Merge #150364

craig[bot] · kyle-a-wong · craig[bot] · commit 96bc36eca6d7 · 2025-07-18T19:55:42.000Z
150364: sql, settings, cli: Add sensitive, reportable columns to cluster_settings and update debug zip setting redaction logic r=kyle-a-wong a=kyle-a-wong

commit 1/2:

sql,settings: add sensitive, reportable to cluster_settings VTable
updates the crdb_internal.cluster_settings VTable to include 2 new
columns: sensitive and reportable. These two new columns expose the
isSensitive and isReportable attributes from settings objects.

Epic: None
Release note: None

---

commit 2/2:

cli: updates redaction policy for cluster settings in debug zip
Previously, debug zip always exposed all settings values for
unredacted debug zips, and redacted all string setting types
for redacted debug zips.

Now, "sensitive" cluster settings will always be redacted
in debug zip, and "sensitive" and "non-reportable" cluster
settings will be redacted for redacted debug zips.

Release note (cli change): debug zips will now always redact
"sensitive" cluster settings, whether or not a redacted debug
zip is requested. For redacted debug zips, both "sensitive"
and "non-reportable" cluster settings are redacted. This
replaces the old logic where string-type cluster settings
were always redacted for redacted debug-zips.

Co-authored-by: Kyle Wong &lt;37189875+kyle-a-wong@users.noreply.github.com&gt;
diff --git a/pkg/ccl/logictestccl/testdata/logic_test/crdb_internal_tenant b/pkg/ccl/logictestccl/testdata/logic_test/crdb_internal_tenant
@@ -127,10 +127,10 @@ SELECT * FROM crdb_internal.session_trace WHERE span_idx < 0
 ----
 span_idx  message_idx  timestamp  duration  operation  loc  tag  message age
 
-query TTTBTTTT colnames
+query TTTBBBTTTT colnames
 SELECT * FROM crdb_internal.cluster_settings WHERE variable = ''
 ----
-variable  value  type  public  description default_value origin key
+variable  value  type  public  sensitive  reportable  description  default_value  origin  key
 
 query TI colnames
 SELECT * FROM crdb_internal.feature_usage WHERE feature_name = ''
diff --git a/pkg/cli/zip_table_registry.go b/pkg/cli/zip_table_registry.go
@@ -222,11 +222,31 @@ var zipInternalTablesPerCluster = DebugZipTableRegistry{
 		},
 	},
 	"crdb_internal.cluster_settings": {
+		customQueryUnredacted: `SELECT
+			variable,
+			CASE 
+			  WHEN sensitive THEN '<redacted>'
+			  ELSE value 
+			END value,
+			type,
+			public,
+			sensitive,
+			reportable,
+			description,
+			default_value,
+			origin
+		FROM crdb_internal.cluster_settings`,
 		customQueryRedacted: `SELECT
 			variable,
-			CASE WHEN type = 's' AND value != default_value THEN '<redacted>' ELSE value END value,
+			CASE 
+			  WHEN NOT reportable AND value != default_value THEN '<redacted>'
+			  WHEN sensitive THEN '<redacted>'
+			  ELSE value 
+			END value,
 			type,
 			public,
+			sensitive,
+			reportable,
 			description,
 			default_value,
 			origin
@@ -1384,18 +1404,29 @@ var zipSystemTables = DebugZipTableRegistry{
 		},
 	},
 	"system.settings": {
-		customQueryUnredacted: `SELECT * FROM system.settings`,
-		customQueryRedacted: `SELECT * FROM (
-				SELECT *
-				FROM system.settings
-				WHERE "valueType" <> 's'
-    	) UNION (
-				SELECT name, '<redacted>' as value,
-				"lastUpdated",
-				"valueType"
-				FROM system.settings
-				WHERE "valueType"  = 's'
-    	)`,
+		customQueryUnredacted: `
+SELECT 
+     name,
+     CASE
+          WHEN cs.sensitive THEN '<redacted>'
+          ELSE s.value
+     END value,
+	s."lastUpdated",
+	s."valueType"
+FROM system.settings s
+JOIN crdb_internal.cluster_settings cs ON cs.variable = s.name`,
+		customQueryRedacted: `
+SELECT 
+     name,
+     CASE
+          WHEN cs.sensitive THEN '<redacted>'
+          WHEN NOT cs.reportable THEN '<redacted>'
+          ELSE s.value
+     END value,
+	s."lastUpdated",
+	s."valueType"
+FROM system.settings s
+JOIN crdb_internal.cluster_settings cs ON cs.variable = s.name`,
 	},
 	"system.span_configurations": {
 		nonSensitiveCols: NonSensitiveColumns{
diff --git a/pkg/settings/common.go b/pkg/settings/common.go
@@ -67,15 +67,15 @@ func (c common) Visibility() Visibility {
 	return c.visibility
 }
 
