unsafesql: report break glass usage of unsafe internals to the sql_exec log

angles-n-daemons · angles-n-daemons · commit 8d772022e123 · 2025-09-11T14:00:26.000-04:00
The epic below outlines a set of work to prevent users from unauthorized access to what we deem unsafe internals. These unsafe internals lie mostly in the crdb_internal schema and the system database. This PR adds a log to SENSITIVE_ACCECSS to audit each time the operator breaks glass and reaches into the unsafe internals, as well as a log when a user is denied access to those records. There is refactoring as part of this PR, specifically the transformation of a statement to a redactable string is pulled out of the sql package and into the tree package, so that it could be leveraged by the optbuilder package (which cannot depend on sql, as sql depends on it). Fixes: 151488 Epic: CRDB-24527 Release note (ops change): A log will be emitted now to the SENSITIVE_ACCESS channel both when users override the allow_unsafe_internals as well as when they are denied access to the same unsafe records.
diff --git a/docs/generated/eventlog.md b/docs/generated/eventlog.md
@@ -853,6 +853,56 @@ a table marked as audited.
 | `BulkJobId` | The job id for bulk job (IMPORT/BACKUP/RESTORE). | no |
 | `StmtPosInTxn` | The statement's index in the transaction, starting at 1. | no |
 
+### `unsafe_internals_accessed`
+
+UnsafeInternalsAccess is recorded when a query accesses unsafe internals
+using the allow_unsafe_internals override.
+
+
+| Field | Description | Sensitive |
+|--|--|--|
+| `Query` | The query that triggered the unsafe internals access. | partially |
+
+
+#### Common fields
+
+| Field | Description | Sensitive |
+|--|--|--|
+| `Timestamp` | The timestamp of the event. Expressed as nanoseconds since the Unix epoch. | no |
+| `EventType` | The type of the event. | no |
+| `Statement` | A normalized copy of the SQL statement that triggered the event. The statement string contains a mix of sensitive and non-sensitive details (it is redactable). | partially |
+| `Tag` | The statement tag. This is separate from the statement string, since the statement string can contain sensitive information. The tag is guaranteed not to. | no |
+| `User` | The user account that triggered the event. The special usernames `root` and `node` are not considered sensitive. | depends |
+| `DescriptorID` | The primary object descriptor affected by the operation. Set to zero for operations that don't affect descriptors. | no |
+| `ApplicationName` | The application name for the session where the event was emitted. This is included in the event to ease filtering of logging output by application. | no |
+| `PlaceholderValues` | The mapping of SQL placeholders to their values, for prepared statements. | yes |
+| `TxnReadTimestamp` | The current read timestamp of the transaction that triggered the event, if in a transaction. | no |
+
+### `unsafe_internals_denied`
+
+An event of type `unsafe_internals_denied` is recorded when a query attempts to access unsafe internals
+but lacks the appropriate session variables.
+
+
+| Field | Description | Sensitive |
+|--|--|--|
+| `Query` | The query that triggered the unsafe internals access. | partially |
+
+
+#### Common fields
+
+| Field | Description | Sensitive |
+|--|--|--|
+| `Timestamp` | The timestamp of the event. Expressed as nanoseconds since the Unix epoch. | no |
+| `EventType` | The type of the event. | no |
+| `Statement` | A normalized copy of the SQL statement that triggered the event. The statement string contains a mix of sensitive and non-sensitive details (it is redactable). | partially |
+| `Tag` | The statement tag. This is separate from the statement string, since the statement string can contain sensitive information. The tag is guaranteed not to. | no |
+| `User` | The user account that triggered the event. The special usernames `root` and `node` are not considered sensitive. | depends |
+| `DescriptorID` | The primary object descriptor affected by the operation. Set to zero for operations that don't affect descriptors. | no |
+| `ApplicationName` | The application name for the session where the event was emitted. This is included in the event to ease filtering of logging output by application. | no |
+| `PlaceholderValues` | The mapping of SQL placeholders to their values, for prepared statements. | yes |
+| `TxnReadTimestamp` | The current read timestamp of the transaction that triggered the event, if in a transaction. | no |
+
 ## SQL Execution Log
 
