Page MenuHomePhabricator
Create Task
Maniphest T157651

sql.php must not run LoadExtensionSchemaUpdates
Closed, ResolvedPublic
Actions

Assigned To
daniel
Authored By
Tgr
Feb 9 2017, 3:02 AM
Tags
Referenced Files
None
Subscribers
aaron
Addshore
Aklapper
alaa_wmde
Catrope
daniel
gerritbot
View All 16 Subscribers
Tokens
"Orange Medal" token, awarded by chasemp."The World Burns" token, awarded by Addshore."Burninate" token, awarded by Ladsgroup.

Description

tgr@deployment-tin:~$ mwscript sql.php --wiki=enwiki
...vote_ip in table securepoll_votes already modified by patch /srv/mediawiki-staging/php-master/extensions/SecurePoll/patches/patch-vote_ip-extend.sql.
...echo_subscription doesn't exist.
>

That sounds like sql.php somehow triggered the update process, which really shouldn't be happening.

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Krinkle moved this task from Doing (old) to Blocked (old) on the Performance-Team board.Aug 6 2019, 1:14 AM
aaron added a comment.Sep 9 2019, 9:42 PM

So, getting this test merged depends on redoing the wikibase schema hook application order for update.php. In CI, there seems to be a problem when it interacts with Flow hooks trying to make pages.

aaron removed aaron as the assignee of this task.Sep 9 2019, 9:42 PM
aaron added a project: Platform Team Workboards (Clinic Duty Team).
WDoranWMF moved this task from Inbox to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.Sep 11 2019, 6:00 PM
kchapman subscribed.Sep 30 2019, 5:57 PM

@aaron are you requesting code review from Core Platform or do you need something else?

aaron added a comment.Sep 30 2019, 8:05 PM
In T157651#5535315, @kchapman wrote:

@aaron are you requesting code review from Core Platform or do you need something else?

It would need some debugging and code changes to work with Wikibase+Flow

daniel added subscribers: Pablo-WMDE, Ladsgroup, daniel.Oct 8 2019, 9:46 AM
In T157651#5476780, @aaron wrote:

So, getting this test merged depends on redoing the wikibase schema hook application order for update.php. In CI, there seems to be a problem when it interacts with Flow hooks trying to make pages.

Tagging Wikidata and pinging @Pablo-WMDE and @Ladsgroup for the Wikibase issue.

Pablo-WMDE added a subscriber: alaa_wmde.Oct 8 2019, 9:55 AM
WDoranWMF moved this task from Ready (WIP:5) to Backlog on the Platform Team Workboards (Clinic Duty Team) board.Oct 23 2019, 8:48 PM
WDoranWMF moved this task from Backlog to External Code Review Needed on the Platform Team Workboards (Clinic Duty Team) board.Oct 23 2019, 8:56 PM
Anomie moved this task from External Code Review Needed to External Code Review In Progress on the Platform Team Workboards (Clinic Duty Team) board.Nov 6 2019, 4:36 PM
Anomie subscribed.

Long term, this sort of thing should wind up being fixed by T191231: RFC: Abstract schemas and schema changes.

Short term, Wikibase changes are unlikely to be in scope for CPT. Looked at the core structure test patch.

WDoranWMF moved this task from External Code Review In Progress to External Code Review Completed on the Platform Team Workboards (Clinic Duty Team) board.Mar 3 2020, 8:39 PM
Addshore subscribed.Apr 6 2020, 11:44 PM
Tgr mentioned this in T249565: Wikidata's wb_items_per_site table has suddenly disappeared, creating DBQueryErrors on page views.Apr 6 2020, 11:44 PM
gerritbot added a comment.Apr 6 2020, 11:46 PM

Change 586473 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@master] maintenance: Remove sql.php temporarily

https://gerrit.wikimedia.org/r/586473

gerritbot added a comment.Apr 6 2020, 11:47 PM

Change 586474 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/core@wmf/1.35.0-wmf.26] maintenance: Remove sql.php temporarily

https://gerrit.wikimedia.org/r/586474

Krinkle added a project: Wikimedia-Incident.Apr 6 2020, 11:47 PM
Krinkle moved this task from Active investigation to Follow-up prevention on the Wikimedia-Incident board.
Ladsgroup awarded a token.Apr 6 2020, 11:50 PM
Addshore awarded a token.Apr 7 2020, 12:04 AM
Krinkle added a comment.Apr 7 2020, 12:23 AM
In T249565#6034809, @Krinkle wrote:

This is merely to show that the code path involving Wikibase\…\DatabaseSchemaUpdater->doSchemaUpdate was in fact called by sql.php. The fatal error itself below is harmless in this context.