-func (c common) isReportable() bool {
+func (c common) IsReportable() bool {
 	return !c.nonReportable
 }
 
 func (c *common) isRetired() bool {
 	return c.retired
 }
 
-func (c *common) isSensitive() bool {
+func (c *common) IsSensitive() bool {
 	return c.sensitive
 }
 
@@ -150,17 +150,17 @@ type internalSetting interface {
 
 	init(class Class, key InternalKey, description string, slot slotIdx)
 	isRetired() bool
-	isSensitive() bool
+	IsSensitive() bool
 	getSlot() slotIdx
 
-	// isReportable indicates whether the value of the setting can be
+	// IsReportable indicates whether the value of the setting can be
 	// included in user-facing reports such as that produced by SHOW ALL
 	// CLUSTER SETTINGS.
 	// This only affects reports though; direct access is unconstrained.
 	// For example, `enterprise.license` is non-reportable:
 	// it cannot be listed, but can be accessed with `SHOW CLUSTER
 	// SETTING enterprise.license` or SET CLUSTER SETTING.
-	isReportable() bool
+	IsReportable() bool
 
 	setToDefault(ctx context.Context, sv *Values)
 
@@ -179,15 +179,15 @@ func TestingIsReportable(s Setting) bool {
 		return false
 	}
 	if e, ok := s.(internalSetting); ok {
-		return e.isReportable()
+		return e.IsReportable()
 	}
 	return true
 }
 
 // TestingIsSensitive is used in testing for sensitivity.
 func TestingIsSensitive(s Setting) bool {
 	if e, ok := s.(internalSetting); ok {
-		return e.isSensitive()
+		return e.IsSensitive()
 	}
 	return false
 }
diff --git a/pkg/settings/internal_test.go b/pkg/settings/internal_test.go
@@ -45,7 +45,7 @@ func TestSensitiveSetting(t *testing.T) {
 	sv := &Values{}
 	sv.Init(ctx, TestOpaque)
 
-	require.True(t, sensitiveSetting.isSensitive())
+	require.True(t, sensitiveSetting.IsSensitive())
 	u := NewUpdater(sv)
 	require.NoError(t, u.Set(ctx, sensitiveSetting.InternalKey(), EncodedValue{Value: "foo", Type: "s"}))
 
diff --git a/pkg/settings/masked.go b/pkg/settings/masked.go
@@ -35,7 +35,7 @@ func (s *MaskedSetting) String(sv *Values) string {
 	}
 	isSensitive := false
 	if st, ok := s.setting.(internalSetting); ok {
-		isSensitive = st.isSensitive()
+		isSensitive = st.IsSensitive()
 	}
 	sensitiveRedactionEnabled := redactSensitiveSettingsEnabled.Get(sv)
 	// Non-reportable settings are always redacted. Sensitive settings are
@@ -56,6 +56,16 @@ func (s *MaskedSetting) Visibility() Visibility {
 	return s.setting.Visibility()
 }
 
+// IsSensitive returns whether the underlying setting is sensitive.
+func (s *MaskedSetting) IsSensitive() bool {
+	return s.setting.IsSensitive()
+}
+
+// IsReportable returns whether the underlying setting is reportable.
+func (s *MaskedSetting) IsReportable() bool {
+	return s.setting.IsReportable()
+}
+
 // InternalKey returns the key string for the underlying setting.
 func (s *MaskedSetting) InternalKey() InternalKey {
 	return s.setting.InternalKey()
diff --git a/pkg/settings/protobuf.go b/pkg/settings/protobuf.go
@@ -109,6 +109,10 @@ func (s *ProtobufSetting) Validate(sv *Values, p protoutil.Message) error {
 	return s.validateFn(sv, p)
 }
 
+func (s *ProtobufSetting) IsSensitive() bool {
+	return s.sensitive
+}
+
 // Override sets the setting to the given value, assuming it passes validation.
 func (s *ProtobufSetting) Override(ctx context.Context, sv *Values, p protoutil.Message) {
 	sv.setValueOrigin(ctx, s.slot, OriginOverride)
diff --git a/pkg/settings/registry.go b/pkg/settings/registry.go
@@ -494,7 +494,7 @@ func LookupForReportingByKey(key InternalKey, forSystemTenant bool) (Setting, bo
 	if !forSystemTenant && s.Class() == SystemOnly {
 		return nil, false
 	}
-	if !s.isReportable() {
+	if !s.IsReportable() {
 		return &MaskedSetting{setting: s}, true
 	}
 	return s, true
@@ -531,7 +531,7 @@ func LookupForDisplayByKey(
 	if !forSystemTenant && s.Class() == SystemOnly {
 		return nil, false
 	}
-	if s.isSensitive() && !canViewSensitive {
+	if s.IsSensitive() && !canViewSensitive {
 		return &MaskedSetting{setting: s}, true
 	}
 	return s, true
@@ -565,7 +565,7 @@ var ReadableTypes = map[string]string{
 //   - "<unknown>" if there is no setting with this name.
 func RedactedValue(key InternalKey, values *Values, forSystemTenant bool) string {
 	if k, ok := registry[key]; ok {
-		if k.Typ() == "s" || k.isSensitive() || !k.isReportable() {
+		if k.Typ() == "s" || k.IsSensitive() || !k.IsReportable() {
 			return "<redacted>"
 		}
 	}
diff --git a/pkg/settings/setting.go b/pkg/settings/setting.go
@@ -77,6 +77,10 @@ type Setting interface {
 	// retrieving all settings.
 	Visibility() Visibility
 
