cockroachdb · craig · Dec 23, 2021 · Dec 15, 2021
diff --git a/pkg/ccl/backupccl/testdata/backup-restore/restore-grants b/pkg/ccl/backupccl/testdata/backup-restore/restore-grants
@@ -25,17 +25,17 @@ CREATE TABLE testdb.sc.othertable (a INT);
 # Give some grants to user1.
 # User1 has access to testdb.sc.othertable.
 exec-sql
-GRANT ALL ON DATABASE testdb TO user1;
-GRANT ALL ON SCHEMA public TO user1;
-GRANT ALL ON SCHEMA public TO testuser;
+GRANT ALL ON DATABASE testdb TO user1 WITH GRANT OPTION;
+GRANT ALL ON SCHEMA public TO user1 WITH GRANT OPTION;
+GRANT ALL ON SCHEMA public TO testuser WITH GRANT OPTION;
 GRANT USAGE ON SCHEMA sc TO user1;
 GRANT SELECT ON testdb.sc.othertable TO user1;
 ----
 
 # Grant privs to testuser.
 # Test user has access to testdb.testtable_greeting_usage and testtable_greeting_owner.
 exec-sql
-GRANT ALL ON DATABASE testdb TO testuser;
+GRANT ALL ON DATABASE testdb TO testuser WITH GRANT OPTION;
 GRANT USAGE ON TYPE testdb.greeting_usage TO testuser;
 GRANT UPDATE ON testdb.testtable_greeting_usage TO testuser;
 ----

@@ -21,6 +21,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/schemadesc"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgnotice"
 	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/util/log/eventpb"
@@ -197,14 +198,41 @@ func (n *alterDefaultPrivilegesNode) alterDefaultPrivilegesForSchemas(
 		if err != nil {
 			return err
 		}
+
+		grantPresent, allPresent := false, false
+		if params.ExecCfg().Settings.Version.IsActive(params.ctx, clusterversion.ValidateGrantOption) {
+			for _, priv := range privileges {
+				grantPresent = grantPresent || priv == privilege.GRANT
+				allPresent = allPresent || priv == privilege.ALL
+			}
+
+			noticeMessage := ""
+			// we only output the message for ALL privilege if it is being granted without the WITH GRANT OPTION flag
+			// if GRANT privilege is involved, we must always output the message
+			if allPresent && n.n.IsGrant && !grantOption {
+				noticeMessage = "grant options were automatically applied but this behavior is deprecated"
+			} else if grantPresent {
+				noticeMessage = "the GRANT privilege is deprecated"
+			}
+
+			if len(noticeMessage) > 0 {
+				params.p.noticeSender.BufferNotice(
+					errors.WithHint(
+						pgnotice.Newf("%s", noticeMessage),
+						"please use WITH GRANT OPTION",
+					),
+				)
+			}
+		}
+
 		for _, role := range roles {
 			if n.n.IsGrant {
 				defaultPrivs.GrantDefaultPrivileges(
-					role, privileges, granteeSQLUsernames, objectType, grantOption,
+					role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent,
 				)
 			} else {
 				defaultPrivs.RevokeDefaultPrivileges(
-					role, privileges, granteeSQLUsernames, objectType, grantOption,
+					role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent,
 				)
 			}
 
