From 2d485fb5d904aeeeb7947fb867459104a065b76e Mon Sep 17 00:00:00 2001
From: richardjcai
Date: Wed, 24 Aug 2022 15:51:33 -0700
Subject: [PATCH] backupccl, restoreccl: include system.privileges in full cluster restore
Release justification: Minor enhancement to not yet released feature
Release note: None
---
 .../full_cluster_backup_restore_test.go | 2 +
 pkg/ccl/backupccl/system_schema.go | 2 +-
 .../external-connections-nodelocal | 1 +
 .../external-connections-userfile | 1 +
 .../backup-restore/system-privileges-table | 49 +++++++++++++++++++
 5 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 pkg/ccl/backupccl/testdata/backup-restore/system-privileges-table
diff --git a/pkg/ccl/backupccl/full_cluster_backup_restore_test.go b/pkg/ccl/backupccl/full_cluster_backup_restore_test.go
index 5d209a3cf9ae..eca4f676fe5d 100644
--- a/pkg/ccl/backupccl/full_cluster_backup_restore_test.go
+++ b/pkg/ccl/backupccl/full_cluster_backup_restore_test.go
@@ -643,6 +643,7 @@ func TestClusterRestoreFailCleanup(t *testing.T) {
 {"database_role_settings"},
 {"external_connections"},
 {"locations"},
+ {"privileges"},
 {"role_id_seq"},
 {"role_members"},
 {"role_options"},
@@ -735,6 +736,7 @@ func TestClusterRestoreFailCleanup(t *testing.T) {
 {"database_role_settings"},
 {"external_connections"},
 {"locations"},
+ {"privileges"},
 {"role_id_seq"},
 {"role_members"},
 {"role_options"},
diff --git a/pkg/ccl/backupccl/system_schema.go b/pkg/ccl/backupccl/system_schema.go
index 1e9564199680..7a6100d42443 100644
--- a/pkg/ccl/backupccl/system_schema.go
+++ b/pkg/ccl/backupccl/system_schema.go
@@ -538,7 +538,7 @@ var systemTableBackupConfiguration = map[string]systemBackupConfiguration{
 expectMissingInSystemTenant: true,
 },
 systemschema.SystemPrivilegeTable.GetName(): {
- shouldIncludeInClusterBackup: optOutOfClusterBackup,
+ shouldIncludeInClusterBackup: optInToClusterBackup, // No desc ID columns.
 },
 systemschema.SystemExternalConnectionsTable.GetName(): {
 shouldIncludeInClusterBackup: optInToClusterBackup, // No desc ID columns.
diff --git a/pkg/ccl/backupccl/testdata/backup-restore/external-connections-nodelocal b/pkg/ccl/backupccl/testdata/backup-restore/external-connections-nodelocal
index 46c572330efa..73f1e1c55cde 100644
--- a/pkg/ccl/backupccl/testdata/backup-restore/external-connections-nodelocal
+++ b/pkg/ccl/backupccl/testdata/backup-restore/external-connections-nodelocal
@@ -33,6 +33,7 @@ external_connections table full
 foo table full
 locations table full
 postgres database full
+privileges table full
 public schema full
 public schema full
 public schema full
diff --git a/pkg/ccl/backupccl/testdata/backup-restore/external-connections-userfile b/pkg/ccl/backupccl/testdata/backup-restore/external-connections-userfile
index 838360575e5b..c7fdf073bbd8 100644
--- a/pkg/ccl/backupccl/testdata/backup-restore/external-connections-userfile
+++ b/pkg/ccl/backupccl/testdata/backup-restore/external-connections-userfile
@@ -33,6 +33,7 @@ external_connections table full
 foo table full
 locations table full
 postgres database full
+privileges table full
 public schema full
 public schema full
 public schema full
diff --git a/pkg/ccl/backupccl/testdata/backup-restore/system-privileges-table b/pkg/ccl/backupccl/testdata/backup-restore/system-privileges-table
new file mode 100644
index 000000000000..4589f30f9ebd
--- /dev/null
+++ b/pkg/ccl/backupccl/testdata/backup-restore/system-privileges-table
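Review bot: In pkg/ccl/backupccl/system_schema.go, the `// No desc ID columns.` comment on the `SystemPrivilegeTable` entry says why no ID remapping is needed, but not what the restored rows depend on. Judging by the test data added in this patch, rows are keyed by username and an object path (`/externalconn/foo`, `/vtable/crdb_internal/tables`), so restored grants are only meaningful if the users and the named objects come back in the same restore. I would spell that out, e.g. `// No desc ID columns; rows reference usernames and object paths by name, so users and external connections must be restored with them.` Since this table holds system-level grants such as MODIFYCLUSTERSETTING, the comment could also state that a full cluster restore now carries those grants over from the backup. The map literal starts and ends outside the hunk.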
@@ -0,0 +1,49 @@
+new-server name=s1
+----
+
+exec-sql
+CREATE USER testuser;
+CREATE USER testuser2;
+GRANT SYSTEM MODIFYCLUSTERSETTING, VIEWACTIVITY TO testuser;
+GRANT SELECT ON crdb_internal.tables TO testuser;
+CREATE EXTERNAL CONNECTION foo AS 'nodelocal://0/foo';
+GRANT USAGE ON EXTERNAL CONNECTION foo TO testuser2;
+GRANT SYSTEM VIEWACTIVITYREDACTED TO testuser2;
+GRANT SELECT ON crdb_internal.databases, crdb_internal.tables TO testuser2;
+GRANT ALL ON EXTERNAL CONNECTION foo TO testuser2;
+----
+
+query-sql
+SELECT * FROM system.privileges
+----
+root /externalconn/foo {ALL} {}
+testuser /global/ {MODIFYCLUSTERSETTING,VIEWACTIVITY} {}
+testuser /vtable/crdb_internal/tables {SELECT} {}
+testuser2 /externalconn/foo {ALL} {}
+testuser2 /global/ {VIEWACTIVITYREDACTED} {}
+testuser2 /vtable/crdb_internal/databases {SELECT} {}
+testuser2 /vtable/crdb_internal/tables {SELECT} {}
+
+exec-sql
+BACKUP INTO 'nodelocal://0/test/'
+----
+
+# Start a new cluster with the same IO dir.
+new-server name=s2 share-io-dir=s1
+----
+
+# Restore into the new cluster.
+exec-sql server=s2
+RESTORE FROM LATEST IN 'nodelocal://0/test/'
+----
+
+query-sql server=s2
+SELECT * FROM system.privileges
+----
+root /externalconn/foo {ALL} {}
+testuser /global/ {MODIFYCLUSTERSETTING,VIEWACTIVITY} {}
+testuser /vtable/crdb_internal/tables {SELECT} {}
+testuser2 /externalconn/foo {ALL} {}
+testuser2 /global/ {VIEWACTIVITYREDACTED} {}
+testuser2 /vtable/crdb_internal/databases {SELECT} {}
+testuser2 /vtable/crdb_internal/tables {SELECT} {}
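Review bot: The post-restore check on s2 only reads raw rows from `system.privileges`, and every row in the fixture has an empty last column (`{}`, presumably grant options). So neither the grant-option data nor the presence of the grantees on the restored cluster is exercised. I would add one grant with an option before the BACKUP, e.g. `GRANT SYSTEM VIEWACTIVITY TO testuser WITH GRANT OPTION;`, and on s2 also confirm the grantees exist, e.g. `SELECT username FROM system.users WHERE username IN ('testuser', 'testuser2')`. Without that, a restore that brought back privilege rows for users that were not restored would still pass this test.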