Merge #86700 #87081

86700: sql: support SHOW SYSTEM GRANTS r=rafiss a=RichardJCai fixes #85549 Release justification: Observability only command Release note (sql change): SHOW SYSTEM GRANTS [FOR ROLE ...] allows you to see the grants done by GRANT SYSTEM ... 87081: sql: add catid.RoleID type for role ids r=rafiss a=RichardJCai Release justification: Tiny change, no functional change Release note: None Fixes #85241 Co-authored-by: richardjcai <[email protected]>
cockroachdb · Aug 30, 2022 · d676dcb · d676dcb
3 parents d35c174 + 863d0de + bf75f1d
commit d676dcb
Show file tree

Hide file tree

Showing 22 changed files with 353 additions and 10 deletions.
diff --git a/docs/generated/sql/bnf/show_grants_stmt.bnf b/docs/generated/sql/bnf/show_grants_stmt.bnf
@@ -11,3 +11,5 @@ show_grants_stmt ::=
 	| 'SHOW' 'GRANTS' 'ON' ( | 'TABLE' table_name ( ( ',' table_name ) )* | 'DATABASE' database_name ( ( ',' database_name ) )* ) 
 	| 'SHOW' 'GRANTS'  'FOR' role_spec_list
 	| 'SHOW' 'GRANTS'  
+	| 'SHOW' 'SYSTEM' 'GRANTS' 'FOR' role_spec_list
+	| 'SHOW' 'SYSTEM' 'GRANTS' 
diff --git a/docs/generated/sql/bnf/stmt_block.bnf b/docs/generated/sql/bnf/stmt_block.bnf
@@ -801,6 +801,7 @@ show_types_stmt ::=
 
 show_grants_stmt ::=
 	'SHOW' 'GRANTS' opt_on_targets_roles for_grantee_clause
+	| 'SHOW' 'SYSTEM' 'GRANTS' for_grantee_clause
 
 show_indexes_stmt ::=
 	'SHOW' 'INDEX' 'FROM' table_name with_comment

diff --git a/pkg/ccl/backupccl/BUILD.bazel b/pkg/ccl/backupccl/BUILD.bazel
@@ -106,6 +106,7 @@ go_library(
         "//pkg/sql/schemachanger/scbackup",
         "//pkg/sql/sem/builtins",
         "//pkg/sql/sem/catconstants",
+        "//pkg/sql/sem/catid",
         "//pkg/sql/sem/eval",
         "//pkg/sql/sem/tree",
         "//pkg/sql/sessiondata",

diff --git a/pkg/ccl/backupccl/system_schema.go b/pkg/ccl/backupccl/system_schema.go
@@ -25,6 +25,7 @@ import (
 	descpb "github.com/cockroachdb/cockroach/pkg/sql/catalog/descpb"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descs"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/systemschema"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/catid"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/sql/sessiondata"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
@@ -218,7 +219,7 @@ func usersRestoreFunc(
 		password := it.Cur()[1]
 		isRole := tree.MustBeDBool(it.Cur()[2])
 
-		var id int64
+		var id catid.RoleID
 		if username == "root" {
 			id = 1
 		} else if username == "admin" {

diff --git a/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go b/pkg/ccl/logictestccl/tests/3node-tenant/generated_test.go
diff --git a/pkg/security/username/BUILD.bazel b/pkg/security/username/BUILD.bazel
@@ -9,6 +9,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/sql/lexbase",
+        "//pkg/sql/sem/catid",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_redact//:redact",
     ],

diff --git a/pkg/security/username/username.go b/pkg/security/username/username.go
@@ -17,6 +17,7 @@ import (
 	"strings"
 
 	"github.com/cockroachdb/cockroach/pkg/sql/lexbase"
+	"github.com/cockroachdb/cockroach/pkg/sql/sem/catid"
 	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/redact"
 )
@@ -111,15 +112,15 @@ const PublicRoleID = 4
 // Right now this should always hold as we cannot rename any of the
 // roles defined in this map.
 // TODO(richardjcai): Add checks to ensure that this mapping always holds.
-var roleNameToID = map[SQLUsername]int{
+var roleNameToID = map[SQLUsername]catid.RoleID{
 	RootUserName():   RootUserID,
 	AdminRoleName():  AdminRoleID,
 	NodeUserName():   NodeUserID,
 	PublicRoleName(): PublicRoleID,
 }
 