2020-04-06T23:02:13 snapshot1008  /srv/mediawiki/multiversion/MWScript.php maintenance/sql.php --wiki wikidatawiki --json --query SELECT MAX(page_id) AS max_page_id FROM page
…
Fatal error: Call to undefined method setUser()
…
#0 /srv/mediawiki/php-1.35.0-wmf.26/extensions/GlobalPreferences/includes/Hooks.php(43): GlobalPreferences\Hooks::getPreferencesFactory(User)
#1 /srv/mediawiki/php-1.35.0-wmf.26/includes/Hooks.php(174): GlobalPreferences\Hooks::onUserLoadOptions(User, array)
#2 /srv/mediawiki/php-1.35.0-wmf.26/includes/Hooks.php(202): Hooks::callHook(string, array, array, NULL)
#3 /srv/mediawiki/php-1.35.0-wmf.26/includes/user/User.php(5135): Hooks::run(string, array)
#4 /srv/mediawiki/php-1.35.0-wmf.26/includes/user/User.php(2889): User->loadOptions()
#5 /srv/mediawiki/php-1.35.0-wmf.26/includes/parser/ParserOptions.php(1177): User->getOption(string)
#6 /srv/mediawiki/php-1.35.0-wmf.26/includes/parser/ParserOptions.php(986): ParserOptions->initialiseFromUser(User, LanguageEn)
#7 /srv/mediawiki/php-1.35.0-wmf.26/includes/parser/ParserOptions.php(1011): ParserOptions->__construct(User)
#8 /srv/mediawiki/php-1.35.0-wmf.26/includes/Storage/DerivedPageDataUpdater.php(1433): ParserOptions::newFromUser(User)
#9 /srv/mediawiki/php-1.35.0-wmf.26/includes/page/WikiPage.php(2068): MediaWiki\Storage\DerivedPageDataUpdater->doUpdates()
#10 /srv/mediawiki/php-1.35.0-wmf.26/extensions/Wikibase/repo/includes/Store/Sql/SqlStore.php(336): WikiPage->doEditUpdates(MediaWiki\Revision\RevisionStoreRecord, User)
#11 /srv/mediawiki/php-1.35.0-wmf.26/extensions/Wikibase/repo/includes/Store/Sql/DatabaseSchemaUpdater.php(89): Wikibase\Repo\Store\Sql\SqlStore->rebuild()
#12 /srv/mediawiki/php-1.35.0-wmf.26/extensions/Wikibase/repo/includes/Store/Sql/DatabaseSchemaUpdater.php(61): Wikibase\Repo\Store\Sql\DatabaseSchemaUpdater->doSchemaUpdate(MysqlUpdater)
#13 /srv/mediawiki/php-1.35.0-wmf.26/includes/Hooks.php(174): Wikibase\Repo\Store\Sql\DatabaseSchemaUpdater::onSchemaUpdate(MysqlUpdater)
#14 /srv/mediawiki/php-1.35.0-wmf.26/includes/Hooks.php(202): Hooks::callHook(string, array, array, NULL)
#15 /srv/mediawiki/php-1.35.0-wmf.26/includes/installer/DatabaseUpdater.php(129): Hooks::run(string, array)
#16 /srv/mediawiki/php-1.35.0-wmf.26/includes/installer/DatabaseUpdater.php(195): DatabaseUpdater->__construct(Wikimedia\Rdbms\MaintainableDBConnRef, boolean, MwSql)
#17 /srv/mediawiki/php-1.35.0-wmf.26/maintenance/sql.php(92): DatabaseUpdater::newForDB(Wikimedia\Rdbms\MaintainableDBConnRef, boolean, MwSql)
#18 /srv/mediawiki/php-1.35.0-wmf.26/maintenance/doMaintenance.php(99): MwSql->execute()
#19 /srv/mediawiki/php-1.35.0-wmf.26/maintenance/sql.php(230): require_once(string)
#20 /srv/mediawiki/multiversion/MWScript.php(101): require_once(string)
#21 {main}
gerritbot added a comment.Apr 7 2020, 12:42 AM

Change 586473 merged by jenkins-bot:
[mediawiki/core@master] maintenance: Remove sql.php temporarily

https://gerrit.wikimedia.org/r/586473

Ladsgroup added a comment.Apr 7 2020, 12:55 AM
In T157651#3018942, @Tgr wrote:

This is a very, very ugly accident waiting to happen.