@@ -273,14 +301,41 @@ func (n *alterDefaultPrivilegesNode) alterDefaultPrivilegesForDatabase(
 	if err != nil {
 		return err
 	}
+
+	grantPresent, allPresent := false, false
+	if params.ExecCfg().Settings.Version.IsActive(params.ctx, clusterversion.ValidateGrantOption) {
+		for _, priv := range privileges {
+			grantPresent = grantPresent || priv == privilege.GRANT
+			allPresent = allPresent || priv == privilege.ALL
+		}
+
+		noticeMessage := ""
+		// we only output the message for ALL privilege if it is being granted without the WITH GRANT OPTION flag
+		// if GRANT privilege is involved, we must always output the message
+		if allPresent && n.n.IsGrant && !grantOption {
+			noticeMessage = "grant options were automatically applied but this behavior is deprecated"
+		} else if grantPresent {
+			noticeMessage = "the GRANT privilege is deprecated"
+		}
+
+		if len(noticeMessage) > 0 {
+			params.p.noticeSender.BufferNotice(
+				errors.WithHint(
+					pgnotice.Newf("%s", noticeMessage),
+					"please use WITH GRANT OPTION",
+				),
+			)
+		}
+	}
+
 	for _, role := range roles {
 		if n.n.IsGrant {
 			defaultPrivs.GrantDefaultPrivileges(
-				role, privileges, granteeSQLUsernames, objectType, grantOption,
+				role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent,
 			)
 		} else {
 			defaultPrivs.RevokeDefaultPrivileges(
-				role, privileges, granteeSQLUsernames, objectType, grantOption,
+				role, privileges, granteeSQLUsernames, objectType, grantOption, grantPresent || allPresent,
 			)
 		}
 

@@ -82,6 +82,7 @@ func (d *immutable) grantOrRevokeDefaultPrivilegesHelper(
 	privList privilege.List,
 	withGrantOption bool,
 	isGrant bool,
+	deprecateGrant bool,
 ) {
 	defaultPrivileges := defaultPrivilegesForRole.DefaultPrivilegesPerObject[targetObject]
 	// expandPrivileges turns flags on the DefaultPrivilegesForRole representing
@@ -97,6 +98,11 @@ func (d *immutable) grantOrRevokeDefaultPrivilegesHelper(
 	} else {
 		defaultPrivileges.Revoke(grantee, privList, targetObject.ToPrivilegeObjectType(), withGrantOption)
 	}
+
+	if deprecateGrant {
+		defaultPrivileges.GrantPrivilegeToGrantOptions(grantee, isGrant)
+	}
+
 	if d.IsDatabaseDefaultPrivilege() {
 		foldPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
 	}
@@ -110,10 +116,11 @@ func (d *Mutable) GrantDefaultPrivileges(
 	grantees []security.SQLUsername,
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
 	withGrantOption bool,
+	deprecateGrant bool,
 ) {
 	defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role)
 	for _, grantee := range grantees {
-		d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, withGrantOption, true /* isGrant */)
+		d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, withGrantOption, true /* isGrant */, deprecateGrant)
 	}
 }
 
@@ -124,10 +131,11 @@ func (d *Mutable) RevokeDefaultPrivileges(
 	grantees []security.SQLUsername,
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
 	grantOptionFor bool,
+	deprecateGrant bool,
 ) {
 	defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role)
 	for _, grantee := range grantees {
-		d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, grantOptionFor, false /* isGrant */)
+		d.grantOrRevokeDefaultPrivilegesHelper(defaultPrivilegesForRole, role, targetObject, grantee, privileges, grantOptionFor, false /* isGrant */, deprecateGrant)
 	}
 
 	defaultPrivilegesPerObject := defaultPrivilegesForRole.DefaultPrivilegesPerObject

@@ -165,7 +165,7 @@ func TestGrantDefaultPrivileges(t *testing.T) {
 		defaultPrivilegeDescriptor := MakeDefaultPrivilegeDescriptor(descpb.DefaultPrivilegeDescriptor_DATABASE)
 		defaultPrivileges := NewMutableDefaultPrivileges(defaultPrivilegeDescriptor)
 
-		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.privileges, tc.grantees, tc.targetObject, false /* withGrantOption */)
+		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.privileges, tc.grantees, tc.targetObject, false /* withGrantOption */, false /*deprecateGrant*/)
 
 		newPrivileges := CreatePrivilegesFromDefaultPrivileges(
 			defaultPrivileges, nil, /* schemaDefaultPrivilegeDescriptor */
@@ -284,8 +284,8 @@ func TestRevokeDefaultPrivileges(t *testing.T) {
 		defaultPrivilegeDescriptor := MakeDefaultPrivilegeDescriptor(descpb.DefaultPrivilegeDescriptor_DATABASE)
 		defaultPrivileges := NewMutableDefaultPrivileges(defaultPrivilegeDescriptor)
 
