December 16, 2019

Get future release notes emailed to you:

Downloads

Docker image

copy
icon/buttons/copy
$ docker pull cockroachdb/cockroach-unstable:v19.1.6

Security updates

  • CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like /_admin/v1/events, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints and restricting access to admin users only.

    Note:

    Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token for an admin user.

  • Some Admin UI screens (e.g., Jobs) were previously incorrectly displayed using root user permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI screens.

  • Privileged HTTP endpoints and certain Admin UI screens require an admin user. However, root is disallowed from logging in via HTTP and it is not possible to create additional admin accounts without an Enterprise license. This is further discussed here and will be addressed in an upcoming patch revision.

    Note:

    Users without an Enterprise license can create an additional admin user using a temporary evaluation license, until an alternative is available. A user created this way will persist beyond the license expiry.

  • Some Admin UI screens currently display an error or a blank page when viewed by a non-admin user (e.g., Table Details). This is a known limitation mistakenly introduced by the changes described above. This situation is discussed further here and will be addressed in an upcoming patch revision. The list of UI pages affected includes but is not limited to:

    • Job details
    • Database details
    • Table details
    • Zone configurations
    Note:

    Users can access these Admin UI screens using an admin user until a fix is available.

The list of HTTP endpoints affected by the first change above includes:

HTTP Endpoint Description Sensitive information revealed Special (see below)
/_admin/v1/data_distribution Database-table-node mapping Database and table names
/_admin/v1/databases/{database}/tables/{table}/stats Table stats histograms Stored table data via PK values
/_admin/v1/drain API to shut down a node Can cause DoS on cluster
/_admin/v1/enqueue_range Force range rebalancing Can cause DoS on cluster
/_admin/v1/events Event log Usernames, stored object names, privilege mappings
/_admin/v1/nontablestats Non-table statistics Stored table data via PK values
/_admin/v1/rangelog Range log Stored table data via PK values
/_admin/v1/settings Cluster settings Organization name
/_status/allocator/node/{node_id} Rebalance simulator Can cause DoS on cluster yes
/_status/allocator/range/{range_id} Rebalance simulatoor Can cause DoS on cluster yes
/_status/certificates/{node_id} Node and user certificates Credentials
/_status/details/{node_id} Node details Internal IP addresses
/_status/enginestats/{node_id} Storage statistics Operational details
/_status/files/{node_id} Retrieve heap and goroutine dumps Operational details yes
/_status/gossip/{node_id} Gossip details Internal IP addresses yes
/_status/hotranges Ranges with active requests Stored table data via PK values
/_status/local_sessions SQL sessions Cleartext SQL queries yes
/_status/logfiles/{node_id} List of log files Operational details yes
/_status/logfiles/{node_id}/{file} Server logs + entries Many: names, application data, credentials, etc. yes
/_status/logs/{node_id} Log entries Many: names, application data, credentials, etc. yes
/_status/profile/{node_id} Profiling data Operational details
/_status/raft Raft details Stored table data via PK values
/_status/range/{range_id} Range details Stored table data via PK values
/_status/ranges/{node_id} Range details Stored table data via PK values
/_status/sessions SQL sessions Cleartext SQL queries yes
/_status/span Statistics per key span Whether certain table rows exist
/_status/stacks/{node_id} Stack traces Application data, stored table data
/_status/stores/{node_id} Store details Operational details
Note:

"Special" endpoints are subject to the cluster setting server.remote_debugging.mode. Unless the setting was customized, clients are only able to connect from the same machine as the node.