 // GetDefaultRoleNameToID returns a role id for default roles.
-func GetDefaultRoleNameToID(username SQLUsername) int {
+func GetDefaultRoleNameToID(username SQLUsername) catid.RoleID {
 	return roleNameToID[username]
 }
 

diff --git a/pkg/sql/catalog/descidgen/generate_id.go b/pkg/sql/catalog/descidgen/generate_id.go
@@ -87,7 +87,9 @@ func PeekNextUniqueDescID(ctx context.Context, db *kv.DB, codec keys.SQLCodec) (
 // GenerateUniqueRoleID returns the next available Role ID and increments
 // the counter. The incrementing is non-transactional, and the counter could be
 // incremented multiple times because of retries.
-func GenerateUniqueRoleID(ctx context.Context, db *kv.DB, codec keys.SQLCodec) (int64, error) {
+func GenerateUniqueRoleID(
+	ctx context.Context, db *kv.DB, codec keys.SQLCodec,
+) (catid.RoleID, error) {
 	return IncrementUniqueRoleID(ctx, db, codec, 1)
 }
 
@@ -96,10 +98,10 @@ func GenerateUniqueRoleID(ctx context.Context, db *kv.DB, codec keys.SQLCodec) (
 // could be incremented multiple times because of retries.
 func IncrementUniqueRoleID(
 	ctx context.Context, db *kv.DB, codec keys.SQLCodec, inc int64,
-) (int64, error) {
+) (catid.RoleID, error) {
 	newVal, err := kv.IncrementValRetryable(ctx, db, codec.SequenceKey(keys.RoleIDSequenceID), inc)
 	if err != nil {
 		return 0, err
 	}
-	return newVal - inc, nil
+	return catid.RoleID(newVal - inc), nil
 }
diff --git a/pkg/sql/delegate/show_grants.go b/pkg/sql/delegate/show_grants.go
@@ -61,6 +61,44 @@ SELECT type_catalog AS database_name,
        privilege_type,
        is_grantable::boolean
 FROM "".information_schema.type_privileges`
+	const systemPrivilegeQuery = `
+SELECT a.username AS grantee,
+       privilege,
+       a.privilege
+       IN (
+          SELECT unnest(grant_options)
+            FROM system.privileges
+           WHERE username = a.username
+        ) AS is_grantable
+  FROM (
+        SELECT username, unnest(privileges) AS privilege
+          FROM system.privileges
+       ) AS a
+`
+	const externalConnectionPrivilegeQuery = `
+SELECT *
+  FROM (
+        SELECT name,
+               a.username AS grantee,
+               privilege,
+               a.privilege
+               IN (
+                  SELECT unnest(grant_options)
+                    FROM system.privileges
+                   WHERE username = a.username
+                ) AS grantable
+          FROM (
+                SELECT regexp_extract(
+                        path,
+                        e'/externalconn/(\\S+)'
+                       ) AS name,
+                       username,
+                       unnest(privileges) AS privilege
+                  FROM system.privileges
+                 WHERE path ~* '^/externalconn/'
+               ) AS a
+       )
+`
 
 	var source bytes.Buffer
 	var cond bytes.Buffer
@@ -178,6 +216,14 @@ FROM "".information_schema.type_privileges`
 				strings.Join(params, ","),
 			)
 		}
+	} else if n.Targets != nil && n.Targets.System {
+		orderBy = "1,2,3"
+		fmt.Fprint(&source, systemPrivilegeQuery)
+		cond.WriteString(`WHERE true`)
+	} else if n.Targets != nil && len(n.Targets.ExternalConnections) > 0 {
+		orderBy = "1,2,3, 4"
+		fmt.Fprint(&source, externalConnectionPrivilegeQuery)
+		cond.WriteString(`WHERE true`)
 	} else {
 		orderBy = "1,2,3,4,5"
 
@@ -262,7 +308,6 @@ FROM "".information_schema.type_privileges`
 	query := fmt.Sprintf(`
 		SELECT * FROM (%s) %s ORDER BY %s
 	`, source.String(), cond.String(), orderBy)
-
 	// Terminate on invalid users.
 	for _, p := range n.Grantees {
 

diff --git a/pkg/sql/logictest/testdata/logic_test/external_connection_privileges b/pkg/sql/logictest/testdata/logic_test/external_connection_privileges
@@ -74,3 +74,30 @@ GRANT SELECT ON EXTERNAL CONNECTION foo TO testuser
 