 Events in this category report executed queries.
diff --git a/pkg/cli/interactive_tests/test_audit_log.tcl b/pkg/cli/interactive_tests/test_audit_log.tcl
@@ -9,14 +9,9 @@ eexpect root@
 
 set logfile logs/db/logs/cockroach-sql-audit.log
 
-start_test "Check that the audit log is not created by default"
-system "if test -e $logfile; then false; fi"
-end_test
-
 start_test "Check that statements do not get logged to the audit log directly"
 send "CREATE DATABASE t; USE t; CREATE TABLE helloworld(abc INT) WITH (schema_locked=false); INSERT INTO helloworld VALUES (123);\r"
 eexpect root@
-system "if test -e $logfile; then false; fi"
 end_test
 
 start_test "Check that statements start being logged synchronously if auditing is enabled"
diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go
@@ -125,7 +125,7 @@ func (p *planner) HasPrivilege(
 	// Do a safety check on the object, if it is considered unsafe
 	// does the caller have the appropriate session data to access it?
 	if p.objectIsUnsafe(ctx, privilegeObject) {
-		if err := unsafesql.CheckInternalsAccess(p.SessionData()); err != nil {
+		if err := unsafesql.CheckInternalsAccess(ctx, p.SessionData(), p.stmt.AST, p.extendedEvalCtx.Annotations, &p.ExecCfg().Settings.SV); err != nil {
 			return false, err
 		}
 	}
diff --git a/pkg/sql/copy_from.go b/pkg/sql/copy_from.go
@@ -1248,6 +1248,12 @@ func (c *copyMachine) insertRowsInternal(ctx context.Context, finalBatch bool) (
 		Returning: tree.AbsentReturningClause,
 	}
 
+	// Initialize annotations for the statement. This is required for proper
+	// error handling and logging during plan optimization. Since this is a
+	// synthetic INSERT statement, we provide an empty annotations array.
+	c.p.semaCtx.Annotations = tree.MakeAnnotations(0)
+	c.p.extendedEvalCtx.Annotations = &c.p.semaCtx.Annotations
+
 	// TODO(cucaroach): We shouldn't need to do this for every batch.
 	if err := c.p.makeOptimizerPlan(ctx); err != nil {
 		return err
diff --git a/pkg/sql/exec_util.go b/pkg/sql/exec_util.go
@@ -4455,38 +4455,11 @@ func scrubStmtStatKey(vt VirtualTabler, key string, ns eval.ClientNoticeSender)
 	return f.CloseAndGetString(), true
 }
 
-var redactNamesInSQLStatementLog = settings.RegisterBoolSetting(
-	settings.ApplicationLevel,
-	"sql.log.redact_names.enabled",
-	"if set, schema object identifers are redacted in SQL statements that appear in event logs",
-	false,
-	settings.WithPublic,
-)
-
 // FormatAstAsRedactableString implements scbuild.AstFormatter
 func (p *planner) FormatAstAsRedactableString(
 	statement tree.Statement, annotations *tree.Annotations,
 ) redact.RedactableString {
-	fs := tree.FmtSimple | tree.FmtAlwaysQualifyTableNames | tree.FmtMarkRedactionNode
-	if !redactNamesInSQLStatementLog.Get(&p.extendedEvalCtx.Settings.SV) {
-		fs = fs | tree.FmtOmitNameRedaction
-	}
-	return formatStmtKeyAsRedactableString(statement, annotations, fs)
-}
-
-// formatStmtKeyAsRedactableString given an AST node this function will fully
-// qualify names using annotations to format it out into a redactable string.
-// Object names are not redacted, but constants and datums are.
-func formatStmtKeyAsRedactableString(
-	rootAST tree.Statement, ann *tree.Annotations, fs tree.FmtFlags,
-) redact.RedactableString {
-	f := tree.NewFmtCtx(
-		fs,
-		tree.FmtAnnotations(ann),
-	)
-	f.FormatNode(rootAST)
-	formattedRedactableStatementString := f.CloseAndGetString()
-	return redact.RedactableString(formattedRedactableStatementString)
+	return tree.FormatAstAsRedactableString(statement, annotations, &p.extendedEvalCtx.Settings.SV)
 }
 
