.rangeID == catid.InvalidDescID && !b.Codec().ForSystemTenant() &&
+		!zonepb.DefaultRangeModifiableByNonRoot.Get(&b.ClusterSettings().SV) {
+		if !b.CurrentUser().IsRootUser() {
+			return pgerror.New(
+				pgcode.InsufficientPrivilege,
+				"only root users are allowed to modify the default range",
+			)
+		}
+	}
 	return b.CheckGlobalPrivilege(privilege.REPAIRCLUSTER)
 }
 
diff --git a/pkg/sql/schemachanger/scbuild/internal/scbuildstmt/zone_config_helpers.go b/pkg/sql/schemachanger/scbuild/internal/scbuildstmt/zone_config_helpers.go
@@ -381,7 +381,7 @@ func evaluateZoneOptions(
 					pgerror.Newf(pgcode.InvalidParameterValue, "unsupported NULL value for %q",
 						tree.ErrString(name))
 			}
-			opt := zone.SupportedZoneConfigOptions[*name] // Portions Copyright (c) 1996-2015, PostgreSQL Global Development Group
+			opt := zone.SupportedZoneConfigOptions[*name]
 			if opt.CheckAllowed != nil {
 				if err := opt.CheckAllowed(b, b.ClusterSettings(), datum); err != nil {
 					return nil, nil, nil, err
diff --git a/pkg/sql/set_zone_config.go b/pkg/sql/set_zone_config.go
@@ -173,6 +173,19 @@ func checkPrivilegeForSetZoneConfig(ctx context.Context, p *planner, zs tree.Zon
 	// an admin. Otherwise we require CREATE privileges on the database or table
 	// in question.
 	if zs.NamedZone != "" {
+		// Only block privileges for non-root users if this is the default range
+		// for a secondary tenant with
+		// sql.zone_configs.default_range_modifiable_by_non_root.enabled set to
+		// false; other ranges just need the REPAIRCLUSTER privilege.
+		if zonepb.NamedZone(zs.NamedZone.String()) == zonepb.DefaultZoneName && !p.execCfg.Codec.ForSystemTenant() &&
+			!zonepb.DefaultRangeModifiableByNonRoot.Get(&p.execCfg.Settings.SV) {
+			if !p.EvalContext().SessionData().User().IsRootUser() {
+				return pgerror.New(
+					pgcode.InsufficientPrivilege,
+					"only root users are allowed to modify the default range",
+				)
+			}
+		}
 		return p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.REPAIRCLUSTER)
 	}
 	if zs.Database != "" {

Original file line number	Diff line number	Diff line change
`@@ -381,7 +381,7 @@ func evaluateZoneOptions(`
`381`	`381`	`pgerror.Newf(pgcode.InvalidParameterValue, "unsupported NULL value for %q",`
`382`	`382`	`tree.ErrString(name))`
`383`	`383`	`}`
`384`		`- opt := zone.SupportedZoneConfigOptions[*name] // Portions Copyright (c) 1996-2015, PostgreSQL Global Development Group`
	`384`	`+ opt := zone.SupportedZoneConfigOptions[*name]`
`385`	`385`	`if opt.CheckAllowed != nil {`
`386`	`386`	`if err := opt.CheckAllowed(b, b.ClusterSettings(), datum); err != nil {`
`387`	`387`	`return nil, nil, nil, err`