 statement error pq: invalid privilege type INSERT for external_connection
 GRANT INSERT ON EXTERNAL CONNECTION foo TO testuser
+
+statement ok
+CREATE ROLE testuser2
+
+statement ok
+GRANT DROP, USAGE ON EXTERNAL CONNECTION foo TO testuser2 WITH GRANT OPTION
+
+query TTTB colnames
+SHOW GRANTS ON EXTERNAL CONNECTION foo
+----
+name  grantee    privilege  grantable
+foo   bar        DROP       false
+foo   bar        USAGE      false
+foo   root       ALL        false
+foo   testuser   DROP       true
+foo   testuser   USAGE      true
+foo   testuser2  DROP       true
+foo   testuser2  USAGE      true
+
+query TTTB colnames
+SHOW GRANTS ON EXTERNAL CONNECTION foo FOR testuser, testuser2
+----
+name  grantee    privilege  grantable
+foo   testuser   DROP       true
+foo   testuser   USAGE      true
+foo   testuser2  DROP       true
+foo   testuser2  USAGE      true
diff --git a/pkg/sql/logictest/testdata/logic_test/show_grants_on_virtual_table b/pkg/sql/logictest/testdata/logic_test/show_grants_on_virtual_table
@@ -0,0 +1,32 @@
+query TTTTTB colnames
+SHOW GRANTS ON crdb_internal.tables
+----
+database_name  schema_name    table_name  grantee  privilege_type  is_grantable
+test           crdb_internal  tables      public   SELECT          false
+
+statement ok
+GRANT SELECT ON crdb_internal.tables TO testuser
+
+query TTTTTB colnames
+SHOW GRANTS ON crdb_internal.tables
+----
+database_name  schema_name    table_name  grantee   privilege_type  is_grantable
+test           crdb_internal  tables      public    SELECT          false
+test           crdb_internal  tables      testuser  SELECT          false
+
+statement ok
+GRANT ALL ON crdb_internal.tables TO testuser
+
+statement ok
+CREATE USER testuser2
+
+statement ok
+GRANT SELECT ON crdb_internal.tables TO testuser2 WITH GRANT OPTION
+
+query TTTTTB colnames
+SHOW GRANTS ON crdb_internal.tables
+----
+database_name  schema_name    table_name  grantee    privilege_type  is_grantable
+test           crdb_internal  tables      public     SELECT          false
+test           crdb_internal  tables      testuser   ALL             false
+test           crdb_internal  tables      testuser2  SELECT          true
diff --git a/pkg/sql/logictest/testdata/logic_test/show_grants_synthetic b/pkg/sql/logictest/testdata/logic_test/show_grants_synthetic
@@ -0,0 +1,68 @@
+statement ok
+GRANT SYSTEM MODIFYCLUSTERSETTING TO testuser
+
+statement ok
+GRANT SYSTEM VIEWACTIVITY TO testuser
+
+statement ok
+GRANT SYSTEM EXTERNALCONNECTION TO testuser WITH GRANT OPTION
+
+query TTB colnames
+SHOW SYSTEM GRANTS
+----
+grantee   privilege             is_grantable
+testuser  EXTERNALCONNECTION    true
+testuser  MODIFYCLUSTERSETTING  false
+testuser  VIEWACTIVITY          false
+
+query TTB colnames
+SHOW SYSTEM GRANTS FOR testuser
+----
+grantee   privilege             is_grantable
+testuser  EXTERNALCONNECTION    true
+testuser  MODIFYCLUSTERSETTING  false
+testuser  VIEWACTIVITY          false
+
+statement ok
+REVOKE SYSTEM VIEWACTIVITY FROM testuser
+
+query TTB colnames
+SHOW SYSTEM GRANTS
+----
+grantee   privilege             is_grantable
+testuser  EXTERNALCONNECTION    true
+testuser  MODIFYCLUSTERSETTING  false
+
+statement ok
+CREATE USER testuser2
+
+statement ok
+GRANT SYSTEM VIEWACTIVITY TO testuser2 WITH GRANT OPTION
+
+statement ok
+GRANT SYSTEM EXTERNALCONNECTION TO testuser2
+
+query TTB colnames
+SHOW SYSTEM GRANTS
+----
+grantee    privilege             is_grantable
+testuser   EXTERNALCONNECTION    true
+testuser   MODIFYCLUSTERSETTING  false
+testuser2  EXTERNALCONNECTION    false
+testuser2  VIEWACTIVITY          true
+
+query TTB colnames
+SHOW SYSTEM GRANTS FOR testuser2
+----
+grantee    privilege           is_grantable
+testuser2  EXTERNALCONNECTION  false
+testuser2  VIEWACTIVITY        true
+
+query TTB colnames
+SHOW SYSTEM GRANTS FOR testuser, testuser2
+----
+grantee    privilege             is_grantable
+testuser   EXTERNALCONNECTION    true
+testuser   MODIFYCLUSTERSETTING  false
+testuser2  EXTERNALCONNECTION    false
+testuser2  VIEWACTIVITY          true
diff --git a/pkg/sql/logictest/tests/fakedist-disk/generated_test.go b/pkg/sql/logictest/tests/fakedist-disk/generated_test.go
diff --git a/pkg/sql/logictest/tests/fakedist-vec-off/generated_test.go b/pkg/sql/logictest/tests/fakedist-vec-off/generated_test.go
diff --git a/pkg/sql/logictest/tests/fakedist/generated_test.go b/pkg/sql/logictest/tests/fakedist/generated_test.go