sql: reject DDL in PL/pgSQL procedure bodies when late binding is off#170902
Draft
spilchen wants to merge 2 commits into
Draft
sql: reject DDL in PL/pgSQL procedure bodies when late binding is off#170902spilchen wants to merge 2 commits into
spilchen wants to merge 2 commits into
Conversation
Previously, PL/pgSQL procedure bodies were always analyzed at CREATE PROCEDURE time, recording back-references on referenced descriptors. References had to exist at CREATE time. This commit adds a new public cluster setting `sql.procedures.plpgsql.late_binding.enabled` (default false). When enabled, PL/pgSQL procedure bodies are parsed but not analyzed; references are resolved at CALL time, matching PostgreSQL PL/pgSQL semantics. LANGUAGE SQL procedures and UDFs always use early binding regardless of the setting. The gate is centralized in PLpgSQLProcedureLateBindingEnabled (which also checks clusterversion.V26_3) and applied at the three CREATE / CREATE OR REPLACE entry points: the legacy planner, the declarative schema changer, and the optbuilder. Improving the CREATE-time error message when a PL/pgSQL procedure body contains DDL but late binding is off is left to a follow-up; this commit preserves the existing V26_3 DDL-in-procedure behavior unchanged. Epic: CRDB-31256 Informs: cockroachdb#170651 Release note (sql change): Added public cluster setting `sql.procedures.plpgsql.late_binding.enabled` (default false). When enabled, PL/pgSQL procedure bodies are not resolved at CREATE PROCEDURE time; references are resolved at CALL time instead, matching PostgreSQL PL/pgSQL semantics. LANGUAGE SQL procedures and functions are unaffected. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previously, when late binding is disabled, a PL/pgSQL procedure body
containing allowlisted DDL (CREATE TABLE, DROP TABLE, CREATE SCHEMA,
DROP SCHEMA, CREATE ROLE, DROP ROLE) was built by the optbuilder. If
subsequent body statements referenced the just-created object, the
early-bound build could not resolve them and the user saw a confusing
"relation does not exist" error.
This commit adds a pre-build pass (ddlVisitor) that walks the PL/pgSQL
body to classify DDL statements before the optbuilder attempts to build
them. The classifier drives two new error paths in CREATE PROCEDURE:
1. Allowlisted DDL with late binding off (and V26_3 active) is
rejected with a hint pointing at the late-binding cluster setting.
2. Unsupported DDL (e.g. ALTER TABLE, CREATE INDEX) is rejected with
an "unimplemented" error before the optbuilder reaches its
existing per-statement DDL gate.
The allowlist is also expanded to include CREATE SCHEMA, DROP SCHEMA,
CREATE ROLE, and DROP ROLE in stored procedure bodies, factored into a
shared isAllowlistedProcedureDDL helper used by both ddlVisitor and the
optbuilder's existing buildStmtAtRoot gate.
Epic: CRDB-31256
Resolves: cockroachdb#170651
Release note (sql change): A PL/pgSQL procedure body containing DDL is
now rejected at CREATE PROCEDURE time with a hint suggesting the
`sql.procedures.plpgsql.late_binding.enabled` cluster setting be
enabled. Additionally, CREATE SCHEMA, DROP SCHEMA, CREATE ROLE, and
DROP ROLE are now allowed inside stored procedure bodies (subject to
the same late-binding requirement).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
Merging to
After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here |
|
Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
Member
|
This change is |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacked PR, only look at the last commit
Previously, when late binding is disabled, a PL/pgSQL procedure body containing allowlisted DDL (CREATE TABLE, DROP TABLE, CREATE SCHEMA, DROP SCHEMA, CREATE ROLE, DROP ROLE) was built by the optbuilder. If subsequent body statements referenced the just-created object, the early-bound build could not resolve them and the user saw a confusing
"relation does not exist" error.
This commit adds a pre-build pass (ddlVisitor) that walks the PL/pgSQL body to classify DDL statements before the optbuilder attempts to build them. The classifier drives two new error paths in CREATE PROCEDURE:
The allowlist is also expanded to include CREATE SCHEMA, DROP SCHEMA, CREATE ROLE, and DROP ROLE in stored procedure bodies, factored into a shared isAllowlistedProcedureDDL helper used by both ddlVisitor and the
optbuilder's existing buildStmtAtRoot gate.
Epic: CRDB-31256
Resolves: #170651
Release note (sql change): A PL/pgSQL procedure body containing DDL is
now rejected at CREATE PROCEDURE time with a hint suggesting the
sql.procedures.plpgsql.late_binding.enabledcluster setting beenabled. Additionally, CREATE SCHEMA, DROP SCHEMA, CREATE ROLE, and
DROP ROLE are now allowed inside stored procedure bodies (subject to
the same late-binding requirement).