feat(workbench): support PostgreSQL + fix AuditMiddleware fail-open (issue #850) #630
Merged
…issue #850, compat-RISK-2)
Refs: dms-ee#850
Risk: compat-RISK-2
Add DBTypePostgreSQL to the SqlWorkbenchService.SupportDBType allowlist so that PG data sources, like the already supported MySQL / Oracle / OceanBaseMySQL and other types, enter the ODC workbench through the ResetDbServiceByAuth temporary-account path (design doc §3.1 / §8.3).
Also update the map cases of sql_workbench_service_test.go::Test_SupportDBType:
- 9 entries expected=true: MySQL / Oracle / OceanBaseMySQL / DM / TiDB / TDSQLForInnoDB / GoldenDB / PolarDBForMySQL / PostgreSQL
- 3 entries expected=false: SQL Server / empty string / unknown type string
(cherry picked from commit ba55d54f5d52adf9a85929a48958a1e334a67885)
…#850, compat-RISK-4)
Refs: #850
Risk: compat-RISK-4
Add the sqle-pg-plugin binary copy to the dms-ee deployment flow so that the SQLE plugin_path contains the PG audit plugin binary after deployment, closing out compat-RISK-4 decision B (coverage must be added).
1) Makefile dms_sqle_provision_rpm_pre target
- Add mkdir -p ./builddir/plugins, at the same level as the existing bin/config/static/scripts/neo4j-community/lib mkdir lines
- Add cp ${PRE_DIR}sqle-pg-plugin/bin/sqle-pg-plugin ./builddir/plugins/sqle-pg-plugin, reusing the default output path $(GOBIN)/sqle-pg-plugin (GOBIN=$(shell pwd)/bin) of the sqle-pg-plugin Makefile install target; the pattern is consistent with the upstream copies of sqle/bin/sqled, provision/bin/provision and other same-repo plugins
2) build/dms_sqle_provision.spec %install stage
- Add cp builddir/plugins/sqle-pg-plugin -> $RPM_BUILD_ROOT/usr/local/%{name}/plugins/sqle-pg-plugin
- Use a single-file cp rather than cp -R of the whole directory, to avoid conflicting with the existing mkdir -p $RPM_BUILD_ROOT/usr/local/%{name}/plugins (line 40) and producing a nested plugins/plugins/; the semantics are equivalent to the plugin copy pattern in sqle-ee/build/sqled.spec, and the install path is still the SQLE plugin_path root
- Leave %files / %pre / %post / %preun / %postun untouched; the existing find $RPM_INSTALL_PREFIX/plugins -type f -exec chmod 0750 naturally covers the new binary
Design basis: design.md §3.2 lines 130-136 / §3.3 lines 138-143 / §9.4 line 406
Risk register: docs/dev/compat_risks.md §1 compat-RISK-4 decision B + case_ids
Related cases: case-pg-compat-010 / 011 / sqlaudit-002 / sqlaudit-003 / deploy-001 / deploy-002
Not touched: sqle-ee / sqle / sqle-pg-plugin code; vendor / go.mod / go.sum; skills/dms/script/**; any _ee.go / _ce.go; odc / odc-client; the CE repository
(cherry picked from commit 12c0128b09fa0685a66dd7530eb44abba2657382)
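… (issue #850, bug)
When streamExecute is reverse-proxied to ODC, AuditMiddleware does a direct `return errors.New(...)` when any of the following auxiliary paths fails; dms's HTTPErrorHandler maps that to HTTP 400 BadRequest by default, which leaves the ODC SQL Console completely unable to execute SQL:
- Parsing the user ID fails
- Querying the cache table sql_workbench_datasource_caches fails
- dms_db_service_id is not found in the cache (the cache is empty when a user enters the workbench for the first time / the data source has not gone through the DMS load path)
- Fetching the DBService metadata fails
- SQL audit is not enabled for the DBService (the most commonly hit branch)
- The call to the SQLE audit service fails (network / timeout / 5xx)
Fix: change all 6 branches above to `return next(c)` (fail-open). The audit capability is an enhancement; when it is not enabled, the cache is missing, or SQLE is failing, the request should pass through as a bare ODC reverse proxy rather than block the user's SQL execution. The two hard-constraint branches, read body err and "the audit result requires interception", remain fail-closed. Also change Errorf / Debugf to Warnf to ease later troubleshooting.
Not affected:
- The path with SQL audit enabled + SQLE call succeeded + a rule requiring approval hit still goes through buildAuditResponseWithoutExecution, behaviour unchanged;
- All data source types, MySQL/PG/Oracle/OB-Mysql etc., benefit equally;
- odc / odc-client / vendor / go.mod / pnpm-lock are not touched.
Evidence: docs/dev/fix-task-004-odc-streamExecute-400.md
(cherry picked from commit fd802f139ec88ff33e26d21814039677092d9de0 of dms-ee, adapted to CE's sidInfo-based parseStreamExecuteRequest signature)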
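The fail-open / fail-closed split described in the third commit message above, as an added example in Go; it is not code from this PR or from dms. It uses plain net/http, and `AuditGate`, `Status`, `BrokenBody`, the `lookup` / `audit` callbacks and the 403 status are all assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing/iotest"
)

var BrokenBody = iotest.ErrReader(errors.New("broken body")) // constructed body whose Read always fails

// AuditGate fails open on auxiliary errors and fails closed on an unreadable body or a
// blocking verdict. lookup and audit are hypothetical stand-ins for the DMS and SQLE calls.
func AuditGate(lookup func() (bool, error), audit func(string) (bool, error), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		if err != nil { // fail-closed: the SQL cannot be inspected
			http.Error(w, "read body failed", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // restore the body for the proxy
		if on, err := lookup(); err != nil || !on { // fail-open, logged at warn level
			log.Printf("WARN audit skipped: enabled=%v err=%v", on, err)
		} else if block, err := audit(string(body)); err != nil { // fail-open: audit call failed
			log.Printf("WARN audit skipped: audit call failed: %v", err)
		} else if block { // fail-closed: verdict requires interception
			http.Error(w, "blocked by audit", http.StatusForbidden) // status code is an assumption
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Status sends one constructed request through the gate and returns the HTTP status.
func Status(body io.Reader, on bool, lookupErr, auditErr error, block bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := AuditGate(func() (bool, error) { return on, lookupErr }, func(string) (bool, error) { return block, auditErr }, ok)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/streamExecute", body))
	return rec.Code
}

func main() {
	fmt.Println(Status(strings.NewReader("DROP TABLE t"), true, nil, errors.New("SQLE down"), true))
}
```

Because every fail-open branch lets SQL through unaudited, the warn-level log line is the only record that a request skipped the audit.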
269bef3 to 0a2a8ca
Persistent review updated to latest commit 0a2a8ca
PR Code Suggestions ✨: No code suggestions found for the PR.
Seechi-Yolo approved these changes Jun 1, 2026
User description
Summary
postgresql (compat-RISK-2), opening the workbench entry point for PG data sources. Related issue: actiontech/dms-ee#850
Related docs: docs/dev/compat_risks.md §compat-RISK-2 / §compat-RISK-4 / docs/dev/fix-task-004-odc-streamExecute-400.md
Test plan
Description
Change AuditMiddleware error handling to fail-open
Update the allowlist check to support PostgreSQL
Add copying of the sqle-pg-plugin file into the RPM package
Extend the DBType unit test cases
Diagram Walkthrough
File Walkthrough
sql_workbench_service.go
Update AuditMiddleware error-handling logic (internal/sql_workbench/service/sql_workbench_service.go)
Makefile
Update Makefile to add the plugin copy (Makefile)
dms_sqle_provision.spec
Update spec file to copy the plugin binary (build/dms_sqle_provision.spec)
sql_workbench_service_test.go
Update DBType unit test cases (internal/sql_workbench/service/sql_workbench_service_test.go)