 // FailedHashedValue is used as a default return value for when HashForReporting
diff --git a/pkg/sql/opt/optbuilder/builder.go b/pkg/sql/opt/optbuilder/builder.go
@@ -504,7 +504,7 @@ func (b *Builder) buildStmt(
 			// invalidation). We don't care about caching plans for these statements.
 			b.DisableMemoReuse = true
 			// It's considered acceptable when we delegate to unsafe internals.
-			defer b.disableUnsafeInternalCheck()()
+			defer b.DisableUnsafeInternalCheck()()
 			return b.buildStmt(newStmt, desiredTypes, inScope)
 		}
 
@@ -590,15 +590,20 @@ func (b *Builder) maybeTrackUserDefinedTypeDepsForViews(texpr tree.TypedExpr) {
 	}
 }
 
-// disableUnsafeInternalCheck is used to disable the check that the
+// DisableUnsafeInternalCheck is used to disable the check that the
 // prevents external users from accessing unsafe internals.
-func (b *Builder) disableUnsafeInternalCheck() func() {
+func (b *Builder) DisableUnsafeInternalCheck() func() {
 	b.skipUnsafeInternalsCheck = true
-	cleanup := b.catalog.DisableUnsafeInternalCheck()
+	var cleanup func()
+	if b.catalog != nil {
+		cleanup = b.catalog.DisableUnsafeInternalCheck()
+	}
 
 	return func() {
 		b.skipUnsafeInternalsCheck = false
-		cleanup()
+		if cleanup != nil {
+			cleanup()
+		}
 	}
 }
 
diff --git a/pkg/sql/opt/optbuilder/scalar.go b/pkg/sql/opt/optbuilder/scalar.go
@@ -550,7 +550,7 @@ func (b *Builder) buildFunction(
 		return b.buildUDF(f, def, inScope, outScope, outCol, colRefs)
 	}
 	if b.isUnsafeBuiltin(overload, def) {
-		if err := unsafesql.CheckInternalsAccess(b.evalCtx.SessionData()); err != nil {
+		if err := unsafesql.CheckInternalsAccess(b.ctx, b.evalCtx.SessionData(), b.stmt, b.evalCtx.Annotations, &b.evalCtx.Settings.SV); err != nil {
 			panic(err)
 		}
 	}
diff --git a/pkg/sql/opt/testutils/opttester/opt_tester.go b/pkg/sql/opt/testutils/opttester/opt_tester.go
@@ -2316,6 +2316,7 @@ func (ot *OptTester) buildExpr(factory *norm.Factory) error {
 	ot.semaCtx.Placeholders.Init(stmt.NumPlaceholders, nil /* typeHints */)
 	ot.semaCtx.Annotations = tree.MakeAnnotations(stmt.NumAnnotations)
 	ot.semaCtx.TypeResolver = ot.catalog
+	ot.evalCtx.Annotations = &ot.semaCtx.Annotations
 	b := optbuilder.New(ot.ctx, &ot.semaCtx, &ot.evalCtx, ot.catalog, factory, stmt.AST)
 	return b.Build()
 }
diff --git a/pkg/sql/sem/eval/eval_test.go b/pkg/sql/sem/eval/eval_test.go
@@ -95,6 +95,7 @@ func optBuildScalar(evalCtx *eval.Context, e tree.Expr) (tree.TypedExpr, error)
 	o.Init(ctx, evalCtx, nil /* catalog */)
 	semaCtx := tree.MakeSemaContext(nil /* resolver */)
 	b := optbuilder.NewScalar(ctx, &semaCtx, evalCtx, o.Factory())
+	defer b.DisableUnsafeInternalCheck()()
 	scalar, err := b.Build(e)
 	if err != nil {
 		return nil, err
diff --git a/pkg/sql/sem/tree/BUILD.bazel b/pkg/sql/sem/tree/BUILD.bazel
@@ -86,6 +86,7 @@ go_library(
         "prepare.go",
         "pretty.go",
         "reassign_owned_by.go",
+        "redact_ast.go",
         "regexp_cache.go",
         "region.go",
         "rename.go",
@@ -140,6 +141,7 @@ go_library(
         "//pkg/geo",
         "//pkg/geo/geopb",
         "//pkg/kv/kvserver/concurrency/isolation",
+        "//pkg/settings",
         "//pkg/sql/lex",
         "//pkg/sql/lexbase",
         "//pkg/sql/oidext",
diff --git a/pkg/sql/sem/tree/annotation.go b/pkg/sql/sem/tree/annotation.go
@@ -45,5 +45,8 @@ func (a *Annotations) Set(idx AnnotationIdx, annotation interface{}) {
 