This bug brought down everything for twenty minutes and caused an important table to vanish in production today.

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.27; 2020-04-07).Apr 7 2020, 1:00 AM
gerritbot added a comment.Apr 7 2020, 1:01 AM

Change 586474 merged by jenkins-bot:
[mediawiki/core@wmf/1.35.0-wmf.26] maintenance: Remove sql.php temporarily

https://gerrit.wikimedia.org/r/586474

Stashbot added a comment.Apr 7 2020, 1:06 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-07T01:06:52Z] <jforrester@deploy1001> Synchronized php-1.35.0-wmf.26/autoload.php: T157651 Remove sql.php from autoloader (duration: 00m 58s)

Stashbot added a comment.Apr 7 2020, 1:08 AM

Mentioned in SAL (#wikimedia-operations) [2020-04-07T01:08:26Z] <jforrester@deploy1001> Synchronized php-1.35.0-wmf.26/maintenance/: T157651 Remove sql.php from maintenance/ (duration: 00m 58s)

ReleaseTaggerBot edited projects, added MW-1.35-notes (1.35.0-wmf.26; 2020-03-31); removed MW-1.35-notes (1.35.0-wmf.27; 2020-04-07).Apr 7 2020, 2:00 AM
WMDE-leszek subscribed.Apr 7 2020, 5:37 AM
tstarling mentioned this in T249584: Call LoadExtensionSchemaUpdates later.Apr 7 2020, 6:31 AM
gerritbot added a comment.Apr 7 2020, 6:48 AM

Change 587010 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] restore: Add s8 instance to db1095

https://gerrit.wikimedia.org/r/587010

gerritbot added a comment.Apr 7 2020, 7:17 AM

Change 587010 merged by Jcrespo:
[operations/puppet@production] restore: Add s8 instance to db1095

https://gerrit.wikimedia.org/r/587010

kostajh edited projects, added StructuredDiscussions, Growth-Team; removed Platform Team Legacy (Watching / External).Apr 7 2020, 8:04 AM
kostajh subscribed.

Flow was mentioned in the comments as a blocker to this work. I rebased the structure test patch to see if the error still comes up.

daniel added a comment.EditedApr 7 2020, 9:02 AM

Looking at the code, there seems to be a whole set of dubious things going on which all together caused the disaster above:

  • sql.php connects to master per default. Slightly dubious, but ok, if you want to be bale to make modifications, you'd want that.
  • if connecting to master, sql.php constructs a DatabaseUpdater just so it can do $db->setSchemaVars( $updater->getSchemaVars() ). We could just have the logic that is currently in MysqlUpdater::getSchemaVars() in MysqlDatabase::getDefaultSchemaVars(), or introduce Database::getUpdateSchemaVars().
  • also, the only thing this does is add support for /*$wgDBTableOptions*/. Is that really needed in sql.php?
  • Anyway. DatabaseUpdater does a hole lot of scary things in the constructor which should probably be done later, probably in doUpdates(). The constructor calls $this->initOldGlobals() to modify a bunch of global variables (!), $this->loadExtensions() in case extensions are not yet loaded (why is this needed?), and Hooks::run( 'LoadExtensionSchemaUpdates', [ $this ] ) to allow extensions to inject stuff into the updater.
  • Wikibase registered DatabaseSchemaUpdater::onSchemaUpdate as a handler for the LoadExtensionSchemaUpdates hook. onSchemaUpdate() calls doSchemaUpdate(), which calls methods like dropTable() which directly drops a table, instead of dropExtensionTable, which only marks a table for being dropped later when DatabaseUpdater::doUpdates() is run. The wikibase DatabaseSchemaUpdater class seems to be a scary mix of "do it now" and "do litlater". Which is understandable, because:
  • DatabaseUpdater doesn't document the semantic different between e.g. dropTable and dropExtensionTable. It doesn't say which should be used when.
  • The documentation for the LoadExtensionSchemaUpdates hook doesn't mention that handlers for this hook should only register updates, not directly perform them. The example given in the docs uses modifyExtensionField(), but nothing there mentions that methods that directly modify the database must not be used. The documentation states ambiguously: "Fired when MediaWiki is updated to allow extensions to update the database".