+	IsSensitive() bool
+
+	IsReportable() bool
+
 	// IsUnsafe returns whether the setting is unsafe, and thus requires
 	// a special interlock to set.
 	IsUnsafe() bool
diff --git a/pkg/settings/settings_test.go b/pkg/settings/settings_test.go
@@ -718,12 +718,12 @@ func TestIsReportable(t *testing.T) {
 	if v, ok, _ := settings.LookupForLocalAccess(
 		"bool.t", settings.ForSystemTenant,
 	); !ok || !settings.TestingIsReportable(v) {
-		t.Errorf("expected 'bool.t' to be marked as isReportable() = true")
+		t.Errorf("expected 'bool.t' to be marked as IsReportable() = true")
 	}
 	if v, ok, _ := settings.LookupForLocalAccess(
 		"sekretz", settings.ForSystemTenant,
 	); !ok || settings.TestingIsReportable(v) {
-		t.Errorf("expected 'sekretz' to be marked as isReportable() = false")
+		t.Errorf("expected 'sekretz' to be marked as IsReportable() = false")
 	}
 }
 
diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go
@@ -2025,6 +2025,8 @@ CREATE TABLE crdb_internal.cluster_settings (
   value         STRING NOT NULL,
   type          STRING NOT NULL,
   public        BOOL NOT NULL, -- whether the setting is documented, which implies the user can expect support.
+  sensitive     BOOL NOT NULL, -- whether the setting is sensitive and should not be exposed to users without the appropriate privileges
+  reportable    BOOL NOT NULL, -- whether the setting is reportable
   description   STRING NOT NULL,
   default_value STRING NOT NULL,
   origin        STRING NOT NULL, -- the origin of the value: 'default' , 'override' or 'external-override'
@@ -2070,6 +2072,8 @@ CREATE TABLE crdb_internal.cluster_settings (
 				tree.NewDString(strVal),
 				tree.NewDString(setting.Typ()),
 				tree.MakeDBool(tree.DBool(isPublic)),
+				tree.MakeDBool(tree.DBool(setting.IsSensitive())),
+				tree.MakeDBool(tree.DBool(setting.IsReportable())),
 				tree.NewDString(desc),
 				tree.NewDString(defaultVal),
 				tree.NewDString(origin),
diff --git a/pkg/sql/logictest/testdata/logic_test/crdb_internal b/pkg/sql/logictest/testdata/logic_test/crdb_internal
@@ -261,10 +261,10 @@ SELECT * FROM crdb_internal.session_trace WHERE span_idx < 0
 ----
 span_idx  message_idx  timestamp  duration  operation  loc  tag  message age
 
-query TTTBTTTT colnames
+query TTTBBBTTTT colnames
 SELECT * FROM crdb_internal.cluster_settings WHERE variable = ''
 ----
-variable  value  type  public  description  default_value  origin  key
+variable  value  type  public  sensitive  reportable  description  default_value  origin  key
 
 query TI colnames
 SELECT * FROM crdb_internal.feature_usage WHERE feature_name = ''