 // Get an annotation from the container.
 func (a *Annotations) Get(idx AnnotationIdx) interface{} {
+	if len(*a) < int(idx) {
+		return nil
+	}
 	return (*a)[idx-1]
 }
diff --git a/pkg/sql/sem/tree/redact_ast.go b/pkg/sql/sem/tree/redact_ast.go
@@ -0,0 +1,45 @@
+// Copyright 2025 The Cockroach Authors.
+//
+// Use of this software is governed by the CockroachDB Software License
+// included in the /LICENSE file.
+
+package tree
+
+import (
+	"github.com/cockroachdb/cockroach/pkg/settings"
+	"github.com/cockroachdb/redact"
+)
+
+var redactNamesInSQLStatementLog = settings.RegisterBoolSetting(
+	settings.ApplicationLevel,
+	"sql.log.redact_names.enabled",
+	"if set, schema object identifers are redacted in SQL statements that appear in event logs",
+	false,
+	settings.WithPublic,
+)
+
+// FormatAstAsRedactableString implements scbuild.AstFormatter
+func FormatAstAsRedactableString(
+	statement Statement, annotations *Annotations, sv *settings.Values,
+) redact.RedactableString {
+	fs := FmtSimple | FmtAlwaysQualifyTableNames | FmtMarkRedactionNode
+	if !redactNamesInSQLStatementLog.Get(sv) {
+		fs = fs | FmtOmitNameRedaction
+	}
+	return formatStmtKeyAsRedactableString(statement, annotations, fs)
+}
+
+// formatStmtKeyAsRedactableString given an AST node this function will fully
+// qualify names using annotations to format it out into a redactable string.
+// Object names are not redacted, but constants and datums are.
+func formatStmtKeyAsRedactableString(
+	rootAST Statement, ann *Annotations, fs FmtFlags,
+) redact.RedactableString {
+	f := NewFmtCtx(
+		fs,
+		FmtAnnotations(ann),
+	)
+	f.FormatNode(rootAST)
+	formattedRedactableStatementString := f.CloseAndGetString()
+	return redact.RedactableString(formattedRedactableStatementString)
+}
diff --git a/pkg/sql/unsafesql/BUILD.bazel b/pkg/sql/unsafesql/BUILD.bazel
@@ -6,8 +6,14 @@ go_library(
     importpath = "github.com/cockroachdb/cockroach/pkg/sql/unsafesql",
     visibility = ["//visibility:public"],
     deps = [
+        "//pkg/settings",
+        "//pkg/sql/sem/tree",
         "//pkg/sql/sessiondata",
         "//pkg/sql/sqlerrors",
+        "//pkg/util/log",
+        "//pkg/util/log/eventpb",
+        "//pkg/util/log/severity",
+        "//pkg/util/timeutil",
     ],
 )
 