-		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.grantPrivileges, tc.grantees, tc.targetObject, false /* withGrantOption */)
-		defaultPrivileges.RevokeDefaultPrivileges(tc.defaultPrivilegesRole, tc.revokePrivileges, tc.grantees, tc.targetObject, false /* grantOptionFor */)
+		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.grantPrivileges, tc.grantees, tc.targetObject, false /* withGrantOption */, false /*deprecateGrant*/)
+		defaultPrivileges.RevokeDefaultPrivileges(tc.defaultPrivilegesRole, tc.revokePrivileges, tc.grantees, tc.targetObject, false /* grantOptionFor */, false /*deprecateGrant*/)
 
 		newPrivileges := CreatePrivilegesFromDefaultPrivileges(
 			defaultPrivileges, nil, /* schemaDefaultPrivilegeDescriptor */
@@ -311,7 +311,7 @@ func TestRevokeDefaultPrivilegesFromEmptyList(t *testing.T) {
 	fooUser := security.MakeSQLUsernameFromPreNormalizedString("foo")
 	defaultPrivileges.RevokeDefaultPrivileges(descpb.DefaultPrivilegesRole{
 		Role: creatorUser,
-	}, privilege.List{privilege.ALL}, []security.SQLUsername{fooUser}, tree.Tables, false /* grantOptionFor */)
+	}, privilege.List{privilege.ALL}, []security.SQLUsername{fooUser}, tree.Tables, false /* grantOptionFor */, false /*deprecateGrant*/)
 
 	newPrivileges := CreatePrivilegesFromDefaultPrivileges(
 		defaultPrivileges, nil, /* schemaDefaultPrivilegeDescriptor */
@@ -673,6 +673,7 @@ func TestDefaultPrivileges(t *testing.T) {
 				userAndGrant.grants,
 				[]security.SQLUsername{userAndGrant.user},
 				tc.targetObject, false, /* withGrantOption */
+				false, /*deprecateGrant*/
 			)
 		}
 
@@ -683,6 +684,7 @@ func TestDefaultPrivileges(t *testing.T) {
 				[]security.SQLUsername{userAndGrant.user},
 				tc.targetObject,
 				false, /* withGrantOption */
+				false, /*deprecateGrant*/
 			)
 		}
 
@@ -745,6 +747,7 @@ func TestModifyDefaultDefaultPrivileges(t *testing.T) {
 			tc.revokeAndGrantPrivileges,
 			[]security.SQLUsername{creatorUser},
 			tc.targetObject, false, /* grantOptionFor */
+			false, /*deprecateGrant*/
 		)
 		if GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForCreator, tc.targetObject) {
 			t.Errorf("expected role to not have ALL privileges on %s", tc.targetObject)
@@ -754,6 +757,7 @@ func TestModifyDefaultDefaultPrivileges(t *testing.T) {
 			tc.revokeAndGrantPrivileges,
 			[]security.SQLUsername{creatorUser},
 			tc.targetObject, false, /* withGrantOption */
+			false, /*deprecateGrant*/
 		)
 		if !GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForCreator, tc.targetObject) {
 			t.Errorf("expected role to have ALL privileges on %s", tc.targetObject)
@@ -778,6 +782,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
 		tree.Types, false, /* grantOptionFor */
+		false, /*deprecateGrant*/
 	)
 	if GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) {
 		t.Errorf("expected public to not have USAGE privilege on types")
@@ -787,6 +792,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
 		tree.Types, false, /* withGrantOption */
+		false, /*deprecateGrant*/
 	)
 	if !GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) {
 		t.Errorf("expected public to have USAGE privilege on types")
@@ -798,6 +804,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
 		tree.Types, true, /* withGrantOption */
+		false, /*deprecateGrant*/
 	)
 