Changing any of the above might have prevented the problem. I think most if not all of these things should be fixed.

daniel added a comment.EditedApr 7 2020, 9:15 AM
In T157651#6035371, @kostajh wrote:

Flow was mentioned in the comments as a blocker to this work. I rebased the structure test patch to see if the error still comes up.

I see violations from Wikibase:

  • /workspace/src/extensions/Wikibase/repo/includes/Store/Sql/ChangesSubscriptionSchemaUpdater.php:48
  • /workspace/src/extensions/Wikibase/repo/includes/Store/Sql/DatabaseSchemaUpdater.php:78
In T157651#6034856, @Ladsgroup wrote:
In T157651#3018942, @Tgr wrote:

This is a very, very ugly accident waiting to happen.

This bug brought down everything for twenty minutes and caused an important table to vanish in production today.

This is technically a wikibase bug, caused by the hook handler doing direct schema modifications, rather than registering them. But there isn't any documentation that would have made it clear that this was a bad idea (tm)...

gerritbot added a comment.Apr 7 2020, 9:30 AM

Change 587213 had a related patch set uploaded (by Daniel Kinzler; owner: Daniel Kinzler):
[mediawiki/core@master] DatabaseUpdate: warn extensions about direct modification

https://gerrit.wikimedia.org/r/587213

daniel moved this task from External Code Review Completed to Waiting for Review on the Platform Team Workboards (Clinic Duty Team) board.Apr 7 2020, 9:31 AM
daniel added a project: Wikidata-Campsite.

Tagging Wikidata-Campsite for the issues with the wikibase schema updater.

Restricted Application added a project: Wikidata. · View Herald TranscriptApr 7 2020, 9:33 AM
Ladsgroup added a comment.Apr 7 2020, 9:41 AM
In T157651#6035601, @daniel wrote:

Tagging Wikidata-Campsite for the issues with the wikibase schema updater.

I think this task will explode. What do you think of creating a subtask for Wikibase?

daniel mentioned this in T249598: Wikibase schema updaters must not modify database directly.Apr 7 2020, 9:47 AM
daniel removed a project: Wikidata-Campsite.
In T157651#6035615, @Ladsgroup wrote:
In T157651#6035601, @daniel wrote:

Tagging Wikidata-Campsite for the issues with the wikibase schema updater.

I think this task will explode. What do you think of creating a subtask for Wikibase?

Done, see T249598: Wikibase schema updaters must not modify database directly.

daniel mentioned this in T249599: DatabaseUpdater should not call hooks in the constructor.Apr 7 2020, 9:57 AM
chasemp awarded a token.Apr 7 2020, 9:59 AM
daniel added a comment.Apr 7 2020, 10:22 AM

T249599: DatabaseUpdater should not call hooks in the constructor should address the original issue in this task's title.

mark added a project: DBA.Apr 7 2020, 12:11 PM
daniel added a subtask: T249584: Call LoadExtensionSchemaUpdates later.Apr 7 2020, 3:07 PM
Krinkle added a comment.Apr 7 2020, 6:23 PM
In T157651#6035533, @daniel wrote:

Looking at the code, there seems to be a whole set of dubious things going on which all together caused the disaster above

  • the only thing this does is add support for /*$wgDBTableOptions*/. Is that really needed in sql.php?

I believe the main purpose of sql.php is to apply schema patches in a way you can control as an administrator, e.g. instead of update.php. The way you do that is by passing the patch file to sql.php. For that to work, it must expand table prefixes and table options, just like update.php would.

Having a maintenance script that can do this, is important to have and keep.

But, that also gets us to a number of other problems:

  • For the use case of patching the schema, we also have maintenance/patchSql.php which makes this use case even easier. But maybe that is too abstract currently? (It lets you omit the patch- file name prefix, and the .sql suffix, and the relevant subdirectory for the current rdbms). I think for someone who doesn't use update.php their entry point is presumably the list of patch files since the previous release and wanting to apply them. Not sure what's best, but we shouldn't have both.
  • For the use case of running ad-hoc queries while debugging something in production, we also have maintenance/mysql.php which is better suited for this purpose.