@@ -21,12 +27,13 @@ go_test(
         "//pkg/security/securitytest",
         "//pkg/server",
         "//pkg/sql/isql",
-        "//pkg/sql/sessiondata",
-        "//pkg/sql/sessiondatapb",
         "//pkg/sql/sqlerrors",
         "//pkg/testutils/serverutils",
         "//pkg/util/leaktest",
         "//pkg/util/log",
+        "//pkg/util/log/eventpb",
+        "//pkg/util/log/logpb",
+        "//pkg/util/log/logtestutils",
         "//pkg/util/randutil",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_lib_pq//:pq",
diff --git a/pkg/sql/unsafesql/unsafesql.go b/pkg/sql/unsafesql/unsafesql.go
@@ -6,23 +6,66 @@
 package unsafesql
 
 import (
+	"context"
+	"time"
+
+	"github.com/cockroachdb/cockroach/pkg/settings"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/sql/sessiondata"
 	"github.com/cockroachdb/cockroach/pkg/sql/sqlerrors"
+	"github.com/cockroachdb/cockroach/pkg/util/log"
+	"github.com/cockroachdb/cockroach/pkg/util/log/eventpb"
+	"github.com/cockroachdb/cockroach/pkg/util/log/severity"
+	"github.com/cockroachdb/cockroach/pkg/util/timeutil"
 )
 
+// The accessedLogLimiter is used to limit the rate of logging unsafe internal access
+// events. It is set to allow ten events per second.
+var accessedLogLimiter = log.Every(time.Millisecond * 100)
+
+// The deniedLogLimiter is used to limit the rate of logging unsafe internal access
+// events. It is set to allow ten events per second.
+var deniedLogLimiter = log.Every(time.Millisecond * 100)
+
+// TestRemoveLimiter overrides the logLimiter so that all logs will
+// be emitted, so that the tests can be run in short sequence with each other.
+func TestRemoveLimiters() func() {
+	accessedLogLimiter = log.Every(0)
+	deniedLogLimiter = log.Every(0)
+	return func() {
+		accessedLogLimiter = log.Every(time.Millisecond * 100)
+		deniedLogLimiter = log.Every(time.Millisecond * 100)
+	}
+}
+
 // CheckInternalsAccess checks if the current session has permission to access
 // unsafe internal tables and functionality. This includes system tables and
 // virtual tables / builtins in the crdb_internal schema.
-func CheckInternalsAccess(sd *sessiondata.SessionData) error {
+func CheckInternalsAccess(
+	ctx context.Context,
+	sd *sessiondata.SessionData,
+	stmt tree.Statement,
+	ann *tree.Annotations,
+	sv *settings.Values,
+) error {
 	// If the querier is internal, we should allow it.
 	if sd.Internal {
 		return nil
 	}
 
+	q := tree.FormatAstAsRedactableString(stmt, ann, sv)
 	// If an override is set, allow access to this virtual table.
 	if sd.AllowUnsafeInternals {
+		// Log this access to the SENSITIVE_ACCESS channel since the override condition bypassed normal access controls.
+		if accessedLogLimiter.ShouldProcess(timeutil.Now()) {
+			log.StructuredEvent(ctx, severity.WARNING, &eventpb.UnsafeInternalsAccessed{Query: q})
+		}
 		return nil
 	}
 
+	// Log this access to the SENSITIVE_ACCESS channel to show where failing internals accesses are happening.
+	if deniedLogLimiter.ShouldProcess(timeutil.Now()) {
+		log.StructuredEvent(ctx, severity.WARNING, &eventpb.UnsafeInternalsDenied{Query: q})
+	}
 	return sqlerrors.ErrUnsafeTableAccess
 }
diff --git a/pkg/sql/unsafesql/unsafesql_test.go b/pkg/sql/unsafesql/unsafesql_test.go
diff --git a/pkg/util/log/eventpb/eventlog_channels_generated.go b/pkg/util/log/eventpb/eventlog_channels_generated.go
diff --git a/pkg/util/log/eventpb/json_encode_generated.go b/pkg/util/log/eventpb/json_encode_generated.go
diff --git a/pkg/util/log/eventpb/sql_audit_events.proto b/pkg/util/log/eventpb/sql_audit_events.proto

