LindaSummer commented on issue #2862: URL: https://github.com/apache/kvrocks/issues/2862#issuecomment-2804879099
Hi @git-hulk , I have read through redis code and kvrocks code and found the difference. Kvrocks checks the script command `EVALSHA/EVAL` and `EVALSHA_RO/EVAL_RO` before script execution. Redis discards the command's read or write attribution and check the command invoked by lua script in runtime. Here is [redis logic](https://github.com/redis/redis/blob/d3a0d95dabe05a9473454b28b3a4fbcf32c16f9d/src/script.c#L618-L640). It is called by `lua_pcall` in lua runtime. ```c struct redisCommand *cmd = lookupCommand(c->argv, c->argc); ...... ...... if (scriptVerifyWriteCommandAllow(run_ctx, err) != C_OK) { goto error; } ``` It checks the command which are called by lua script in runtime. In kvrocks, I plan to add logic [here](https://github.com/apache/kvrocks/blob/unstable/src/storage/scripting.cc#L750) and add a new option `restrict-script`. If it is enabled, we will check the script command like `EVAL` and `EVAL_RO` before executing the script. If it is disabled, we will bypass the `EVAL_RO` to `EVAL` and pass the node's role to lua context and check the command's behavior in runtime. Before implementation, I would like to share my draft proposal and please let me know if this idea has any problem. Wish you a good day! 😊 Best Regards, Edward -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
