Update LDR privileges for v25.2 #19518
Conversation
✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.
|
✅ Deploy Preview for cockroachdb-api-docs canceled.
|
|
|
||
| <image src="{{ 'images/v25.2/bidirectional-stream.svg' | relative_url }}" alt="Diagram showing bidirectional LDR from cluster A to B and back again from cluster B to A." style="width:70%" /> | ||
|
|
||
| For more details on use cases, refer to the [Logical Data Replication Overview]({% link {{ page.version.version }}/logical-data-replication-overview.md %}). | ||
|
|
||
| ## Syntax |
There was a problem hiding this comment.
This is not new content, I moved this up from one of the steps. Since the privilege instructions would have preceded these syntax descriptions, it made sense to pull this Syntax section up to the introduction.
✅ Netlify Preview
To edit notification comments on pull requests, go to your Netlify site configuration. |
| Use the [`GRANT SYSTEM`]({% link {{ page.version.version }}/grant.md %}) statement: | ||
| - The table-level `REPLICATIONSOURCE` privilege on the source table(s). | ||
|
|
||
| This is the user provided in the source URI when you start a LDR stream. |
There was a problem hiding this comment.
Do you mean that the user provided in the source must have this privilege? This line doesn't have a bullet point on it so it was a bit confusing to read.
|
|
||
| On the destination cluster: | ||
|
|
||
| - The table-level `REPLICATIONDEST` privilege on the destination table(s). |
There was a problem hiding this comment.
do we also need to call out that the user here should have the privilege?
|
|
||
| For bidirectional LDR: | ||
|
|
||
| - The user in the original source URI, who begins the reverse LDR stream, requires the table-level `REPLICATIONDEST` privilege. |
There was a problem hiding this comment.
the CREATE LOGICAL REPLICATION STREAM syntax does not automatically set up a reverse stream. so i think this line can be rephrased. For "manually set up" bidi replication, the user essentially has to do the same auth exercises on both sides. E.g.
For setting up the stream from A to B, the user passed in for the URI to A must have the REPLICATIONSOURCE priv, and the user executing the command from B, needs to have the REPLICATIONDEST priv.
For setting up the stream from B to A, the user passed in for the URI to B must have the REPLICATIONSOURCE priv, and the user executing the command from A, needs to have the REPLICATIONDEST priv.
|
|
||
| For bidirectional LDR: | ||
|
|
||
| - The user in the original source URI, who begins the reverse LDR stream, requires the table-level `REPLICATIONDEST` privilege. |
There was a problem hiding this comment.
we should also document that the user provided in the Dest URI must be the same user executing the CREATE LOGICALLY REPLICATED table cmd. For example, in this unit test:
https://github.com/jeffswenson/cockroach/blob/jeffswenson-workload-generate-decimals/pkg/crosscluster/logical/logical_replication_job_test.go#L2180
CREATE LOGICALLY REPLICATED TABLES (tab_clone_2, tab2_clone_2) FROM TABLES (tab, tab2) ON $1 WITH BIDIRECTIONAL ON $2
the user in the URI supplied at $2 must be the same user executing the CREATE LOGICALLY REPLICATED table cmd.
(I need to add a quick patch to assert this but higher priority things have gotten in the way)
| For details on which syntax to use, refer to the [Syntax](#syntax) section at the beginning of this tutorial. | ||
|
|
||
| {{site.data.alerts.callout_info}} | ||
| If you are setting up bidirectional LDR, each cluster must **authorize both stream directions** using the table-level privileges. Ensure that you also grant privileges to users running the LDR stream in the reverse direction (from the original destination to the original source). |
There was a problem hiding this comment.
given my comments above on the slightly different reverse stream auth stories for bidi replication, I think this callout could be rephrased.
katmayb
force-pushed
the
ldr-privileges-25.2
branch
4 times, most recently
from
f5b0559 to
29b7b42
Compare
| B ➔ A | B | User in the LDR connection string. | `REPLICATIONSOURCE` | ||
| B ➔ A | A | User running the command. | `REPLICATIONDEST` | ||
|
|
||
| Grant a table-level privilege with the [`GRANT`]({% link {{ page.version.version }}/grant.md %}) statement to a [user or a role]({% link {{ page.version.version }}/security-reference/authorization.md %}#users-and-roles): |
There was a problem hiding this comment.
nit: a user can still grant these privs at the system level if they'd like. If a user was running LDR over a 1000 tables, perhaps they'd rather use the system level priv as oppose to granting the priv on each table.
| ----------------------+---------+-----------+------------------- | ||
| A ➔ B | A | User in source connection string. | `REPLICATIONSOURCE` on A's tables. | ||
| A ➔ B | B | User running `CREATE LOGICALLY REPLICATED` from the destination cluster. The destination table will be created and the user given the `REPLICATIONDEST` privilege on the new table automatically.<br>**Note:** Must match the user in the destination connection string for bidirectional LDR. | `CREATE` on B's parent database. | ||
| B ➔ A (reverse stream) | B | User in the new source connection string. | `REPLICATIONSOURCE` on B's tables. |
There was a problem hiding this comment.
this isn't necessary. Becuase the user in the reverse stream is the user that ran the CREATE LDR stmt, it has CREATE on the database and is implicitly granted REPLICATIONSOURCE on B's tables.
There was a problem hiding this comment.
Got it, removed that line!
| Use the [`GRANT SYSTEM`]({% link {{ page.version.version }}/grant.md %}) statement: | ||
| LDR from cluster A to B represents a _unidirectional_ setup from a source to a destination cluster. LDR from cluster B to A is the reverse stream for a _bidirectional_ setup: | ||
|
|
||
| Replication direction | Cluster | User role | Required privileges |
There was a problem hiding this comment.
i think this table explains things really well, and I wonder if it should be supplemented with a toy command, especially for the bidi case:
user baz executes the following statement
CREATE LOGICALLY REPLICATED TABLES B.tab FROM TABLES A.tab ON 'uriToA/user=foo' WITH BIDIRECTIONAL ON 'uriToB/user=baz
For this to work
- baz requires
CREATEon database B, implicitly gets REPLICATIONDEST and REPLICATIONSOURCE on b.tab - foo requires
REPLICATIONSOURCEandREPLICATIONDESTon A.tab - baz must be the user in the BIDIRECTIONAL ON uri.
There was a problem hiding this comment.
Added this example under the table
katmayb
force-pushed
the
ldr-privileges-25.2
branch
from
29b7b42 to
a9b2d1c
Compare
katmayb
force-pushed
the
ldr-privileges-25.2
branch
from
a9b2d1c to
76b77c7
Compare
Fixes DOC-12962, DOC-12786
This PR updates the LDR privileges for v25.2.
Adds the
REPLICATIONDESTandREPLICATIONSOURCEprivilege. Deprecates theREPLICATIONprivilege.Updates the SQL ref pages, tutorial for LDR, and general Auth page of privileges.
The tutorial content required some shuffling round to ensure the privilege instructions made logical sense.
Preview
Tutorial
Create logical replication stream
Create logically replicated