sql: include current user in EXPLAIN bundle

spilchen · spilchen · commit a52913114f89 · 2025-03-31T12:43:04.000-03:00
Include the current user in the env.sql file of the EXPLAIN bundle. This information is useful for debugging issues related to row-level security (RLS), as the user determines which policies are applied to a query. This change also verifies the presence of other relevant RLS metadata in the bundle, including: - the list of existing policies, - whether RLS is enabled on the target table, - the policies enforced in the query plan (with EXPLAIN (VERBOSE)), and - modifications to the plan such as injected filters that enforce RLS policies. Includes a new test to validate these additions. Informs #139329 Epic: CRDB-11724 Release note: none
diff --git a/pkg/acceptance/generated_cli_test.go b/pkg/acceptance/generated_cli_test.go
diff --git a/pkg/cli/interactive_tests/test_sb_recreate_rls.tcl b/pkg/cli/interactive_tests/test_sb_recreate_rls.tcl
@@ -0,0 +1,56 @@
+#! /usr/bin/env expect -f
+
+source [file join [file dirname $argv0] common.tcl]
+
+proc file_exists {filepath} {
+  if {! [ file exist $filepath]} {
+    report "MISSING EXPECTED FILE: $filepath"
+    exit 1
+  }
+}
+
+start_test "Ensure that 'debug sb recreate' works with row-level security"
+
+spawn $argv demo --no-line-editor --empty --log-dir=logs
+eexpect "defaultdb>"
+
+send "CREATE TABLE rls1 (pk INT PRIMARY KEY, comment TEXT);\r"
+send "ALTER TABLE rls1 ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY;\r"
+send "CREATE POLICY pol1 ON rls1 USING (comment = 'visible');\r"
+send "CREATE USER rls_user;\r"
+send "ALTER TABLE rls1 OWNER TO rls_user;\r"
+send "GRANT SYSTEM VIEWCLUSTERSETTING TO rls_user;\r"
+send "GRANT SYSTEM VIEWACTIVITY to rls_user;\r"
+send "GRANT SYSTEM VIEWSYSTEMTABLE to rls_user;\r"
+send "SET ROLE rls_user;\r"
+eexpect "defaultdb>"
+
+send "EXPLAIN ANALYZE (DEBUG) SELECT * FROM rls1;\r"
+eexpect "Statement diagnostics bundle generated."
+expect -re "SQL shell: \\\\statement-diag download (\\d+)" {
+  set id1 $expect_out(1,string)
+}
+
+send "\\statement-diag download $id1\r"
+eexpect "Bundle saved to"
+eexpect root@
+
+file_exists "stmt-bundle-$id1.zip"
+
+send_eof
+eexpect eof
+
+set python "python2.7"
+set pyfile [file join [file dirname $argv0] unzip.py]
+system "mkdir bundle"
+system "$python $pyfile stmt-bundle-$id1.zip bundle"
+
+spawn $argv debug sb recreate bundle
+eexpect "Statement was:"
+eexpect "SELECT"
+eexpect "defaultdb>"
+
+send_eof
+eexpect eof
+
+end_test
diff --git a/pkg/sql/explain_bundle.go b/pkg/sql/explain_bundle.go
@@ -553,6 +553,9 @@ func (b *stmtBundleBuilder) addEnv(ctx context.Context) {
 	}
 	fmt.Fprintf(&buf, "\n")
 
+	c.PrintUser(&buf)
+	fmt.Fprintf(&buf, "\n")
+
 	// Show the values of session variables and cluster settings that have
 	// values different from their defaults.
 	if err := c.PrintSessionSettings(&buf, b.sv, false /* all */); err != nil {
@@ -1010,6 +1013,12 @@ func (c *stmtEnvCollector) PrintVersion(w io.Writer) error {
 	return err
 }
 
