From 4c725707feb9ff31b207098d4f8afd80364a4a39 Mon Sep 17 00:00:00 2001 From: Jack Wu Date: Wed, 15 Dec 2021 14:47:13 -0500 Subject: [PATCH] sql: deprecate GRANT privilege Release note (sql change): We will be deprecating the GRANT privilege in 22.1 before eventually removing it in 22.2 in favor of grant options. To promote backwards compatibility for users with code still using GRANT, we will give grant options on every privilege a user has when they are granted GRANT and remove all their grant options when GRANT is revoked, in addition to the existing grant option behavior. --- .../testdata/backup-restore/restore-grants | 8 +- pkg/sql/alter_default_privileges.go | 63 ++- .../catalog/catprivilege/default_privilege.go | 12 +- .../catprivilege/default_privilege_test.go | 17 +- pkg/sql/catalog/descpb/privilege.go | 21 + pkg/sql/grant_revoke.go | 32 ++ ...alter_default_privileges_with_grant_option | 453 ++++++++++-------- .../logic_test/grant_revoke_with_grant_option | 347 ++++++++++---- pkg/sql/logictest/testdata/logic_test/owner | 4 + .../logic_test/pg_catalog_pg_default_acl | 175 +++++-- ...g_catalog_pg_default_acl_with_grant_option | 11 + 11 files changed, 801 insertions(+), 342 deletions(-) diff --git a/pkg/ccl/backupccl/testdata/backup-restore/restore-grants b/pkg/ccl/backupccl/testdata/backup-restore/restore-grants index be4ad65e8c3f..b95cd4e4aefb 100644 --- a/pkg/ccl/backupccl/testdata/backup-restore/restore-grants +++ b/pkg/ccl/backupccl/testdata/backup-restore/restore-grants 
@@ -25,9 +25,9 @@ CREATE TABLE testdb.sc.othertable (a INT); # Give some grants to user1. # User1 has access to testdb.sc.othertable. exec-sql -GRANT ALL ON DATABASE testdb TO user1; -GRANT ALL ON SCHEMA public TO user1; -GRANT ALL ON SCHEMA public TO testuser; +GRANT ALL ON DATABASE testdb TO user1 WITH GRANT OPTION; +GRANT ALL ON SCHEMA public TO user1 WITH GRANT OPTION; +GRANT ALL ON SCHEMA public TO testuser WITH GRANT OPTION; GRANT USAGE ON SCHEMA sc TO user1; GRANT SELECT ON testdb.sc.othertable TO user1; ---- @@ -35,7 +35,7 @@ GRANT SELECT ON testdb.sc.othertable TO user1; # Grant privs to testuser. # Test user has access to testdb.testtable_greeting_usage and testtable_greeting_owner. exec-sql -GRANT ALL ON DATABASE testdb TO testuser; +GRANT ALL ON DATABASE testdb TO testuser WITH GRANT OPTION; GRANT USAGE ON TYPE testdb.greeting_usage TO testuser; GRANT UPDATE ON testdb.testtable_greeting_usage TO testuser; ---- diff --git a/pkg/sql/alter_default_privileges.go b/pkg/sql/alter_default_privileges.go index e695e6a3e0db..60bcff904c6e 100644 --- a/pkg/sql/alter_default_privileges.go +++ b/pkg/sql/alter_default_privileges.go @@ -21,6 +21,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/sql/catalog/schemadesc" "github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode" "github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror" + "github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgnotice" "github.com/cockroachdb/cockroach/pkg/sql/privilege" "github.com/cockroachdb/cockroach/pkg/sql/sem/tree" "github.com/cockroachdb/cockroach/pkg/util/log/eventpb" 
@@ -197,14 +198,41 @@ func (n *alterDefaultPrivilegesNode) alterDefaultPrivilegesForSchemas( if err != nil { return err } + + grantPresent, allPresent := false, false + if params.ExecCfg().Settings.Version.IsActive(params.ctx, clusterversion.ValidateGrantOption) { + for _, priv := range privileges { + grantPresent = grantPresent || priv == privilege.GRANT + allPresent = allPresent || priv == privilege.ALL + } + + noticeMessage := "" + // we only output the message for ALL privilege if it is being granted without the WITH GRANT OPTION flag + // if GRANT privilege is involved, we must always output the message + if allPresent && n.n.IsGrant && !grantOption { + noticeMessage = "grant options were automatically applied but this behavior is deprecated" + } else if grantPresent { + noticeMessage = "the GRANT privilege is deprecated" + } + + if len(noticeMessage) > 0 { + params.p.noticeSender.BufferNotice( + errors.WithHint( + pgnotice.Newf("%s", noticeMessage), + "please use WITH GRANT OPTION", + ), + ) + } + } + for _, role := range roles { if n.n.IsGrant { defaultPrivs.GrantDefaultPrivileges( - role, privileges, granteeSQLUsernames, objectType, grantOption, + role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent, ) } else { defaultPrivs.RevokeDefaultPrivileges( - role, privileges, granteeSQLUsernames, objectType, grantOption, + role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent, ) } 
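Review bot: The `deprecateGrant` argument handed to `RevokeDefaultPrivileges` is `grantPresent || allPresent` regardless of `grantOption`, so `ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR GRANT, SELECT ...` ends up clearing every grant option of the grantee (the helper in default_privilege.go calls `GrantPrivilegeToGrantOptions(grantee, false)` whenever the flag is set), while the table-level path in grant_revoke.go only does that for a privilege revoke (`!n.withGrantOption`). Unless that divergence is intended, compute the flag once and make it conditional: `deprecateGrant := (grantPresent || allPresent) && (n.n.IsGrant || !grantOption)` and pass `deprecateGrant` to both calls. For `REVOKE GRANT OPTION FOR ALL PRIVILEGES` the outcome is the same either way, so only the `GRANT`-in-list case actually differs. alterDefaultPrivilegesForSchemas starts before this hunk and continues after it.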
@@ -273,14 +301,41 @@ func (n *alterDefaultPrivilegesNode) alterDefaultPrivilegesForDatabase( if err != nil { return err } + + grantPresent, allPresent := false, false + if params.ExecCfg().Settings.Version.IsActive(params.ctx, clusterversion.ValidateGrantOption) { + for _, priv := range privileges { + grantPresent = grantPresent || priv == privilege.GRANT + allPresent = allPresent || priv == privilege.ALL + } + + noticeMessage := "" + // we only output the message for ALL privilege if it is being granted without the WITH GRANT OPTION flag + // if GRANT privilege is involved, we must always output the message + if allPresent && n.n.IsGrant && !grantOption { + noticeMessage = "grant options were automatically applied but this behavior is deprecated" + } else if grantPresent { + noticeMessage = "the GRANT privilege is deprecated" + } + + if len(noticeMessage) > 0 { + params.p.noticeSender.BufferNotice( + errors.WithHint( + pgnotice.Newf("%s", noticeMessage), + "please use WITH GRANT OPTION", + ), + ) + } + } + for _, role := range roles { if n.n.IsGrant { defaultPrivs.GrantDefaultPrivileges( - role, privileges, granteeSQLUsernames, objectType, grantOption, + role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent, ) } else { defaultPrivs.RevokeDefaultPrivileges( - role, privileges, granteeSQLUsernames, objectType, grantOption, + role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent, ) } diff --git a/pkg/sql/catalog/catprivilege/default_privilege.go b/pkg/sql/catalog/catprivilege/default_privilege.go index 1e672c2732ea..140562d00b6c 100644 --- a/pkg/sql/catalog/catprivilege/default_privilege.go +++ b/pkg/sql/catalog/catprivilege/default_privilege.go 
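Review bot: This block is a verbatim copy of the one added to alterDefaultPrivilegesForSchemas in the previous hunk (version gate, GRANT/ALL scan, notice selection, `BufferNotice`), and the deprecation TODO that will eventually delete it now has two places to track. Extract it into a package-level helper that returns the flag and buffers the notice, so both call sites become `deprecateGrant := deprecatedGrantHandling(params, privileges, n.n.IsGrant, grantOption)` and pass `deprecateGrant` to Grant/RevokeDefaultPrivileges. This assumes `privileges` is a `privilege.List` (the `priv == privilege.GRANT` comparison suggests so) and that `params.p` is reachable from a free function in this package as it is here. alterDefaultPrivilegesForDatabase starts before this hunk and continues after it.
```go
// deprecatedGrantHandling implements the 22.1 GRANT-privilege compatibility
// behaviour for ALTER DEFAULT PRIVILEGES: it buffers the deprecation notice
// and reports whether grant options must additionally be synthesized (grant)
// or wiped (revoke) because GRANT or ALL appears in the privilege list.
// It returns false when the cluster version gate is not yet active.
// TODO: delete together with the GRANT privilege.
func deprecatedGrantHandling(
	params runParams, privileges privilege.List, isGrant, grantOption bool,
) (deprecateGrant bool) {
	if !params.ExecCfg().Settings.Version.IsActive(params.ctx, clusterversion.ValidateGrantOption) {
		return false
	}
	grantPresent, allPresent := false, false
	for _, priv := range privileges {
		grantPresent = grantPresent || priv == privilege.GRANT
		allPresent = allPresent || priv == privilege.ALL
	}
	var msg string
	switch {
	case allPresent && isGrant && !grantOption:
		// ALL without WITH GRANT OPTION silently receives grant options.
		msg = "grant options were automatically applied but this behavior is deprecated"
	case grantPresent:
		msg = "the GRANT privilege is deprecated"
	}
	if msg != "" {
		params.p.noticeSender.BufferNotice(
			errors.WithHint(pgnotice.Newf("%s", msg), "please use WITH GRANT OPTION"),
		)
	}
	return grantPresent || allPresent
}
```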
@@ -82,6 +82,7 @@ func (d *immutable) grantOrRevokeDefaultPrivilegesHelper( privList privilege.List, withGrantOption bool, isGrant bool, + deprecateGrant bool, ) { defaultPrivileges := defaultPrivilegesForRole.DefaultPrivilegesPerObject[targetObject] // expandPrivileges turns flags on the DefaultPrivilegesForRole representing @@ -97,6 +98,11 @@ func (d *immutable) grantOrRevokeDefaultPrivilegesHelper( } else { defaultPrivileges.Revoke(grantee, privList, targetObject.ToPrivilegeObjectType(), withGrantOption) } + + if deprecateGrant { + defaultPrivileges.GrantPrivilegeToGrantOptions(grantee, isGrant) + } + if d.IsDatabaseDefaultPrivilege() { foldPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject) } @@ -110,10 +116,11 @@ func (d *Mutable) GrantDefaultPrivileges( grantees []security.SQLUsername, targetObject tree.AlterDefaultPrivilegesTargetObject, withGrantOption bool, + deprecateGrant bool, ) { defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role) for _, grantee := range grantees { - d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, withGrantOption, true /* isGrant */) + d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, withGrantOption, true /* isGrant */, deprecateGrant) } } 
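Review bot: The new `deprecateGrant` parameter on grantOrRevokeDefaultPrivilegesHelper, GrantDefaultPrivileges and RevokeDefaultPrivileges is undocumented, and its effect is not obvious from the name: per the `GrantPrivilegeToGrantOptions` body in privilege.go it rewrites the grantee's grant-option bits after the privilege change, to the full privilege set on a grant and to zero on a revoke. Add to each exported function's doc comment something like `// deprecateGrant enables the 22.1 GRANT-privilege compatibility path: after the privilege change, every privilege the grantee holds becomes grantable (grant) or all of its grant options are cleared (revoke). Remove with the GRANT privilege.` Note that the helper applies the wipe for any revoke, including `GRANT OPTION FOR` revokes (`withGrantOption == true`), so callers must decide whether to set the flag in that case; the doc should say so. The helper's signature and doc comment start before this hunk.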
@@ -124,10 +131,11 @@ func (d *Mutable) RevokeDefaultPrivileges( grantees []security.SQLUsername, targetObject tree.AlterDefaultPrivilegesTargetObject, grantOptionFor bool, + deprecateGrant bool, ) { defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role) for _, grantee := range grantees { - d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, grantOptionFor, false /* isGrant */) + d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, grantOptionFor, false /* isGrant */, deprecateGrant) } defaultPrivilegesPerObject := defaultPrivilegesForRole.DefaultPrivilegesPerObject diff --git a/pkg/sql/catalog/catprivilege/default_privilege_test.go b/pkg/sql/catalog/catprivilege/default_privilege_test.go index dd0c1c41d753..3c9cae8c1b24 100644 --- a/pkg/sql/catalog/catprivilege/default_privilege_test.go +++ b/pkg/sql/catalog/catprivilege/default_privilege_test.go @@ -165,7 +165,7 @@ func TestGrantDefaultPrivileges(t *testing.T) { defaultPrivilegeDescriptor := MakeDefaultPrivilegeDescriptor(descpb.DefaultPrivilegeDescriptor_DATABASE) defaultPrivileges := NewMutableDefaultPrivileges(defaultPrivilegeDescriptor) - defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.privileges, tc.grantees, tc.targetObject, false /* withGrantOption */) + defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.privileges, tc.grantees, tc.targetObject, false /* withGrantOption */, false /*deprecateGrant*/) newPrivileges := CreatePrivilegesFromDefaultPrivileges( defaultPrivileges, nil, /* schemaDefaultPrivilegeDescriptor */ 
@@ -284,8 +284,8 @@ func TestRevokeDefaultPrivileges(t *testing.T) { defaultPrivilegeDescriptor := MakeDefaultPrivilegeDescriptor(descpb.DefaultPrivilegeDescriptor_DATABASE) defaultPrivileges := NewMutableDefaultPrivileges(defaultPrivilegeDescriptor) - defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.grantPrivileges, tc.grantees, tc.targetObject, false /* withGrantOption */) - defaultPrivileges.RevokeDefaultPrivileges(tc.defaultPrivilegesRole, tc.revokePrivileges, tc.grantees, tc.targetObject, false /* grantOptionFor */) + defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.grantPrivileges, tc.grantees, tc.targetObject, false /* withGrantOption */, false /*deprecateGrant*/) + defaultPrivileges.RevokeDefaultPrivileges(tc.defaultPrivilegesRole, tc.revokePrivileges, tc.grantees, tc.targetObject, false /* grantOptionFor */, false /*deprecateGrant*/) newPrivileges := CreatePrivilegesFromDefaultPrivileges( defaultPrivileges, nil, /* schemaDefaultPrivilegeDescriptor */ @@ -311,7 +311,7 @@ func TestRevokeDefaultPrivilegesFromEmptyList(t *testing.T) { fooUser := security.MakeSQLUsernameFromPreNormalizedString("foo") defaultPrivileges.RevokeDefaultPrivileges(descpb.DefaultPrivilegesRole{ Role: creatorUser, - }, privilege.List{privilege.ALL}, []security.SQLUsername{fooUser}, tree.Tables, false /* grantOptionFor */) + }, privilege.List{privilege.ALL}, []security.SQLUsername{fooUser}, tree.Tables, false /* grantOptionFor */, false /*deprecateGrant*/) newPrivileges := CreatePrivilegesFromDefaultPrivileges( defaultPrivileges, nil, /* schemaDefaultPrivilegeDescriptor */ @@ -673,6 +673,7 @@ func TestDefaultPrivileges(t *testing.T) { userAndGrant.grants, []security.SQLUsername{userAndGrant.user}, tc.targetObject, false, /* withGrantOption */ + false, /*deprecateGrant*/ ) } 
@@ -683,6 +684,7 @@ func TestDefaultPrivileges(t *testing.T) { []security.SQLUsername{userAndGrant.user}, tc.targetObject, false, /* withGrantOption */ + false, /*deprecateGrant*/ ) } @@ -745,6 +747,7 @@ func TestModifyDefaultDefaultPrivileges(t *testing.T) { tc.revokeAndGrantPrivileges, []security.SQLUsername{creatorUser}, tc.targetObject, false, /* grantOptionFor */ + false, /*deprecateGrant*/ ) if GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForCreator, tc.targetObject) { t.Errorf("expected role to not have ALL privileges on %s", tc.targetObject) @@ -754,6 +757,7 @@ func TestModifyDefaultDefaultPrivileges(t *testing.T) { tc.revokeAndGrantPrivileges, []security.SQLUsername{creatorUser}, tc.targetObject, false, /* withGrantOption */ + false, /*deprecateGrant*/ ) if !GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForCreator, tc.targetObject) { t.Errorf("expected role to have ALL privileges on %s", tc.targetObject) @@ -778,6 +782,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) { privilege.List{privilege.USAGE}, []security.SQLUsername{security.PublicRoleName()}, tree.Types, false, /* grantOptionFor */ + false, /*deprecateGrant*/ ) if GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) { t.Errorf("expected public to not have USAGE privilege on types") @@ -787,6 +792,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) { privilege.List{privilege.USAGE}, []security.SQLUsername{security.PublicRoleName()}, tree.Types, false, /* withGrantOption */ + false, /*deprecateGrant*/ ) if !GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) { t.Errorf("expected public to have USAGE privilege on types") @@ -798,6 +804,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) { privilege.List{privilege.USAGE}, []security.SQLUsername{security.PublicRoleName()}, tree.Types, true, /* withGrantOption */ + false, /*deprecateGrant*/ ) privDesc := defaultPrivilegesForCreator.DefaultPrivilegesPerObject[tree.Types] 
@@ -820,6 +827,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) { privilege.List{privilege.USAGE}, []security.SQLUsername{security.PublicRoleName()}, tree.Types, true, /* grantOptionFor */ + false, /*deprecateGrant*/ ) privDesc = defaultPrivilegesForCreator.DefaultPrivilegesPerObject[tree.Types] @@ -838,6 +846,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) { privilege.List{privilege.USAGE}, []security.SQLUsername{security.PublicRoleName()}, tree.Types, false, /* grantOptionFor */ + false, /*deprecateGrant*/ ) if GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) { t.Errorf("expected public to not have USAGE privilege on types") diff --git a/pkg/sql/catalog/descpb/privilege.go b/pkg/sql/catalog/descpb/privilege.go index 15ee7826ff94..c2e4779b70d3 100644 --- a/pkg/sql/catalog/descpb/privilege.go +++ b/pkg/sql/catalog/descpb/privilege.go 
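Review bot: Every call site updated in this file passes `false /*deprecateGrant*/`, so the new branch in grantOrRevokeDefaultPrivilegesHelper (the `GrantPrivilegeToGrantOptions` call) has no unit coverage here and is exercised only by the logic tests. A small case in TestGrantDefaultPrivileges/TestRevokeDefaultPrivileges that grants SELECT, then grants GRANT with the flag set and asserts the grantee's `WithGrantOption` equals its `Privileges`, and is 0 again after revoking GRANT, would pin the compatibility behaviour the commit message describes. Minor style point: the existing argument comments are written `/* withGrantOption */` with spaces; the added ones are `/*deprecateGrant*/`, so `false, /* deprecateGrant */` would match the file.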
@@ -298,6 +298,27 @@ func (p *PrivilegeDescriptor) Revoke( } +// GrantPrivilegeToGrantOptions adjusts a user's grant option bits based on whether the GRANT or ALL +// privilege was just granted or revoked. If GRANT/ALL was just granted, the user should obtain grant +// options for each privilege it currently has. If GRANT/ALL was just revoked, the user should lose +// grant options for each privilege it has +// TODO(jackcwu): delete this function once the GRANT privilege is finally removed +func (p *PrivilegeDescriptor) GrantPrivilegeToGrantOptions( + user security.SQLUsername, isGrant bool, +) { + if isGrant { + userPriv := p.FindOrCreateUser(user) + userPriv.WithGrantOption = userPriv.Privileges + } else { + userPriv, ok := p.FindUser(user) + if !ok || userPriv.Privileges == 0 { + // Removing privileges from a user without privileges is a no-op. + return + } + userPriv.WithGrantOption = 0 + } +} + // ValidateSuperuserPrivileges ensures that superusers have exactly the maximum // allowed privilege set for the object. // It requires the ID of the descriptor it is applied on to determine whether diff --git a/pkg/sql/grant_revoke.go b/pkg/sql/grant_revoke.go index d3be1beabb46..b5a13928b27a 100644 --- a/pkg/sql/grant_revoke.go +++ b/pkg/sql/grant_revoke.go @@ -192,10 +192,14 @@ func (n *changePrivilegesNode) startExec(params runParams) error { if len(n.desiredprivs) > 0 { // Only allow granting/revoking privileges that the requesting // user themselves have on the descriptor. + + grantPresent, allPresent := false, false for _, priv := range n.desiredprivs { if err := p.CheckPrivilege(ctx, descriptor, priv); err != nil { return err } + grantPresent = grantPresent || priv == privilege.GRANT + allPresent = allPresent || priv == privilege.ALL } privileges := descriptor.GetPrivileges() 
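Review bot: In the grant branch `GrantPrivilegeToGrantOptions` sets `userPriv.WithGrantOption = userPriv.Privileges`, which makes every privilege the grantee already holds delegable, not only the ones named in the statement, and the grantor-side `CheckPrivilege` loop in startExec (next hunk on this line) only covers `n.desiredprivs`; the doc comment should state that widening explicitly, e.g. `// On grant this makes all of the user's current privileges grantable, including ones the calling grantor could not itself delegate.` The inner comment `// Removing privileges from a user without privileges is a no-op.` describes the wrong operation, since this branch clears grant options; suggest `// A user holding no privileges has no grant options to clear.` The revoke branch also leaves any stale `WithGrantOption` bits in place when `Privileges == 0`; if `Revoke` can leave such an entry behind (cannot tell from here), clear them before returning rather than skipping. The doc comment's third sentence is missing its terminating period.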
@@ -204,10 +208,38 @@ func (n *changePrivilegesNode) startExec(params runParams) error { if err != nil { return err } + + noticeMessage := "" + // we only output the message for ALL privilege if it is being granted without the WITH GRANT OPTION flag + // if GRANT privilege is involved, we must always output the message + if allPresent && n.isGrant && !n.withGrantOption { + noticeMessage = "grant options were automatically applied but this behavior is deprecated" + } else if grantPresent { + noticeMessage = "the GRANT privilege is deprecated" + } + + if len(noticeMessage) > 0 { + params.p.noticeSender.BufferNotice( + errors.WithHint( + pgnotice.Newf("%s", noticeMessage), + "please use WITH GRANT OPTION", + ), + ) + } } for _, grantee := range n.grantees { n.changePrivilege(privileges, n.desiredprivs, grantee) + + if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption) { + if grantPresent || allPresent { + if n.isGrant { + privileges.GrantPrivilegeToGrantOptions(grantee, true /*isGrant*/) + } else if !n.isGrant && !n.withGrantOption { + privileges.GrantPrivilegeToGrantOptions(grantee, false /*isGrant*/) + } + } + } } // Ensure superusers have exactly the allowed privilege set. diff --git a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option index 6e7cc2ca604b..d252e7b51c03 100644 --- a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option +++ b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option 
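Review bot: The cluster-version check `p.ExecCfg().Settings.Version.IsActive(...)` is evaluated once per grantee inside the loop although it does not depend on the grantee, and the `else if !n.isGrant && !n.withGrantOption` condition repeats the negation of the `if n.isGrant` it follows. Hoist the version check and the GRANT/ALL test into one flag computed before the loop, which also makes the rule "grant, or privilege revoke but not GRANT OPTION FOR" readable at a glance. `grantPresent`/`allPresent` are declared inside the `if len(n.desiredprivs) > 0` block opened in the previous hunk, so the hoisted flag must stay inside that block; the closing `}` just before the loop appears to close a block that starts before this hunk, and if that is the version gate the notice and the behaviour are gated consistently (worth confirming, since the ALTER DEFAULT PRIVILEGES path gates both together). startExec continues after the hunk.
```go
		// Hoisted out of the grantee loop: the version check is grantee
		// independent, and the GRANT-privilege compatibility path applies on a
		// grant or on a privilege revoke, but not on REVOKE GRANT OPTION FOR.
		deprecateGrant := (grantPresent || allPresent) &&
			p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption)
		for _, grantee := range n.grantees {
			n.changePrivilege(privileges, n.desiredprivs, grantee)
			if deprecateGrant && (n.isGrant || !n.withGrantOption) {
				privileges.GrantPrivilegeToGrantOptions(grantee, n.isGrant)
			}
		}
```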
@@ -1,4 +1,13 @@ +# TODO(jack.wu): Replace these tests once the GRANT privilege is removed in 22.2 +# (look in the file history to the version before this for inspiration) +# Currently, this file has been rewritten to accommodate giving grant options to +# all a user's privileges when granted the GRANT privilege and removing all of them +# when GRANT is revoked as part of the backwards compatibility plan for GRANT in +# 22.1 (https://github.com/cockroachdb/cockroach/issues/73065) + +# # Should error when a role that does not exist is provided. +# statement error pq: user or role who does not exist ALTER DEFAULT PRIVILEGES FOR ROLE who GRANT SELECT ON TABLES to testuser WITH GRANT OPTION @@ -24,8 +33,14 @@ CREATE USER testuser2 statement ok CREATE USER target -statement ok +# +# table with default GRANT will have grant options on all privileges present +# +query T noticetrace ALTER DEFAULT PRIVILEGES FOR ROLE root GRANT GRANT, SELECT ON TABLES TO testuser; +---- +NOTICE: the GRANT privilege is deprecated +HINT: please use WITH GRANT OPTION statement ok CREATE TABLE t1() 
@@ -45,13 +60,36 @@ user testuser statement ok SELECT * FROM t1 -statement error user testuser missing WITH GRANT OPTION privilege on one or more of GRANT, SELECT -GRANT GRANT, SELECT ON TABLE t1 to target +statement ok +GRANT GRANT, SELECT ON TABLE t1 TO target user root +# +# no GRANT and no grant options cannot grant to others +# +query T noticetrace +ALTER DEFAULT PRIVILEGES FOR ROLE root REVOKE GRANT ON TABLES FROM testuser; +---- +NOTICE: the GRANT privilege is deprecated +HINT: please use WITH GRANT OPTION + statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT, INSERT ON TABLES TO testuser WITH GRANT OPTION +CREATE TABLE t1_1() + +user testuser + +# no grant options since GRANT was just revoked +statement error user testuser missing WITH GRANT OPTION privilege on SELECT +GRANT SELECT ON TABLE t1_1 TO target + +# +# Test default with grant option flag +# +user root + +statement ok +ALTER DEFAULT PRIVILEGES GRANT SELECT, INSERT ON TABLES TO testuser WITH GRANT OPTION statement ok CREATE TABLE t2() @@ -64,6 +102,8 @@ SHOW GRANTS ON TABLE t1; database_name schema_name table_name grantee privilege_type test public t1 admin ALL test public t1 root ALL +test public t1 target GRANT +test public t1 target SELECT test public t1 testuser CREATE test public t1 testuser GRANT test public t1 testuser SELECT 
@@ -75,20 +115,22 @@ database_name schema_name table_name grantee privilege_type test public t2 admin ALL test public t2 root ALL test public t2 testuser CREATE -test public t2 testuser GRANT test public t2 testuser INSERT test public t2 testuser SELECT -statement error user testuser missing WITH GRANT OPTION privilege on one or more of GRANT, SELECT -GRANT GRANT, SELECT ON TABLE t1 to target - statement ok -GRANT GRANT, SELECT, INSERT ON TABLE t2 to target +GRANT SELECT, INSERT ON TABLE t2 to target user root -statement ok -ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION +# +# default all privileges will have grant options +# +query T noticetrace +ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser +---- +NOTICE: grant options were automatically applied but this behavior is deprecated +HINT: please use WITH GRANT OPTION statement ok CREATE TABLE t3() @@ -106,6 +148,9 @@ user testuser statement ok GRANT INSERT, DELETE on table t3 to target +# +# Revoking grant option for default privileges +# user root statement ok @@ -124,13 +169,17 @@ test public t4 testuser ALL user testuser -statement error user missing WITH GRANT OPTION privilege on one or more of INSERT, DELETE +statement error user testuser missing WITH GRANT OPTION privilege on one or more of INSERT, DELETE GRANT INSERT, DELETE ON TABLE t4 TO target +# +# Revoke grant option for all privileges +# user root -statement ok +query T noticetrace ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser +---- statement ok CREATE TABLE t5() 
@@ -145,9 +194,15 @@ test public t5 testuser ALL user testuser -statement error user testuser missing WITH GRANT OPTION privilege on one or more of GRANT, SELECT -GRANT GRANT, SELECT ON TABLE t5 TO target +statement error user testuser missing WITH GRANT OPTION privilege on SELECT +GRANT SELECT ON TABLE t5 TO target + +statement error user testuser missing WITH GRANT OPTION privilege on ALL +GRANT ALL PRIVILEGES ON TABLE t5 TO target +# +# Revoke all privileges from a user +# user root statement ok @@ -164,13 +219,15 @@ test public t6 admin ALL test public t6 root ALL test public t6 testuser CREATE -# testuser alters default privileges on itself +# +# non-superuser owner of an object can do whatever it wants +# user testuser statement ok CREATE TABLE t7() -# since testuser created the table, it automatically has ALL PRIVILEGES ON IT +# since testuser created the table, it automatically has ALL PRIVILEGES on it query TTTTT colnames SHOW GRANTS ON TABLE t7; ---- @@ -182,8 +239,12 @@ test public t7 testuser ALL statement ok GRANT SELECT ON TABLE t7 TO testuser +# +# owner of an object can revoke grant options from itself +# and still grant +# statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT ON TABLES TO testuser +ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser statement ok CREATE TABLE t8() @@ -197,7 +258,14 @@ test public t8 root ALL test public t8 testuser ALL statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser WITH GRANT OPTION +GRANT SELECT ON TABLE t8 TO testuser + +# +# owner of an object can revoke from itself and still grant even +# though it doesn't hold privileges +# +statement ok +ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser statement ok CREATE TABLE t9() 
@@ -208,213 +276,144 @@ SHOW GRANTS ON TABLE t9; database_name schema_name table_name grantee privilege_type test public t9 admin ALL test public t9 root ALL -test public t9 testuser ALL - -statement ok -GRANT INSERT, DELETE ON TABLE t9 to testuser +test public t9 testuser CREATE statement ok -GRANT GRANT, SELECT ON TABLE t9 to testuser +GRANT DELETE ON TABLE t9 TO testuser -statement ok +# +# owner of an object can regrant privileges on itself even if +# if doesn't hold them +# +query T noticetrace ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION +---- statement ok CREATE TABLE t10() -statement ok -GRANT INSERT, DELETE ON TABLE t10 to testuser - -statement ok -ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT ON TABLES FROM testuser - -statement ok -CREATE TABLE t11() - -statement ok -GRANT SELECT ON TABLE t11 TO testuser - -statement ok -GRANT GRANT, INSERT, DELETE ON TABLE t11 TO testuser - -statement ok -ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser - -statement ok -CREATE TABLE t12() - query TTTTT colnames -SHOW GRANTS ON TABLE t12; +SHOW GRANTS ON TABLE t10 ---- database_name schema_name table_name grantee privilege_type -test public t12 admin ALL -test public t12 root ALL -test public t12 testuser ALL - -statement ok -GRANT INSERT, DELETE ON TABLE t12 TO testuser +test public t10 admin ALL +test public t10 root ALL +test public t10 testuser ALL +# +# two non-superuser and non-object-owning users +# statement ok ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser +# Postgres does not seem to validate whether the user granting/revoking privileges +# on another user holds those privileges themselves (testuser has no default +# privs but can revoke from testuser2) statement ok -CREATE TABLE t13() - -query TTTTT colnames -SHOW GRANTS ON TABLE t13 ----- -database_name schema_name table_name grantee privilege_type -test public t13 admin ALL -test public t13 root 
ALL -test public t13 testuser CREATE - -statement ok -GRANT ALL PRIVILEGES ON TABLE t13 TO testuser - -query TTTTT colnames -SHOW GRANTS ON TABLE t13 ----- -database_name schema_name table_name grantee privilege_type -test public t13 admin ALL -test public t13 root ALL -test public t13 testuser ALL - -# one created user to another (testuser to testuser2) -user testuser - -# Postgres does not seem to validate whether the user revoking privileges on another user holds those privileges themselves -statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT, INSERT ON TABLES TO testuser2 +ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO testuser2 user root statement ok -ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION +ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser user testuser statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser2 - -statement ok -CREATE TABLE t14() +CREATE TABLE t11() -# The reason testuser does not have ALL despite creating the table is that we granted "FOR ROLE root", but testuser is creating -# the table so when testuser creates a table, it's still going off the previous alter default privs which was to revoke everything +# The reason testuser does not have ALL despite creating the table is that the previous statement defaults to if root +# creates the table but testuser is creating in this case; it's still going off the previous alter default privs which +# was to revoke everything query TTTTT colnames -SHOW GRANTS ON TABLE t14; +SHOW GRANTS ON TABLE t11; ---- database_name schema_name table_name grantee privilege_type -test public t14 admin ALL -test public t14 root ALL -test public t14 testuser CREATE -test public t14 testuser2 GRANT -test public t14 testuser2 INSERT -test public t14 testuser2 SELECT - -statement ok -GRANT GRANT, INSERT, DELETE ON TABLE t12 TO target - -statement ok -ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH 
GRANT OPTION +test public t11 admin ALL +test public t11 root ALL +test public t11 testuser CREATE +test public t11 testuser2 SELECT user testuser2 statement error user testuser2 missing WITH GRANT OPTION privilege on SELECT -GRANT SELECT ON TABLE t14 TO target +GRANT SELECT ON TABLE t11 TO target user testuser +# +# two non-superuser and non-object-owning users granting with grant options +# statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser2 WITH GRANT OPTION +ALTER DEFAULT PRIVILEGES GRANT INSERT, SELECT ON TABLES TO testuser2 WITH GRANT OPTION statement ok -CREATE TABLE t15() +CREATE TABLE t12() query TTTTT colnames -SHOW GRANTS ON TABLE t15; +SHOW GRANTS ON TABLE t12; ---- database_name schema_name table_name grantee privilege_type -test public t15 admin ALL -test public t15 root ALL -test public t15 testuser ALL -test public t15 testuser2 GRANT -test public t15 testuser2 INSERT -test public t15 testuser2 SELECT +test public t12 admin ALL +test public t12 root ALL +test public t12 testuser CREATE +test public t12 testuser2 INSERT +test public t12 testuser2 SELECT user testuser2 statement ok -GRANT SELECT, GRANT ON TABLE t15 TO target - -statement error user testuser2 missing WITH GRANT OPTION privilege on INSERT -GRANT INSERT ON TABLE t15 TO target +GRANT SELECT, INSERT ON TABLE t12 TO target user testuser +# +# two non-superuser and non-object-owning users granting with grant options +# statement ok ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser2 WITH GRANT OPTION statement ok -CREATE TABLE t16() +CREATE TABLE t13() query TTTTT colnames -SHOW GRANTS ON TABLE t16; +SHOW GRANTS ON TABLE t13; ---- database_name schema_name table_name grantee privilege_type -test public t16 admin ALL -test public t16 root ALL -test public t16 testuser ALL -test public t16 testuser2 ALL +test public t13 admin ALL +test public t13 root ALL +test public t13 testuser CREATE +test public t13 testuser2 ALL user testuser2 statement ok 
-GRANT INSERT ON TABLE t16 TO target - -user testuser - -statement ok -ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT, INSERT ON TABLES FROM testuser2 - -statement ok -CREATE TABLE t17() - -query TTTTT colnames -SHOW GRANTS ON TABLE t17; ----- -database_name schema_name table_name grantee privilege_type -test public t17 admin ALL -test public t17 root ALL -test public t17 testuser ALL -test public t17 testuser2 ALL - -user testuser2 - -statement error user testuser2 missing WITH GRANT OPTION privilege on one or more of SELECT, INSERT -GRANT SELECT, INSERT ON TABLE t17 TO target +GRANT INSERT ON TABLE t13 TO target user testuser +# +# two non-superuser and non-object-owning users revoking grant option for +# statement ok ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser2 statement ok -CREATE TABLE t18() +CREATE TABLE t14() query TTTTT colnames -SHOW GRANTS ON TABLE t18; +SHOW GRANTS ON TABLE t14; ---- database_name schema_name table_name grantee privilege_type -test public t18 admin ALL -test public t18 root ALL -test public t18 testuser ALL -test public t18 testuser2 ALL +test public t14 admin ALL +test public t14 root ALL +test public t14 testuser CREATE +test public t14 testuser2 ALL user testuser2 statement error user testuser2 missing WITH GRANT OPTION privilege on SELECT -GRANT SELECT ON TABLE t18 TO target +GRANT SELECT ON TABLE t14 TO target user testuser 
@@ -422,21 +421,23 @@ statement ok ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser2 statement ok -CREATE TABLE t19() +CREATE TABLE t15() query TTTTT colnames -SHOW GRANTS ON TABLE t19; +SHOW GRANTS ON TABLE t15; ---- database_name schema_name table_name grantee privilege_type -test public t19 admin ALL -test public t19 root ALL -test public t19 testuser ALL +test public t15 admin ALL +test public t15 root ALL +test public t15 testuser CREATE -# Test Schemas +# +# Test schemas +# user root statement ok -ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO testuser, testuser2 WITH GRANT OPTION +ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO testuser, testuser2 statement ok CREATE SCHEMA s1 @@ -450,8 +451,20 @@ test s1 root ALL test s1 testuser ALL test s1 testuser2 ALL +user testuser + statement ok -ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMAS FROM testuser, testuser2 +GRANT ALL PRIVILEGES ON SCHEMA s1 TO target + +user testuser2 + +statement ok +GRANT ALL PRIVILEGES ON SCHEMA s1 TO target + +user root + +statement ok +ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMAS FROM testuser statement ok CREATE SCHEMA s2 @@ -482,6 +495,8 @@ GRANT ALL PRIVILEGES ON SCHEMA s2 TO target statement ok ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION +user root + statement ok CREATE TABLE s1.t1() 
@@ -503,7 +518,49 @@ CREATE TABLE s1.t2() statement ok GRANT ALL PRIVILEGES ON TABLE s1.t2 TO target -# Test Sequences +statement ok +ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON SCHEMAS FROM testuser + +statement ok +ALTER DEFAULT PRIVILEGES REVOKE GRANT ON SCHEMAS FROM testuser2 + +statement ok +CREATE SCHEMA s3 + +query TTTT colnames +SHOW GRANTS ON SCHEMA s3 +---- +database_name schema_name grantee privilege_type +test s3 admin ALL +test s3 root ALL +test s3 testuser CREATE +test s3 testuser2 CREATE +test s3 testuser2 USAGE + +user testuser2 + +# removing grant removes all grant options for testuser2's current privileges +statement error user testuser2 missing WITH GRANT OPTION privilege on one or more of CREATE, USAGE +GRANT CREATE, USAGE ON SCHEMA s3 TO target + +user root + +statement ok +ALTER DEFAULT PRIVILEGES GRANT CREATE, USAGE ON SCHEMAS TO testuser2 WITH GRANT OPTION + +statement ok +CREATE SCHEMA s4 + +user testuser2 + +statement ok +GRANT CREATE, USAGE ON SCHEMA s4 TO target + +# +# Test Sequences (much of it is currently unimplemented, can't grant or revoke) +# +user root + statement ok ALTER DEFAULT PRIVILEGES GRANT CREATE ON SEQUENCES TO testuser2 WITH GRANT OPTION 
@@ -519,47 +576,49 @@ SHOW GRANTS ON seq1 database_name schema_name table_name grantee privilege_type test public seq1 admin ALL test public seq1 root ALL -test public seq1 testuser ALL +test public seq1 testuser CREATE test public seq1 testuser2 CREATE -# TODO: implement the grant/revoke for sequence? Can't do much more that this in terms of testing otherwise -# Test Types -user testuser - -statement ok -ALTER DEFAULT PRIVILEGES GRANT GRANT, USAGE ON TYPES TO testuser2 WITH GRANT OPTION +# +# Test types +# +user root statement ok -ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TYPES FROM testuser +ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TYPES FROM testuser statement ok CREATE TYPE type1 AS ENUM() -query TTTTT colnames -SHOW GRANTS ON TYPE type1 ----- -database_name schema_name type_name grantee privilege_type -test public type1 admin ALL -test public type1 public USAGE -test public type1 root ALL -test public type1 testuser ALL -test public type1 testuser2 GRANT -test public type1 testuser2 USAGE +user testuser +# USAGE on types is defined on the public role, in which every user is a member of, +# so revoking will not take away the ability to use it statement ok -GRANT ALL PRIVILEGES ON TYPE type1 TO target +CREATE TABLE type_table(input type1) -statement ok -GRANT USAGE ON TYPE type1 TO target +statement error user testuser missing WITH GRANT OPTION privilege on USAGE +GRANT USAGE ON TYPE type1 TO testuser2 -user testuser2 +user root statement ok -GRANT USAGE ON TYPE type1 TO target +ALTER DEFAULT PRIVILEGES GRANT USAGE ON TYPES TO testuser WITH GRANT OPTION + +statement ok +CREATE TYPE type2 AS ENUM() -# Test Roles user testuser +statement error user testuser missing WITH GRANT OPTION privilege on USAGE +GRANT USAGE ON TYPE type1 TO testuser2 + +statement ok +GRANT USAGE ON TYPE type2 TO testuser2 + +# +# Test roles +# statement ok ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser 
@@ -579,17 +638,17 @@ ALTER DEFAULT PRIVILEGES FOR ROLE testuser, testuser2 GRANT ALL PRIVILEGES ON TA user testuser statement ok -CREATE TABLE t20() +CREATE TABLE t16() # testuser2 will have ALL privileges because the ALTER statement made from root specifies it happens when testuser does it query TTTTT colnames -SHOW GRANTS ON TABLE t20; +SHOW GRANTS ON TABLE t16; ---- database_name schema_name table_name grantee privilege_type -test public t20 admin ALL -test public t20 root ALL -test public t20 testuser ALL -test public t20 testuser2 ALL +test public t16 admin ALL +test public t16 root ALL +test public t16 testuser ALL +test public t16 testuser2 ALL user root @@ -599,21 +658,21 @@ ALTER DEFAULT PRIVILEGES FOR ROLE testuser, testuser2 REVOKE GRANT OPTION FOR AL user testuser statement ok -CREATE TABLE t21() +CREATE TABLE t17() query TTTTT colnames -SHOW GRANTS ON TABLE t21; +SHOW GRANTS ON TABLE t17; ---- database_name schema_name table_name grantee privilege_type -test public t21 admin ALL -test public t21 root ALL -test public t21 testuser ALL -test public t21 testuser2 ALL +test public t17 admin ALL +test public t17 root ALL +test public t17 testuser ALL +test public t17 testuser2 ALL user testuser2 statement error user testuser2 missing WITH GRANT OPTION privilege on ALL -GRANT ALL PRIVILEGES ON TABLE t21 TO target +GRANT ALL PRIVILEGES ON TABLE t17 TO target statement error user testuser2 missing WITH GRANT OPTION privilege on one or more of SELECT, INSERT -GRANT SELECT, INSERT ON TABLE t21 TO target +GRANT SELECT, INSERT ON TABLE t17 TO target diff --git a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option index 9ea593572c16..12553c7d8226 100644 --- a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option +++ b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option 
@@ -1,3 +1,10 @@ +# TODO(jack.wu): Replace these tests once the GRANT privilege is removed in 22.2 +# (look in the file history to the version before this for inspiration) +# Currently, this file has been rewritten to accommodate giving grant options to +# all a user's privileges when granted the GRANT privilege and removing all of them +# when GRANT is revoked as part of the backwards compatibility plan for GRANT in +# 22.1 (https://github.com/cockroachdb/cockroach/issues/73065) + statement ok CREATE TABLE t(row INT) 
@@ -7,29 +14,73 @@ CREATE USER testuser2 statement ok CREATE USER target +statement error grant options cannot be granted to "public" role +GRANT ALL PRIVILEGES ON TABLE t TO public WITH GRANT OPTION + +# +# Granting ALL in 22.1 will give grant options automatically since it includes GRANT +# statement ok GRANT ALL PRIVILEGES ON TABLE t TO testuser -# switch to testuser user testuser -statement error user testuser missing WITH GRANT OPTION privilege on ALL -GRANT ALL PRIVILEGES ON table t to testuser2 +query T noticetrace +GRANT ALL PRIVILEGES ON TABLE t TO target +---- +NOTICE: grant options were automatically applied but this behavior is deprecated +HINT: please use WITH GRANT OPTION + +statement ok +GRANT SELECT ON TABLE t TO target -# switch to root user root -statement error grant options cannot be granted to "public" role -GRANT ALL PRIVILEGES ON TABLE t TO public WITH GRANT OPTION +query T noticetrace +REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser +---- -statement ok +user testuser + +statement error user testuser missing WITH GRANT OPTION privilege on ALL +GRANT ALL PRIVILEGES ON TABLE t TO target + +statement error user testuser missing WITH GRANT OPTION privilege on SELECT +GRANT SELECT ON TABLE t TO target + +# +# Test granting grant options +# +user root + +query T noticetrace GRANT ALL PRIVILEGES ON TABLE t TO testuser WITH GRANT OPTION +---- -# switch to testuser user testuser statement ok -GRANT SELECT, GRANT, INSERT ON TABLE t TO testuser2 WITH GRANT OPTION +GRANT SELECT, INSERT ON TABLE t TO testuser2 + +query TTTTT colnames +SHOW GRANTS FOR testuser2 +---- +database_name schema_name relation_name grantee privilege_type +test public t testuser2 INSERT +test public t testuser2 SELECT + +user testuser2 + +statement error user testuser2 missing WITH GRANT OPTION privilege on one or more of INSERT, SELECT +GRANT INSERT, SELECT ON TABLE t TO target + +user testuser + +query T noticetrace +GRANT GRANT ON TABLE t TO testuser2 +---- 
+NOTICE: the GRANT privilege is deprecated +HINT: please use WITH GRANT OPTION query TTTTT colnames SHOW GRANTS FOR testuser2 @@ -39,6 +90,30 @@ test public t testuser2 GRANT test public t testuser2 INSERT test public t testuser2 SELECT +user testuser2 + +# in version 22.1, granting GRANT to a user means they now have grant options on all their privileges. +# This is to promote backwards compatibility as we deprecate GRANT +statement ok +GRANT INSERT, SELECT ON TABLE t TO target + +# however, future privileges do not automatically get grant options just because the user currently +# holds GRANT - you would need to either specify grant options or grant GRANT again +user root + +statement ok +GRANT DELETE ON TABLE t TO testuser2 + +user testuser2 + +statement error user testuser2 missing WITH GRANT OPTION privilege on DELETE +GRANT DELETE ON TABLE t TO target + +user testuser + +statement ok +GRANT DELETE, UPDATE ON TABLE t TO testuser2 WITH GRANT OPTION + statement ok REVOKE INSERT ON TABLE t FROM testuser2 
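Review bot: The `GRANT ALL PRIVILEGES ON TABLE t TO target` that testuser issues (the one expected to emit the deprecation notice) is not followed by any check of what target can do afterwards. Under the new rule that receiving GRANT confers grant options on every held privilege, target presumably also becomes able to re-grant, so the implicit grant option chains through every non-owner that receives ALL; that transitive effect is the widest consequence of the compatibility behaviour and deserves a pinned expectation either way, e.g. `user target` / `statement ok` / `GRANT SELECT ON TABLE t TO testuser2`, or a `statement error` if chaining is not intended. The empty noticetrace for `REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser` would also read better with a short comment stating that this path is expected to raise no notice.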
@@ -46,28 +121,101 @@ query TTTTT colnames SHOW GRANTS FOR testuser2 ---- database_name schema_name relation_name grantee privilege_type +test public t testuser2 DELETE test public t testuser2 GRANT test public t testuser2 SELECT +test public t testuser2 UPDATE statement ok REVOKE GRANT OPTION FOR SELECT ON TABLE t FROM testuser2 +# revoking GRANT OPTION FOR does not take away the privilege for the user query TTTTT colnames SHOW GRANTS FOR testuser2 ---- database_name schema_name relation_name grantee privilege_type +test public t testuser2 DELETE test public t testuser2 GRANT test public t testuser2 SELECT +test public t testuser2 UPDATE -# switch to testuser2 user testuser2 statement error user testuser2 missing WITH GRANT OPTION privilege on SELECT GRANT SELECT ON TABLE t TO target -# switch to root +statement ok +GRANT DELETE, UPDATE ON TABLE t TO target + +user testuser + +query T noticetrace +REVOKE GRANT ON TABLE t FROM testuser2 +---- +NOTICE: the GRANT privilege is deprecated +HINT: please use WITH GRANT OPTION + +user testuser2 + +# in version 22.1, revoking GRANT from a user means they lose grant options +# on all of their privileges +statement error user testuser2 missing WITH GRANT OPTION privilege on DELETE +GRANT DELETE ON TABLE t TO target + +statement error user testuser2 missing WITH GRANT OPTION privilege on UPDATE +GRANT UPDATE ON TABLE t TO target + +statement error user testuser2 missing WITH GRANT OPTION privilege on SELECT +GRANT SELECT ON TABLE t TO target + +# revoking grant option for on GRANT should not take away grant options +# from other privileges +user root + +statement ok +GRANT GRANT ON TABLE t TO testuser2 + +statement ok +REVOKE GRANT OPTION FOR GRANT ON TABLE t FROM testuser2 + +user testuser2 + +statement ok +GRANT DELETE ON TABLE t TO target + +statement ok +GRANT UPDATE ON TABLE t TO target + +statement ok +GRANT SELECT ON TABLE t TO target + +user root + +statement ok +REVOKE GRANT ON TABLE t FROM testuser2 + +# +# test 
whether granting back GRANT with another privilege in the same statement +# gives grant options for that privilege too +# +user root + +statement ok +GRANT INSERT, GRANT ON TABLE t TO testuser2 + +user testuser2 + +statement ok +GRANT INSERT ON TABLE t TO target + +# +# try revoking ALL PRIVILEGES on various existing privilege states +# user root +statement ok +REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser2 + statement ok REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser @@ -77,13 +225,11 @@ SHOW GRANTS FOR testuser database_name schema_name relation_name grantee privilege_type test public t testuser ALL -# switch to testuser user testuser statement error user testuser missing WITH GRANT OPTION privilege on one or more of SELECT, GRANT, INSERT, DELETE GRANT SELECT, GRANT, INSERT, DELETE ON TABLE t TO testuser2 WITH GRANT OPTION -# switch to root user root statement ok @@ -95,16 +241,16 @@ SHOW GRANTS FOR testuser database_name schema_name relation_name grantee privilege_type statement ok -GRANT GRANT, UPDATE, DELETE ON TABLE t to testuser WITH GRANT OPTION +GRANT UPDATE, DELETE ON TABLE t to testuser WITH GRANT OPTION query TTTTT colnames SHOW GRANTS FOR testuser ---- database_name schema_name relation_name grantee privilege_type test public t testuser DELETE -test public t testuser GRANT test public t testuser UPDATE +# test applying repeat privileges (ALL replaces individual privileges) statement ok GRANT ALL PRIVILEGES ON TABLE t to testuser WITH GRANT OPTION @@ -114,13 +260,11 @@ SHOW GRANTS FOR testuser database_name schema_name relation_name grantee privilege_type test public t testuser ALL -# switch to testuser user testuser statement ok GRANT DELETE ON TABLE t to target -# switch to root user root statement ok 
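Review bot: After `GRANT INSERT, GRANT ON TABLE t TO testuser2` only INSERT is exercised, although the preceding `REVOKE GRANT ON TABLE t FROM testuser2` removed the grant options on SELECT, DELETE and UPDATE as well, and the stated rule is that granting GRANT restores grant options on every privilege the grantee already holds. Adding, as testuser2 at that point, `statement ok` / `GRANT DELETE ON TABLE t TO target` would pin the restore and distinguish it from a same-statement-only effect, which is the question the section comment raises. This hunk begins on the previous source line, so its earlier assertions are not reviewed here.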
@@ -132,13 +276,12 @@ SHOW GRANTS FOR testuser database_name schema_name relation_name grantee privilege_type test public t testuser ALL -# switch to testuser user testuser statement ok GRANT SELECT ON TABLE t TO testuser2 WITH GRANT OPTION -statement error testuser missing WITH GRANT OPTION privilege on UPDATE +statement error user testuser missing WITH GRANT OPTION privilege on UPDATE GRANT UPDATE ON TABLE t TO testuser2 WITH GRANT OPTION statement error user testuser missing WITH GRANT OPTION privilege on DELETE @@ -148,23 +291,33 @@ query TTTTT colnames SHOW GRANTS FOR testuser2 ---- database_name schema_name relation_name grantee privilege_type +test public t testuser2 DELETE test public t testuser2 GRANT +test public t testuser2 INSERT test public t testuser2 SELECT +test public t testuser2 UPDATE -# switch to testuser2 user testuser2 statement ok GRANT SELECT ON TABLE t TO target -# test revoking from oneself (non-owner of an object) +# +# Test granting to and revoking from oneself (non-owner of an object) +# user root statement ok GRANT ALL PRIVILEGES ON TABLE t TO testuser +statement ok +REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser + user testuser +statement error user testuser missing WITH GRANT OPTION privilege on DELETE +GRANT DELETE ON TABLE t TO testuser + statement error user testuser missing WITH GRANT OPTION privilege on DELETE REVOKE DELETE ON TABLE t FROM testuser @@ -175,6 +328,9 @@ GRANT ALL PRIVILEGES ON TABLE t TO testuser WITH GRANT OPTION user testuser +statement ok +GRANT DELETE ON TABLE t TO testuser + statement ok REVOKE DELETE ON TABLE t FROM testuser 
@@ -199,8 +355,63 @@ REVOKE GRANT OPTION FOR SELECT ON TABLE t FROM testuser statement error user testuser missing WITH GRANT OPTION privilege on SELECT GRANT SELECT ON TABLE t TO target -# briefly test databases, schemas, types etc since the code is the same as with tables tested above -# switch to root +user root + +statement ok +GRANT ALL PRIVILEGES ON TABLE t TO testuser WITH GRANT OPTION + +user testuser + +statement ok +REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser + +statement error user testuser missing WITH GRANT OPTION privilege on one or more of INSERT, DELETE +GRANT INSERT, DELETE ON TABLE t TO target + +user root + +statement ok +GRANT ALL PRIVILEGES ON TABLE t TO testuser WITH GRANT OPTION + +statement ok +REVOKE ALL PRIVILEGES ON TABLE t FROM testuser + +query TTTTT colnames +SHOW GRANTS FOR testuser +---- +database_name schema_name relation_name grantee privilege_type + +# revoking grant from ALL privileges means you lose grant options on +# all the other privileges +user root + +statement ok +GRANT ALL PRIVILEGES ON TABLE t TO testuser + +statement ok +REVOKE GRANT ON TABLE t FROM testuser + +query TTTTT colnames +SHOW GRANTS FOR testuser +---- +database_name schema_name relation_name grantee privilege_type +test public t testuser CREATE +test public t testuser DELETE +test public t testuser DROP +test public t testuser INSERT +test public t testuser SELECT +test public t testuser UPDATE +test public t testuser ZONECONFIG + +user testuser + +statement error user testuser missing WITH GRANT OPTION privilege on INSERT +GRANT INSERT ON TABLE t TO target + +# +# Wipe everything so far and briefly test databases, schemas, types +# etc since the code is the same as with tables tested above +# user root statement ok 
@@ -223,22 +434,19 @@ statement ok CREATE SCHEMA s statement ok -GRANT GRANT, CREATE ON SCHEMA s TO testuser WITH GRANT OPTION +GRANT ALL PRIVILEGES ON SCHEMA s TO testuser WITH GRANT OPTION query TTTTT colnames SHOW GRANTS FOR testuser ---- database_name schema_name relation_name grantee privilege_type -test s NULL testuser CREATE -test s NULL testuser GRANT +test s NULL testuser ALL -# switch to testuser user testuser statement ok GRANT CREATE ON SCHEMA s TO testuser2 WITH GRANT OPTION -# switch to root user root query TTTTT colnames @@ -254,16 +462,24 @@ query TTTTT colnames SHOW GRANTS FOR testuser ---- database_name schema_name relation_name grantee privilege_type -test s NULL testuser CREATE -test s NULL testuser GRANT +test s NULL testuser ALL -# switch to testuser user testuser statement error user testuser missing WITH GRANT OPTION privilege on CREATE GRANT CREATE ON SCHEMA s TO target -# switch to root +user root + +statement ok +GRANT GRANT ON SCHEMA s TO testuser + +# granting GRANT here will give grant options on ALL privileges for testuser +user testuser + +statement ok +GRANT CREATE ON SCHEMA s TO target + user root statement ok @@ -281,9 +497,10 @@ d public CONNECT d root ALL d testuser ALL +# # Make testuser2 a member of testuser; it should inherit grant options # from testuser. - +# statement ok GRANT testuser TO testuser2 
@@ -308,28 +525,22 @@ statement ok REVOKE testuser FROM testuser2; REVOKE CONNECT ON DATABASE d FROM target -# switch to testuser user testuser statement ok -GRANT GRANT, CREATE, CONNECT ON DATABASE d TO testuser2 WITH GRANT OPTION +GRANT CREATE, CONNECT ON DATABASE d TO testuser2 WITH GRANT OPTION statement ok REVOKE GRANT OPTION FOR CREATE ON DATABASE d FROM testuser2 -# switch to testuser2 user testuser2 -statement ok -GRANT GRANT ON DATABASE d TO target WITH GRANT OPTION - statement ok GRANT CONNECT ON DATABASE d TO target WITH GRANT OPTION statement error user testuser2 missing WITH GRANT OPTION privilege on CREATE GRANT CREATE ON DATABASE d TO target WITH GRANT OPTION -# switch to root user root query TTT colnames @@ -340,11 +551,9 @@ d admin ALL d public CONNECT d root ALL d target CONNECT -d target GRANT d testuser ALL d testuser2 CONNECT d testuser2 CREATE -d testuser2 GRANT statement ok REVOKE ALL PRIVILEGES ON DATABASE d FROM testuser2 @@ -357,10 +566,8 @@ d admin ALL d public CONNECT d root ALL d target CONNECT -d target GRANT d testuser ALL -# switch to testuser2 user testuser2 # Make sure that non-admin roles do not have CONNECT grant option inherited @@ -372,10 +579,7 @@ GRANT CONNECT ON DATABASE d TO target WITH GRANT OPTION user root statement ok -CREATE type type1 as ENUM() - -statement ok -GRANT GRANT ON TYPE type1 TO testuser +CREATE TYPE type1 as ENUM() user testuser @@ -393,7 +597,9 @@ user testuser statement ok GRANT USAGE ON TYPE type1 TO target -# Test owner status - should be able to always grant/revoke on the object it owns, regardless of its own privileges +# +# Test owner status - one should always be able to grant/revoke on the object it owns, regardless of its own privileges +# user root statement ok 
@@ -431,19 +637,11 @@ test public t1 root ALL test public t1 testuser2 CREATE test public t1 testuser2 SELECT +# even though testuser doesn't have privileges on table t1, it can still grant +# because it is the owner statement ok GRANT INSERT ON TABLE t1 TO testuser2 -statement ok -GRANT GRANT ON TABLE t1 TO testuser2 - -user testuser2 - -statement error user testuser2 missing WITH GRANT OPTION privilege on SELECT -GRANT SELECT ON TABLE t1 TO target - -user testuser - statement ok GRANT ALL PRIVILEGES ON TABLE t1 TO testuser2 WITH GRANT OPTION @@ -455,40 +653,15 @@ test public t1 admin ALL test public t1 root ALL test public t1 testuser2 ALL -user testuser2 - -statement ok -GRANT SELECT ON TABLE t1 TO TARGET - -statement ok -REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t1 FROM testuser2 - -statement error user testuser2 missing WITH GRANT OPTION privilege on INSERT -GRANT INSERT ON TABLE t1 TO target - -user testuser - -statement ok -GRANT ALL PRIVILEGES ON TABLE t1 TO testuser2 WITH GRANT OPTION - -user testuser2 - -statement ok -REVOKE ALL PRIVILEGES ON TABLE t1 FROM testuser2 - -statement error pq: user testuser2 does not have INSERT privilege on relation t1 -GRANT INSERT ON TABLE t1 TO target - -user testuser - query TTTTT colnames SHOW GRANTS ON TABLE t1; ---- database_name schema_name table_name grantee privilege_type test public t1 admin ALL test public t1 root ALL -test public t1 target SELECT +test public t1 testuser2 ALL +# owner can give privileges back to themself statement ok GRANT ALL PRIVILEGES ON TABLE t1 TO testuser @@ -498,5 +671,5 @@ SHOW GRANTS ON TABLE t1; database_name schema_name table_name grantee privilege_type test public t1 admin ALL test public t1 root ALL -test public t1 target SELECT test public t1 testuser ALL +test public t1 testuser2 ALL diff --git a/pkg/sql/logictest/testdata/logic_test/owner b/pkg/sql/logictest/testdata/logic_test/owner index 9689f900d089..0deab28e9435 100644 --- a/pkg/sql/logictest/testdata/logic_test/owner 
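Review bot: The `@@ -455` hunk deletes the only assertion in this file of the `does not have INSERT privilege on relation t1` error, i.e. the case where the grantor lacks the privilege itself rather than merely its grant option, together with the non-owner self-revoke path (`REVOKE ALL PRIVILEGES ON TABLE t1 FROM testuser2` issued by testuser2) that produced it. Both are authorization-check branches distinct from the WITH GRANT OPTION errors kept elsewhere, and nothing in the new semantics makes them unreachable. Unless they are covered in another file, re-adding a minimal version under the new rules, ending in `statement error pq: user testuser2 does not have INSERT privilege on relation t1` / `GRANT INSERT ON TABLE t1 TO target`, would keep that branch tested.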
+++ b/pkg/sql/logictest/testdata/logic_test/owner @@ -135,6 +135,10 @@ statement ok REVOKE admin FROM testuser; GRANT ALL ON DATABASE d to testuser2 +# Remove the following two lines once the GRANT privilege is removed in 22.2 +statement ok +REVOKE GRANT OPTION FOR ALL PRIVILEGES ON DATABASE d FROM testuser2 + user testuser2 # testuser2 has ALL privileges, no grant options, and is not a member of a role, diff --git a/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl index 2375ef495476..e37d5be041eb 100644 --- a/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl +++ b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl @@ -28,10 +28,10 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -1221463063 1546506610 0 r {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 S {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 T {bar=U/,foo=U/} -1221463063 1546506610 0 n {bar=CU/,foo=CU/,=U/} +1221463063 1546506610 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 T {bar=U*/,foo=U*/} +1221463063 1546506610 0 n {bar=C*U*/,foo=C*U*/,=U/} statement ok GRANT foo, bar TO root; 
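Review bot: The comment `# Remove the following two lines once the GRANT privilege is removed in 22.2` in the owner hunk says what to delete later but not why the revoke is needed now, and the count does not match the three lines added. Something like `# GRANT ALL includes GRANT, which in 22.1 implicitly adds grant options; strip them so testuser2 has no grant options as assumed below. Remove once GRANT is removed in 22.2` ties the statement to the assumption spelled out in the comment that follows it.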
@@ -47,18 +47,18 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -4119266190 1791217281 0 r {foo=Cadrw/} -4119266190 1791217281 0 S {foo=Cadrw/} -4119266190 1791217281 0 T {foo=U/} -4119266190 1791217281 0 n {foo=CU/} -3682459869 2026795574 0 r {bar=Cadrw/} -3682459869 2026795574 0 S {bar=Cadrw/} -3682459869 2026795574 0 T {bar=U/} -3682459869 2026795574 0 n {bar=CU/} -1221463063 1546506610 0 r {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 S {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 T {bar=U/,foo=U/} -1221463063 1546506610 0 n {bar=CU/,foo=CU/,=U/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,foo=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/,foo=C*U*/} +3682459869 2026795574 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/} +3682459869 2026795574 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {bar=U*/,foo=U*/,=U/} +3682459869 2026795574 0 n {bar=C*U*/,foo=C*U*/} +1221463063 1546506610 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 T {bar=U*/,foo=U*/} +1221463063 1546506610 0 n {bar=C*U*/,foo=C*U*/,=U/} statement ok ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON TABLES FROM foo, bar; 
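Review bot: In this hunk the rows for oids 4119266190 and 3682459869 no longer follow the old output's role assignment (1791217281 previously listed `foo=`, 2026795574 `bar=`; from the `@@ -101` hunk on they appear the other way round), and from here on those eight rows never disappear, including after `ALTER DEFAULT PRIVILEGES FOR ALL ROLES REVOKE ALL ON TABLES FROM foo, bar` and at the end of the file where the old expectation had none; the same block is repeated in every later hunk of this file (`@@ -80` through `@@ -248`). Nothing in the visible hunks explains which statement now creates those role-specific entries, so the expectations read as regenerated rather than reasoned about. Add a comment at the first occurrence naming the statement that produces them, or an explicit `ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ...` that clears them, so that the later assertions test what their surrounding comments say.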
@@ -80,10 +80,10 @@ oid defaclrole defaclnamespace defaclobjtype defaclacl 3682459869 2026795574 0 S {} 3682459869 2026795574 0 T {=U/} 3682459869 2026795574 0 n {} -1221463063 1546506610 0 r {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 S {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 T {bar=U/,foo=U/} -1221463063 1546506610 0 n {bar=CU/,foo=CU/,=U/} +1221463063 1546506610 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 T {bar=U*/,foo=U*/} +1221463063 1546506610 0 n {bar=C*U*/,foo=C*U*/,=U/} statement ok ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON TABLES TO foo; @@ -101,10 +101,18 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -1221463063 1546506610 0 r {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 S {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 T {bar=U/,foo=U/} -1221463063 1546506610 0 n {bar=CU/,foo=CU/,=U/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*r*w*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} +1221463063 1546506610 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 T {bar=U*/,foo=U*/} +1221463063 1546506610 0 n {bar=C*U*/,foo=C*U*/,=U/} # Revoke SELECT from foo and GRANT it back with foo being the creator role. # Ensure revoking a single privilege reflects correctly. 
@@ -115,11 +123,18 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -3682459869 2026795574 0 r {foo=Cadw/} -1221463063 1546506610 0 r {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 S {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 T {bar=U/,foo=U/} -1221463063 1546506610 0 n {bar=CU/,foo=CU/,=U/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*w*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} +1221463063 1546506610 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 T {bar=U*/,foo=U*/} +1221463063 1546506610 0 n {bar=C*U*/,foo=C*U*/,=U/} statement ok ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT SELECT ON TABLES TO foo; 
@@ -128,10 +143,18 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -1221463063 1546506610 0 r {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 S {bar=Cadrw/,foo=Cadrw/,=r/} -1221463063 1546506610 0 T {bar=U/,foo=U/} -1221463063 1546506610 0 n {bar=CU/,foo=CU/,=U/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} +1221463063 1546506610 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r/} +1221463063 1546506610 0 T {bar=U*/,foo=U*/} +1221463063 1546506610 0 n {bar=C*U*/,foo=C*U*/,=U/} statement ok ALTER DEFAULT PRIVILEGES REVOKE SELECT ON TABLES FROM foo, bar, public; @@ -145,7 +168,15 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -1221463063 1546506610 0 r {bar=Cadw/,foo=Cadw/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} +1221463063 1546506610 0 r {bar=C*a*d*w*/,foo=C*a*d*w*/} # GRANT, DROP and ZONECONFIG should not show up in defaclacl. statement ok 
@@ -156,6 +187,14 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} 1221463063 1546506610 0 r {foo=/} statement ok @@ -173,10 +212,18 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -2946850071 0 0 r {bar=Cadrw/,foo=Cadrw/} -2946850071 0 0 S {bar=Cadrw/,foo=Cadrw/} -2946850071 0 0 T {bar=U/,foo=U/} -2946850071 0 0 n {bar=CU/,foo=CU/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} +2946850071 0 0 r {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/} +2946850071 0 0 S {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/} +2946850071 0 0 T {bar=U*/,foo=U*/} +2946850071 0 0 n {bar=C*U*/,foo=C*U*/} statement ok ALTER DEFAULT PRIVILEGES FOR ALL ROLES REVOKE ALL ON TABLES FROM foo, bar; 
@@ -187,7 +234,15 @@ ALTER DEFAULT PRIVILEGES FOR ALL ROLES REVOKE ALL ON SEQUENCES FROM foo, bar; query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- -oid defaclrole defaclnamespace defaclobjtype defaclacl +oid defaclrole defaclnamespace defaclobjtype defaclacl +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} user testuser @@ -203,6 +258,14 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} 4278550838 2264919399 0 r {} 4278550838 2264919399 0 S {} 4278550838 2264919399 0 T {=U/} @@ -216,6 +279,14 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} 4278550838 2264919399 0 r {} 4278550838 2264919399 0 S {} 4278550838 2264919399 0 T {} 
@@ -231,9 +302,17 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} 4278550838 2264919399 0 r {} 4278550838 2264919399 0 S {} -4278550838 2264919399 0 T {testuser=U/} +4278550838 2264919399 0 T {testuser=U*/} 4278550838 2264919399 0 n {} statement ok @@ -248,7 +327,15 @@ query OOOTT colnames,rowsort SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL ---- oid defaclrole defaclnamespace defaclobjtype defaclacl -4278550838 2264919399 0 r {foo=Cadrw/} -4278550838 2264919399 0 S {foo=Cadrw/} -4278550838 2264919399 0 T {foo=U/,testuser=U/} -4278550838 2264919399 0 n {foo=CU/} +4119266190 1791217281 0 r {bar=C*a*d*r*w*/} +4119266190 1791217281 0 S {bar=C*a*d*r*w*/} +4119266190 1791217281 0 T {bar=U*/,=U/} +4119266190 1791217281 0 n {bar=C*U*/} +3682459869 2026795574 0 r {foo=C*a*d*rw*/} +3682459869 2026795574 0 S {foo=C*a*d*r*w*/} +3682459869 2026795574 0 T {foo=U*/,=U/} +3682459869 2026795574 0 n {foo=C*U*/} +4278550838 2264919399 0 r {foo=C*a*d*r*w*/} +4278550838 2264919399 0 S {foo=C*a*d*r*w*/} +4278550838 2264919399 0 T {foo=U*/,testuser=U*/} +4278550838 2264919399 0 n {foo=C*U*/} diff --git a/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option index 2c679a0b91f5..89d1b6bb818b 100644 --- a/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option +++ b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option 
@@ -125,6 +125,17 @@ ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON SEQUENCES TO bar; ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON SCHEMAS TO bar; ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON TYPES TO bar; +# remove this block once the GRANT privilege is removed in 22.2 +statement ok +ALTER DEFAULT PRIVILEGES FOR ROLE foo REVOKE GRANT OPTION FOR ALL ON TABLES FROM foo; +ALTER DEFAULT PRIVILEGES FOR ROLE foo REVOKE GRANT OPTION FOR ALL ON SEQUENCES FROM foo; +ALTER DEFAULT PRIVILEGES FOR ROLE foo REVOKE GRANT OPTION FOR ALL ON SCHEMAS FROM foo; +ALTER DEFAULT PRIVILEGES FOR ROLE foo REVOKE GRANT OPTION FOR ALL ON TYPES FROM foo; +ALTER DEFAULT PRIVILEGES FOR ROLE bar REVOKE GRANT OPTION FOR ALL ON TABLES FROM bar; +ALTER DEFAULT PRIVILEGES FOR ROLE bar REVOKE GRANT OPTION FOR ALL ON SEQUENCES FROM bar; +ALTER DEFAULT PRIVILEGES FOR ROLE bar REVOKE GRANT OPTION FOR ALL ON SCHEMAS FROM bar; +ALTER DEFAULT PRIVILEGES FOR ROLE bar REVOKE GRANT OPTION FOR ALL ON TYPES FROM bar; + # Entries should disappear since the previous ALTER DEFAULT PRIVILEGE commands # revert the default privileges to the default state. query OOOTT colnames,rowsort
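Review bot: The `# remove this block once the GRANT privilege is removed in 22.2` comment omits why the eight `REVOKE GRANT OPTION FOR ALL` statements are needed at all; presumably the preceding `GRANT ALL` defaults now confer grant options because ALL includes GRANT, and the "entries should disappear" assertion that follows depends on the defaults returning to their initial state. Say so in the comment, e.g. `# ALL includes GRANT, which in 22.1 implicitly adds grant options; strip them so the defaults return to the initial state. Remove once GRANT is removed in 22.2`, so the block is not dropped as dead setup by someone who does not know the compatibility rule.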