Original file line number	Diff line number	Diff line change
`@@ -67,15 +67,15 @@ func (c common) Visibility() Visibility {`
`67`	`67`	`return c.visibility`
`68`	`68`	`}`
`69`	`69`
`70`		`-func (c common) isReportable() bool {`
	`70`	`+func (c common) IsReportable() bool {`
`71`	`71`	`return !c.nonReportable`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`func (c *common) isRetired() bool {`
`75`	`75`	`return c.retired`
`76`	`76`	`}`
`77`	`77`
`78`		`-func (c *common) isSensitive() bool {`
	`78`	`+func (c *common) IsSensitive() bool {`
`79`	`79`	`return c.sensitive`
`80`	`80`	`}`
`81`	`81`
`@@ -150,17 +150,17 @@ type internalSetting interface {`
`150`	`150`
`151`	`151`	`init(class Class, key InternalKey, description string, slot slotIdx)`
`152`	`152`	`isRetired() bool`
`153`		`- isSensitive() bool`
	`153`	`+ IsSensitive() bool`
`154`	`154`	`getSlot() slotIdx`
`155`	`155`
`156`		`- // isReportable indicates whether the value of the setting can be`
	`156`	`+ // IsReportable indicates whether the value of the setting can be`
`157`	`157`	`// included in user-facing reports such as that produced by SHOW ALL`
`158`	`158`	`// CLUSTER SETTINGS.`
`159`	`159`	`// This only affects reports though; direct access is unconstrained.`
`160`	`160`	// For example, `enterprise.license` is non-reportable:
`161`	`161`	// it cannot be listed, but can be accessed with `SHOW CLUSTER
`162`	`162`	// SETTING enterprise.license` or SET CLUSTER SETTING.
`163`		`- isReportable() bool`
	`163`	`+ IsReportable() bool`
`164`	`164`
`165`	`165`	`setToDefault(ctx context.Context, sv *Values)`
`166`	`166`
`@@ -179,15 +179,15 @@ func TestingIsReportable(s Setting) bool {`
`179`	`179`	`return false`
`180`	`180`	`}`
`181`	`181`	`if e, ok := s.(internalSetting); ok {`
`182`		`- return e.isReportable()`
	`182`	`+ return e.IsReportable()`
`183`	`183`	`}`
`184`	`184`	`return true`
`185`	`185`	`}`
`186`	`186`
`187`	`187`	`// TestingIsSensitive is used in testing for sensitivity.`
`188`	`188`	`func TestingIsSensitive(s Setting) bool {`
`189`	`189`	`if e, ok := s.(internalSetting); ok {`
`190`		`- return e.isSensitive()`
	`190`	`+ return e.IsSensitive()`
`191`	`191`	`}`
`192`	`192`	`return false`
`193`	`193`	`}`
Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,7 @@ func LookupForReportingByKey(key InternalKey, forSystemTenant bool) (Setting, bo`
`494`	`494`	`if !forSystemTenant && s.Class() == SystemOnly {`
`495`	`495`	`return nil, false`
`496`	`496`	`}`
`497`		`- if !s.isReportable() {`
	`497`	`+ if !s.IsReportable() {`
`498`	`498`	`return &MaskedSetting{setting: s}, true`
`499`	`499`	`}`
`500`	`500`	`return s, true`
`@@ -531,7 +531,7 @@ func LookupForDisplayByKey(`
`531`	`531`	`if !forSystemTenant && s.Class() == SystemOnly {`
`532`	`532`	`return nil, false`
`533`	`533`	`}`
`534`		`- if s.isSensitive() && !canViewSensitive {`
	`534`	`+ if s.IsSensitive() && !canViewSensitive {`
`535`	`535`	`return &MaskedSetting{setting: s}, true`
`536`	`536`	`}`
`537`	`537`	`return s, true`
`@@ -565,7 +565,7 @@ var ReadableTypes = map[string]string{`
`565`	`565`	`// - "<unknown>" if there is no setting with this name.`
`566`	`566`	`func RedactedValue(key InternalKey, values *Values, forSystemTenant bool) string {`
`567`	`567`	`if k, ok := registry[key]; ok {`
`568`		`- if k.Typ() == "s" \|\| k.isSensitive() \|\| !k.isReportable() {`
	`568`	`+ if k.Typ() == "s" \|\| k.IsSensitive() \|\| !k.IsReportable() {`
`569`	`569`	`return "<redacted>"`
`570`	`570`	`}`
`571`	`571`	`}`
Original file line number	Diff line number	Diff line change
`@@ -718,12 +718,12 @@ func TestIsReportable(t *testing.T) {`
`718`	`718`	`if v, ok, _ := settings.LookupForLocalAccess(`
`719`	`719`	`"bool.t", settings.ForSystemTenant,`
`720`	`720`	`); !ok \|\| !settings.TestingIsReportable(v) {`
`721`		`- t.Errorf("expected 'bool.t' to be marked as isReportable() = true")`
	`721`	`+ t.Errorf("expected 'bool.t' to be marked as IsReportable() = true")`
`722`	`722`	`}`
`723`	`723`	`if v, ok, _ := settings.LookupForLocalAccess(`
`724`	`724`	`"sekretz", settings.ForSystemTenant,`
`725`	`725`	`); !ok \|\| settings.TestingIsReportable(v) {`
`726`		`- t.Errorf("expected 'sekretz' to be marked as isReportable() = false")`
	`726`	`+ t.Errorf("expected 'sekretz' to be marked as IsReportable() = false")`
`727`	`727`	`}`
`728`	`728`	`}`
`729`	`729`