 	privDesc := defaultPrivilegesForCreator.DefaultPrivilegesPerObject[tree.Types]
@@ -820,6 +827,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
 		tree.Types, true, /* grantOptionFor */
+		false, /*deprecateGrant*/
 	)
 
 	privDesc = defaultPrivilegesForCreator.DefaultPrivilegesPerObject[tree.Types]
@@ -838,6 +846,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
 		tree.Types, false, /* grantOptionFor */
+		false, /*deprecateGrant*/
 	)
 	if GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) {
 		t.Errorf("expected public to not have USAGE privilege on types")

@@ -298,6 +298,27 @@ func (p *PrivilegeDescriptor) Revoke(
 
 }
 
+// GrantPrivilegeToGrantOptions adjusts a user's grant option bits based on whether the GRANT or ALL
+// privilege was just granted or revoked. If GRANT/ALL was just granted, the user should obtain grant
+// options for each privilege it currently has. If GRANT/ALL was just revoked, the user should lose
+// grant options for each privilege it has
+// TODO(jackcwu): delete this function once the GRANT privilege is finally removed
+func (p *PrivilegeDescriptor) GrantPrivilegeToGrantOptions(
+	user security.SQLUsername, isGrant bool,
+) {
+	if isGrant {
+		userPriv := p.FindOrCreateUser(user)
+		userPriv.WithGrantOption = userPriv.Privileges
+	} else {
+		userPriv, ok := p.FindUser(user)
+		if !ok || userPriv.Privileges == 0 {
+			// Removing privileges from a user without privileges is a no-op.
+			return
+		}
+		userPriv.WithGrantOption = 0
+	}
+}
+
 // ValidateSuperuserPrivileges ensures that superusers have exactly the maximum
 // allowed privilege set for the object.
 // It requires the ID of the descriptor it is applied on to determine whether

@@ -192,10 +192,14 @@ func (n *changePrivilegesNode) startExec(params runParams) error {
 		if len(n.desiredprivs) > 0 {
 			// Only allow granting/revoking privileges that the requesting
 			// user themselves have on the descriptor.
+
+			grantPresent, allPresent := false, false
 			for _, priv := range n.desiredprivs {
 				if err := p.CheckPrivilege(ctx, descriptor, priv); err != nil {
 					return err
 				}
+				grantPresent = grantPresent || priv == privilege.GRANT
+				allPresent = allPresent || priv == privilege.ALL
 			}
 			privileges := descriptor.GetPrivileges()
 
@@ -204,10 +208,38 @@ func (n *changePrivilegesNode) startExec(params runParams) error {
 				if err != nil {
 					return err
 				}
+
+				noticeMessage := ""
+				// we only output the message for ALL privilege if it is being granted without the WITH GRANT OPTION flag
+				// if GRANT privilege is involved, we must always output the message
+				if allPresent && n.isGrant && !n.withGrantOption {
+					noticeMessage = "grant options were automatically applied but this behavior is deprecated"
+				} else if grantPresent {
+					noticeMessage = "the GRANT privilege is deprecated"
+				}
+
+				if len(noticeMessage) > 0 {
+					params.p.noticeSender.BufferNotice(
+						errors.WithHint(
+							pgnotice.Newf("%s", noticeMessage),
+							"please use WITH GRANT OPTION",
+						),
+					)
+				}
 			}
 
 			for _, grantee := range n.grantees {
 				n.changePrivilege(privileges, n.desiredprivs, grantee)
+
+				if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption) {
+					if grantPresent || allPresent {
+						if n.isGrant {
+							privileges.GrantPrivilegeToGrantOptions(grantee, true /*isGrant*/)
+						} else if !n.isGrant && !n.withGrantOption {
+							privileges.GrantPrivilegeToGrantOptions(grantee, false /*isGrant*/)
+						}
+					}
+				}
 			}
 
 			// Ensure superusers have exactly the allowed privilege set.