In fact: the maintenance/mysql.php script says:

* Note that this will not do table prefixing or variable substitution.
* To safely run schema patches, use sql.php.

I suggest that we:

  • Keep patchSql.php and to the extent not already the case make it only support running queries from a patch file (not arbitrary input), and carry over any relevant features or conveniences from sql.php.
  • Keep mysql.php which is what I believe most developers use already for ad-hoc querying. For example, the sql <dbname> utility that we have in WMF production uses mwscript mysql.php --wiki <dbname> underneath. For other db-backends we support in core a similar thing could be created if there is demand for it.
  • Remove sql.php. Or, if there is demand for it, strip it down to just the bare minimum for an interactive shell that sends read queries and nothing else (no file paths, no programmatic use, no schema options, no master/write queries).
Jdforrester-WMF subscribed.Apr 7 2020, 6:27 PM
In T157651#6037432, @Krinkle wrote:

I suggest that we:

  • Keep patchSql.php and to the extent not already the case make it only support running queries from a patch file (not arbitrary input), and carry over any relevant features or conveniences from sql.php.
  • Keep mysql.php which is what I believe most developers use already for ad-hoc querying. For example, the sql <dbname> utility that we have in WMF production uses mwscript mysql.php --wiki <dbname> underneath. For other db-backends we support in core a similar thing could be created if there is demand for it.
  • Remove sql.php. Or, if there is demand for it, strip it down to just the bare minimum for an interactive shell that sends read queries and nothing else (no file paths, no programmatic use, no schema options, no master/write queries).

This feels like a good set of choices (including removing sql.php and pointing users to the other two alternatives.

(Do we have an equivalent of mysql.php for sqlite and postgress?).

Marostegui mentioned this in T249683: Redefine mysql GRANTs for wikiadmin.Apr 8 2020, 6:22 AM
Marostegui moved this task from Triage to In progress on the DBA board.Apr 8 2020, 6:25 AM
Marostegui added a subtask: T249683: Redefine mysql GRANTs for wikiadmin.
daniel closed subtask T249584: Call LoadExtensionSchemaUpdates later as Resolved.Apr 8 2020, 9:04 AM
Tgr added a comment.Apr 8 2020, 10:26 AM

I would suggest the opposite: keep sql.php, drop patchSql.php. I don't think many people are familiar with the latter (compare patchSql vs sql docs for example) and I don't think it's terribly useful - passing a file path is more user-friendly than passing a patch name. And it does not even replace the schema vars, meaning it's actively harmful to anyone who uses table prefixes or non-default table settings.

So, IMO

  • keep mysql.php which is indeed widely used at least in Wikimedia production for debugging, more user-friendly than sql.php (which channels query output through PHP which does weird things to it) and not problematic (it already requires a write flag for performing any changes - although that relies on a master/slave distinction so that could be improved, cf T249683#6039238 - and does not accidentally run updares).
  • kill patchSql.php which is IMO pretty useless. (Probably worth a wikitech question to ensure it is indeed not used.)
  • keep sql.php manual debugging mode, which is the only way to debug a non-MySQL server, but require an explicit --debug flag used. Do not invoke the updater (not even for variable transformations) when that's used, it seems pointless and just extra code path exposure (cf the fatal error it gave during the incident).
  • keep sql.php for running scripts but require a --write flag like mysql.php does for scripts that change data. (I would even separate an admin mode for schema changes and a write mode for data changes via a restricted user.)
  • if sql.php is invoked with no script file and --debug flag just exit with an error (and without creating a DatabaseUpdater or doing anything else nontrivial).
Krinkle added a comment.EditedApr 9 2020, 12:40 AM

As said, I don't mind keeping sql.php as a cross-rdbms debug tool if there's interest for that.

However, I think use in production is problematic and should not be allowed for the same reason that echo <something> | mwscript eval.php shouldn't be used as part of production workflows. Such code will likely be untested, not reviewed by relevant maintainers, and not seen when change are made to the underlying code. We don't index the Puppet repository as part of "WMF-deployed MediaWiki code" and I don't think we should start. Data from a db table should generally be read via a PHP class that abstracts it. But short of that, at the very least with a minimal WMF-specific script in the WikimediaMaintenance extension.

The fact that that a Wikibase cron job is the only thing in production not following that, I think means this is something we generally follow but just didn't enforce or document in a way that new developers would have learned.