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ func (p *planner) HasPrivilege(`
`125`	`125`	`// Do a safety check on the object, if it is considered unsafe`
`126`	`126`	`// does the caller have the appropriate session data to access it?`
`127`	`127`	`if p.objectIsUnsafe(ctx, privilegeObject) {`
`128`		`- if err := unsafesql.CheckInternalsAccess(p.SessionData()); err != nil {`
	`128`	`+ if err := unsafesql.CheckInternalsAccess(ctx, p.SessionData(), p.stmt.AST, p.extendedEvalCtx.Annotations, &p.ExecCfg().Settings.SV); err != nil {`
`129`	`129`	`return false, err`
`130`	`130`	`}`
`131`	`131`	`}`
Original file line number	Diff line number	Diff line change
`@@ -504,7 +504,7 @@ func (b *Builder) buildStmt(`
`504`	`504`	`// invalidation). We don't care about caching plans for these statements.`
`505`	`505`	`b.DisableMemoReuse = true`
`506`	`506`	`// It's considered acceptable when we delegate to unsafe internals.`
`507`		`- defer b.disableUnsafeInternalCheck()()`
	`507`	`+ defer b.DisableUnsafeInternalCheck()()`
`508`	`508`	`return b.buildStmt(newStmt, desiredTypes, inScope)`
`509`	`509`	`}`
`510`	`510`
`@@ -590,15 +590,20 @@ func (b *Builder) maybeTrackUserDefinedTypeDepsForViews(texpr tree.TypedExpr) {`
`590`	`590`	`}`
`591`	`591`	`}`
`592`	`592`
`593`		`-// disableUnsafeInternalCheck is used to disable the check that the`
	`593`	`+// DisableUnsafeInternalCheck is used to disable the check that the`
`594`	`594`	`// prevents external users from accessing unsafe internals.`
`595`		`-func (b *Builder) disableUnsafeInternalCheck() func() {`
	`595`	`+func (b *Builder) DisableUnsafeInternalCheck() func() {`
`596`	`596`	`b.skipUnsafeInternalsCheck = true`
`597`		`- cleanup := b.catalog.DisableUnsafeInternalCheck()`
	`597`	`+ var cleanup func()`
	`598`	`+ if b.catalog != nil {`
	`599`	`+ cleanup = b.catalog.DisableUnsafeInternalCheck()`
	`600`	`+ }`
`598`	`601`
`599`	`602`	`return func() {`
`600`	`603`	`b.skipUnsafeInternalsCheck = false`
`601`		`- cleanup()`
	`604`	`+ if cleanup != nil {`
	`605`	`+ cleanup()`
	`606`	`+ }`
`602`	`607`	`}`
`603`	`608`	`}`
`604`	`609`
Original file line number	Diff line number	Diff line change
`@@ -550,7 +550,7 @@ func (b *Builder) buildFunction(`
`550`	`550`	`return b.buildUDF(f, def, inScope, outScope, outCol, colRefs)`
`551`	`551`	`}`
`552`	`552`	`if b.isUnsafeBuiltin(overload, def) {`
`553`		`- if err := unsafesql.CheckInternalsAccess(b.evalCtx.SessionData()); err != nil {`
	`553`	`+ if err := unsafesql.CheckInternalsAccess(b.ctx, b.evalCtx.SessionData(), b.stmt, b.evalCtx.Annotations, &b.evalCtx.Settings.SV); err != nil {`
`554`	`554`	`panic(err)`
`555`	`555`	`}`
`556`	`556`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2316,6 +2316,7 @@ func (ot OptTester) buildExpr(factory norm.Factory) error {`
`2316`	`2316`	`ot.semaCtx.Placeholders.Init(stmt.NumPlaceholders, nil /* typeHints */)`
`2317`	`2317`	`ot.semaCtx.Annotations = tree.MakeAnnotations(stmt.NumAnnotations)`
`2318`	`2318`	`ot.semaCtx.TypeResolver = ot.catalog`
	`2319`	`+ ot.evalCtx.Annotations = &ot.semaCtx.Annotations`
`2319`	`2320`	`b := optbuilder.New(ot.ctx, &ot.semaCtx, &ot.evalCtx, ot.catalog, factory, stmt.AST)`
`2320`	`2321`	`return b.Build()`
`2321`	`2322`	`}`