From 4fb65fb7b8d3561309525ab3c4c7d99fcc1b0011 Mon Sep 17 00:00:00 2001 From: Rafi Shamim Date: Fri, 19 Apr 2024 17:36:53 -0400 Subject: [PATCH] sql/delegate: don't include external connections in SHOW SYSTEM GRANTS Release note (bug fix): Privileges granted for external connections were incorrectly showing up in SHOW SYSTEM GRANTS, but were not useful since there is no associated object name. Now they do not appear there. Instead, the SHOW GRANTS ON EXTERNAL CONNECTION should be used. --- pkg/sql/delegate/show_grants.go | 1 + .../logic_test/grant_revoke_with_grant_option | 30 +++++++++++++++++++ pkg/sql/logictest/testdata/logic_test/role | 18 ----------- 3 files changed, 31 insertions(+), 18 deletions(-) diff --git a/pkg/sql/delegate/show_grants.go b/pkg/sql/delegate/show_grants.go index 6c52cc266da2..3fc7eac9ecb1 100644 --- a/pkg/sql/delegate/show_grants.go +++ b/pkg/sql/delegate/show_grants.go @@ -88,6 +88,7 @@ SELECT a.username AS grantee, FROM ( SELECT username, unnest(privileges) AS privilege FROM crdb_internal.kv_system_privileges + WHERE path LIKE '/global%' ) AS a` const externalConnectionPrivilegeQuery = ` SELECT * diff --git a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option index b765463e0750..0236ce623ae8 100644 --- a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option +++ b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option @@ -677,3 +677,33 @@ test public owner_grant_option admin ALL test public owner_grant_option other_owner ALL true test public owner_grant_option owner_grant_option_child SELECT false test public owner_grant_option root ALL true + +statement ok +CREATE USER roach; +CREATE TYPE mood AS enum ('sad','happy'); +GRANT USAGE ON TYPE mood TO roach; +CREATE SEQUENCE test_sequence; +GRANT SELECT ON SEQUENCE test_sequence TO roach; +CREATE EXTERNAL CONNECTION connection1 AS 'nodelocal://1/foo'; +GRANT USAGE ON EXTERNAL CONNECTION connection1 TO roach WITH GRANT OPTION; +GRANT SYSTEM VIEWCLUSTERSETTING TO roach WITH GRANT OPTION; +GRANT SYSTEM VIEWACTIVITY TO roach; + +# The purpose of this test is to verify the object_type column. +query TTTTTTB colnames,rowsort +SHOW GRANTS FOR roach +---- +database_name schema_name object_name object_type grantee privilege_type is_grantable +NULL NULL connection1 external_connection roach USAGE true +test public mood type roach USAGE false +test public test_sequence sequence roach SELECT false + +# Verify that only system grants appear in SHOW SYSTEM GRANTS. Previously, +# there was a bug that would cause external connection privileges to appear +# also, since those privileges are also implemented with synthetic privileges. +query TTB colnames,rowsort +SHOW SYSTEM GRANTS FOR roach +---- +grantee privilege_type is_grantable +roach VIEWACTIVITY false +roach VIEWCLUSTERSETTING true diff --git a/pkg/sql/logictest/testdata/logic_test/role b/pkg/sql/logictest/testdata/logic_test/role index 0500fe88a5bd..c596ccdc83da 100644 --- a/pkg/sql/logictest/testdata/logic_test/role +++ b/pkg/sql/logictest/testdata/logic_test/role @@ -1881,21 +1881,3 @@ statement error SUBJECT role option is only supported after v24.1 upgrade is fin ALTER ROLE testuser SUBJECT 'foo' subtest end - -# The purpose of this test is to verify the object_type column -statement ok -create user roach; -create type mood as enum ('sad','happy'); -grant usage on type mood to roach; -create sequence test_sequence; -grant usage on sequence test_sequence to roach; -CREATE EXTERNAL CONNECTION connection1 AS 'nodelocal://1/foo'; -grant usage on EXTERNAL CONNECTION connection1 to roach; - -query TTTTTTB colnames,rowsort -show grants for roach ----- -database_name schema_name object_name object_type grantee privilege_type is_grantable -NULL NULL connection1 external_connection roach USAGE false -test public mood type roach USAGE false -test public test_sequence sequence roach USAGE false