fix(frontend): harden SHOW object visibility #25585
Make SHOW object lists and known-name metadata probes honor object visibility, and redact hidden secret refs in connection output. Move connector-backed SHOW visibility coverage into source/sink/connection e2e suites so the DDL metadata-only test does not depend on external schema registry validation or madsim secret materialization.

Constraint: User requested the approved SHOW object visibility hardening plan.
Confidence: high
Scope-risk: narrow
Directive: Avoid leaking unauthorized object and secret names through SHOW commands.
Tested: git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt
Tested: cargo fmt --all -- --check
Tested: cargo check -p risingwave_frontend
Not-tested: local SLT because no RisingWave server is running on 127.0.0.1:4566.
Co-authored-by: OmX <omx@oh-my-codex.dev>
Current CI blocker is checkout/ref generation, not a product/test failure. Evidence at the time of this comment:
The code branch itself is present and the PR API head is correct; this likely needs GitHub/ref-generation or Buildkite checkout-source intervention rather than another code change.
Additional ref-generation probes:
So this is no longer isolated to the original
@tabVersion Could you STOP SPAMMING? Add reviewers when you are ready
The PR is ready for review, just had some trouble debugging buildkite
tabVersion left a comment:
Thanks for the SHOW visibility hardening work. I checked the current CI for buildkite/pull-request build 95735 and the red jobs are not showing a product regression yet; they fail before the intended SHOW assertions run because the new `system ok` commands invoke raw `psql` without the RisingWave frontend host/port. I left one inline note with the concrete blocker. The frontend code changes otherwise look aligned with the intended ACL filtering/redaction approach from my pass.
Make the new SHOW visibility system-command probes pass the SLT-provided RisingWave frontend host, port, and database to psql. This avoids psql falling back to the local PostgreSQL Unix socket in Buildkite.

Tested: git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/sink/blackhole_sink.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt
Tested: bash -n over all 20 changed psql system commands
Tested: cargo fmt --all -- --check
Not-tested: targeted local SLT because no RisingWave server is running on 127.0.0.1:4566.
This PR seems roughly aligned with the MySQL behavior except the column privilege, which RW doesn't support. Have you also checked if the PG-style `\d` `\l` is using correct visibility?
I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.
Replacement PR for #25571 and #25584. The previous PR #25571 had a stale GitHub synthetic ref `refs/pull/25571/head`, so Buildkite could only fetch the old head ref and could not check out the branch/PR API head. The first replacement #25584 was created while #25571 was still in that bad state and GitHub did not create `refs/pull/25584/head`. This PR uses the same final code/tree on a fresh branch after closing #25571, so Buildkite should be able to fetch the correct PR head ref.

What's changed and what's your intention?
This PR hardens user-visible `SHOW` metadata surfaces so a user with schema visibility alone cannot enumerate object names or secret references that they do not have object-level privilege for.

Changes:

- `SHOW` object-list handlers now use ACL-aware schema iterators: `SHOW TABLES`, `SHOW INTERNAL TABLES`, `SHOW VIEWS`, `SHOW MATERIALIZED VIEWS`, `SHOW SOURCES`, `SHOW SINKS`, `SHOW SUBSCRIPTIONS`, `SHOW SECRETS`, `SHOW CONNECTIONS`, `SHOW FUNCTIONS`.
- `SHOW COLUMNS FROM <table/source>` and `SHOW INDEXES FROM <table>` use the normal batch binder path instead of the system binder path, avoiding known-name metadata probing for hidden relations.
- `SHOW COLUMNS FROM <sink/view>`, while preserving system-view column introspection.
- Connection output shows `SECRET <redacted>` instead of `SECRET schema.secret_name` when the user cannot see the referenced secret.
- The same redaction applies to `rw_catalog.rw_connections`.

Current limitation / follow-up:

`rw_catalog.rw_sources` was identified as a separate system-catalog surface that can still need visibility/secret-reference hardening. Iceberg-related catalog views should also be triaged in a follow-up pass.

Checklist
Documentation
Release note
RisingWave now avoids exposing unauthorized object names through `SHOW` object-list commands and known-name `SHOW COLUMNS`/`SHOW INDEXES` probes. Visible connection metadata also redacts referenced secret names when the user cannot independently see the secret.

Local verification
Passed:

- `git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt`
- `cargo fmt --all -- --check`
- `cargo check -p risingwave_frontend`

Attempted but blocked locally:

- `./risedev psql -c "select 1"` failed because no RisingWave server was running on `127.0.0.1:4566`, so local SLT was not run.
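The three behaviours the Changes section describes (privilege-filtered object lists, known-name probes that cannot distinguish a hidden relation from a missing one, and secret-reference redaction in connection output) can be modelled in a few dozen lines. The block below is an added example written for this page and is not RisingWave's frontend code: `Catalog`, `Object`, `User`, `ObjectKind`, `ShowError` and the privilege model (USAGE on the schema plus an object-level privilege, or superuser) are hypothetical stand-ins for the real catalog and ACL types, and the sample objects are constructed.

```rust
// Added example: a self-contained model of ACL-aware SHOW handling.
// This is NOT RisingWave frontend code; the catalog, user and privilege
// types are hypothetical stand-ins for the real ones.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum ObjectKind {
    Table,
    Secret,
    Connection,
}

#[derive(Clone, Debug)]
struct Object {
    id: u32,
    kind: ObjectKind,
    schema: String,
    name: String,
    columns: Vec<String>,  // populated for tables
    secret_refs: Vec<u32>, // ids of secrets referenced (connections)
}

struct Catalog {
    objects: Vec<Object>,
}

struct User {
    superuser: bool,
    usage_on_schemas: HashSet<String>, // USAGE privilege on a schema
    privileged_objects: HashSet<u32>,  // object-level privilege (e.g. SELECT)
}

impl User {
    /// Schema visibility alone is not enough: the caller also needs an
    /// object-level privilege (or superuser) to see the object at all.
    fn can_see(&self, obj: &Object) -> bool {
        self.superuser
            || (self.usage_on_schemas.contains(&obj.schema)
                && self.privileged_objects.contains(&obj.id))
    }
}

#[derive(Debug, PartialEq)]
enum ShowError {
    NotFound(String),
}

impl Catalog {
    /// SHOW TABLES / SHOW SECRETS / ...: iterate the schema but yield only
    /// the objects the caller is allowed to see.
    fn show_objects(&self, user: &User, kind: ObjectKind, schema: &str) -> Vec<String> {
        self.objects
            .iter()
            .filter(|o| o.kind == kind && o.schema == schema && user.can_see(o))
            .map(|o| o.name.clone())
            .collect()
    }

    /// SHOW COLUMNS FROM <name>: a known-name probe. A hidden relation and a
    /// non-existent one must yield the same error, otherwise the error text
    /// itself becomes an existence oracle for hidden names.
    fn show_columns(&self, user: &User, schema: &str, name: &str) -> Result<Vec<String>, ShowError> {
        let not_found = || ShowError::NotFound(format!("relation \"{schema}.{name}\" does not exist"));
        let found = self
            .objects
            .iter()
            .find(|o| o.kind == ObjectKind::Table && o.schema == schema && o.name == name);
        match found {
            Some(o) if user.can_see(o) => Ok(o.columns.clone()),
            _ => Err(not_found()),
        }
    }

    /// SHOW CONNECTIONS output: render each secret reference, redacting the
    /// secret's name when the caller cannot independently see that secret.
    fn connection_secret_refs(&self, user: &User, conn_id: u32) -> Vec<String> {
        let Some(conn) = self
            .objects
            .iter()
            .find(|o| o.id == conn_id && o.kind == ObjectKind::Connection)
        else {
            return Vec::new();
        };
        conn.secret_refs
            .iter()
            .filter_map(|id| self.objects.iter().find(|o| o.id == *id))
            .map(|s| {
                if user.can_see(s) {
                    format!("SECRET {}.{}", s.schema, s.name)
                } else {
                    "SECRET <redacted>".to_string()
                }
            })
            .collect()
    }
}

fn obj(id: u32, kind: ObjectKind, name: &str, columns: &[&str], secret_refs: &[u32]) -> Object {
    Object {
        id,
        kind,
        schema: "public".to_string(),
        name: name.to_string(),
        columns: columns.iter().map(|c| c.to_string()).collect(),
        secret_refs: secret_refs.to_vec(),
    }
}

/// Constructed sample catalog: two tables, one secret, and one connection
/// that references the secret.
fn sample_catalog() -> Catalog {
    Catalog {
        objects: vec![
            obj(1, ObjectKind::Table, "orders", &["id", "amount"], &[]),
            obj(2, ObjectKind::Table, "salaries", &["employee", "pay"], &[]),
            obj(3, ObjectKind::Secret, "kafka_password", &[], &[]),
            obj(4, ObjectKind::Connection, "kafka_conn", &[], &[3]),
        ],
    }
}

/// A user with USAGE on `public` and object privilege on `orders` and the
/// connection only; `salaries` and the secret are hidden from them.
fn limited_user() -> User {
    User {
        superuser: false,
        usage_on_schemas: HashSet::from(["public".to_string()]),
        privileged_objects: HashSet::from([1, 4]),
    }
}

fn superuser() -> User {
    User { superuser: true, usage_on_schemas: HashSet::new(), privileged_objects: HashSet::new() }
}

fn main() {
    let cat = sample_catalog();
    let u = limited_user();
    println!("SHOW TABLES               -> {:?}", cat.show_objects(&u, ObjectKind::Table, "public"));
    println!("SHOW SECRETS              -> {:?}", cat.show_objects(&u, ObjectKind::Secret, "public"));
    println!("SHOW COLUMNS FROM salaries -> {:?}", cat.show_columns(&u, "public", "salaries"));
    println!("SHOW COLUMNS FROM missing  -> {:?}", cat.show_columns(&u, "public", "missing"));
    println!("SHOW CONNECTIONS (refs)   -> {:?}", cat.connection_secret_refs(&u, 4));
}
```

The point of `show_columns` is the one the PR makes about the binder path: the privilege check happens before any metadata is returned, and the hidden and missing cases collapse into the same `NotFound`, so a probe with a guessed name learns nothing. A superuser, by contrast, sees both tables and the unredacted `SECRET public.kafka_password` reference.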