  • keep sql.php for running scripts but require a --write flag like mysql.php does for scripts that change data. (I would even separate an admin mode for schema changes and a write mode for data changes via a restricted user.)

Also, when invoking sql.php in this way, it should always fatal in wmf production in the same way that update.php are disabled. Possibly by levering the same feature flag.

For the use case of patching, I think either of sql.php --write --admin --patch <filename> or patchSql.php <filename> would work. I do still prefer tha latter as it would make sql.php much easier to reason about.

We'd have a script that on the one side:

  • Uses the regular wiki user.
  • Can do read or --write.
  • Only works in an interative shell.

And on the other side:

  • Is disabled by $wgAllowSchemaUpdates.
  • Uses the administrative user and can execute schema changes.
  • Invokers Installer classes.
  • Takes a patch file as parameter.

Having the same maintenance script responsible for both seems like it could very well cause another outage in the future. Because so long as sql.php contains code that engages administrator credentials and initialises Installer classes, all it takes is one bad typo in a commit that changes sql.php and then the next person invoking it could be facing similar problems in the future. This is essentially Murphey's Law, which we've seen up close in T249565 where half a dozen edge cases lined up in just the right way to make it happen. Leaving this unplugged by itself likely won't cause any problems, but it's just something that could easily regress and we'd not know for many months until sometimes else ends up using it by mistake.

It also seems in terms of developer ergonimics that a separate endpoint would be easier to explain in documentation and make use of. I do agree that the current patchSql.php script is too hard to use, we'd model in after sql.php instead.

gerritbot added a comment.Apr 9 2020, 12:46 AM

Change 587389 had a related patch set uploaded (by Krinkle; owner: Tim Starling):
[mediawiki/core@master] Revert "maintenance: Remove sql.php temporarily"

https://gerrit.wikimedia.org/r/587389

gerritbot added a comment.Apr 9 2020, 7:00 PM

Change 587389 merged by jenkins-bot:
[mediawiki/core@master] Revert "maintenance: Remove sql.php temporarily"

https://gerrit.wikimedia.org/r/587389

ReleaseTaggerBot edited projects, added MW-1.35-notes (1.35.0-wmf.28; 2020-04-14); removed MW-1.35-notes (1.35.0-wmf.26; 2020-03-31).Apr 9 2020, 8:00 PM
Krinkle removed projects: DBA, Wikimedia-database-issue, Beta-Cluster-reproducible.Apr 9 2020, 11:51 PM
aaron added a comment.Apr 11 2020, 12:18 AM
In T157651#6039302, @Tgr wrote:

I would suggest the opposite: keep sql.php, drop patchSql.php. I don't think many people are familiar with the latter (compare patchSql vs sql docs for example) and I don't think it's terribly useful - passing a file path is more user-friendly than passing a patch name. And it does not even replace the schema vars, meaning it's actively harmful to anyone who uses table prefixes or non-default table settings.

So, IMO

  • keep mysql.php which is indeed widely used at least in Wikimedia production for debugging, more user-friendly than sql.php (which channels query output through PHP which does weird things to it) and not problematic (it already requires a write flag for performing any changes - although that relies on a master/slave distinction so that could be improved, cf T249683#6039238 - and does not accidentally run updares).
  • kill patchSql.php which is IMO pretty useless. (Probably worth a wikitech question to ensure it is indeed not used.)
  • keep sql.php manual debugging mode, which is the only way to debug a non-MySQL server, but require an explicit --debug flag used. Do not invoke the updater (not even for variable transformations) when that's used, it seems pointless and just extra code path exposure (cf the fatal error it gave during the incident).
  • keep sql.php for running scripts but require a --write flag like mysql.php does for scripts that change data. (I would even separate an admin mode for schema changes and a write mode for data changes via a restricted user.)
  • if sql.php is invoked with no script file and --debug flag just exit with an error (and without creating a DatabaseUpdater or doing anything else nontrivial).

This all makes sense to me. Since DDLs are not transactional in mariadb and so on, it adds an extra layer of disruption over "DELETE WHERE 1=1". Permissions with temp tables could get annoying though (Database.php read-only enforcement already has to look out for them). Starting off with a --write flag seems doable for now. It would be nice to make it use a replica DB by default (if --write is missing and --replicadb is not already set to a host or *).

