
add the concept of "path names reserved for system use" #11673

@ijon

Description


There are a few schema/path names that ydb already uses for its own purposes:

  • .sys
  • .metadata
  • (also .sys_health, which is employed not by ydb itself but by the SLO probing process)

These names are considered "system", so a user shouldn't mess with them. But internally ydb doesn't really have a notion of reserved path names. So there is nothing that could prevent a user from:

  • creating those (or similar) names
  • or creating user objects inside those directories

For example, unfortunate (re)use of the .metadata name for a user table would suppress important functionality of the database (or even make it unusable).

How it should be:

  1. YDB should have:
    • the whitelist of reserved system names
    • the list of reserved name prefixes
  2. A user should not be able to:
    • create a schema object with a reserved name or with a reserved name prefix
    • create or manage objects inside any system directory (or a system directory itself)
  3. The system should continue to be able to manage system directory
  4. An admin user should continue to be able to manage a system directory and its content (for the purpose of making amends)
  5. Neither the system, nor an admin should be able to:
    • create names with a reserved name prefix but not whitelisted by the reserved names list

Ticks:

  • introduce whitelist of reserved names:
    • .metadata
    • .sys
  • evaluate candidates:
    • .tmp -- is used for temporary objects bound to kqp sessions -- included in the reserved list
    • .backups -- proposed place for backup collections -- included in the reserved list
    • .Queues, .RemovedQueues, .Settings, .AtomicCounter, .Events, .Quoter, .STD, .FIFO -- used by YMQ/SQS -- added to the temporary not-under-protection list of exceptions
  • introduce reserved name prefixes:
    • .
    • __ydb
  • forbid creation of reserved names (2, 5)
  • forbid an ordinary user from creating a system directory by using it as an intermediate directory in the object path (2)
  • update tests that use now forbidden names
  • legitimize an exception for .sys_health or think about another place for SLO probes -- yes, .sys_health added to the temporary not-under-protection list of exceptions
  • maybe allow the system to create table indexes with reserved names
  • decide if restore operation must bypass reserved names protection, to allow recreation of names that were legitimate somewhere else or at different point in time -- yes, no protection for restore, until we decide otherwise
  • a move of a compound object (table) should not allow the main object to get a reserved name, but should allow any child objects (indexes, sequences, cdc-streams) to keep their illegitimate names if they happen to have them
  • maybe add a config parameter to influence the "not-under-protection list of exceptions" without changing the code

Sideline:

  • decide if . should be forbidden in names entirely, not only as a prefix
  • decide if yql keywords should also be forbidden as path names

Follow-ups:

  • document protection rules and behavior in the user documentation
  • create changelog entry

PRs:
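
The rules listed in the issue can be read as one path-validation routine. The sketch below is an added example, not YDB's code or anything from the linked PRs: the `Actor` enum, the function names (`CheckCreate`, `CheckMove`, `SplitPath`), and the sample paths in `main` are all assumptions made here for illustration. It encodes the whitelist of reserved names, the `.` and `__ydb` prefixes, the temporary exception list, the "every intermediate component is checked" rule, the admin/system carve-out, the restore bypass, and the move rule where only the main object's new name is validated.

```cpp
#include <iostream>
#include <string>
#include <string_view>
#include <vector>

// Hypothetical sketch of the reserved-name rules from the issue; none of these
// identifiers are YDB's own.
enum class Actor { User, Admin, System };

// Whitelist of reserved system names.
static const std::vector<std::string_view> kReservedNames = {
    ".metadata", ".sys", ".tmp", ".backups"};

// Reserved name prefixes.
static const std::vector<std::string_view> kReservedPrefixes = {".", "__ydb"};

// Temporary not-under-protection exceptions (SLO probe dir and YMQ/SQS dirs).
static const std::vector<std::string_view> kExceptions = {
    ".sys_health", ".Queues", ".RemovedQueues", ".Settings", ".AtomicCounter",
    ".Events", ".Quoter", ".STD", ".FIFO"};

static bool Contains(const std::vector<std::string_view>& list, std::string_view name) {
    for (std::string_view x : list) {
        if (x == name) return true;
    }
    return false;
}

static bool HasReservedPrefix(std::string_view name) {
    for (std::string_view p : kReservedPrefixes) {
        if (name.size() >= p.size() && name.compare(0, p.size(), p) == 0) return true;
    }
    return false;
}

// Split "/Root/a/b" into {"Root", "a", "b"}; empty components are dropped.
std::vector<std::string_view> SplitPath(std::string_view path) {
    std::vector<std::string_view> parts;
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find('/', start);
        if (end == std::string_view::npos) end = path.size();
        if (end > start) parts.push_back(path.substr(start, end - start));
        start = end + 1;
    }
    return parts;
}

struct Verdict {
    bool allowed;
    std::string reason;
};

// Decide whether `actor` may create an object at `path`. Every component is
// checked, so a reserved directory cannot be created implicitly as an
// intermediate of a deeper object.
Verdict CheckCreate(std::string_view path, Actor actor, bool isRestore = false) {
    if (isRestore) {
        return {true, "restore bypasses reserved-name protection"};
    }
    for (std::string_view name : SplitPath(path)) {
        if (Contains(kExceptions, name)) {
            continue;  // temporarily legitimized, anyone may use it
        }
        if (Contains(kReservedNames, name)) {
            if (actor == Actor::User) {
                return {false, "'" + std::string(name) + "' is a reserved system name"};
            }
            continue;  // system and admin may manage system directories and their content
        }
        if (HasReservedPrefix(name)) {
            // Reserved prefix without a whitelist entry: forbidden for everyone.
            return {false, "'" + std::string(name) + "' uses a reserved prefix but is not whitelisted"};
        }
    }
    return {true, ""};
}

// Move of a compound object: only the new name of the main object is checked;
// child objects (indexes, sequences, cdc streams) keep whatever names they had.
Verdict CheckMove(std::string_view dstPath, Actor actor) {
    return CheckCreate(dstPath, actor);
}

int main() {
    struct Case { const char* path; Actor actor; bool restore; };
    // Constructed sample paths, not taken from any real database.
    const Case cases[] = {
        {"/Root/orders", Actor::User, false},
        {"/Root/.metadata", Actor::User, false},
        {"/Root/.sys/mytable", Actor::User, false},
        {"/Root/.sys/mytable", Actor::System, false},
        {"/Root/.foo", Actor::Admin, false},
        {"/Root/__ydb_scratch", Actor::System, false},
        {"/Root/.sys_health/probe", Actor::User, false},
        {"/Root/.metadata", Actor::User, true},
    };
    for (const Case& c : cases) {
        Verdict v = CheckCreate(c.path, c.actor, c.restore);
        std::cout << c.path << ": " << (v.allowed ? "allowed" : "denied");
        if (!v.reason.empty()) std::cout << " (" << v.reason << ")";
        std::cout << "\n";
    }
    return 0;
}
```

Note the ordering of the checks: the exception list is consulted before the prefix rule, otherwise `.sys_health` and the YMQ/SQS directories would be rejected by the `.` prefix. Whether restore should really skip the whole routine, and whether the exception list should come from configuration rather than a constant, are the open ticks above.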