+func (c *stmtEnvCollector) PrintUser(w io.Writer) {
+	// Show the connected user. If the bundle includes a statement for a table
+	// with RLS enabled, this helps to explain why certain policies were enforced.
+	fmt.Fprintf(w, "-- User: %s\n", c.p.User())
+}
+
 // makeSingleLine replaces all control characters with a single space. This is
 // needed so that session variables and cluster settings would fit on a single
 // line.
@@ -1098,20 +1107,22 @@ func (c *stmtEnvCollector) PrintSessionSettings(w io.Writer, sv *settings.Values
 		// We'll skip this variable only if its value matches both of the
 		// defaults.
 		skip := value == binaryDefault && value == clusterDefault
-		if buildutil.CrdbTestBuild {
+		commentOut := false // If skip is true, should we leave a commented out version of the var?
+		switch varName {
+		case "direct_columnar_scans_enabled":
 			// In test builds we might randomize some setting defaults, so
 			// we need to ignore them to make the tests deterministic.
-			switch varName {
-			case "direct_columnar_scans_enabled":
-				// This variable's default is randomized in test builds.
+			skip = buildutil.CrdbTestBuild
+		case "role":
+			// If a role is set, we comment it out in env.sql. Otherwise, running
+			// 'debug sb recreate' will fail with a non-existent user/role error.
+			if !skip {
 				skip = true
+				commentOut = true
 			}
 		}
 		// Use the "binary default" as the value that we will set to.
 		defaultValue := binaryDefault
-		if skip && !all {
-			continue
-		}
 		if _, ok := sessionVarNeedsEscaping[varName]; ok || anyWhitespace.MatchString(value) {
 			value = lexbase.EscapeSQLString(value)
 		}
@@ -1120,6 +1131,14 @@ func (c *stmtEnvCollector) PrintSessionSettings(w io.Writer, sv *settings.Values
 			// parsable.
 			value = "''"
 		}
+		if skip && !all {
+			if commentOut {
+				// When commenting it out, keep the SET command mostly intact
+				// so it can be easily uncommented later if needed.
+				fmt.Fprintf(w, "-- SET %s = %s; -- skip\n", varName, value)
+			}
+			continue
+		}
 		fmt.Fprintf(w, "SET %s = %s;  -- default value: %s\n", varName, value, defaultValue)
 	}
 	return nil
diff --git a/pkg/sql/explain_bundle_test.go b/pkg/sql/explain_bundle_test.go
@@ -944,6 +944,46 @@ CREATE TABLE users(id UUID DEFAULT gen_random_uuid() PRIMARY KEY, promo_id INT R
 			base, plans, "distsql.html vec.txt vec-v.txt stats-defaultdb.public.gist.sql",
 		)
 	})
+
+	t.Run("row-level security", func(t *testing.T) {
+		r.Exec(t, "CREATE TABLE rls1 (pk INT PRIMARY KEY, u TEXT, val SMALLINT)")
+		alterTableDDL := "ALTER TABLE public.rls1 ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY"
+		r.Exec(t, alterTableDDL)
+		r.Exec(t, "CREATE POLICY policy1 ON rls1 USING (u = 'hal')")
+		r.Exec(t, "CREATE USER rls_user")
+		r.Exec(t, "GRANT SYSTEM VIEWCLUSTERSETTING TO rls_user")
+		r.Exec(t, "ALTER TABLE rls1 OWNER TO rls_user")
+		r.Exec(t, "SET ROLE rls_user")
+		defer r.Exec(t, "SET ROLE root")
+
+		rows := r.QueryStr(t, "EXPLAIN ANALYZE (DEBUG,VERBOSE) SELECT * FROM rls1")
+		checkBundle(
+			t, fmt.Sprint(rows), "public.rls1", func(name, contents string) error {
+				if name == "env.sql" {
+					if !strings.Contains(contents, `-- User: rls_user`) {
+						return errors.Errorf("could not find user 'rls_user' in env.sql:\n%s", contents)
+					}
+				}
+				if name == "plan.txt" {
+					if !strings.Contains(contents, `policies: policy1`) {
+						return errors.Errorf("could not find policy information in the plan.txt:\n%s", contents)
+					}
+					if !strings.Contains(contents, "filter: ((u)[string] = ('hal')[string])[bool]") {
+						return errors.Errorf("could not find injected filter from policy in the plan.txt:\n%s", contents)
+					}
+				}
+				if name == "schema.sql" {
+					for _, ddl := range []string{alterTableDDL, "CREATE POLICY policy1 ON public.rls1"} {
+						if !strings.Contains(contents, ddl) {
+							return errors.Errorf("could not find ddl %q in schema.sql:\n%s", ddl, contents)
+						}
+					}
+				}
+				return nil
+			}, false, /* expectErrors */
+			base, plans, "stats-defaultdb.public.rls1.sql", "distsql.html vec.txt vec-v.txt",
+		)
+	})
 }
 
 func getBundleDownloadURL(t *testing.T, text string) string {
