Feature/network policy sql #30172
Feature/network policy sql #30172
Conversation
jubrad
force-pushed
the
feature/network-policy-sql
branch
8 times, most recently
from
dee5cb3 to
bf15d75
Compare
jubrad
force-pushed
the
feature/network-policy-sql
branch
from
bf15d75 to
b91df2d
Compare
|
MitigationsCompleting required mitigations increases Resilience Coverage.
Risk Summary:The pull request presents a high risk with a score of 80, driven by the predictors "Sum Bug Reports Of Files" and "Delta of Executable Lines." Historically, PRs with these predictors are 116% more likely to cause a bug than the repository baseline. Additionally, seven modified files are recent hotspots for bug fixes. The observed bug trend in the repository is increasing, indicating a need for careful review. Note: The risk score is not based on semantic analysis but on historical predictors of bug occurrence in the repository. The attributes above were deemed the strongest predictors based on that history. Predictors and the score may change as the PR evolves in code, time, and review activity. Bug Hotspots:
|
jubrad
force-pushed
the
feature/network-policy-sql
branch
from
b91df2d to
0596606
Compare
|
@jkosh44 I can review this one since I have the context paged in, feel free to unassign yourself! |
Works for me. |
jubrad
force-pushed
the
feature/network-policy-sql
branch
from
0596606 to
f9e585d
Compare
jubrad
force-pushed
the
feature/network-policy-sql
branch
2 times, most recently
from
9a1519a to
427bc66
Compare
There was a problem hiding this comment.
By and large looks good to me, just some smaller changes I'd love to see before merging.
Btw I looked into the massive diff on the Persist stats snapshot, it's because you added a new variant to the AclMode struct which changed the proptest strategy for generating Datums. So no worries about that!
src/repr/src/adt/mz_acl_item.rs
Outdated
| // compute Network Policy | ||
| const CREATE_NETWORK_POLICY_CHAR: char = 'P'; |
There was a problem hiding this comment.
how did you select P, feels like something we should run by the sql council? Also note the comment on the other consts capitalizes the letter in the resource that we're using here, e.g. this comment should be // network Policy if we use P
There was a problem hiding this comment.
yeah, well it is the P in network Policy, whether that's good enough justification IDK, but it seems as reasonable as anything I can think of.
There was a problem hiding this comment.
Yeah it seems quite reasonable, we could also do n but that might confuse users with N, sticking with P sounds good to me
test/sqllogictest/network_policy.slt
Outdated
| SHOW NETWORK POLICIES | ||
| ---- | ||
| np | ||
| (empty) |
There was a problem hiding this comment.
should SHOW NETWORK POLICIES include more info? maybe the rules that are in the policy?
There was a problem hiding this comment.
I updated this to include rules, for better or worse, I went with a similar model to how we display replicas on clusters. The downside to this is that one could create a policy with 25 rules, leading to a rather long value.
jubrad
force-pushed
the
feature/network-policy-sql
branch
3 times, most recently
from
c74e4e5 to
4851fc5
Compare
jubrad
force-pushed
the
feature/network-policy-sql
branch
from
4851fc5 to
d15206a
Compare
jubrad
force-pushed
the
feature/network-policy-sql
branch
5 times, most recently
from
e360c89 to
5bfe9cd
Compare
jubrad
force-pushed
the
feature/network-policy-sql
branch
from
5bfe9cd to
8b132fb
Compare
<!-- Describe the contents of the PR briefly but completely. If you write detailed commit messages, it is acceptable to copy/paste them here, or write "see commit messages for details." If there is only one commit in the PR, GitHub will have already added its commit message above. --> ### Motivation - adds a new predefined network policy - removes the allow list based policy system var in favor of a new `network_policy` system var - swaps policy enforcement to use the default policy. stacked on #30172 part of MaterializeInc/database-issues#4637 <!-- Which of the following best describes the motivation behind this PR? * This PR fixes a recognized bug. [Ensure issue is linked somewhere.] * This PR adds a known-desirable feature. [Ensure issue is linked somewhere.] * This PR fixes a previously unreported bug. [Describe the bug in detail, as if you were filing a bug report.] * This PR adds a feature that has not yet been specified. [Write a brief specification for the feature, including justification for its inclusion in Materialize, as if you were writing the original feature specification.] * This PR refactors existing code. [Describe what was wrong with the existing code, if it is not obvious.] --> ### Tips for reviewer If you are reviewing this prior to #30172 going in, you should only look at the `add predefined network policy and system var` commit. <!-- Leave some tips for your reviewer, like: * The diff is much smaller if viewed with whitespace hidden. * [Some function/module/file] deserves extra attention. * [Some function/module/file] is pure code movement and only needs a skim. Delete this section if no tips. --> ### Checklist - [ ] This PR has adequate test coverage / QA involvement has been duly considered. ([trigger-ci for additional test/nightly runs](https://trigger-ci.dev.materialize.com/)) - [ ] This PR has an associated up-to-date [design doc](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/README.md), is a design doc ([template](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/00000000_template.md)), or is sufficiently small to not require a design. <!-- Reference the design in the description. --> - [ ] If this PR evolves [an existing `$T ⇔ Proto$T` mapping](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/command-and-response-binary-encoding.md) (possibly in a backwards-incompatible way), then it is tagged with a `T-proto` label. - [ ] If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label ([example](MaterializeInc/cloud#5021)). <!-- Ask in #team-cloud on Slack if you need help preparing the cloud PR. --> - [ ] If this PR includes major [user-facing behavior changes](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/guide-changes.md#what-changes-require-a-release-note), I have pinged the relevant PM to schedule a changelog post. --------- Co-authored-by: Parker Timmerman <[email protected]>
Motivation
Adds SQL for managing network policies
Part of https://github.com/MaterializeInc/database-issues/issues/4637
Tips for reviewer
syntax discussed here #29814
Checklist
$T ⇔ Proto$Tmapping (possibly in a backwards-incompatible way), then it is tagged with aT-protolabel.