Open
Description
There are a few schema/path names that ydb already uses for its own purposes:
- `.sys`
- `.metadata`
- (also `.sys_health`, that is employed not by ydb itself but by the SLO probing process)

These names are considered "system" names, so a user shouldn't mess with them. But internally ydb doesn't really have a notion of reserved path names. So there is nothing that could prevent a user from:
- creating those (or similar) names
- or creating user objects inside those directories
For example, an unfortunate (re)use of the `.metadata` name for a user table would suppress important functionality of the database (or even make it unusable).
How it should be:
- YDB should have:
  - the whitelist of reserved system names
  - the list of reserved name prefixes
- A user should not be able to:
  - create a schema object with a reserved name or with a reserved name prefix
  - create or manage objects inside any system directory (or a system directory itself)
- The system should continue to be able to manage system directory
- An admin user should continue to be able to manage system directory and its content (for the purpose of making amends)
- Neither the system, nor an admin should be able to:
  - create names with a reserved name prefix but not whitelisted by the reserved names list
Ticks:
- introduce whitelist of reserved names:
  - `.metadata`
  - `.sys`
- evaluate candidates:
  - `.tmp` -- is used for temporary objects bound to kqp sessions -- included in the reserved list
  - `.backups` -- proposed place for backup collections -- included in the reserved list
  - `.Queues`, `.RemovedQueues`, `.Settings`, `.AtomicCounter`, `.Events`, `.Quoter`, `.STD`, `.FIFO` -- used by YMQ/SQS -- added to the temporary not-under-protection list of exceptions
- introduce reserved name prefixes:
  - `.`
  - `__ydb`
- forbid creation of reserved names (2, 5)
- forbid ordinary user the creation of system directory by using it as an intermediate directory in the object path (2)
- update tests that use now forbidden names
- legitimize an exception for `.sys_health` or think about another place for SLO probes -- yes, `.sys_health` added to the temporary not-under-protection list of exceptions
- maybe allow system to create table indexes with reserved names
- decide if restore operation must bypass reserved names protection, to allow recreation of names that were legitimate somewhere else or at a different point in time -- yes, no protection for restore, until we decide otherwise
- move of compound object (table) should not allow a main object to get a reserved name, but should allow any child objects (indexes, sequences, cdc-streams) to keep their illegitimate names if they happen to have them
- maybe add config parameter to influence "not-under-protection list of exceptions" without changing the code
Sideline:
- decide if `.` should be forbidden in the names entirely, not only as prefix
- decide if yql keywords should also be forbidden as path names
Follow-ups:
- document protection rules and behavior in the user documentation
- create changelog entry
PRs:
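
The protection rules listed under "How it should be", sketched as a per-component path check. This is an added example, not YDB's own code: `Actor`, `Verdict`, `CheckName` and `CheckPath` are hypothetical names, the name lists are copied from the issue text, and the restore bypass and compound-object move cases are not modeled.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

enum class Actor { User, Admin, System };
enum class Verdict { Allowed, ReservedName, ReservedPrefix };

// Lists as given in the issue text (assumed to be matched case-sensitively).
static const std::set<std::string> kReserved = {".metadata", ".sys", ".tmp", ".backups"};
static const std::vector<std::string> kPrefixes = {".", "__ydb"};
static const std::set<std::string> kExceptions = {  // temporary not-under-protection list
    ".sys_health", ".Queues", ".RemovedQueues", ".Settings", ".AtomicCounter",
    ".Events", ".Quoter", ".STD", ".FIFO"};

// Classify one path component for the given actor.
Verdict CheckName(const std::string& name, Actor actor) {
    if (kExceptions.count(name)) return Verdict::Allowed;
    // Whitelisted system names: only the system or an admin may touch them.
    if (kReserved.count(name))
        return actor == Actor::User ? Verdict::ReservedName : Verdict::Allowed;
    // Reserved prefix without a whitelist entry: denied for everyone,
    // which also blocks look-alikes such as ".metadata2".
    for (const auto& p : kPrefixes)
        if (name.compare(0, p.size(), p) == 0) return Verdict::ReservedPrefix;
    return Verdict::Allowed;
}

// Check every component, so a system directory used as an intermediate
// directory in the object path is caught as well.
Verdict CheckPath(const std::string& path, Actor actor) {
    std::istringstream in(path);
    std::string part;
    while (std::getline(in, part, '/')) {
        if (part.empty()) continue;  // leading or doubled '/'
        Verdict v = CheckName(part, actor);
        if (v != Verdict::Allowed) return v;
    }
    return Verdict::Allowed;
}

int main() {
    // Constructed sample paths.
    for (const char* p : {"/Root/app/t", "/Root/.sys/t", "/Root/.metadata2", "/Root/.Queues"})
        std::cout << p << " user=" << static_cast<int>(CheckPath(p, Actor::User))
                  << " admin=" << static_cast<int>(CheckPath(p, Actor::Admin)) << "\n";
}
```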