Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pre create anon ext #6272

Merged
merged 1 commit into from
Feb 9, 2024
Merged

Pre create anon ext #6272

merged 1 commit into from
Feb 9, 2024

Conversation

lubennikovaav
Copy link
Contributor

@lubennikovaav lubennikovaav commented Jan 4, 2024
edited
Loading

Problem

It is not possible to create anon extension, because it requires superuser to install the extension:

From extension docs:

pg_catalog is always owned by the initial superuser role.
So in practice, you need to be superuser to run the SECURITY LABEL command, 
which means that you need to be superuser to install the extension.

https://gitlab.com/dalibo/postgresql_anonymizer/-/blob/master/anon.sql#L30

--
-- By default, masking filter functions must be trusted
-- and we only trust functions from `pg_catalog` and `anon` namespaces
-- This can be bypassed by setting `anon.restrict_to_trusted_schemas` to false
--
SECURITY LABEL FOR anon ON SCHEMA pg_catalog IS 'TRUSTED';

Summary of changes

  • Add anon extension to compute image.

  • If anon is in shared_preload_libraries and feature flag anon_extension is set in control-plane,
    pre-create extension from superuser at compute start. Run anon.init() and adjust grants to allow db_owner to use the extension.

  • Some functions in anon.sql that access these GUCs are SECURITY DEFINER (called with owner privileges).
    So, I change their ownership to db_owner. As well as ownership of other objects in the schema.

Since we don't have any good concept of superuser yet, I decided that db_owner is a good candidate for "superuser-like" role in the context of anon extension.

I've tested it in preview with commands from this script.
https://gist.github.com/lubennikovaav/33e3fe1acafed9be452fc32261683dad

@lubennikovaav lubennikovaav requested review from a team as code owners January 4, 2024 12:40
@lubennikovaav lubennikovaav requested review from ololobus, knizhnik and vadim2404 and removed request for a team January 4, 2024 12:40
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 4, 2024
edited
Loading

2394 tests run: 2278 passed, 0 failed, 116 skipped (full report)

Flaky tests (3)

Postgres 15

  • test_timeline_deletion_with_files_stuck_in_upload_queue: release

Postgres 14

  • test_empty_branch_remote_storage_upload: debug
  • test_empty_tenant_size: debug

Code coverage (full report)

  • functions: 54.1% (11287 of 20861 functions)
  • lines: 81.2% (63479 of 78167 lines)
The comment gets automatically updated with the latest test results
d97db42 at 2024-02-08T11:18:13.381Z :recycle:

vadim2404
vadim2404 reviewed Jan 4, 2024
View reviewed changes
compute_tools/src/spec.rs Outdated Show resolved Hide resolved
@lubennikovaav lubennikovaav mentioned this pull request Jan 4, 2024
Closed
@knizhnik
Copy link
Contributor

knizhnik commented Jan 4, 2024

Should we first merge neondatabase/postgres#339 (na similar PRs for other Postgres versions) before enabling anon. Because as far as I understand without this patch anon extension still can not be used for Neon users.

@lubennikovaav lubennikovaav marked this pull request as draft January 5, 2024 16:27
@lubennikovaav lubennikovaav mentioned this pull request Jan 5, 2024
Closed
@lubennikovaav lubennikovaav marked this pull request as ready for review January 30, 2024 16:23
@lubennikovaav
Pre-install anon extension from compute_ctl
d97db42 
if anon is in shared_preload_libraries.
Users cannot install it themselves, because superuser is required.

GRANT all priveleged needed to use it to db_owner

We use the neon fork of the extension, because small change to sql file
is needed to allow db_owner to use it.

This feature is behind a feature flag AnonExtension,
so it is not enabled by default.
@lubennikovaav lubennikovaav merged commit eec1e1a into main Feb 9, 2024
50 checks passed
@lubennikovaav lubennikovaav deleted the pre_create_anon_ext branch February 9, 2024 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vadim2404 vadim2404 vadim2404 approved these changes

@ololobus ololobus Awaiting requested review from ololobus ololobus is a code owner automatically assigned from neondatabase/control-plane

@knizhnik knizhnik Awaiting requested review from knizhnik knizhnik is a code owner automatically assigned from neondatabase/compute

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lubennikovaav @knizhnik @vadim2404