SQL language changes

  • EXPLAIN (OPT,ENV) now returns a URL with the data encoded in the fragment portion. Opening the URL shows a page with the decoded data. Note that the data is processed in the local browser session and is never sent out. #41092
  • EXPLAIN ANALYSE can now be used as an alias to EXPLAIN ANALYZE. #41093
  • Mutations under UNION or UNION ALL are now disallowed. This restriction is temporary and will be lifted in a future release. #41496

Admin UI changes

  • Certain web UI pages (like the list of databases or tables) now restrict their content to match the privileges of the logged-in user. #42727
  • The event log now presents all cluster settings changes, unredacted, when an admin user uses the page. #42727
  • Customization of the UI by users is now only properly saved if the user has write privilege to system.ui (i.e., is an admin user). Also, all authenticated users share the same customizations. This is a known limitation and should be lifted in a future version. #42727
  • Access to table statistics are temporarily blocked from access by non-admin users until further notice, for security reasons. #42727
  • Certain debug pages have been blocked from non-admin users for security reasons. #42727

Bug fixes

  • The experimental cloud storage changefeed sink previously violated some of the changefeed invariants under rare conditions. A number of these have been fixed, but some fixes require changes to the format of the filenames output by the cloud storage changefeed. This is unsuitable for inclusion in a patch release, so users of cloud storage changefeed sinks are highly encouraged to upgrade to CockroachDB 19.2 or later. #42907
  • Fixed a crash that occurs when a suboperator with a LIKE comparison has a NULL left-hand side. #41073
  • Reduced write amplification by avoiding forcing files through compactions unnecessarily. #41301
  • Fixed a rare data corruption bug in RocksDB caused by newer Linux kernel's handling of i_generation on certain file systems. #41393
  • Fixed a bug causing the cluster_logical_timestamp() function to sometimes return incorrect results. #41441
  • Fixed internal errors generated during the execution of some complicated cases of correlated subqueries. #41667
  • Fixed a bug causing zone configuration changes on tables with existing index zone configurations to not take effect unless the num_replicas field was also set. #41682
  • Fixed bug causing zone configuration application on indexes to leak into configurations on partitions. #41679
  • Fixed multiple bugs relating to zone configurations and COPY FROM PARENT. Previously, COPY FROM PARENT was ignored when using it on partitions and indexes, and when using it on a zone that had an existing value for the field that was being changed. #41699
  • Fixed a bug causing rapid network disconnections to lead to cluster unavailability because goroutines waited for a connection which will never be initialized to send its first heartbeat. #42165
  • Fixed an internal error in a rare case involving UNION and tuples inside VALUES clauses. #42266
  • CockroachDB now permits planning of window functions within mutation statements, and other statements that can't be distributed. #42617
  • Fixed a bug that would produce a spurious failure with the error message "incompatible COALESCE expressions" when adding or validating MATCH FULL foreign key constraints involving composite keys with columns of differing types. #42652
  • Fixed a case where we incorrectly determine that a query (or part of a query) which contains an IS NULL constraint on a unique index column returns at most one row, possibly ignoring a LIMIT 1 clause. #42792
  • It is now possible to transfer range leases to lagging replicas. #42764
  • ALTER INDEX IF EXISTS no longer fails when using an unqualified index name that does not match any existing index. Now it is a no-op. #42839
  • CockroachDB now prevents a number of panics from the SQL layer caused by an invalid range split. These would usually manifest with messages mentioning encoding errors ("found null on not null column" but also possibly various others). #42860
  • Other callers to acquireNodeLease will not get erroneously cancelled just because the context of the first caller was cancelled. #43028
  • Fixed a bug in poller causing it to emit row updates at a timestamp less than or equal to an already forwarded resolved timestamp. #43027
  • Fixed a bug in cloud storage sink file naming that violates ordering in presence of a schema changes. #43027
  • Fixed a bug causing disk stalls to allow a node to continue heartbeating its liveness record and prevent other nodes from taking over its leases, despite being completely unresponsive. #41765
  • CockroachDB now properly removes excess secondary log files (SQL audit logging, statement execution logging, and RocksDB events). #41034
  • cockroach debug zip, cockroach node and cockroach user now work properly if the defaultdb database has been manually dropped and the connection URL does not specify a database. #41131

Contributors

This release includes 34 merged PRs by 19 authors.



Yes No