RFC 697: Prevent permanent application of `-noop-privileged`
Created by: efritz
See RFC 697: Multiple version upgrades.
A follow-up from #38687. Make it difficult for users to supply `-noop-privileged` on all migrations. This will stop the user from accidentally skipping a new migration containing privileged commands without having manually run the migrations.
In order to do this, we should change the flow of this particular flag to the following:
- If the user supplied only the `-noop-privileged` flag, we should print a failure message with instructions on how to run the next instruction.
- If the user supplies the `-noop-privileged` flag AND a `-privileged-token={hash from previous command}` flag, then the flag will take effect and the privileged migrations will be no-op'd correctly.
The hash should be something that is deterministically resolvable from the set of migrations we can run, so that a previous value will not be usable by a future invocation of the migrator.
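The flow proposed above, as an added Go example that is not Sourcegraph's migrator code: the function names, the SHA-256 derivation over the sorted IDs of pending privileged migrations, and the sample IDs are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
)

// privilegedToken (hypothetical) derives the token from the set of pending
// privileged migration IDs. Sorting makes it order-independent; a newly
// added privileged migration changes the set and so invalidates old tokens.
func privilegedToken(pendingIDs []int) string {
	ids := append([]int(nil), pendingIDs...)
	sort.Ints(ids)
	h := sha256.New()
	for _, id := range ids {
		h.Write([]byte(strconv.Itoa(id)))
		h.Write([]byte{0}) // separator so {1,23} and {12,3} hash differently
	}
	return hex.EncodeToString(h.Sum(nil))
}

var errTokenRequired = errors.New("privileged token missing or stale")

// checkNoopPrivileged (hypothetical) reports whether privileged migrations
// may be no-op'd. With -noop-privileged alone, or with a token computed for
// a different migration set, it fails and names the token to pass next.
func checkNoopPrivileged(noop bool, token string, pendingIDs []int) (bool, error) {
	if !noop {
		return false, nil
	}
	want := privilegedToken(pendingIDs)
	if subtle.ConstantTimeCompare([]byte(token), []byte(want)) != 1 {
		return false, fmt.Errorf("%w: run the privileged migrations manually, "+
			"then re-run with -noop-privileged -privileged-token=%s", errTokenRequired, want)
	}
	return true, nil
}

func main() {
	pending := []int{1648051770, 1657279116} // constructed migration IDs
	_, err := checkNoopPrivileged(true, "", pending)
	fmt.Println(err)
	ok, _ := checkNoopPrivileged(true, privilegedToken(pending), pending)
	fmt.Println("no-op privileged:", ok)
}
```
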