Demian subscribed.Apr 13 2020, 5:58 PM
daniel claimed this task.Apr 15 2020, 4:09 PM
gerritbot added a comment.Apr 16 2020, 6:38 PM

Change 587213 merged by jenkins-bot:
[mediawiki/core@master] DatabaseUpdate: warn extensions about direct modification

https://gerrit.wikimedia.org/r/587213

ReleaseTaggerBot edited projects, added MW-1.35-notes (1.35.0-wmf.30; 2020-04-28); removed MW-1.35-notes (1.35.0-wmf.28; 2020-04-14).Apr 16 2020, 8:00 PM
daniel closed subtask T249603: DatabaseUpdater: protect methods for direct database modification as Resolved.Apr 20 2020, 9:24 PM
gerritbot added a comment.Apr 20 2020, 9:31 PM

Change 511778 abandoned by Daniel Kinzler:
[DNM] Register schema updates as callbacks during DatabaseUpdater construction

Reason:
Superceeded by I84f5fe6836a89352c3ff19c9a985ca359a5bf74d

https://gerrit.wikimedia.org/r/511778

daniel added a comment.Apr 21 2020, 9:39 AM

It seems like all essential patches are merged. Can this be closed now?

daniel moved this task from Waiting for Review to Waiting for deployment on the Platform Team Workboards (Clinic Duty Team) board.Apr 21 2020, 9:40 AM
Krinkle renamed this task from sql.php runs LoadExtensionSchemaUpdates to sql.php must not run LoadExtensionSchemaUpdates.EditedApr 21 2020, 4:17 PM
In T157651#4765173, @gerritbot wrote:

[mediawiki/core@master] Structure test for wrong calls in LoadExtensionSchemaUpdates
https://gerrit.wikimedia.org/r/475065

@daniel I noticed a patch that makes some methods inaccesible to extensions. Does that mean this structure test is no longer needed? Or are there some dangerous methods exposed still?

Also, does the sql.php script now never run this hook?

daniel added a comment.Apr 21 2020, 4:56 PM
In T157651#6075764, @Krinkle wrote:

@daniel I noticed a patch that makes some methods inaccesible to extensions. Does that mean this structure test is no longer needed? Or are there some dangerous methods exposed still?

See my comment on the patch: the structure test could still ensure that no dangerous methods are called on the Database object (rather than on DatabaseUpdater). The dangerous methods on DatabaseUpdater are no longer accessible to extensions, but they could still call Database::dropTable() directly.

Also, does the sql.php script now never run this hook?

The hook call was removed from the constructor of DatabaseUpdater, and is now triggered from doUpdates(). I see no way for sql.php to trigger it.

Krinkle closed this task as Resolved.Apr 21 2020, 4:58 PM
daniel moved this task from Waiting for deployment to Done on the Platform Team Workboards (Clinic Duty Team) board.Apr 21 2020, 5:01 PM
Krinkle mentioned this in T250835: Determine fate of sql.php/patchSql.php.Apr 21 2020, 5:06 PM
gerritbot added a comment.Apr 21 2020, 7:05 PM

Change 507898 abandoned by Aaron Schulz:
Register schema update callbacks rather than running them on DatabaseUpdater construction

Reason:
obsolete

https://gerrit.wikimedia.org/r/507898

Demian unsubscribed.Apr 21 2020, 7:12 PM
Krinkle edited projects, added Sustainability (Incident Followup); removed Wikimedia-Incident.Apr 28 2020, 9:50 PM
Addshore closed subtask T249598: Wikibase schema updaters must not modify database directly as Resolved.Jul 6 2020, 9:06 PM
Ladsgroup mentioned this in T259771: RFC: Drop support for older database upgrades.Aug 6 2020, 1:49 AM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Ladsgroup changed the status of subtask T249683: Redefine mysql GRANTs for wikiadmin from Open to Stalled.Nov 23 2021, 10:08 AM
Ladsgroup changed the status of subtask T249683: Redefine mysql GRANTs for wikiadmin from Stalled to Open.Nov 26 2021, 10:55 AM
Ladsgroup closed subtask T249683: Redefine mysql GRANTs for wikiadmin as Resolved.May 11 2022, 8:38 AM
Tgr mentioned this in T322143: Can't DROP FOREIGN KEY `echo_push_subscription_ibfk_2`; check that it exists.Nov 22 2022, 5:47 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits