Skip to content

feat(cloudsqlmysql): add native read-only session locking#3618

Open
anubhav756 wants to merge 3 commits into
anubhav-readonly-corefrom
anubhav-readonly-cloudsqlmysql
Open

feat(cloudsqlmysql): add native read-only session locking#3618
anubhav756 wants to merge 3 commits into
anubhav-readonly-corefrom
anubhav-readonly-cloudsqlmysql

Conversation

@anubhav756

@anubhav756 anubhav756 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Overview

This PR implements native read-only session locking for Cloud SQL MySQL.

Changes

  • Updates the connection logic to automatically append session_variables=cloudsql_session_read_only=locked to the connection DSN when the source is marked as read-only.
  • Includes a new vulnerability test to ensure that the MySQL database kernel successfully intercepts and blocks destructive queries.

@anubhav756 anubhav756 self-assigned this Jul 14, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces read-only mode support for the Cloud SQL MySQL source. It adds a readonly configuration option, configures the database connection pool to enforce read-only sessions via cloudsql_session_read_only=locked when enabled, introduces a prebuilt execute_sql_readonly tool, and adds an integration test to verify the read-only enforcement. The feedback recommends renaming the environment variable CLOUDSQL_MYSQL_READONLY to CLOUD_SQL_MYSQL_READONLY in both the documentation and configuration files to maintain naming consistency with existing environment variables.

Comment thread docs/CLOUDSQLMYSQL_README.md Outdated
Comment thread internal/prebuiltconfigs/tools/cloud-sql-mysql.yaml Outdated
@anubhav756 anubhav756 force-pushed the anubhav-readonly-core branch 2 times, most recently from a975dc7 to efeaaa2 Compare July 14, 2026 07:31
@anubhav756 anubhav756 force-pushed the anubhav-readonly-cloudsqlmysql branch from 9a2c11a to 67c5006 Compare July 14, 2026 07:32
@anubhav756 anubhav756 force-pushed the anubhav-readonly-core branch from efeaaa2 to c638838 Compare July 14, 2026 07:36
@anubhav756 anubhav756 force-pushed the anubhav-readonly-cloudsqlmysql branch from 67c5006 to 1440fd2 Compare July 14, 2026 08:14
@anubhav756

Copy link
Copy Markdown
Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a read-only mode for Cloud SQL MySQL sources, enforcing read-only session locking on the database connection via DSN parameters when enabled. It adds a new execute_sql_readonly tool, updates the configuration and source initialization, and includes an integration test to verify that write operations are rejected in read-only mode. Feedback suggests correcting the README documentation to accurately describe that the readonly option enforces session locking on the connection rather than routing queries to a read-only endpoint.

Comment thread docs/CLOUDSQLMYSQL_README.md Outdated
export CLOUD_SQL_MYSQL_USER="<your-database-user>" # Optional
export CLOUD_SQL_MYSQL_PASSWORD="<your-database-password>" # Optional
export CLOUD_SQL_MYSQL_IP_TYPE="PUBLIC" # Optional: `PUBLIC`, `PRIVATE`, `PSC`. Defaults to `PUBLIC`.
export CLOUD_SQL_MYSQL_READONLY="true" # Optional: Restricts tools and executes queries on read-only endpoints.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The description # Optional: Restricts tools and executes queries on read-only endpoints. is technically inaccurate. The readonly configuration actually appends session_variables=cloudsql_session_read_only=locked to the connection DSN, which enforces read-only session locking on the database connection itself. It does not route queries to a different "read-only endpoint" (such as a read replica).

Let's update the description to be more accurate.

Suggested change
export CLOUD_SQL_MYSQL_READONLY="true" # Optional: Restricts tools and executes queries on read-only endpoints.
export CLOUD_SQL_MYSQL_READONLY="true" # Optional: Restricts tools and enforces read-only session locking on the database connection.

@anubhav756 anubhav756 marked this pull request as ready for review July 14, 2026 13:30
@anubhav756 anubhav756 requested review from a team as code owners July 14, 2026 13:30
@anubhav756 anubhav756 assigned Yuan325 and unassigned anubhav756 Jul 14, 2026
@anubhav756 anubhav756 requested review from Yuan325, averikitsch and kurtisvg and removed request for a team July 14, 2026 13:32
@anubhav756 anubhav756 force-pushed the anubhav-readonly-cloudsqlmysql branch from 02e3dd9 to 502e5f9 Compare July 15, 2026 07:56
@anubhav756 anubhav756 force-pushed the anubhav-readonly-cloudsqlmysql branch from 502e5f9 to 8f59ae2 Compare July 15, 2026 08:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants