v24.3.0-alpha.1 release notes #18985
09b973f
to
eefc2c3
Compare
|
||
- [Events]({% link v24.3/eventlog.md %}) `DiskSlownessDetected` and `DiskSlownessCleared` are now logged when disk slowness is detected and cleared on a store. [#127025][#127025] | ||
- Several [cluster settings]({% link v24.3/cluster-settings.md %}) allow you to configure rate-limiting traffic to cloud storage over various protocols. These settings begin with `cloudstorage`. [#127207][#127207] | ||
- The new [cluster setting]({% link v24.3/cluster-settings.md %}) `kv.range.range_size_hard_cap` allows you to limit how large a [range]({% link v24.3/architecture/overview.md %}#architecture-range) can grow before [backpressure]({% link v24.3/common-errors.md %}#split-failed-while-applying-backpressure-are-rows-updated-in-a-tight-loop) is applied. This can help to mitigate against a situation where a range cannot be split, such as when a range is comprised of a single key due to an issue with the schema or workload pattern or a bug in client application code. The default is 8 GiB, which is 16 times the default max range size. If you have changed the max range size, you may need to adjust this cluster setting or reduce the range size. [#129450][#129450] |
@arulajmani PTAL
- Added a LDAP authentication method to complement password-based login for the DB Console if HBA configuration has an entry for LDAP for the user attempting login, along with other matching criteria (like the requests originating IP address) for authentication to the DB Console. [#130418][#130418] | ||
- Added timers around key parts of the [changefeed]({% link v24.3/change-data-capture-overview.md %}) pipeline to help debug feeds experiencing issues. The `changefeed.stage.<stage>.latency` metrics now emit latency histograms for each stage. The metric respects the [changefeed `scope` label]({% link v24.3/monitor-and-debug-changefeeds.md %}#using-metrics-labels) for debugging specific feeds. [#128794][#128794] | ||
- For [enterprise changefeeds]({% link v24.3/how-does-an-enterprise-changefeed-work.md %}), [events]({% link v24.3/eventlog.md %}) `changefeed_failed` and `create_changefeed` now include a `JobId` field. [#131396][#131396] | ||
- The new [metric]({% link v24.3/metrics.md %}) `seconds_until_enterprise_license_expiry` allows you to monitor the status of a cluster's Enterprise license. [#129052][#129052]. |
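Review bot: In the DB Console LDAP entry (#130418), "Added a LDAP authentication method" should read "an LDAP", and "the requests originating IP address" is missing its possessive ("the request's originating IP address"). The sentence also states its condition in a long trailing clause; consider splitting it so that the requirement (an HBA entry for LDAP that matches the user and the other criteria) is stated once. Separately, the trailing period after `[#129052][#129052]` on the license-expiry metric line is inconsistent with the other entries.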
@angles-n-daemons PTAL
Perfect, thanks!
@angles-n-daemons isn't the new metric `seconds_until_license_expiry`?
- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131690][#131690] | ||
- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131686][#131686] | ||
- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131688][#131688] | ||
- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131687][#131687] | ||
- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131717][#131717] | ||
- Changed the license `cockroach` is distributed under to the new CockroachDB Software License (CSL). [#131689][#131689] |
@rmloveland For each of these, should we update which license it was changed from as per the PR description?
Good question, I don't know why there are so many of these. One idea: since they're all about basically the same thing conceptually, collapse them all to one line followed by the multiple PR #'s, e.g.
- Changed the license `cockroach` is distributed under to the new [CockroachDB Software License](https://www.cockroachlabs.com/cockroachdb-software-license/) [123] [456] [789] ....
Then folks who care a lot can go read all those PRs if they want to, but the notes give the high-level gist.
OK cool, thanks Rich. It looked like there were a number of existing licenses. Your idea makes sense. I will do this!
@mdlinville There seems to be one final link breaking, looks like some missing anchor
<h3 id="v24-3-0-alpha-1-security-updates">Security updates</h3> | ||
|
||
- URLs in the [`CREATE CHANGEFEED`]({% link v24.3/create-changefeed.md %}) and [`CREATE SCHEDULE FOR CHANGEFEED`]({% link v24.3/create-schedule-for-changefeed.md %}) SQL statements are now sanitized of any secrets before being written to unredacted [logs]({% link v24.3/logging.md %}). [#126970][#126970] | ||
- The LDAP [cluster settings]({% link v24.3/cluster-settings.md %}) `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` do not have callbacks installed to reload the settings value for LDAP authManager. This change fixes this by adding the necessary callbacks. [#131151][#131151] |
- The LDAP [cluster settings]({% link v24.3/cluster-settings.md %}) `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` do not have callbacks installed to reload the settings value for LDAP authManager. This change fixes this by adding the necessary callbacks. [#131151][#131151] | |
- The LDAP [cluster settings]({% link v24.3/cluster-settings.md %}) `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` did not have callbacks installed to reload the settings value for LDAP authManager. This change fixed this by adding the necessary callbacks. [#131151][#131151] |
lgtm pending suggestions.
|
||
- URLs in the [`CREATE CHANGEFEED`]({% link v24.3/create-changefeed.md %}) and [`CREATE SCHEDULE FOR CHANGEFEED`]({% link v24.3/create-schedule-for-changefeed.md %}) SQL statements are now sanitized of any secrets before being written to unredacted [logs]({% link v24.3/logging.md %}). [#126970][#126970] | ||
- The LDAP [cluster settings]({% link v24.3/cluster-settings.md %}) `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` do not have callbacks installed to reload the settings value for LDAP authManager. This change fixes this by adding the necessary callbacks. [#131151][#131151] | ||
- [Cluster settings]({% link v24.3/cluster-settings.md %}) for [host-based authentication]({% link v24.3/security-reference/authentication.md %}#authentication-configuration) configuration ([`server.host_based_authentication.configuration`]({% link v24.3/cluster-settings.md %}#setting-server-host-based-authentication-configuration)) and identity map configuration ([`server.identity_map.configuration`]({% link v24.3/cluster-settings.md %})) need to be redacted as they can be configured to contain LDAP bind usernames, passwords, and mapping of external identities to SQL users that are sensitive and should be configurable for redaction via the `server.redact_sensitive_settings.enabled` cluster setting. [#131150][#131150] |
- [Cluster settings]({% link v24.3/cluster-settings.md %}) for [host-based authentication]({% link v24.3/security-reference/authentication.md %}#authentication-configuration) configuration ([`server.host_based_authentication.configuration`]({% link v24.3/cluster-settings.md %}#setting-server-host-based-authentication-configuration)) and identity map configuration ([`server.identity_map.configuration`]({% link v24.3/cluster-settings.md %})) need to be redacted as they can be configured to contain LDAP bind usernames, passwords, and mapping of external identities to SQL users that are sensitive and should be configurable for redaction via the `server.redact_sensitive_settings.enabled` cluster setting. [#131150][#131150] | |
- [Cluster settings]({% link v24.3/cluster-settings.md %}) for [host-based authentication]({% link v24.3/security-reference/authentication.md %}#authentication-configuration) configuration ([`server.host_based_authentication.configuration`]({% link v24.3/cluster-settings.md %}#setting-server-host-based-authentication-configuration)) and identity map configuration ([`server.identity_map.configuration`]({% link v24.3/cluster-settings.md %})) need to be able to be redacted as they can be configured to contain LDAP bind usernames, passwords, and mapping of external identities to SQL users that are sensitive. These cluster settings can be configured for redaction via the `server.redact_sensitive_settings.enabled` cluster setting. [#131150][#131150] |
host all all all ldap ldapserver=ldap.example.com ldapport=636 ldapbasedn="ou=users,dc=example,dc=com" ldapbinddn="cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid ldapsearchfilter="(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" | ||
~~~ | ||
|
||
The HBA parser failed after determining `ldapbinddn="cn=readonly,dc=example,dc=com" as 2 separate options(ldapbinddn=and cn=readonly,dc=example,dc=com)`. Now, the 2 tokens can be set as key and value respectively for the same HBA configuration option. [#131480][#131480] |
The HBA parser failed after determining `ldapbinddn="cn=readonly,dc=example,dc=com" as 2 separate options(ldapbinddn=and cn=readonly,dc=example,dc=com)`. Now, the 2 tokens can be set as key and value respectively for the same HBA configuration option. [#131480][#131480] | |
The HBA parser would fail after incorrectly determining `ldapbinddn="cn=readonly,dc=example,dc=com"` as 2 separate options (`ldapbinddn=` and `cn=readonly,dc=example,dc=com`). Now, the 2 tokens are set as key and value respectively for the same HBA configuration option. [#131480][#131480] |
- The LDAP [cluster settings]({% link v24.3/cluster-settings.md %}) `server.ldap_authentication.client.tls_certificate` and `server.ldap_authentication.client.tls_key` do not have callbacks installed to reload the settings value for LDAP authManager. This change fixes this by adding the necessary callbacks. [#131151][#131151] | ||
- [Cluster settings]({% link v24.3/cluster-settings.md %}) for [host-based authentication]({% link v24.3/security-reference/authentication.md %}#authentication-configuration) configuration ([`server.host_based_authentication.configuration`]({% link v24.3/cluster-settings.md %}#setting-server-host-based-authentication-configuration)) and identity map configuration ([`server.identity_map.configuration`]({% link v24.3/cluster-settings.md %})) need to be redacted as they can be configured to contain LDAP bind usernames, passwords, and mapping of external identities to SQL users that are sensitive and should be configurable for redaction via the `server.redact_sensitive_settings.enabled` cluster setting. [#131150][#131150] | ||
- Added support for configuring authorization using LDAP. During login, the list of groups that a user belongs to are fetched from the LDAP server. These groups are mapped to [SQL roles]({% link v24.3/create-role.md %}) by extracting the common name (CN) from the group. After authenticating the user, the login flow grants these roles to the user, and revokes any other roles that are not returned by the LDAP server. The groups given by the LDAP server are treated as the sole source of truth for role memberships, so any roles that were manually granted to the user will not remain in place. [#131043][#131043] | ||
- Previously, the HBA configuration cluster setting `server.host_based_authentication.configuration` was unable to handle double quotes in authentication method option values. For example, for the following entry: |
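Review bot: In the LDAP authorization entry (#131043), "the list of groups that a user belongs to are fetched" has a subject-verb mismatch; suggest "is fetched". Because this entry says the LDAP server's groups are the sole source of truth and that other roles are revoked at login, it would also help to link "LDAP" or "login flow" to the authentication configuration page already linked elsewhere in this section, so readers can find where the behavior is configured.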
- Previously, the HBA configuration cluster setting `server.host_based_authentication.configuration` was unable to handle double quotes in authentication method option values. For example, for the following entry: | |
- Previously, the [host-based authentication]({% link v24.3/security-reference/authentication.md %}#authentication-configuration) (HBA) configuration cluster setting [`server.host_based_authentication.configuration`]({% link v24.3/cluster-settings.md %}#setting-server-host-based-authentication-configuration) was unable to handle double quotes in authentication method option values. For example, for the following entry: |
<h3 id="v24-3-0-alpha-1-general-changes">General changes</h3> | ||
|
||
- CockroachDB will now avoid [logging]({% link v24.3/logging.md %}) unnecessary stack traces while executing [scheduled jobs]({% link v24.3/show-jobs.md %}). [#129846][#129846] | ||
- Upgrading to 24.3 is blocked if no license is installed, or if a trial/free license is installed with telemetry disabled. [#130576][#130576] |
- Upgrading to 24.3 is blocked if no license is installed, or if a trial/free license is installed with telemetry disabled. [#130576][#130576] | |
- Upgrading to 24.3 is blocked if no [license]({% link v24.3/licensing-faqs.md %}) is installed, or if a trial/free license is installed with telemetry disabled. [#130576][#130576] |
- The JWT authentication [cluster settings]({% link v24.3/cluster-settings.md %}) have been made `public`. [#128170][#128170] | ||
- Updated certain error messages to refer to the `stable` docs tree rather than an explicit version. [#128842][#128842] | ||
- Disambiguated [metrics]({% link v24.3/essential-metrics-self-hosted.md %}) and logs for the two buffers used by the KV feed. The affected metrics now have a suffix indicating which buffer they correspond to: `changefeed.buffer_entries.*`, `changefeed.buffer_entries_mem.*`, `changefeed.buffer_pushback_nanos.*`. The previous versions are still supported for backward compatibility, though using the new format is recommended. [#128813][#128813] | ||
- Added support for authorization to a CockroachDB cluster via LDAP, retrieving AD groups membership information for LDAP user. The new HBA configuration cluster setting option `ldapgrouplistfilter` performs filtered search query on LDAP for matching groups. An example HBA configuration entry to support LDAP authZ configuration: |
- Added support for authorization to a CockroachDB cluster via LDAP, retrieving AD groups membership information for LDAP user. The new HBA configuration cluster setting option `ldapgrouplistfilter` performs filtered search query on LDAP for matching groups. An example HBA configuration entry to support LDAP authZ configuration: | |
- Added support for authorization to a CockroachDB cluster via LDAP, retrieving AD groups membership information for LDAP user. The new [HBA configuration]]({% link v24.3/security-reference/authentication.md %}#authentication-configuration) cluster setting option `ldapgrouplistfilter` performs filtered search query on LDAP for matching groups. | |
An example HBA configuration entry to support LDAP authZ configuration: |
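Review bot: The suggested replacement writes `[HBA configuration]]({% link v24.3/security-reference/authentication.md %}#authentication-configuration)` with a doubled closing bracket, which leaves a stray `]` in the rendered text and can break the link; it should be `[HBA configuration]({% link v24.3/security-reference/authentication.md %}#authentication-configuration)`. In the same line, "retrieving AD groups membership information for LDAP user" reads better as "retrieving AD group membership information for the LDAP user", and "performs filtered search query" needs an article ("performs a filtered search query").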
[#130167][#130167] | ||
|
||
- The new `ranges.decommissioning` [metric]({% link v24.3/metrics.md %}) shows the number of ranges with a replica on a [decommissioning]({% link v24.3/node-shutdown.md %}) node. [#130117][#130117] | ||
- New [cluster settings]({% link v24.3/cluster-settings.md %}) have been added which control the refresh behavior for the cached data in Databases pages of the [DB Console](): |
Here is the href error cause:
- New [cluster settings]({% link v24.3/cluster-settings.md %}) have been added which control the refresh behavior for the cached data in Databases pages of the [DB Console](): | |
- New [cluster settings]({% link v24.3/cluster-settings.md %}) have been added which control the refresh behavior for the cached data in the **Databases** page of the [DB Console]({% link v24.3/ui-overview.md %}): |
|
||
[#130198][#130198] | ||
- New gauge [metrics]({% link v24.3/metrics.md %}) `security.certificate.expiration.{cert-type}` and `security.certificate.ttl.{cert-type}` show the expiration and TTL for a certificate. [#130110][#130110] | ||
- To set the logging format for `stderr`, you can now set the `format` field to any valid format, rather than only `crdb-v2-tty`. [#131529][#131529] |
- To set the logging format for `stderr`, you can now set the `format` field to any valid format, rather than only `crdb-v2-tty`. [#131529][#131529] | |
- To set the [logging format]({% link v24.3/log-formats.md %}) for `stderr`, you can now set the `format` field to any valid format, rather than only `crdb-v2-tty`. [#131529][#131529] |
[#131578][#131578] | ||
|
||
- Verbose logging of slow [Pebble]({% link v24.3/architecture/storage-layer.md %}#pebble) reads can no longer be enabled via the shorthand flag `--vmodule=pebble_logger_and_tracer=2`, where `pebble_logger_and_tracer` contains the CockroachDB implementation of the logger needed by Pebble. Instead, you must list the Pebble files that contain the log statements. For example `--vmodule=reader=2,table=2`. [#127066][#127066] | ||
- The lowest admission control priority for the storage layer has been renamed from `ttl-low-pri` to `bulk-low-pri`. [#129564][#129564] |
- The lowest admission control priority for the storage layer has been renamed from `ttl-low-pri` to `bulk-low-pri`. [#129564][#129564] | |
- The lowest [admission control]]({% link v24.3/admission-control.md %}) priority for the storage layer has been renamed from `ttl-low-pri` to `bulk-low-pri`. [#129564][#129564] |
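Review bot: The suggested replacement writes `[admission control]]({% link v24.3/admission-control.md %})` with a doubled closing bracket, so the link text will be followed by a stray `]` or fail to render as a link. It should be `[admission control]({% link v24.3/admission-control.md %})`.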
|
||
- Verbose logging of slow [Pebble]({% link v24.3/architecture/storage-layer.md %}#pebble) reads can no longer be enabled via the shorthand flag `--vmodule=pebble_logger_and_tracer=2`, where `pebble_logger_and_tracer` contains the CockroachDB implementation of the logger needed by Pebble. Instead, you must list the Pebble files that contain the log statements. For example `--vmodule=reader=2,table=2`. [#127066][#127066] | ||
- The lowest admission control priority for the storage layer has been renamed from `ttl-low-pri` to `bulk-low-pri`. [#129564][#129564] | ||
- New clusters will now have a zone config defined for the `timeseries` range, which specifies `gc.ttlseconds` and inherits all other attributes from the zone config of the `default` range. This zone config will also be added to a cluster that is [upgraded]({% link v24.3/upgrade-cockroach-version.md %}) to v24.3 if it does not already have a zone config defined.[#128032][#128032] |
- New clusters will now have a zone config defined for the `timeseries` range, which specifies `gc.ttlseconds` and inherits all other attributes from the zone config of the `default` range. This zone config will also be added to a cluster that is [upgraded]({% link v24.3/upgrade-cockroach-version.md %}) to v24.3 if it does not already have a zone config defined.[#128032][#128032] | |
- New clusters will now have a [zone configuration](]({% link v24.3/show-zone-configuration.md %}) defined for the `timeseries` range, which specifies `gc.ttlseconds` and inherits all other attributes from the zone config of the `default` range. This zone config will also be added to a cluster that is [upgraded]({% link v24.3/upgrade-cockroach-version.md %}) to v24.3 if it does not already have a zone config defined.[#128032][#128032] |
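Review bot: The suggested replacement opens the link as `[zone configuration](]({% link v24.3/show-zone-configuration.md %})`, with an extra `](` between the link text and the target, which produces a malformed link; it should be `[zone configuration]({% link v24.3/show-zone-configuration.md %})`. The suggestion also carries over the missing space in `defined.[#128032][#128032]` from the original line; add a space after the period.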
- Added new database pages that are available from the side navigation **Databases** link. [#131594][#131594] | ||
- The [DB Console]({% link v24.3/ui-overview.md %}) will reflect any throttling behavior from the cluster due to an expired license or missing telemetry data. Enterprise licenses are not affected. [#131326][#131326] | ||
- Users can hover over the node/region cell in multi-region deployments to view a list of nodes the database or table is on. [#130704][#130704] | ||
- The [**Databases** pages]({% link v24.3/ui-databases-page.md %}) in the DB console have been updated to read cached metadata about database and table storage statistics. The cache update time is now displayed in the top right-hand corner of the database and tables list pages. Users may trigger a cache refresh with the **refresh** icon next to the last updated time. The cache will also update automatically when users visit a **Databases** page and the cache is >= 20m old. [#131463][#131463] |
- The [**Databases** pages]({% link v24.3/ui-databases-page.md %}) in the DB console have been updated to read cached metadata about database and table storage statistics. The cache update time is now displayed in the top right-hand corner of the database and tables list pages. Users may trigger a cache refresh with the **refresh** icon next to the last updated time. The cache will also update automatically when users visit a **Databases** page and the cache is >= 20m old. [#131463][#131463] | |
- The [**Databases** pages]({% link v24.3/ui-databases-page.md %}) in the DB console have been updated to read cached metadata about database and table storage statistics. The cache update time is now displayed in the top right-hand corner of the database and tables list pages. Users may trigger a cache refresh with the **refresh** icon next to the last updated time. The cache will also update automatically when users visit a **Databases** page and the cache is older than or equal to 20 minutes. [#131463][#131463] |
It seems like this is good now? Let me run a local linkcheck just to be sure.
Co-authored-by: Florence Morris <[email protected]>
5da9627
to
1604815
Compare
Current state of this PR has no broken links locally (or in the PR checks). I think we are good on this bit.
Fixes REL-1511