Skip to content

importinto: forbid set external-id explicitly and set it to keyspace name when sem enabled on nextgen#61315

Merged
ti-chi-bot[bot] merged 3 commits into
pingcap:masterfrom
D3Hunter:sem-external-id
May 26, 2025
Merged

importinto: forbid set external-id explicitly and set it to keyspace name when sem enabled on nextgen#61315
ti-chi-bot[bot] merged 3 commits into
pingcap:masterfrom
D3Hunter:sem-external-id

Conversation

@D3Hunter

@D3Hunter D3Hunter commented May 26, 2025

Copy link
Copy Markdown
Contributor

What problem does this PR solve?

Issue Number: ref #60418

Problem Summary:

What changed and how does it work?

for import into on nextgen with sem enabled:

  • forbid user set external-id explicitly in the data source S3 url
  • set external-id to keyspace name for S3

for a nextgen cluster, multiple tenants might share the same role ARN, so when one tenant grant access to its import-into source data bucket, other tenant might also able to see and import it, so we use above strategy to make sure the privileges must be granted to only the specific tenant, by set some expression inside S3 policy, like external-id = keyspace-name, and we automatically set the external-id to the keyspace name

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)

with nextgen and SEM

mysql> import into t from 's3://mybucket/a.csv?access-key=minioadmin&secret-access-key=minioadmin&endpoint=http%3a%2f%2flocalhost%3a9000&force-path-style=true&external-id=aaa';
ERROR 8132 (HY000): Feature 'IMPORT INTO with S3 external ID' is not supported when security enhanced mode is enabled


mysql> import into t from 's3://mybucket/a.csv?access-key=minioadmin&secret-access-key=minioadmin&endpoint=http%3a%2f%2flocalhost%3a9000&force-path-style=true';
+--------+----------------------------------------------------------------------------------------------------------------------------------------------------+--------------+----------+-------+----------+------------------+---------------+----------------+----------------------------+----------------------------+----------------------------+------------+
| Job_ID | Data_Source                                                                                                                                        | Target_Table | Table_ID | Phase | Status   | Source_File_Size | Imported_Rows | Result_Message | Create_Time                | Start_Time                 | End_Time                   | Created_By |
+--------+----------------------------------------------------------------------------------------------------------------------------------------------------+--------------+----------+-------+----------+------------------+---------------+----------------+----------------------------+----------------------------+----------------------------+------------+
|  60001 | s3://mybucket/a.csv?access-key=xxxxxx&endpoint=http%3A%2F%2Flocalhost%3A9000&external-id=mykeyspace&force-path-style=true&secret-access-key=xxxxxx | `test`.`t`   |      114 |       | finished | 4B               |             1 |                | 2025-05-26 12:22:59.181178 | 2025-05-26 12:22:59.727514 | 2025-05-26 12:23:01.751417 | root@%     |
+--------+----------------------------------------------------------------------------------------------------------------------------------------------------+--------------+----------+-------+----------+------------------+---------------+----------------+----------------------------+----------------------------+----------------------------+------------+
  • No need to test
    • I checked and no code files have been changed.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

@ti-chi-bot ti-chi-bot Bot added release-note-none Denotes a PR that doesn't merit a release note. sig/planner SIG: Planner size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 26, 2025
@tiprow

tiprow Bot commented May 26, 2025

Copy link
Copy Markdown

Hi @D3Hunter. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov

codecov Bot commented May 26, 2025

Copy link
Copy Markdown

Codecov Report

Attention: Patch coverage is 71.42857% with 8 lines in your changes missing coverage. Please review.

Project coverage is 75.0479%. Comparing base (7702f73) to head (a9bf2a6).
Report is 4 commits behind head on master.

Additional details and impacted files
@@               Coverage Diff                @@
##             master     #61315        +/-   ##
================================================
+ Coverage   73.1677%   75.0479%   +1.8801%     
================================================
  Files          1726       1749        +23     
  Lines        478503     487611      +9108     
================================================
+ Hits         350110     365942     +15832     
+ Misses       106921      98832      -8089     
- Partials      21472      22837      +1365     
Flag Coverage Δ
integration 48.7086% <10.7142%> (?)
unit 72.5142% <71.4285%> (+0.0765%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
dumpling 52.7804% <ø> (ø)
parser ∅ <ø> (∅)
br 62.7172% <0.0000%> (+15.1796%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ti-chi-bot ti-chi-bot Bot added the needs-1-more-lgtm Indicates a PR needs 1 more LGTM. label May 26, 2025
@ti-chi-bot ti-chi-bot Bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels May 26, 2025
@ti-chi-bot

ti-chi-bot Bot commented May 26, 2025

Copy link
Copy Markdown

[LGTM Timeline notifier]

Timeline:

  • 2025-05-26 06:40:43.234450438 +0000 UTC m=+251173.606237899: ☑️ agreed by GMHDBJD.
  • 2025-05-26 07:38:41.082664326 +0000 UTC m=+254651.454451787: ☑️ agreed by tangenta.

@ti-chi-bot

ti-chi-bot Bot commented May 26, 2025

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GMHDBJD, hawkingrei, tangenta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved lgtm release-note-none Denotes a PR that doesn't merit a release note. sig/planner SIG: Planner size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants