From fb679c480d9f4654998c621f73b19db19a2c33ed Mon Sep 17 00:00:00 2001 
From: Santamaura Date: Thu, 28 Jul 2022 16:53:06 -0400 Subject: [PATCH] sql, server: add new builtin roles and system privileges for observability This patch introduces 2 new system privileges VIEWDEBUG and VIEWCLUSTERMETADATA. VIEWDEBUG will now be used to gate taking traces and viewing debug endpoints. VIEWCLUSTERMETADATA will now be used to gate the node and range reports. The patch also introduces 3 new builtin roles: crdb_internal_cluster_activity_reader which has the system privilege VIEWACTIVITY. crdb_internal_cluster_activity_writer which has the system privilege CANCELQUERY. crdb_internal_cluster_metadata_reader which has the system privileges VIEWCLUSTERMETADATA, VIEWCLUSTERSETTINGS, and VIEWDEBUG. Resolves #17301, #17302, #17312, #17313, #17316 Release note (sql change): add VIEWDEBUG and VIEWCLUSTERMETADATA system privileges. Add cluster_activity_reader, cluster_activity_writer, cluster_metadata_operator builtin roles. --- docs/generated/sql/bnf/stmt_block.bnf | 2 + pkg/ccl/backupccl/backup_test.go | 28 + pkg/server/admin.go | 63 +- pkg/server/admin_test.go | 22 + pkg/server/server_http.go | 10 +- pkg/server/status.go | 24 +- pkg/sql/create_role.go | 3 +- .../crdb_internal_default_privileges | 1982 ++++++++++------- .../logictest/testdata/logic_test/drop_table | 6 + .../logictest/testdata/logic_test/drop_user | 108 +- .../logictest/testdata/logic_test/event_log | 3 + .../testdata/logic_test/information_schema | 4 +- pkg/sql/logictest/testdata/logic_test/jobs | 12 + .../logictest/testdata/logic_test/pg_catalog | 22 +- pkg/sql/logictest/testdata/logic_test/role | 65 +- .../logictest/testdata/logic_test/show_source | 11 +- .../testdata/logic_test/system_privileges | 81 +- pkg/sql/logictest/testdata/logic_test/user | 58 +- pkg/sql/opt/exec/execbuilder/testdata/explain | 22 +- pkg/sql/parser/sql.y | 6 +- pkg/sql/pgwire/pgwire_test.go | 3 + pkg/sql/privilege/kind_string.go | 6 +- pkg/sql/privilege/privilege.go | 9 +- 
pkg/sql/schemachanger/schemachanger_test.go | 24 + pkg/startupmigrations/migrations.go | 85 + pkg/startupmigrations/migrations_test.go | 40 + 26 files changed, 1771 insertions(+), 928 deletions(-) diff --git a/docs/generated/sql/bnf/stmt_block.bnf b/docs/generated/sql/bnf/stmt_block.bnf index c7bf3339aeee..56e6b86441fc 100644 --- a/docs/generated/sql/bnf/stmt_block.bnf +++ b/docs/generated/sql/bnf/stmt_block.bnf @@ -1355,7 +1355,9 @@ unreserved_keyword ::= | 'VIEW' | 'VIEWACTIVITY' | 'VIEWACTIVITYREDACTED' + | 'VIEWCLUSTERMETADATA' | 'VIEWCLUSTERSETTING' + | 'VIEWDEBUG' | 'VISIBLE' | 'VOLATILE' | 'VOTERS' diff --git a/pkg/ccl/backupccl/backup_test.go b/pkg/ccl/backupccl/backup_test.go index 44f34c938df8..8f1a9ea05921 100644 --- a/pkg/ccl/backupccl/backup_test.go +++ b/pkg/ccl/backupccl/backup_test.go @@ -712,9 +712,17 @@ func TestBackupAndRestoreJobDescription(t *testing.T) { full1 := strings.TrimPrefix(matches[0], "/full") asOf1 := strings.TrimPrefix(matches[1], "/full") + updatingUsersString := "updating version for users table" + updatingRoleOptionsString := "updating version for role options table" sqlDB.CheckQueryResults( t, "SELECT description FROM [SHOW JOBS] WHERE status != 'failed'", [][]string{ + {updatingUsersString}, + {updatingRoleOptionsString}, + {updatingUsersString}, + {updatingRoleOptionsString}, + {updatingUsersString}, + {updatingRoleOptionsString}, {fmt.Sprintf("BACKUP TO ('%s', '%s', '%s')", backups[0].(string), backups[1].(string), backups[2].(string))}, {fmt.Sprintf("BACKUP TO ('%s', '%s', '%s') INCREMENTAL FROM '%s'", incrementals[0], 
@@ -5604,11 +5612,19 @@ func TestBackupRestoreShowJob(t *testing.T) { // run by an unrelated startup migration. // TODO (lucy): Update this if/when we decide to change how these jobs queued by // the startup migration are handled. + updatingUsersString := "updating version for users table" + updatingRoleOptionsString := "updating version for role options table" sqlDB.CheckQueryResults( t, "SELECT description FROM [SHOW JOBS] WHERE description != 'updating privileges' ORDER BY description", [][]string{ {"BACKUP DATABASE data TO 'nodelocal://0/foo' WITH revision_history = true"}, {"RESTORE TABLE data.bank FROM 'nodelocal://0/foo' WITH into_db = 'data 2', skip_missing_foreign_keys"}, + {updatingRoleOptionsString}, + {updatingRoleOptionsString}, + {updatingRoleOptionsString}, + {updatingUsersString}, + {updatingUsersString}, + {updatingUsersString}, }, ) } @@ -9580,6 +9596,9 @@ func TestBackupRestoreSystemUsers(t *testing.T) { {"admin", "", "true"}, {"app", "NULL", "false"}, {"app_role", "NULL", "true"}, + {"crdb_internal_cluster_activity_reader", "NULL", "true"}, + {"crdb_internal_cluster_activity_writer", "NULL", "true"}, + {"crdb_internal_cluster_metadata_reader", "NULL", "true"}, {"root", "", "false"}, {"test", "NULL", "false"}, {"test_role", "NULL", "true"}, @@ -9594,6 +9613,9 @@ func TestBackupRestoreSystemUsers(t *testing.T) { {"admin", "", "{}"}, {"app", "", "{admin,app_role}"}, {"app_role", "", "{}"}, + {"crdb_internal_cluster_activity_reader", "NOLOGIN", "{}"}, + {"crdb_internal_cluster_activity_writer", "NOLOGIN", "{}"}, + {"crdb_internal_cluster_metadata_reader", "NOLOGIN", "{}"}, {"root", "", "{admin}"}, {"test", "", "{}"}, {"test_role", "", "{app_role}"}, 
@@ -9614,6 +9636,9 @@ func TestBackupRestoreSystemUsers(t *testing.T) { {"admin", "", "true"}, {"app", "NULL", "false"}, {"app_role", "NULL", "true"}, + {"crdb_internal_cluster_activity_reader", "NULL", "true"}, + {"crdb_internal_cluster_activity_writer", "NULL", "true"}, + {"crdb_internal_cluster_metadata_reader", "NULL", "true"}, {"root", "", "false"}, {"test", "NULL", "false"}, {"test_role", "NULL", "true"}, @@ -9625,6 +9650,9 @@ func TestBackupRestoreSystemUsers(t *testing.T) { {"admin", "", "{}"}, {"app", "", "{}"}, {"app_role", "", "{}"}, + {"crdb_internal_cluster_activity_reader", "NOLOGIN", "{}"}, + {"crdb_internal_cluster_activity_writer", "NOLOGIN", "{}"}, + {"crdb_internal_cluster_metadata_reader", "NOLOGIN", "{}"}, {"root", "", "{admin}"}, {"test", "", "{}"}, {"test_role", "", "{}"}, diff --git a/pkg/server/admin.go b/pkg/server/admin.go index 0f10702fa5dc..48e8300e52d8 100644 --- a/pkg/server/admin.go +++ b/pkg/server/admin.go @@ -1513,14 +1513,17 @@ func (s *adminServer) RangeLog( ctx = s.server.AnnotateCtx(ctx) // Range keys, even when pretty-printed, contain PII. - userName, err := s.requireAdminUser(ctx) + user, _, err := s.getUserAndRole(ctx) if err != nil { - // NB: not using serverError() here since the priv checker - // already returns a proper gRPC error status. return nil, err } - r, err := s.rangeLogHelper(ctx, req, userName) + err = s.requireViewClusterMetadataPermission(ctx) + if err != nil { + return nil, err + } + + r, err := s.rangeLogHelper(ctx, req, user) if err != nil { return nil, serverError(ctx, err) } 
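Review bot: In RangeLog the error from `s.getUserAndRole(ctx)` is returned to the gRPC caller unchanged, although the comment on getUserAndRole (visible in a later hunk) says it returns plain errors that the caller must convert; this should be `return nil, serverError(ctx, err)`. The user lookup also runs before the privilege check and is then repeated inside requireViewClusterMetadataPermission, so calling the permission check first would keep the deny path ahead of any other work. The retained comment says range keys contain PII, and it is worth stating there that this data is now readable by any holder of VIEWCLUSTERMETADATA rather than by admins only. RangeLog's body continues outside the hunk.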
@@ -3535,6 +3538,50 @@ func (c *adminPrivilegeChecker) requireViewActivityAndNoViewActivityRedactedPerm return nil } +// requireViewClusterMetadataPermission requires the user have the VIEWCLUSTERMETADATA +// system privilege and returns an error if the user does not have it. +func (c *adminPrivilegeChecker) requireViewClusterMetadataPermission( + ctx context.Context, +) (err error) { + userName, isAdmin, err := c.getUserAndRole(ctx) + if err != nil { + return serverError(ctx, err) + } + if !isAdmin { + hasViewClusterMetadata := false + if c.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { + hasViewClusterMetadata = c.checkHasSystemPrivilege(ctx, userName, privilege.VIEWCLUSTERMETADATA) + } + if !hasViewClusterMetadata { + return status.Errorf( + codes.PermissionDenied, "this operation requires the %s system privilege", + privilege.VIEWCLUSTERMETADATA) + } + } + return nil +} + +// requireViewDebugPermission requires the user have the VIEWDEBUG system privilege +// and returns an error if the user does not have it. +func (c *adminPrivilegeChecker) requireViewDebugPermission(ctx context.Context) (err error) { + userName, isAdmin, err := c.getUserAndRole(ctx) + if err != nil { + return serverError(ctx, err) + } + if !isAdmin { + hasViewDebug := false + if c.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { + hasViewDebug = c.checkHasSystemPrivilege(ctx, userName, privilege.VIEWDEBUG) + } + if !hasViewDebug { + return status.Errorf( + codes.PermissionDenied, "this operation requires the %s system privilege", + privilege.VIEWCLUSTERMETADATA) + } + } + return nil +} + // Note that the function returns plain errors, and it is the caller's // responsibility to convert them to serverErrors. func (c *adminPrivilegeChecker) getUserAndRole( 
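Review bot: requireViewDebugPermission builds its PermissionDenied message with `privilege.VIEWCLUSTERMETADATA`, so a user denied a debug or tracing endpoint is told to obtain the wrong privilege; the last argument of that `status.Errorf` call should be `privilege.VIEWDEBUG`. The two checkers differ only in the privilege constant, so a single private helper that takes the privilege kind would remove the room for this kind of copy-paste slip. Both doc comments should also say that admins pass unconditionally and that non-admins are always denied while the SystemPrivilegesTable cluster version is inactive, since that is what the code does.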
@@ -3630,7 +3677,7 @@ func (s *adminServer) ListTracingSnapshots( ctx context.Context, req *serverpb.ListTracingSnapshotsRequest, ) (*serverpb.ListTracingSnapshotsResponse, error) { ctx = s.server.AnnotateCtx(ctx) - _, err := s.requireAdminUser(ctx) + err := s.requireViewDebugPermission(ctx) if err != nil { return nil, err } @@ -3657,7 +3704,7 @@ func (s *adminServer) TakeTracingSnapshot( ctx context.Context, req *serverpb.TakeTracingSnapshotRequest, ) (*serverpb.TakeTracingSnapshotResponse, error) { ctx = s.server.AnnotateCtx(ctx) - _, err := s.requireAdminUser(ctx) + err := s.requireViewDebugPermission(ctx) if err != nil { return nil, err } @@ -3701,7 +3748,7 @@ func (s *adminServer) GetTracingSnapshot( ctx context.Context, req *serverpb.GetTracingSnapshotRequest, ) (*serverpb.GetTracingSnapshotResponse, error) { ctx = s.server.AnnotateCtx(ctx) - _, err := s.requireAdminUser(ctx) + err := s.requireViewDebugPermission(ctx) if err != nil { return nil, err } @@ -3760,7 +3807,7 @@ func (s *adminServer) GetTrace( ctx context.Context, req *serverpb.GetTraceRequest, ) (*serverpb.GetTraceResponse, error) { ctx = s.server.AnnotateCtx(ctx) - _, err := s.requireAdminUser(ctx) + err := s.requireViewDebugPermission(ctx) if err != nil { return nil, err } diff --git a/pkg/server/admin_test.go b/pkg/server/admin_test.go index 2927e5f76b7f..a10a9385c56c 100644 --- a/pkg/server/admin_test.go +++ b/pkg/server/admin_test.go 
@@ -2828,6 +2828,20 @@ func TestAdminPrivilegeChecker(t *testing.T) { withAdmin: false, withVa: false, withVaRedacted: true, withVaAndRedacted: true, withoutPrivs: true, }, }, + { + "requireViewClusterMetadataPermission", + underTest.requireViewClusterMetadataPermission, + map[username.SQLUsername]bool{ + withAdmin: false, withoutPrivs: true, + }, + }, + { + "requireViewDebugPermission", + underTest.requireViewDebugPermission, + map[username.SQLUsername]bool{ + withAdmin: false, withoutPrivs: true, + }, + }, } // test system privileges if valid version if s.ClusterSettings().Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { @@ -2838,10 +2852,16 @@ func TestAdminPrivilegeChecker(t *testing.T) { sqlDB.Exec(t, "CREATE USER withvaandredactedsystemprivilege") sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvaandredactedsystemprivilege") sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaandredactedsystemprivilege") + sqlDB.Exec(t, "CREATE USER withviewclustermetadata") + sqlDB.Exec(t, "GRANT SYSTEM VIEWCLUSTERMETADATA TO withviewclustermetadata") + sqlDB.Exec(t, "CREATE USER withviewdebug") + sqlDB.Exec(t, "GRANT SYSTEM VIEWDEBUG TO withviewdebug") withVaSystemPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvasystemprivilege") withVaRedactedSystemPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaredactedsystemprivilege") withVaAndRedactedSystemPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaandredactedsystemprivilege") + withviewclustermetadata := username.MakeSQLUsernameFromPreNormalizedString("withviewclustermetadata") + withViewDebug := username.MakeSQLUsernameFromPreNormalizedString("withviewdebug") tests[0].usernameWantErr[withVaSystemPrivilege] = false tests[1].usernameWantErr[withVaSystemPrivilege] = false 
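Review bot: The two new table entries list only `withAdmin` and `withoutPrivs`, and the assignments added in the following hunk contribute one positive case each, so nothing asserts that `withviewdebug` is rejected by requireViewClusterMetadataPermission or that `withviewclustermetadata` is rejected by requireViewDebugPermission. Adding the cross cases next to the existing assignments, `tests[3].usernameWantErr[withViewDebug] = true` and `tests[4].usernameWantErr[withviewclustermetadata] = true`, would catch a checker wired to the wrong privilege. As a style point, `withviewclustermetadata` should be spelled `withViewClusterMetadata` to match the neighbouring `withViewDebug`.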
@@ -2852,6 +2872,8 @@ func TestAdminPrivilegeChecker(t *testing.T) { tests[0].usernameWantErr[withVaAndRedactedSystemPrivilege] = false tests[1].usernameWantErr[withVaAndRedactedSystemPrivilege] = false tests[2].usernameWantErr[withVaAndRedactedSystemPrivilege] = true + tests[3].usernameWantErr[withviewclustermetadata] = false + tests[4].usernameWantErr[withViewDebug] = false } for _, tt := range tests { diff --git a/pkg/server/server_http.go b/pkg/server/server_http.go index f417eec4daa6..43a87e677ef2 100644 --- a/pkg/server/server_http.go +++ b/pkg/server/server_http.go @@ -185,13 +185,9 @@ func makeAdminAuthzCheckHandler( md := forwardAuthenticationMetadata(req.Context(), req) authCtx := metadata.NewIncomingContext(req.Context(), md) // Check the privileges of the requester. - _, err := adminAuthzCheck.requireAdminUser(authCtx) - if errors.Is(err, errRequiresAdmin) { - http.Error(w, "admin privilege required", http.StatusUnauthorized) - return - } else if err != nil { - log.Ops.Infof(authCtx, "web session error: %s", err) - http.Error(w, "error checking authentication", http.StatusInternalServerError) + err := adminAuthzCheck.requireViewDebugPermission(authCtx) + if err != nil { + http.Error(w, "admin privilege or VIEWDEBUG system privilege required", http.StatusUnauthorized) return } // Forward the request to the inner handler. diff --git a/pkg/server/status.go b/pkg/server/status.go index e7d385dd4f71..026bea2bdafc 100644 --- a/pkg/server/status.go +++ b/pkg/server/status.go @@ -800,9 +800,8 @@ func (s *statusServer) AllocatorRange( ctx = propagateGatewayMetadata(ctx) ctx = s.AnnotateCtx(ctx) - if _, err := s.privilegeChecker.requireAdminUser(ctx); err != nil { - // NB: not using serverError() here since the priv checker - // already returns a proper gRPC error status. + err := s.privilegeChecker.requireViewClusterMetadataPermission(ctx) + if err != nil { return nil, err } 
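Review bot: In makeAdminAuthzCheckHandler every error from `requireViewDebugPermission` now yields a 401 with the "privilege required" text, including the serverError path taken when the user lookup itself fails, and the removed `log.Ops.Infof` call means that failure is no longer recorded by this handler. Keep the two outcomes apart: answer with the privilege message only for an authorization error and log and return 500 otherwise, as the old code did. The sketch below uses `grpcutil.IsAuthError`, the helper NodesUI already relies on in status.go; whether it is imported in server_http.go is not visible here. The enclosing handler starts and ends outside the hunk.

```go
err := adminAuthzCheck.requireViewDebugPermission(authCtx)
if err != nil {
	if grpcutil.IsAuthError(err) {
		http.Error(w, "admin privilege or VIEWDEBUG system privilege required", http.StatusUnauthorized)
		return
	}
	log.Ops.Infof(authCtx, "web session error: %s", err)
	http.Error(w, "error checking authentication", http.StatusInternalServerError)
	return
}
// … unchanged: forward the request to the inner handler …
```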
@@ -1453,7 +1452,7 @@ func (s *statusServer) Nodes( ctx = propagateGatewayMetadata(ctx) ctx = s.AnnotateCtx(ctx) - err := s.privilegeChecker.requireViewActivityPermission(ctx) + err := s.privilegeChecker.requireViewClusterMetadataPermission(ctx) if err != nil { return nil, err } @@ -1471,14 +1470,14 @@ func (s *statusServer) NodesUI( ctx = propagateGatewayMetadata(ctx) ctx = s.AnnotateCtx(ctx) - hasViewActivity := false - err := s.privilegeChecker.requireViewActivityPermission(ctx) + hasViewClusterMetadata := false + err := s.privilegeChecker.requireViewClusterMetadataPermission(ctx) if err != nil { if !grpcutil.IsAuthError(err) { return nil, err } } else { - hasViewActivity = true + hasViewClusterMetadata = true } internalResp, _, err := s.nodesHelper(ctx, 0 /* limit */, 0 /* offset */) @@ -1490,13 +1489,13 @@ func (s *statusServer) NodesUI( LivenessByNodeID: internalResp.LivenessByNodeID, } for i, nodeStatus := range internalResp.Nodes { - resp.Nodes[i] = nodeStatusToResp(&nodeStatus, hasViewActivity) + resp.Nodes[i] = nodeStatusToResp(&nodeStatus, hasViewClusterMetadata) } return resp, nil } -func nodeStatusToResp(n *statuspb.NodeStatus, hasViewActivity bool) serverpb.NodeResponse { +func nodeStatusToResp(n *statuspb.NodeStatus, hasViewClusterMetadata bool) serverpb.NodeResponse { tiers := make([]serverpb.Tier, len(n.Desc.Locality.Tiers)) for j, t := range n.Desc.Locality.Tiers { tiers[j] = serverpb.Tier{ @@ -1552,7 +1551,7 @@ func nodeStatusToResp(n *statuspb.NodeStatus, hasViewActivity bool) serverpb.Nod sfsprops := &roachpb.FileStoreProperties{ FsType: fsprops.FsType, } - if hasViewActivity { + if hasViewClusterMetadata { sfsprops.Path = fsprops.Path sfsprops.BlockDevice = fsprops.BlockDevice sfsprops.MountPoint = fsprops.MountPoint 
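Review bot: Nodes switches from requireViewActivityPermission to requireViewClusterMetadataPermission without a comment recording the new contract, and the new checker has no fallback: while the SystemPrivilegesTable version gate is inactive `hasViewClusterMetadata` stays false and every non-admin is denied. That is the safe direction, but callers that were admitted through the VIEWACTIVITY check will start receiving PermissionDenied, so the requirement should be written down at the call site, for example `// Requires admin or the VIEWCLUSTERMETADATA system privilege; VIEWACTIVITY no longer grants access.` The same applies to nodeStatusToResp in the later hunks on this line, where a doc comment naming the fields withheld when `hasViewClusterMetadata` is false (Path, BlockDevice, MountPoint, Args, Env, Attrs in the visible lines) would make the redaction boundary reviewable. Both functions continue outside their hunks.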
@@ -1577,7 +1576,7 @@ func nodeStatusToResp(n *statuspb.NodeStatus, hasViewActivity bool) serverpb.Nod NumCpus: n.NumCpus, } - if hasViewActivity { + if hasViewClusterMetadata { resp.Args = n.Args resp.Env = n.Env resp.Desc.Attrs = n.Desc.Attrs @@ -1916,7 +1915,8 @@ func (s *statusServer) rangesHelper( ctx = propagateGatewayMetadata(ctx) ctx = s.AnnotateCtx(ctx) - if _, err := s.privilegeChecker.requireAdminUser(ctx); err != nil { + err := s.privilegeChecker.requireViewClusterMetadataPermission(ctx) + if err != nil { return nil, 0, err } diff --git a/pkg/sql/create_role.go b/pkg/sql/create_role.go index 5f33766a32cf..dd4059efc159 100644 --- a/pkg/sql/create_role.go +++ b/pkg/sql/create_role.go @@ -98,7 +98,8 @@ func (p *planner) CreateRoleNode( return nil, err } // Reject the reserved roles. - if roleName.IsReserved() { + user := p.SessionData().User() + if roleName.IsReserved() && !user.IsNodeUser() { return nil, pgerror.Newf( pgcode.ReservedName, "role name %q is reserved", diff --git a/pkg/sql/logictest/testdata/logic_test/crdb_internal_default_privileges b/pkg/sql/logictest/testdata/logic_test/crdb_internal_default_privileges index e93d35af652e..80280eae3f65 100644 --- a/pkg/sql/logictest/testdata/logic_test/crdb_internal_default_privileges +++ b/pkg/sql/logictest/testdata/logic_test/crdb_internal_default_privileges 
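Review bot: In CreateRoleNode the new condition `roleName.IsReserved() && !user.IsNodeUser()` lets a session running as the node user create any reserved role name, not only the three builtin roles this patch introduces, and the comment above it still reads "Reject the reserved roles." If the exemption exists only so the startup migration can create the crdb_internal_* roles (an inference from the commit message and diffstat), consider limiting it to those names. In either case the comment should describe the exception, e.g. `// Reject reserved role names, except for the node user, which creates the builtin roles.` CreateRoleNode's body continues outside the hunk.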
@@ -7,86 +7,158 @@ ALTER DEFAULT PRIVILEGES GRANT SELECT ON SEQUENCES TO PUBLIC; query TTTBTTTB colnames,rowsort SELECT * FROM crdb_internal.default_privileges ---- -database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable -defaultdb NULL admin false tables admin ALL true -defaultdb NULL admin false sequences admin ALL true -defaultdb NULL admin false types admin ALL true -defaultdb NULL admin false schemas admin ALL true -defaultdb NULL admin false functions admin ALL true -defaultdb NULL admin false types public USAGE false -defaultdb NULL root false tables root ALL true -defaultdb NULL root false sequences root ALL true -defaultdb NULL root false types root ALL true -defaultdb NULL root false schemas root ALL true -defaultdb NULL root false functions root ALL true -defaultdb NULL root false types public USAGE false -defaultdb NULL testuser false tables testuser ALL true -defaultdb NULL testuser false sequences testuser ALL true -defaultdb NULL testuser false types testuser ALL true -defaultdb NULL testuser false schemas testuser ALL true -defaultdb NULL testuser false functions testuser ALL true -defaultdb NULL testuser false types public USAGE false -defaultdb NULL NULL true types public USAGE false -postgres NULL admin false tables admin ALL true -postgres NULL admin false sequences admin ALL true -postgres NULL admin false types admin ALL true -postgres NULL admin false schemas admin ALL true -postgres NULL admin false functions admin ALL true -postgres NULL admin false types public USAGE false -postgres NULL root false tables root ALL true -postgres NULL root false sequences root ALL true -postgres NULL root false types root ALL true -postgres NULL root false schemas root ALL true -postgres NULL root false functions root ALL true -postgres NULL root false types public USAGE false -postgres NULL testuser false tables testuser ALL true -postgres NULL testuser false sequences testuser ALL true -postgres NULL testuser false 
types testuser ALL true -postgres NULL testuser false schemas testuser ALL true -postgres NULL testuser false functions testuser ALL true -postgres NULL testuser false types public USAGE false -postgres NULL NULL true types public USAGE false -system NULL admin false tables admin ALL true -system NULL admin false sequences admin ALL true -system NULL admin false types admin ALL true -system NULL admin false schemas admin ALL true -system NULL admin false functions admin ALL true -system NULL admin false types public USAGE false -system NULL root false tables root ALL true -system NULL root false sequences root ALL true -system NULL root false types root ALL true -system NULL root false schemas root ALL true -system NULL root false functions root ALL true -system NULL root false types public USAGE false -system NULL testuser false tables testuser ALL true -system NULL testuser false sequences testuser ALL true -system NULL testuser false types testuser ALL true -system NULL testuser false schemas testuser ALL true -system NULL testuser false functions testuser ALL true -system NULL testuser false types public USAGE false -system NULL NULL true types public USAGE false -test NULL admin false tables admin ALL true -test NULL admin false sequences admin ALL true -test NULL admin false types admin ALL true -test NULL admin false schemas admin ALL true -test NULL admin false functions admin ALL true -test NULL admin false types public USAGE false -test NULL root false tables public SELECT false -test NULL root false sequences public SELECT false -test NULL root false schemas public USAGE false -test NULL root false tables root ALL true -test NULL root false sequences root ALL true -test NULL root false types root ALL true -test NULL root false schemas root ALL true -test NULL root false functions root ALL true -test NULL root false types public USAGE false -test NULL testuser false tables testuser ALL true -test NULL testuser false sequences testuser ALL true -test NULL 
testuser false types testuser ALL true -test NULL testuser false schemas testuser ALL true -test NULL testuser false functions testuser ALL true -test NULL testuser false types public USAGE false -test NULL NULL true types public USAGE false +database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable +defaultdb NULL admin false tables admin ALL true +defaultdb NULL admin false sequences admin ALL true +defaultdb NULL admin false types admin ALL true +defaultdb NULL admin false schemas admin ALL true +defaultdb NULL admin false functions admin ALL true +defaultdb NULL admin false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types public USAGE false +defaultdb NULL 
crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types public USAGE false +defaultdb NULL root false tables root ALL true +defaultdb NULL root false sequences root ALL true +defaultdb NULL root false types root ALL true +defaultdb NULL root false schemas root ALL true +defaultdb NULL root false functions root ALL true +defaultdb NULL root false types public USAGE false +defaultdb NULL testuser false tables testuser ALL true +defaultdb NULL testuser false sequences testuser ALL true +defaultdb NULL testuser false types testuser ALL true +defaultdb NULL testuser false schemas testuser ALL true +defaultdb NULL testuser false functions testuser ALL true +defaultdb NULL testuser false types public USAGE false +defaultdb NULL NULL true types public USAGE false +postgres NULL admin false tables admin ALL true +postgres NULL admin false sequences admin ALL true +postgres NULL admin false types admin ALL true +postgres NULL admin false schemas admin ALL true +postgres NULL admin false functions admin ALL true +postgres NULL admin false types public USAGE false +postgres NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +postgres NULL 
crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types public USAGE false +postgres NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types public USAGE false +postgres NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types public USAGE false +postgres NULL root false tables root ALL true +postgres NULL root false sequences root ALL true +postgres NULL root false types root ALL true +postgres NULL root false schemas root ALL true +postgres NULL root false functions root ALL true +postgres NULL root false types public USAGE false +postgres NULL testuser false tables testuser ALL true +postgres NULL testuser false sequences 
testuser ALL true +postgres NULL testuser false types testuser ALL true +postgres NULL testuser false schemas testuser ALL true +postgres NULL testuser false functions testuser ALL true +postgres NULL testuser false types public USAGE false +postgres NULL NULL true types public USAGE false +system NULL admin false tables admin ALL true +system NULL admin false sequences admin ALL true +system NULL admin false types admin ALL true +system NULL admin false schemas admin ALL true +system NULL admin false functions admin ALL true +system NULL admin false types public USAGE false +system NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types public USAGE false +system NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types public USAGE false +system NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +system NULL 
crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types public USAGE false +system NULL root false tables root ALL true +system NULL root false sequences root ALL true +system NULL root false types root ALL true +system NULL root false schemas root ALL true +system NULL root false functions root ALL true +system NULL root false types public USAGE false +system NULL testuser false tables testuser ALL true +system NULL testuser false sequences testuser ALL true +system NULL testuser false types testuser ALL true +system NULL testuser false schemas testuser ALL true +system NULL testuser false functions testuser ALL true +system NULL testuser false types public USAGE false +system NULL NULL true types public USAGE false +test NULL admin false tables admin ALL true +test NULL admin false sequences admin ALL true +test NULL admin false types admin ALL true +test NULL admin false schemas admin ALL true +test NULL admin false functions admin ALL true +test NULL admin false types public USAGE false +test NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL 
true +test NULL crdb_internal_cluster_activity_reader false types public USAGE false +test NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types public USAGE false +test NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test NULL root false schemas public USAGE false +test NULL root false tables public SELECT false +test NULL root false sequences public SELECT false +test NULL root false tables root ALL true +test NULL root false sequences root ALL true +test NULL root false types root ALL true +test NULL root false schemas root ALL true +test NULL root false functions root ALL true +test NULL root false types public USAGE false +test NULL testuser false tables testuser ALL true +test NULL testuser false sequences testuser ALL true +test NULL testuser false types testuser ALL true +test NULL testuser false schemas testuser ALL true +test NULL testuser false 
functions testuser ALL true +test NULL testuser false types public USAGE false +test NULL NULL true types public USAGE false statement ok CREATE USER foo 
@@ -232,134 +304,206 @@ ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON SEQUENCES FROM foo, bar query TTTBTTTB colnames,rowsort SELECT * FROM crdb_internal.default_privileges ---- -database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable -defaultdb NULL admin false tables admin ALL true -defaultdb NULL admin false sequences admin ALL true -defaultdb NULL admin false types admin ALL true -defaultdb NULL admin false schemas admin ALL true -defaultdb NULL admin false functions admin ALL true -defaultdb NULL admin false types public USAGE false -defaultdb NULL bar false tables bar ALL true -defaultdb NULL bar false sequences bar ALL true -defaultdb NULL bar false types bar ALL true -defaultdb NULL bar false schemas bar ALL true -defaultdb NULL bar false functions bar ALL true -defaultdb NULL bar false types public USAGE false -defaultdb NULL foo false tables foo ALL true -defaultdb NULL foo false sequences foo ALL true -defaultdb NULL foo false types foo ALL true -defaultdb NULL foo false schemas foo ALL true -defaultdb NULL foo false functions foo ALL true -defaultdb NULL foo false types public USAGE false -defaultdb NULL root false tables root ALL true -defaultdb NULL root false sequences root ALL true -defaultdb NULL root false types root ALL true -defaultdb NULL root false schemas root ALL true -defaultdb NULL root false functions root ALL true -defaultdb NULL root false types public USAGE false -defaultdb NULL testuser false tables testuser ALL true -defaultdb NULL testuser false sequences testuser ALL true -defaultdb NULL testuser false types testuser ALL true -defaultdb NULL testuser false schemas testuser ALL true -defaultdb NULL testuser false functions testuser ALL true -defaultdb NULL testuser false types public USAGE false -defaultdb NULL NULL true types public USAGE false -postgres NULL admin false tables admin ALL true -postgres NULL admin false sequences admin ALL true -postgres NULL admin false types admin 
ALL true -postgres NULL admin false schemas admin ALL true -postgres NULL admin false functions admin ALL true -postgres NULL admin false types public USAGE false -postgres NULL bar false tables bar ALL true -postgres NULL bar false sequences bar ALL true -postgres NULL bar false types bar ALL true -postgres NULL bar false schemas bar ALL true -postgres NULL bar false functions bar ALL true -postgres NULL bar false types public USAGE false -postgres NULL foo false tables foo ALL true -postgres NULL foo false sequences foo ALL true -postgres NULL foo false types foo ALL true -postgres NULL foo false schemas foo ALL true -postgres NULL foo false functions foo ALL true -postgres NULL foo false types public USAGE false -postgres NULL root false tables root ALL true -postgres NULL root false sequences root ALL true -postgres NULL root false types root ALL true -postgres NULL root false schemas root ALL true -postgres NULL root false functions root ALL true -postgres NULL root false types public USAGE false -postgres NULL testuser false tables testuser ALL true -postgres NULL testuser false sequences testuser ALL true -postgres NULL testuser false types testuser ALL true -postgres NULL testuser false schemas testuser ALL true -postgres NULL testuser false functions testuser ALL true -postgres NULL testuser false types public USAGE false -postgres NULL NULL true types public USAGE false -system NULL admin false tables admin ALL true -system NULL admin false sequences admin ALL true -system NULL admin false types admin ALL true -system NULL admin false schemas admin ALL true -system NULL admin false functions admin ALL true -system NULL admin false types public USAGE false -system NULL bar false tables bar ALL true -system NULL bar false sequences bar ALL true -system NULL bar false types bar ALL true -system NULL bar false schemas bar ALL true -system NULL bar false functions bar ALL true -system NULL bar false types public USAGE false -system NULL foo false tables foo 
ALL true -system NULL foo false sequences foo ALL true -system NULL foo false types foo ALL true -system NULL foo false schemas foo ALL true -system NULL foo false functions foo ALL true -system NULL foo false types public USAGE false -system NULL root false tables root ALL true -system NULL root false sequences root ALL true -system NULL root false types root ALL true -system NULL root false schemas root ALL true -system NULL root false functions root ALL true -system NULL root false types public USAGE false -system NULL testuser false tables testuser ALL true -system NULL testuser false sequences testuser ALL true -system NULL testuser false types testuser ALL true -system NULL testuser false schemas testuser ALL true -system NULL testuser false functions testuser ALL true -system NULL testuser false types public USAGE false -system NULL NULL true types public USAGE false -test NULL admin false tables admin ALL true -test NULL admin false sequences admin ALL true -test NULL admin false types admin ALL true -test NULL admin false schemas admin ALL true -test NULL admin false functions admin ALL true -test NULL admin false types public USAGE false -test NULL bar false functions bar ALL true -test NULL bar false types public USAGE false -test NULL foo false functions foo ALL true -test NULL foo false types public USAGE false -test NULL root false tables bar ALL false -test NULL root false tables foo ALL false -test NULL root false tables public SELECT false -test NULL root false sequences bar ALL false -test NULL root false sequences foo ALL false -test NULL root false sequences public SELECT false -test NULL root false types bar ALL false -test NULL root false types foo ALL false -test NULL root false schemas bar ALL false -test NULL root false schemas foo ALL false -test NULL root false schemas public USAGE false -test NULL root false tables root ALL true -test NULL root false sequences root ALL true -test NULL root false types root ALL true -test NULL root false 
schemas root ALL true -test NULL root false functions root ALL true -test NULL root false types public USAGE false -test NULL testuser false tables testuser ALL true -test NULL testuser false sequences testuser ALL true -test NULL testuser false types testuser ALL true -test NULL testuser false schemas testuser ALL true -test NULL testuser false functions testuser ALL true -test NULL testuser false types public USAGE false -test NULL NULL true types public USAGE false +database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable +defaultdb NULL admin false tables admin ALL true +defaultdb NULL admin false sequences admin ALL true +defaultdb NULL admin false types admin ALL true +defaultdb NULL admin false schemas admin ALL true +defaultdb NULL admin false functions admin ALL true +defaultdb NULL admin false types public USAGE false +defaultdb NULL bar false tables bar ALL true +defaultdb NULL bar false sequences bar ALL true +defaultdb NULL bar false types bar ALL true +defaultdb NULL bar false schemas bar ALL true +defaultdb NULL bar false functions bar ALL true +defaultdb NULL bar false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false 
sequences crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types public USAGE false +defaultdb NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types public USAGE false +defaultdb NULL foo false tables foo ALL true +defaultdb NULL foo false sequences foo ALL true +defaultdb NULL foo false types foo ALL true +defaultdb NULL foo false schemas foo ALL true +defaultdb NULL foo false functions foo ALL true +defaultdb NULL foo false types public USAGE false +defaultdb NULL root false tables root ALL true +defaultdb NULL root false sequences root ALL true +defaultdb NULL root false types root ALL true +defaultdb NULL root false schemas root ALL true +defaultdb NULL root false functions root ALL true +defaultdb NULL root false types public USAGE false +defaultdb NULL testuser false tables testuser ALL true +defaultdb NULL testuser false sequences testuser ALL true +defaultdb NULL testuser false types testuser ALL true +defaultdb NULL testuser false schemas testuser ALL true +defaultdb NULL testuser false 
functions testuser ALL true +defaultdb NULL testuser false types public USAGE false +defaultdb NULL NULL true types public USAGE false +postgres NULL admin false tables admin ALL true +postgres NULL admin false sequences admin ALL true +postgres NULL admin false types admin ALL true +postgres NULL admin false schemas admin ALL true +postgres NULL admin false functions admin ALL true +postgres NULL admin false types public USAGE false +postgres NULL bar false tables bar ALL true +postgres NULL bar false sequences bar ALL true +postgres NULL bar false types bar ALL true +postgres NULL bar false schemas bar ALL true +postgres NULL bar false functions bar ALL true +postgres NULL bar false types public USAGE false +postgres NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types public USAGE false +postgres NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer 
false types public USAGE false +postgres NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types public USAGE false +postgres NULL foo false tables foo ALL true +postgres NULL foo false sequences foo ALL true +postgres NULL foo false types foo ALL true +postgres NULL foo false schemas foo ALL true +postgres NULL foo false functions foo ALL true +postgres NULL foo false types public USAGE false +postgres NULL root false tables root ALL true +postgres NULL root false sequences root ALL true +postgres NULL root false types root ALL true +postgres NULL root false schemas root ALL true +postgres NULL root false functions root ALL true +postgres NULL root false types public USAGE false +postgres NULL testuser false tables testuser ALL true +postgres NULL testuser false sequences testuser ALL true +postgres NULL testuser false types testuser ALL true +postgres NULL testuser false schemas testuser ALL true +postgres NULL testuser false functions testuser ALL true +postgres NULL testuser false types public USAGE false +postgres NULL NULL true types public USAGE false +system NULL admin false tables admin ALL true +system NULL admin false sequences admin ALL true +system NULL admin false types admin ALL true +system NULL admin false schemas admin ALL true +system NULL admin false functions admin ALL true +system NULL admin false types public USAGE false +system NULL bar false tables bar ALL true +system NULL bar 
false sequences bar ALL true +system NULL bar false types bar ALL true +system NULL bar false schemas bar ALL true +system NULL bar false functions bar ALL true +system NULL bar false types public USAGE false +system NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types public USAGE false +system NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types public USAGE false +system NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false 
functions crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types public USAGE false +system NULL foo false tables foo ALL true +system NULL foo false sequences foo ALL true +system NULL foo false types foo ALL true +system NULL foo false schemas foo ALL true +system NULL foo false functions foo ALL true +system NULL foo false types public USAGE false +system NULL root false tables root ALL true +system NULL root false sequences root ALL true +system NULL root false types root ALL true +system NULL root false schemas root ALL true +system NULL root false functions root ALL true +system NULL root false types public USAGE false +system NULL testuser false tables testuser ALL true +system NULL testuser false sequences testuser ALL true +system NULL testuser false types testuser ALL true +system NULL testuser false schemas testuser ALL true +system NULL testuser false functions testuser ALL true +system NULL testuser false types public USAGE false +system NULL NULL true types public USAGE false +test NULL admin false tables admin ALL true +test NULL admin false sequences admin ALL true +test NULL admin false types admin ALL true +test NULL admin false schemas admin ALL true +test NULL admin false functions admin ALL true +test NULL admin false types public USAGE false +test NULL bar false functions bar ALL true +test NULL bar false types public USAGE false +test NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test NULL 
crdb_internal_cluster_activity_reader false types public USAGE false +test NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types public USAGE false +test NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test NULL foo false functions foo ALL true +test NULL foo false types public USAGE false +test NULL root false tables bar ALL false +test NULL root false tables foo ALL false +test NULL root false tables public SELECT false +test NULL root false sequences bar ALL false +test NULL root false sequences foo ALL false +test NULL root false sequences public SELECT false +test NULL root false types bar ALL false +test NULL root false types foo ALL false +test NULL root false schemas bar ALL false +test NULL root false schemas foo ALL false +test NULL root false schemas public USAGE false +test NULL root false tables root ALL true +test NULL root false sequences 
root ALL true +test NULL root false types root ALL true +test NULL root false schemas root ALL true +test NULL root false functions root ALL true +test NULL root false types public USAGE false +test NULL testuser false tables testuser ALL true +test NULL testuser false sequences testuser ALL true +test NULL testuser false types testuser ALL true +test NULL testuser false schemas testuser ALL true +test NULL testuser false functions testuser ALL true +test NULL testuser false types public USAGE false +test NULL NULL true types public USAGE false statement ok ALTER DEFAULT PRIVILEGES REVOKE SELECT ON TABLES FROM foo, bar, public; 
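Review bot: The expectation for `SELECT * FROM crdb_internal.default_privileges` is unfiltered, so the three new `crdb_internal_cluster_*` roles add 18 rows per database (72 of the 200 expected rows in this block). That buries the rows this test is actually about, the `foo`/`bar` grants under `root` in database `test`, and the other expectation blocks in this file have the same problem. Consider narrowing these queries, e.g. `SELECT * FROM crdb_internal.default_privileges WHERE role IS NULL OR role NOT LIKE 'crdb_internal_%'`, and keeping one dedicated query that pins the builtin roles' rows. That dedicated block should carry a `#` comment saying whether `ALL` with `is_grantable = true` for each builtin role on its own objects is intended. The commit message describes these roles as carriers of system privileges, and whether they can own objects at all is not visible from this hunk.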
@@ -370,134 +514,206 @@ ALTER DEFAULT PRIVILEGES REVOKE ALL ON SEQUENCES FROM foo, bar, public; query TTTBTTTB colnames,rowsort SELECT * FROM crdb_internal.default_privileges ---- -database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable -defaultdb NULL admin false tables admin ALL true -defaultdb NULL admin false sequences admin ALL true -defaultdb NULL admin false types admin ALL true -defaultdb NULL admin false schemas admin ALL true -defaultdb NULL admin false functions admin ALL true -defaultdb NULL admin false types public USAGE false -defaultdb NULL bar false tables bar ALL true -defaultdb NULL bar false sequences bar ALL true -defaultdb NULL bar false types bar ALL true -defaultdb NULL bar false schemas bar ALL true -defaultdb NULL bar false functions bar ALL true -defaultdb NULL bar false types public USAGE false -defaultdb NULL foo false tables foo ALL true -defaultdb NULL foo false sequences foo ALL true -defaultdb NULL foo false types foo ALL true -defaultdb NULL foo false schemas foo ALL true -defaultdb NULL foo false functions foo ALL true -defaultdb NULL foo false types public USAGE false -defaultdb NULL root false tables root ALL true -defaultdb NULL root false sequences root ALL true -defaultdb NULL root false types root ALL true -defaultdb NULL root false schemas root ALL true -defaultdb NULL root false functions root ALL true -defaultdb NULL root false types public USAGE false -defaultdb NULL testuser false tables testuser ALL true -defaultdb NULL testuser false sequences testuser ALL true -defaultdb NULL testuser false types testuser ALL true -defaultdb NULL testuser false schemas testuser ALL true -defaultdb NULL testuser false functions testuser ALL true -defaultdb NULL testuser false types public USAGE false -defaultdb NULL NULL true types public USAGE false -postgres NULL admin false tables admin ALL true -postgres NULL admin false sequences admin ALL true -postgres NULL admin false types admin ALL true 
-postgres NULL admin false schemas admin ALL true -postgres NULL admin false functions admin ALL true -postgres NULL admin false types public USAGE false -postgres NULL bar false tables bar ALL true -postgres NULL bar false sequences bar ALL true -postgres NULL bar false types bar ALL true -postgres NULL bar false schemas bar ALL true -postgres NULL bar false functions bar ALL true -postgres NULL bar false types public USAGE false -postgres NULL foo false tables foo ALL true -postgres NULL foo false sequences foo ALL true -postgres NULL foo false types foo ALL true -postgres NULL foo false schemas foo ALL true -postgres NULL foo false functions foo ALL true -postgres NULL foo false types public USAGE false -postgres NULL root false tables root ALL true -postgres NULL root false sequences root ALL true -postgres NULL root false types root ALL true -postgres NULL root false schemas root ALL true -postgres NULL root false functions root ALL true -postgres NULL root false types public USAGE false -postgres NULL testuser false tables testuser ALL true -postgres NULL testuser false sequences testuser ALL true -postgres NULL testuser false types testuser ALL true -postgres NULL testuser false schemas testuser ALL true -postgres NULL testuser false functions testuser ALL true -postgres NULL testuser false types public USAGE false -postgres NULL NULL true types public USAGE false -system NULL admin false tables admin ALL true -system NULL admin false sequences admin ALL true -system NULL admin false types admin ALL true -system NULL admin false schemas admin ALL true -system NULL admin false functions admin ALL true -system NULL admin false types public USAGE false -system NULL bar false tables bar ALL true -system NULL bar false sequences bar ALL true -system NULL bar false types bar ALL true -system NULL bar false schemas bar ALL true -system NULL bar false functions bar ALL true -system NULL bar false types public USAGE false -system NULL foo false tables foo ALL true 
-system NULL foo false sequences foo ALL true -system NULL foo false types foo ALL true -system NULL foo false schemas foo ALL true -system NULL foo false functions foo ALL true -system NULL foo false types public USAGE false -system NULL root false tables root ALL true -system NULL root false sequences root ALL true -system NULL root false types root ALL true -system NULL root false schemas root ALL true -system NULL root false functions root ALL true -system NULL root false types public USAGE false -system NULL testuser false tables testuser ALL true -system NULL testuser false sequences testuser ALL true -system NULL testuser false types testuser ALL true -system NULL testuser false schemas testuser ALL true -system NULL testuser false functions testuser ALL true -system NULL testuser false types public USAGE false -system NULL NULL true types public USAGE false -test NULL admin false tables admin ALL true -test NULL admin false sequences admin ALL true -test NULL admin false types admin ALL true -test NULL admin false schemas admin ALL true -test NULL admin false functions admin ALL true -test NULL admin false types public USAGE false -test NULL bar false functions bar ALL true -test NULL bar false types public USAGE false -test NULL foo false functions foo ALL true -test NULL foo false types public USAGE false -test NULL root false tables bar CREATE false -test NULL root false tables bar DROP false -test NULL root false tables bar INSERT false -test NULL root false tables bar DELETE false -test NULL root false tables bar UPDATE false -test NULL root false tables bar ZONECONFIG false -test NULL root false tables foo CREATE false -test NULL root false tables foo DROP false -test NULL root false tables foo INSERT false -test NULL root false tables foo DELETE false -test NULL root false tables foo UPDATE false -test NULL root false tables foo ZONECONFIG false -test NULL root false tables root ALL true -test NULL root false sequences root ALL true -test NULL root 
false types root ALL true -test NULL root false schemas root ALL true -test NULL root false functions root ALL true -test NULL testuser false tables testuser ALL true -test NULL testuser false sequences testuser ALL true -test NULL testuser false types testuser ALL true -test NULL testuser false schemas testuser ALL true -test NULL testuser false functions testuser ALL true -test NULL testuser false types public USAGE false -test NULL NULL true types public USAGE false +database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable +defaultdb NULL admin false tables admin ALL true +defaultdb NULL admin false sequences admin ALL true +defaultdb NULL admin false types admin ALL true +defaultdb NULL admin false schemas admin ALL true +defaultdb NULL admin false functions admin ALL true +defaultdb NULL admin false types public USAGE false +defaultdb NULL bar false tables bar ALL true +defaultdb NULL bar false sequences bar ALL true +defaultdb NULL bar false types bar ALL true +defaultdb NULL bar false schemas bar ALL true +defaultdb NULL bar false functions bar ALL true +defaultdb NULL bar false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false 
sequences crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types public USAGE false +defaultdb NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types public USAGE false +defaultdb NULL foo false tables foo ALL true +defaultdb NULL foo false sequences foo ALL true +defaultdb NULL foo false types foo ALL true +defaultdb NULL foo false schemas foo ALL true +defaultdb NULL foo false functions foo ALL true +defaultdb NULL foo false types public USAGE false +defaultdb NULL root false tables root ALL true +defaultdb NULL root false sequences root ALL true +defaultdb NULL root false types root ALL true +defaultdb NULL root false schemas root ALL true +defaultdb NULL root false functions root ALL true +defaultdb NULL root false types public USAGE false +defaultdb NULL testuser false tables testuser ALL true +defaultdb NULL testuser false sequences testuser ALL true +defaultdb NULL testuser false types testuser ALL true +defaultdb NULL testuser false schemas testuser ALL true +defaultdb NULL testuser false 
functions testuser ALL true +defaultdb NULL testuser false types public USAGE false +defaultdb NULL NULL true types public USAGE false +postgres NULL admin false tables admin ALL true +postgres NULL admin false sequences admin ALL true +postgres NULL admin false types admin ALL true +postgres NULL admin false schemas admin ALL true +postgres NULL admin false functions admin ALL true +postgres NULL admin false types public USAGE false +postgres NULL bar false tables bar ALL true +postgres NULL bar false sequences bar ALL true +postgres NULL bar false types bar ALL true +postgres NULL bar false schemas bar ALL true +postgres NULL bar false functions bar ALL true +postgres NULL bar false types public USAGE false +postgres NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types public USAGE false +postgres NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer 
false types public USAGE false +postgres NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types public USAGE false +postgres NULL foo false tables foo ALL true +postgres NULL foo false sequences foo ALL true +postgres NULL foo false types foo ALL true +postgres NULL foo false schemas foo ALL true +postgres NULL foo false functions foo ALL true +postgres NULL foo false types public USAGE false +postgres NULL root false tables root ALL true +postgres NULL root false sequences root ALL true +postgres NULL root false types root ALL true +postgres NULL root false schemas root ALL true +postgres NULL root false functions root ALL true +postgres NULL root false types public USAGE false +postgres NULL testuser false tables testuser ALL true +postgres NULL testuser false sequences testuser ALL true +postgres NULL testuser false types testuser ALL true +postgres NULL testuser false schemas testuser ALL true +postgres NULL testuser false functions testuser ALL true +postgres NULL testuser false types public USAGE false +postgres NULL NULL true types public USAGE false +system NULL admin false tables admin ALL true +system NULL admin false sequences admin ALL true +system NULL admin false types admin ALL true +system NULL admin false schemas admin ALL true +system NULL admin false functions admin ALL true +system NULL admin false types public USAGE false +system NULL bar false tables bar ALL true +system NULL bar 
false sequences bar ALL true +system NULL bar false types bar ALL true +system NULL bar false schemas bar ALL true +system NULL bar false functions bar ALL true +system NULL bar false types public USAGE false +system NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types public USAGE false +system NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types public USAGE false +system NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false 
functions crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types public USAGE false +system NULL foo false tables foo ALL true +system NULL foo false sequences foo ALL true +system NULL foo false types foo ALL true +system NULL foo false schemas foo ALL true +system NULL foo false functions foo ALL true +system NULL foo false types public USAGE false +system NULL root false tables root ALL true +system NULL root false sequences root ALL true +system NULL root false types root ALL true +system NULL root false schemas root ALL true +system NULL root false functions root ALL true +system NULL root false types public USAGE false +system NULL testuser false tables testuser ALL true +system NULL testuser false sequences testuser ALL true +system NULL testuser false types testuser ALL true +system NULL testuser false schemas testuser ALL true +system NULL testuser false functions testuser ALL true +system NULL testuser false types public USAGE false +system NULL NULL true types public USAGE false +test NULL admin false tables admin ALL true +test NULL admin false sequences admin ALL true +test NULL admin false types admin ALL true +test NULL admin false schemas admin ALL true +test NULL admin false functions admin ALL true +test NULL admin false types public USAGE false +test NULL bar false functions bar ALL true +test NULL bar false types public USAGE false +test NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test NULL 
crdb_internal_cluster_activity_reader false types public USAGE false +test NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types public USAGE false +test NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test NULL foo false functions foo ALL true +test NULL foo false types public USAGE false +test NULL root false tables bar CREATE false +test NULL root false tables bar DROP false +test NULL root false tables bar INSERT false +test NULL root false tables bar DELETE false +test NULL root false tables bar UPDATE false +test NULL root false tables bar ZONECONFIG false +test NULL root false tables foo CREATE false +test NULL root false tables foo DROP false +test NULL root false tables foo INSERT false +test NULL root false tables foo DELETE false +test NULL root false tables foo UPDATE false +test NULL root false tables foo ZONECONFIG false +test NULL root false 
tables root ALL true +test NULL root false sequences root ALL true +test NULL root false types root ALL true +test NULL root false schemas root ALL true +test NULL root false functions root ALL true +test NULL testuser false tables testuser ALL true +test NULL testuser false sequences testuser ALL true +test NULL testuser false types testuser ALL true +test NULL testuser false schemas testuser ALL true +test NULL testuser false functions testuser ALL true +test NULL testuser false types public USAGE false +test NULL NULL true types public USAGE false statement ok ALTER DEFAULT PRIVILEGES REVOKE ALL ON TABLES FROM foo, bar, public; 
@@ -506,124 +722,196 @@ ALTER DEFAULT PRIVILEGES GRANT DROP, ZONECONFIG ON TABLES TO foo WITH GRANT OPTI query TTTBTTTB colnames,rowsort SELECT * FROM crdb_internal.default_privileges ---- -database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable -defaultdb NULL admin false tables admin ALL true -defaultdb NULL admin false sequences admin ALL true -defaultdb NULL admin false types admin ALL true -defaultdb NULL admin false schemas admin ALL true -defaultdb NULL admin false functions admin ALL true -defaultdb NULL admin false types public USAGE false -defaultdb NULL bar false tables bar ALL true -defaultdb NULL bar false sequences bar ALL true -defaultdb NULL bar false types bar ALL true -defaultdb NULL bar false schemas bar ALL true -defaultdb NULL bar false functions bar ALL true -defaultdb NULL bar false types public USAGE false -defaultdb NULL foo false tables foo ALL true -defaultdb NULL foo false sequences foo ALL true -defaultdb NULL foo false types foo ALL true -defaultdb NULL foo false schemas foo ALL true -defaultdb NULL foo false functions foo ALL true -defaultdb NULL foo false types public USAGE false -defaultdb NULL root false tables root ALL true -defaultdb NULL root false sequences root ALL true -defaultdb NULL root false types root ALL true -defaultdb NULL root false schemas root ALL true -defaultdb NULL root false functions root ALL true -defaultdb NULL root false types public USAGE false -defaultdb NULL testuser false tables testuser ALL true -defaultdb NULL testuser false sequences testuser ALL true -defaultdb NULL testuser false types testuser ALL true -defaultdb NULL testuser false schemas testuser ALL true -defaultdb NULL testuser false functions testuser ALL true -defaultdb NULL testuser false types public USAGE false -defaultdb NULL NULL true types public USAGE false -postgres NULL admin false tables admin ALL true -postgres NULL admin false sequences admin ALL true -postgres NULL admin false types admin 
ALL true -postgres NULL admin false schemas admin ALL true -postgres NULL admin false functions admin ALL true -postgres NULL admin false types public USAGE false -postgres NULL bar false tables bar ALL true -postgres NULL bar false sequences bar ALL true -postgres NULL bar false types bar ALL true -postgres NULL bar false schemas bar ALL true -postgres NULL bar false functions bar ALL true -postgres NULL bar false types public USAGE false -postgres NULL foo false tables foo ALL true -postgres NULL foo false sequences foo ALL true -postgres NULL foo false types foo ALL true -postgres NULL foo false schemas foo ALL true -postgres NULL foo false functions foo ALL true -postgres NULL foo false types public USAGE false -postgres NULL root false tables root ALL true -postgres NULL root false sequences root ALL true -postgres NULL root false types root ALL true -postgres NULL root false schemas root ALL true -postgres NULL root false functions root ALL true -postgres NULL root false types public USAGE false -postgres NULL testuser false tables testuser ALL true -postgres NULL testuser false sequences testuser ALL true -postgres NULL testuser false types testuser ALL true -postgres NULL testuser false schemas testuser ALL true -postgres NULL testuser false functions testuser ALL true -postgres NULL testuser false types public USAGE false -postgres NULL NULL true types public USAGE false -system NULL admin false tables admin ALL true -system NULL admin false sequences admin ALL true -system NULL admin false types admin ALL true -system NULL admin false schemas admin ALL true -system NULL admin false functions admin ALL true -system NULL admin false types public USAGE false -system NULL bar false tables bar ALL true -system NULL bar false sequences bar ALL true -system NULL bar false types bar ALL true -system NULL bar false schemas bar ALL true -system NULL bar false functions bar ALL true -system NULL bar false types public USAGE false -system NULL foo false tables foo 
ALL true -system NULL foo false sequences foo ALL true -system NULL foo false types foo ALL true -system NULL foo false schemas foo ALL true -system NULL foo false functions foo ALL true -system NULL foo false types public USAGE false -system NULL root false tables root ALL true -system NULL root false sequences root ALL true -system NULL root false types root ALL true -system NULL root false schemas root ALL true -system NULL root false functions root ALL true -system NULL root false types public USAGE false -system NULL testuser false tables testuser ALL true -system NULL testuser false sequences testuser ALL true -system NULL testuser false types testuser ALL true -system NULL testuser false schemas testuser ALL true -system NULL testuser false functions testuser ALL true -system NULL testuser false types public USAGE false -system NULL NULL true types public USAGE false -test NULL admin false tables admin ALL true -test NULL admin false sequences admin ALL true -test NULL admin false types admin ALL true -test NULL admin false schemas admin ALL true -test NULL admin false functions admin ALL true -test NULL admin false types public USAGE false -test NULL bar false functions bar ALL true -test NULL bar false types public USAGE false -test NULL foo false functions foo ALL true -test NULL foo false types public USAGE false -test NULL root false tables foo DROP true -test NULL root false tables foo ZONECONFIG true -test NULL root false tables root ALL true -test NULL root false sequences root ALL true -test NULL root false types root ALL true -test NULL root false schemas root ALL true -test NULL root false functions root ALL true -test NULL testuser false tables testuser ALL true -test NULL testuser false sequences testuser ALL true -test NULL testuser false types testuser ALL true -test NULL testuser false schemas testuser ALL true -test NULL testuser false functions testuser ALL true -test NULL testuser false types public USAGE false -test NULL NULL true types 
public USAGE false +database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable +defaultdb NULL admin false tables admin ALL true +defaultdb NULL admin false sequences admin ALL true +defaultdb NULL admin false types admin ALL true +defaultdb NULL admin false schemas admin ALL true +defaultdb NULL admin false functions admin ALL true +defaultdb NULL admin false types public USAGE false +defaultdb NULL bar false tables bar ALL true +defaultdb NULL bar false sequences bar ALL true +defaultdb NULL bar false types bar ALL true +defaultdb NULL bar false schemas bar ALL true +defaultdb NULL bar false functions bar ALL true +defaultdb NULL bar false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer 
false types public USAGE false +defaultdb NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types public USAGE false +defaultdb NULL foo false tables foo ALL true +defaultdb NULL foo false sequences foo ALL true +defaultdb NULL foo false types foo ALL true +defaultdb NULL foo false schemas foo ALL true +defaultdb NULL foo false functions foo ALL true +defaultdb NULL foo false types public USAGE false +defaultdb NULL root false tables root ALL true +defaultdb NULL root false sequences root ALL true +defaultdb NULL root false types root ALL true +defaultdb NULL root false schemas root ALL true +defaultdb NULL root false functions root ALL true +defaultdb NULL root false types public USAGE false +defaultdb NULL testuser false tables testuser ALL true +defaultdb NULL testuser false sequences testuser ALL true +defaultdb NULL testuser false types testuser ALL true +defaultdb NULL testuser false schemas testuser ALL true +defaultdb NULL testuser false functions testuser ALL true +defaultdb NULL testuser false types public USAGE false +defaultdb NULL NULL true types public USAGE false +postgres NULL admin false tables admin ALL true +postgres NULL admin false sequences admin ALL true +postgres NULL admin false types admin ALL true +postgres NULL admin false schemas admin ALL true +postgres NULL admin false functions admin ALL true +postgres NULL admin false types public USAGE false +postgres NULL bar false 
tables bar ALL true +postgres NULL bar false sequences bar ALL true +postgres NULL bar false types bar ALL true +postgres NULL bar false schemas bar ALL true +postgres NULL bar false functions bar ALL true +postgres NULL bar false types public USAGE false +postgres NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types public USAGE false +postgres NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types public USAGE false +postgres NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false schemas 
crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types public USAGE false +postgres NULL foo false tables foo ALL true +postgres NULL foo false sequences foo ALL true +postgres NULL foo false types foo ALL true +postgres NULL foo false schemas foo ALL true +postgres NULL foo false functions foo ALL true +postgres NULL foo false types public USAGE false +postgres NULL root false tables root ALL true +postgres NULL root false sequences root ALL true +postgres NULL root false types root ALL true +postgres NULL root false schemas root ALL true +postgres NULL root false functions root ALL true +postgres NULL root false types public USAGE false +postgres NULL testuser false tables testuser ALL true +postgres NULL testuser false sequences testuser ALL true +postgres NULL testuser false types testuser ALL true +postgres NULL testuser false schemas testuser ALL true +postgres NULL testuser false functions testuser ALL true +postgres NULL testuser false types public USAGE false +postgres NULL NULL true types public USAGE false +system NULL admin false tables admin ALL true +system NULL admin false sequences admin ALL true +system NULL admin false types admin ALL true +system NULL admin false schemas admin ALL true +system NULL admin false functions admin ALL true +system NULL admin false types public USAGE false +system NULL bar false tables bar ALL true +system NULL bar false sequences bar ALL true +system NULL bar false types bar ALL true +system NULL bar false schemas bar ALL true +system NULL bar false functions bar ALL true +system NULL bar false types public USAGE false +system NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +system 
NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types public USAGE false +system NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types public USAGE false +system NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types public USAGE false +system NULL foo false tables foo ALL true +system NULL foo false sequences foo ALL true +system NULL foo false types foo ALL true +system NULL foo false schemas foo ALL true +system NULL foo false functions foo ALL true +system NULL foo false types public USAGE false +system NULL root false tables 
root ALL true +system NULL root false sequences root ALL true +system NULL root false types root ALL true +system NULL root false schemas root ALL true +system NULL root false functions root ALL true +system NULL root false types public USAGE false +system NULL testuser false tables testuser ALL true +system NULL testuser false sequences testuser ALL true +system NULL testuser false types testuser ALL true +system NULL testuser false schemas testuser ALL true +system NULL testuser false functions testuser ALL true +system NULL testuser false types public USAGE false +system NULL NULL true types public USAGE false +test NULL admin false tables admin ALL true +test NULL admin false sequences admin ALL true +test NULL admin false types admin ALL true +test NULL admin false schemas admin ALL true +test NULL admin false functions admin ALL true +test NULL admin false types public USAGE false +test NULL bar false functions bar ALL true +test NULL bar false types public USAGE false +test NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types public USAGE false +test NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer 
false schemas crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types public USAGE false +test NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test NULL foo false functions foo ALL true +test NULL foo false types public USAGE false +test NULL root false tables foo DROP true +test NULL root false tables foo ZONECONFIG true +test NULL root false tables root ALL true +test NULL root false sequences root ALL true +test NULL root false types root ALL true +test NULL root false schemas root ALL true +test NULL root false functions root ALL true +test NULL testuser false tables testuser ALL true +test NULL testuser false sequences testuser ALL true +test NULL testuser false types testuser ALL true +test NULL testuser false schemas testuser ALL true +test NULL testuser false functions testuser ALL true +test NULL testuser false types public USAGE false +test NULL NULL true types public USAGE false # Create a second database. statement ok 
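Review bot: The expected output for the unfiltered `SELECT * FROM crdb_internal.default_privileges` in this hunk grows from 124 to 196 lines only because each of the three new builtin roles adds six rows in each of the four databases. That buries the rows this step is actually about (`root` granting `DROP` and `ZONECONFIG` on tables to `foo` with grant option in `test`). In a privilege test, an unintended change to a grantee or to `is_grantable` becomes easy to overlook in review, and every future builtin role will rewrite the whole file again. Consider narrowing these assertions to the roles under test, for example `SELECT * FROM crdb_internal.default_privileges WHERE role IS NULL OR role NOT LIKE 'crdb_internal_%'`, and keeping one separate query that pins the default privileges of the builtin roles. The hunks immediately before and after this one repeat the same pattern.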
@@ -636,157 +924,247 @@ ALTER DEFAULT PRIVILEGES GRANT DROP, ZONECONFIG ON TABLES TO foo WITH GRANT OPTI query TTTBTTTB colnames,rowsort SELECT * FROM crdb_internal.default_privileges ---- -database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable -defaultdb NULL admin false tables admin ALL true -defaultdb NULL admin false sequences admin ALL true -defaultdb NULL admin false types admin ALL true -defaultdb NULL admin false schemas admin ALL true -defaultdb NULL admin false functions admin ALL true -defaultdb NULL admin false types public USAGE false -defaultdb NULL bar false tables bar ALL true -defaultdb NULL bar false sequences bar ALL true -defaultdb NULL bar false types bar ALL true -defaultdb NULL bar false schemas bar ALL true -defaultdb NULL bar false functions bar ALL true -defaultdb NULL bar false types public USAGE false -defaultdb NULL foo false tables foo ALL true -defaultdb NULL foo false sequences foo ALL true -defaultdb NULL foo false types foo ALL true -defaultdb NULL foo false schemas foo ALL true -defaultdb NULL foo false functions foo ALL true -defaultdb NULL foo false types public USAGE false -defaultdb NULL root false tables root ALL true -defaultdb NULL root false sequences root ALL true -defaultdb NULL root false types root ALL true -defaultdb NULL root false schemas root ALL true -defaultdb NULL root false functions root ALL true -defaultdb NULL root false types public USAGE false -defaultdb NULL testuser false tables testuser ALL true -defaultdb NULL testuser false sequences testuser ALL true -defaultdb NULL testuser false types testuser ALL true -defaultdb NULL testuser false schemas testuser ALL true -defaultdb NULL testuser false functions testuser ALL true -defaultdb NULL testuser false types public USAGE false -defaultdb NULL NULL true types public USAGE false -postgres NULL admin false tables admin ALL true -postgres NULL admin false sequences admin ALL true -postgres NULL admin false types admin 
ALL true -postgres NULL admin false schemas admin ALL true -postgres NULL admin false functions admin ALL true -postgres NULL admin false types public USAGE false -postgres NULL bar false tables bar ALL true -postgres NULL bar false sequences bar ALL true -postgres NULL bar false types bar ALL true -postgres NULL bar false schemas bar ALL true -postgres NULL bar false functions bar ALL true -postgres NULL bar false types public USAGE false -postgres NULL foo false tables foo ALL true -postgres NULL foo false sequences foo ALL true -postgres NULL foo false types foo ALL true -postgres NULL foo false schemas foo ALL true -postgres NULL foo false functions foo ALL true -postgres NULL foo false types public USAGE false -postgres NULL root false tables root ALL true -postgres NULL root false sequences root ALL true -postgres NULL root false types root ALL true -postgres NULL root false schemas root ALL true -postgres NULL root false functions root ALL true -postgres NULL root false types public USAGE false -postgres NULL testuser false tables testuser ALL true -postgres NULL testuser false sequences testuser ALL true -postgres NULL testuser false types testuser ALL true -postgres NULL testuser false schemas testuser ALL true -postgres NULL testuser false functions testuser ALL true -postgres NULL testuser false types public USAGE false -postgres NULL NULL true types public USAGE false -system NULL admin false tables admin ALL true -system NULL admin false sequences admin ALL true -system NULL admin false types admin ALL true -system NULL admin false schemas admin ALL true -system NULL admin false functions admin ALL true -system NULL admin false types public USAGE false -system NULL bar false tables bar ALL true -system NULL bar false sequences bar ALL true -system NULL bar false types bar ALL true -system NULL bar false schemas bar ALL true -system NULL bar false functions bar ALL true -system NULL bar false types public USAGE false -system NULL foo false tables foo 
ALL true -system NULL foo false sequences foo ALL true -system NULL foo false types foo ALL true -system NULL foo false schemas foo ALL true -system NULL foo false functions foo ALL true -system NULL foo false types public USAGE false -system NULL root false tables root ALL true -system NULL root false sequences root ALL true -system NULL root false types root ALL true -system NULL root false schemas root ALL true -system NULL root false functions root ALL true -system NULL root false types public USAGE false -system NULL testuser false tables testuser ALL true -system NULL testuser false sequences testuser ALL true -system NULL testuser false types testuser ALL true -system NULL testuser false schemas testuser ALL true -system NULL testuser false functions testuser ALL true -system NULL testuser false types public USAGE false -system NULL NULL true types public USAGE false -test NULL admin false tables admin ALL true -test NULL admin false sequences admin ALL true -test NULL admin false types admin ALL true -test NULL admin false schemas admin ALL true -test NULL admin false functions admin ALL true -test NULL admin false types public USAGE false -test NULL bar false functions bar ALL true -test NULL bar false types public USAGE false -test NULL foo false functions foo ALL true -test NULL foo false types public USAGE false -test NULL root false tables foo DROP true -test NULL root false tables foo ZONECONFIG true -test NULL root false tables root ALL true -test NULL root false sequences root ALL true -test NULL root false types root ALL true -test NULL root false schemas root ALL true -test NULL root false functions root ALL true -test NULL testuser false tables testuser ALL true -test NULL testuser false sequences testuser ALL true -test NULL testuser false types testuser ALL true -test NULL testuser false schemas testuser ALL true -test NULL testuser false functions testuser ALL true -test NULL testuser false types public USAGE false -test NULL NULL true types 
public USAGE false -test2 NULL admin false tables admin ALL true -test2 NULL admin false sequences admin ALL true -test2 NULL admin false types admin ALL true -test2 NULL admin false schemas admin ALL true -test2 NULL admin false functions admin ALL true -test2 NULL admin false types public USAGE false -test2 NULL bar false tables bar ALL true -test2 NULL bar false sequences bar ALL true -test2 NULL bar false types bar ALL true -test2 NULL bar false schemas bar ALL true -test2 NULL bar false functions bar ALL true -test2 NULL bar false types public USAGE false -test2 NULL foo false tables foo ALL true -test2 NULL foo false sequences foo ALL true -test2 NULL foo false types foo ALL true -test2 NULL foo false schemas foo ALL true -test2 NULL foo false functions foo ALL true -test2 NULL foo false types public USAGE false -test2 NULL root false tables foo DROP true -test2 NULL root false tables foo ZONECONFIG true -test2 NULL root false tables root ALL true -test2 NULL root false sequences root ALL true -test2 NULL root false types root ALL true -test2 NULL root false schemas root ALL true -test2 NULL root false functions root ALL true -test2 NULL root false types public USAGE false -test2 NULL testuser false tables testuser ALL true -test2 NULL testuser false sequences testuser ALL true -test2 NULL testuser false types testuser ALL true -test2 NULL testuser false schemas testuser ALL true -test2 NULL testuser false functions testuser ALL true -test2 NULL testuser false types public USAGE false -test2 NULL NULL true types public USAGE false +database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable +defaultdb NULL admin false tables admin ALL true +defaultdb NULL admin false sequences admin ALL true +defaultdb NULL admin false types admin ALL true +defaultdb NULL admin false schemas admin ALL true +defaultdb NULL admin false functions admin ALL true +defaultdb NULL admin false types public USAGE false +defaultdb NULL bar false tables 
bar ALL true +defaultdb NULL bar false sequences bar ALL true +defaultdb NULL bar false types bar ALL true +defaultdb NULL bar false schemas bar ALL true +defaultdb NULL bar false functions bar ALL true +defaultdb NULL bar false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types public USAGE false +defaultdb NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false schemas 
crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types public USAGE false +defaultdb NULL foo false tables foo ALL true +defaultdb NULL foo false sequences foo ALL true +defaultdb NULL foo false types foo ALL true +defaultdb NULL foo false schemas foo ALL true +defaultdb NULL foo false functions foo ALL true +defaultdb NULL foo false types public USAGE false +defaultdb NULL root false tables root ALL true +defaultdb NULL root false sequences root ALL true +defaultdb NULL root false types root ALL true +defaultdb NULL root false schemas root ALL true +defaultdb NULL root false functions root ALL true +defaultdb NULL root false types public USAGE false +defaultdb NULL testuser false tables testuser ALL true +defaultdb NULL testuser false sequences testuser ALL true +defaultdb NULL testuser false types testuser ALL true +defaultdb NULL testuser false schemas testuser ALL true +defaultdb NULL testuser false functions testuser ALL true +defaultdb NULL testuser false types public USAGE false +defaultdb NULL NULL true types public USAGE false +postgres NULL admin false tables admin ALL true +postgres NULL admin false sequences admin ALL true +postgres NULL admin false types admin ALL true +postgres NULL admin false schemas admin ALL true +postgres NULL admin false functions admin ALL true +postgres NULL admin false types public USAGE false +postgres NULL bar false tables bar ALL true +postgres NULL bar false sequences bar ALL true +postgres NULL bar false types bar ALL true +postgres NULL bar false schemas bar ALL true +postgres NULL bar false functions bar ALL true +postgres NULL bar false types public USAGE false +postgres NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false sequences 
crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types public USAGE false +postgres NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types public USAGE false +postgres NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types public USAGE false +postgres NULL foo false tables foo ALL true +postgres NULL foo false sequences foo ALL true +postgres NULL foo false types foo ALL true +postgres NULL foo false schemas foo ALL true +postgres NULL foo false 
functions foo ALL true +postgres NULL foo false types public USAGE false +postgres NULL root false tables root ALL true +postgres NULL root false sequences root ALL true +postgres NULL root false types root ALL true +postgres NULL root false schemas root ALL true +postgres NULL root false functions root ALL true +postgres NULL root false types public USAGE false +postgres NULL testuser false tables testuser ALL true +postgres NULL testuser false sequences testuser ALL true +postgres NULL testuser false types testuser ALL true +postgres NULL testuser false schemas testuser ALL true +postgres NULL testuser false functions testuser ALL true +postgres NULL testuser false types public USAGE false +postgres NULL NULL true types public USAGE false +system NULL admin false tables admin ALL true +system NULL admin false sequences admin ALL true +system NULL admin false types admin ALL true +system NULL admin false schemas admin ALL true +system NULL admin false functions admin ALL true +system NULL admin false types public USAGE false +system NULL bar false tables bar ALL true +system NULL bar false sequences bar ALL true +system NULL bar false types bar ALL true +system NULL bar false schemas bar ALL true +system NULL bar false functions bar ALL true +system NULL bar false types public USAGE false +system NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types public USAGE false +system NULL 
crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types public USAGE false +system NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types public USAGE false +system NULL foo false tables foo ALL true +system NULL foo false sequences foo ALL true +system NULL foo false types foo ALL true +system NULL foo false schemas foo ALL true +system NULL foo false functions foo ALL true +system NULL foo false types public USAGE false +system NULL root false tables root ALL true +system NULL root false sequences root ALL true +system NULL root false types root ALL true +system NULL root false schemas root ALL true +system NULL root false functions root ALL true +system NULL root false types public USAGE false +system NULL testuser false tables testuser ALL true +system NULL testuser false sequences testuser ALL true +system NULL testuser false types testuser ALL true +system NULL 
testuser false schemas testuser ALL true +system NULL testuser false functions testuser ALL true +system NULL testuser false types public USAGE false +system NULL NULL true types public USAGE false +test NULL admin false tables admin ALL true +test NULL admin false sequences admin ALL true +test NULL admin false types admin ALL true +test NULL admin false schemas admin ALL true +test NULL admin false functions admin ALL true +test NULL admin false types public USAGE false +test NULL bar false functions bar ALL true +test NULL bar false types public USAGE false +test NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types public USAGE false +test NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types public USAGE false +test NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false 
sequences crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test NULL foo false functions foo ALL true +test NULL foo false types public USAGE false +test NULL root false tables foo DROP true +test NULL root false tables foo ZONECONFIG true +test NULL root false tables root ALL true +test NULL root false sequences root ALL true +test NULL root false types root ALL true +test NULL root false schemas root ALL true +test NULL root false functions root ALL true +test NULL testuser false tables testuser ALL true +test NULL testuser false sequences testuser ALL true +test NULL testuser false types testuser ALL true +test NULL testuser false schemas testuser ALL true +test NULL testuser false functions testuser ALL true +test NULL testuser false types public USAGE false +test NULL NULL true types public USAGE false +test2 NULL admin false tables admin ALL true +test2 NULL admin false sequences admin ALL true +test2 NULL admin false types admin ALL true +test2 NULL admin false schemas admin ALL true +test2 NULL admin false functions admin ALL true +test2 NULL admin false types public USAGE false +test2 NULL bar false tables bar ALL true +test2 NULL bar false sequences bar ALL true +test2 NULL bar false types bar ALL true +test2 NULL bar false schemas bar ALL true +test2 NULL bar false functions bar ALL true +test2 NULL bar false types public USAGE false +test2 NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true 
+test2 NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false types public USAGE false +test2 NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false types public USAGE false +test2 NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test2 NULL foo false tables foo ALL true +test2 NULL foo false sequences foo ALL true +test2 NULL foo false types foo ALL true +test2 NULL foo false schemas foo ALL true +test2 NULL foo false functions foo ALL true +test2 NULL foo false types public USAGE false +test2 NULL root false tables foo DROP true 
+test2 NULL root false tables foo ZONECONFIG true +test2 NULL root false tables root ALL true +test2 NULL root false sequences root ALL true +test2 NULL root false types root ALL true +test2 NULL root false schemas root ALL true +test2 NULL root false functions root ALL true +test2 NULL root false types public USAGE false +test2 NULL testuser false tables testuser ALL true +test2 NULL testuser false sequences testuser ALL true +test2 NULL testuser false types testuser ALL true +test2 NULL testuser false schemas testuser ALL true +test2 NULL testuser false functions testuser ALL true +test2 NULL testuser false types public USAGE false +test2 NULL NULL true types public USAGE false statement ok ALTER DEFAULT PRIVILEGES FOR ALL ROLES GRANT SELECT ON TABLES TO foo; 
@@ -794,155 +1172,245 @@ ALTER DEFAULT PRIVILEGES FOR ALL ROLES GRANT SELECT ON TABLES TO foo; query TTTBTTTB colnames,rowsort SELECT * FROM crdb_internal.default_privileges ---- -database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable -defaultdb NULL admin false tables admin ALL true -defaultdb NULL admin false sequences admin ALL true -defaultdb NULL admin false types admin ALL true -defaultdb NULL admin false schemas admin ALL true -defaultdb NULL admin false functions admin ALL true -defaultdb NULL admin false types public USAGE false -defaultdb NULL bar false tables bar ALL true -defaultdb NULL bar false sequences bar ALL true -defaultdb NULL bar false types bar ALL true -defaultdb NULL bar false schemas bar ALL true -defaultdb NULL bar false functions bar ALL true -defaultdb NULL bar false types public USAGE false -defaultdb NULL foo false tables foo ALL true -defaultdb NULL foo false sequences foo ALL true -defaultdb NULL foo false types foo ALL true -defaultdb NULL foo false schemas foo ALL true -defaultdb NULL foo false functions foo ALL true -defaultdb NULL foo false types public USAGE false -defaultdb NULL root false tables root ALL true -defaultdb NULL root false sequences root ALL true -defaultdb NULL root false types root ALL true -defaultdb NULL root false schemas root ALL true -defaultdb NULL root false functions root ALL true -defaultdb NULL root false types public USAGE false -defaultdb NULL testuser false tables testuser ALL true -defaultdb NULL testuser false sequences testuser ALL true -defaultdb NULL testuser false types testuser ALL true -defaultdb NULL testuser false schemas testuser ALL true -defaultdb NULL testuser false functions testuser ALL true -defaultdb NULL testuser false types public USAGE false -defaultdb NULL NULL true types public USAGE false -postgres NULL admin false tables admin ALL true -postgres NULL admin false sequences admin ALL true -postgres NULL admin false types admin ALL true 
-postgres NULL admin false schemas admin ALL true -postgres NULL admin false functions admin ALL true -postgres NULL admin false types public USAGE false -postgres NULL bar false tables bar ALL true -postgres NULL bar false sequences bar ALL true -postgres NULL bar false types bar ALL true -postgres NULL bar false schemas bar ALL true -postgres NULL bar false functions bar ALL true -postgres NULL bar false types public USAGE false -postgres NULL foo false tables foo ALL true -postgres NULL foo false sequences foo ALL true -postgres NULL foo false types foo ALL true -postgres NULL foo false schemas foo ALL true -postgres NULL foo false functions foo ALL true -postgres NULL foo false types public USAGE false -postgres NULL root false tables root ALL true -postgres NULL root false sequences root ALL true -postgres NULL root false types root ALL true -postgres NULL root false schemas root ALL true -postgres NULL root false functions root ALL true -postgres NULL root false types public USAGE false -postgres NULL testuser false tables testuser ALL true -postgres NULL testuser false sequences testuser ALL true -postgres NULL testuser false types testuser ALL true -postgres NULL testuser false schemas testuser ALL true -postgres NULL testuser false functions testuser ALL true -postgres NULL testuser false types public USAGE false -postgres NULL NULL true types public USAGE false -system NULL admin false tables admin ALL true -system NULL admin false sequences admin ALL true -system NULL admin false types admin ALL true -system NULL admin false schemas admin ALL true -system NULL admin false functions admin ALL true -system NULL admin false types public USAGE false -system NULL bar false tables bar ALL true -system NULL bar false sequences bar ALL true -system NULL bar false types bar ALL true -system NULL bar false schemas bar ALL true -system NULL bar false functions bar ALL true -system NULL bar false types public USAGE false -system NULL foo false tables foo ALL true 
-system NULL foo false sequences foo ALL true -system NULL foo false types foo ALL true -system NULL foo false schemas foo ALL true -system NULL foo false functions foo ALL true -system NULL foo false types public USAGE false -system NULL root false tables root ALL true -system NULL root false sequences root ALL true -system NULL root false types root ALL true -system NULL root false schemas root ALL true -system NULL root false functions root ALL true -system NULL root false types public USAGE false -system NULL testuser false tables testuser ALL true -system NULL testuser false sequences testuser ALL true -system NULL testuser false types testuser ALL true -system NULL testuser false schemas testuser ALL true -system NULL testuser false functions testuser ALL true -system NULL testuser false types public USAGE false -system NULL NULL true types public USAGE false -test NULL admin false tables admin ALL true -test NULL admin false sequences admin ALL true -test NULL admin false types admin ALL true -test NULL admin false schemas admin ALL true -test NULL admin false functions admin ALL true -test NULL admin false types public USAGE false -test NULL bar false functions bar ALL true -test NULL bar false types public USAGE false -test NULL foo false functions foo ALL true -test NULL foo false types public USAGE false -test NULL root false tables foo DROP true -test NULL root false tables foo ZONECONFIG true -test NULL root false tables root ALL true -test NULL root false sequences root ALL true -test NULL root false types root ALL true -test NULL root false schemas root ALL true -test NULL root false functions root ALL true -test NULL testuser false tables testuser ALL true -test NULL testuser false sequences testuser ALL true -test NULL testuser false types testuser ALL true -test NULL testuser false schemas testuser ALL true -test NULL testuser false functions testuser ALL true -test NULL testuser false types public USAGE false -test NULL NULL true types public 
USAGE false -test2 NULL admin false tables admin ALL true -test2 NULL admin false sequences admin ALL true -test2 NULL admin false types admin ALL true -test2 NULL admin false schemas admin ALL true -test2 NULL admin false functions admin ALL true -test2 NULL admin false types public USAGE false -test2 NULL bar false tables bar ALL true -test2 NULL bar false sequences bar ALL true -test2 NULL bar false types bar ALL true -test2 NULL bar false schemas bar ALL true -test2 NULL bar false functions bar ALL true -test2 NULL bar false types public USAGE false -test2 NULL foo false tables foo ALL true -test2 NULL foo false sequences foo ALL true -test2 NULL foo false types foo ALL true -test2 NULL foo false schemas foo ALL true -test2 NULL foo false functions foo ALL true -test2 NULL foo false types public USAGE false -test2 NULL root false tables foo DROP true -test2 NULL root false tables foo ZONECONFIG true -test2 NULL root false tables root ALL true -test2 NULL root false sequences root ALL true -test2 NULL root false types root ALL true -test2 NULL root false schemas root ALL true -test2 NULL root false functions root ALL true -test2 NULL root false types public USAGE false -test2 NULL testuser false tables testuser ALL true -test2 NULL testuser false sequences testuser ALL true -test2 NULL testuser false types testuser ALL true -test2 NULL testuser false schemas testuser ALL true -test2 NULL testuser false functions testuser ALL true -test2 NULL testuser false types public USAGE false -test2 NULL NULL true tables foo SELECT false -test2 NULL NULL true types public USAGE false +database_name schema_name role for_all_roles object_type grantee privilege_type is_grantable +defaultdb NULL admin false tables admin ALL true +defaultdb NULL admin false sequences admin ALL true +defaultdb NULL admin false types admin ALL true +defaultdb NULL admin false schemas admin ALL true +defaultdb NULL admin false functions admin ALL true +defaultdb NULL admin false types public USAGE 
false +defaultdb NULL bar false tables bar ALL true +defaultdb NULL bar false sequences bar ALL true +defaultdb NULL bar false types bar ALL true +defaultdb NULL bar false schemas bar ALL true +defaultdb NULL bar false functions bar ALL true +defaultdb NULL bar false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +defaultdb NULL crdb_internal_cluster_activity_reader false types public USAGE false +defaultdb NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +defaultdb NULL crdb_internal_cluster_activity_writer false types public USAGE false +defaultdb NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL 
crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +defaultdb NULL crdb_internal_cluster_metadata_reader false types public USAGE false +defaultdb NULL foo false tables foo ALL true +defaultdb NULL foo false sequences foo ALL true +defaultdb NULL foo false types foo ALL true +defaultdb NULL foo false schemas foo ALL true +defaultdb NULL foo false functions foo ALL true +defaultdb NULL foo false types public USAGE false +defaultdb NULL root false tables root ALL true +defaultdb NULL root false sequences root ALL true +defaultdb NULL root false types root ALL true +defaultdb NULL root false schemas root ALL true +defaultdb NULL root false functions root ALL true +defaultdb NULL root false types public USAGE false +defaultdb NULL testuser false tables testuser ALL true +defaultdb NULL testuser false sequences testuser ALL true +defaultdb NULL testuser false types testuser ALL true +defaultdb NULL testuser false schemas testuser ALL true +defaultdb NULL testuser false functions testuser ALL true +defaultdb NULL testuser false types public USAGE false +defaultdb NULL NULL true types public USAGE false +postgres NULL admin false tables admin ALL true +postgres NULL admin false sequences admin ALL true +postgres NULL admin false types admin ALL true +postgres NULL admin false schemas admin ALL true +postgres NULL admin false functions admin ALL true +postgres NULL admin false types public USAGE false +postgres NULL bar false tables bar ALL true +postgres NULL bar false sequences bar ALL true +postgres NULL bar false types bar ALL true +postgres NULL bar false schemas bar ALL true +postgres NULL bar false functions bar ALL true +postgres NULL bar false types public USAGE false +postgres NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +postgres NULL 
crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +postgres NULL crdb_internal_cluster_activity_reader false types public USAGE false +postgres NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +postgres NULL crdb_internal_cluster_activity_writer false types public USAGE false +postgres NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +postgres NULL crdb_internal_cluster_metadata_reader false types public USAGE false +postgres NULL foo false tables foo ALL true +postgres NULL foo false sequences foo ALL true +postgres NULL foo false types foo ALL true +postgres NULL foo false 
schemas foo ALL true +postgres NULL foo false functions foo ALL true +postgres NULL foo false types public USAGE false +postgres NULL root false tables root ALL true +postgres NULL root false sequences root ALL true +postgres NULL root false types root ALL true +postgres NULL root false schemas root ALL true +postgres NULL root false functions root ALL true +postgres NULL root false types public USAGE false +postgres NULL testuser false tables testuser ALL true +postgres NULL testuser false sequences testuser ALL true +postgres NULL testuser false types testuser ALL true +postgres NULL testuser false schemas testuser ALL true +postgres NULL testuser false functions testuser ALL true +postgres NULL testuser false types public USAGE false +postgres NULL NULL true types public USAGE false +system NULL admin false tables admin ALL true +system NULL admin false sequences admin ALL true +system NULL admin false types admin ALL true +system NULL admin false schemas admin ALL true +system NULL admin false functions admin ALL true +system NULL admin false types public USAGE false +system NULL bar false tables bar ALL true +system NULL bar false sequences bar ALL true +system NULL bar false types bar ALL true +system NULL bar false schemas bar ALL true +system NULL bar false functions bar ALL true +system NULL bar false types public USAGE false +system NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +system NULL crdb_internal_cluster_activity_reader false types public USAGE false 
+system NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +system NULL crdb_internal_cluster_activity_writer false types public USAGE false +system NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +system NULL crdb_internal_cluster_metadata_reader false types public USAGE false +system NULL foo false tables foo ALL true +system NULL foo false sequences foo ALL true +system NULL foo false types foo ALL true +system NULL foo false schemas foo ALL true +system NULL foo false functions foo ALL true +system NULL foo false types public USAGE false +system NULL root false tables root ALL true +system NULL root false sequences root ALL true +system NULL root false types root ALL true +system NULL root false schemas root ALL true +system NULL root false functions root ALL true +system NULL root false types public USAGE false +system NULL testuser false tables testuser ALL true +system NULL testuser false sequences testuser ALL true +system NULL testuser false types testuser ALL true 
+system NULL testuser false schemas testuser ALL true +system NULL testuser false functions testuser ALL true +system NULL testuser false types public USAGE false +system NULL NULL true types public USAGE false +test NULL admin false tables admin ALL true +test NULL admin false sequences admin ALL true +test NULL admin false types admin ALL true +test NULL admin false schemas admin ALL true +test NULL admin false functions admin ALL true +test NULL admin false types public USAGE false +test NULL bar false functions bar ALL true +test NULL bar false types public USAGE false +test NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test NULL crdb_internal_cluster_activity_reader false types public USAGE false +test NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test NULL crdb_internal_cluster_activity_writer false types public USAGE false +test NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader 
false sequences crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test NULL foo false functions foo ALL true +test NULL foo false types public USAGE false +test NULL root false tables foo DROP true +test NULL root false tables foo ZONECONFIG true +test NULL root false tables root ALL true +test NULL root false sequences root ALL true +test NULL root false types root ALL true +test NULL root false schemas root ALL true +test NULL root false functions root ALL true +test NULL testuser false tables testuser ALL true +test NULL testuser false sequences testuser ALL true +test NULL testuser false types testuser ALL true +test NULL testuser false schemas testuser ALL true +test NULL testuser false functions testuser ALL true +test NULL testuser false types public USAGE false +test NULL NULL true types public USAGE false +test2 NULL admin false tables admin ALL true +test2 NULL admin false sequences admin ALL true +test2 NULL admin false types admin ALL true +test2 NULL admin false schemas admin ALL true +test2 NULL admin false functions admin ALL true +test2 NULL admin false types public USAGE false +test2 NULL bar false tables bar ALL true +test2 NULL bar false sequences bar ALL true +test2 NULL bar false types bar ALL true +test2 NULL bar false schemas bar ALL true +test2 NULL bar false functions bar ALL true +test2 NULL bar false types public USAGE false +test2 NULL crdb_internal_cluster_activity_reader false tables crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false sequences crdb_internal_cluster_activity_reader ALL 
true +test2 NULL crdb_internal_cluster_activity_reader false types crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false schemas crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false functions crdb_internal_cluster_activity_reader ALL true +test2 NULL crdb_internal_cluster_activity_reader false types public USAGE false +test2 NULL crdb_internal_cluster_activity_writer false tables crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false sequences crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false types crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false schemas crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false functions crdb_internal_cluster_activity_writer ALL true +test2 NULL crdb_internal_cluster_activity_writer false types public USAGE false +test2 NULL crdb_internal_cluster_metadata_reader false tables crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false sequences crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false types crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false schemas crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false functions crdb_internal_cluster_metadata_reader ALL true +test2 NULL crdb_internal_cluster_metadata_reader false types public USAGE false +test2 NULL foo false tables foo ALL true +test2 NULL foo false sequences foo ALL true +test2 NULL foo false types foo ALL true +test2 NULL foo false schemas foo ALL true +test2 NULL foo false functions foo ALL true +test2 NULL foo false types public USAGE false +test2 NULL root false tables foo DROP true 
+test2 NULL root false tables foo ZONECONFIG true +test2 NULL root false tables root ALL true +test2 NULL root false sequences root ALL true +test2 NULL root false types root ALL true +test2 NULL root false schemas root ALL true +test2 NULL root false functions root ALL true +test2 NULL root false types public USAGE false +test2 NULL testuser false tables testuser ALL true +test2 NULL testuser false sequences testuser ALL true +test2 NULL testuser false types testuser ALL true +test2 NULL testuser false schemas testuser ALL true +test2 NULL testuser false functions testuser ALL true +test2 NULL testuser false types public USAGE false +test2 NULL NULL true tables foo SELECT false +test2 NULL NULL true types public USAGE false diff --git a/pkg/sql/logictest/testdata/logic_test/drop_table b/pkg/sql/logictest/testdata/logic_test/drop_table index 121a71f8ce3e..dbaee3dd0e30 100644 --- a/pkg/sql/logictest/testdata/logic_test/drop_table +++ b/pkg/sql/logictest/testdata/logic_test/drop_table @@ -46,6 +46,12 @@ SELECT replace(job_type, 'NEW SCHEMA CHANGE', 'SCHEMA CHANGE'), status SCHEMA CHANGE succeeded SCHEMA CHANGE succeeded SCHEMA CHANGE succeeded +SCHEMA CHANGE succeeded +SCHEMA CHANGE succeeded +SCHEMA CHANGE succeeded +SCHEMA CHANGE succeeded +SCHEMA CHANGE succeeded +SCHEMA CHANGE succeeded SCHEMA CHANGE GC running query TTTTIT diff --git a/pkg/sql/logictest/testdata/logic_test/drop_user b/pkg/sql/logictest/testdata/logic_test/drop_user index 51758cbcbda6..6ca6f68ae640 100644 --- a/pkg/sql/logictest/testdata/logic_test/drop_user +++ b/pkg/sql/logictest/testdata/logic_test/drop_user 
@@ -4,11 +4,14 @@ CREATE USER user1 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} -user1 · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} +user1 · {} statement ok DROP USER user1 @@ -16,10 +19,13 @@ DROP USER user1 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} statement ok CREATE USER user1 @@ -27,11 +33,14 @@ CREATE USER user1 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} -user1 · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} +user1 · {} statement ok DROP USER USEr1 @@ -39,10 +48,13 @@ DROP USER USEr1 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} statement error user user1 does not exist DROP USER user1 
@@ -86,14 +98,17 @@ CREATE USER user4 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} -user1 · {} -user2 · {} -user3 · {} -user4 · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} +user1 · {} +user2 · {} +user3 · {} +user4 · {} statement ok DROP USER user1,user2 @@ -101,12 +116,15 @@ DROP USER user1,user2 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} -user3 · {} -user4 · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} +user3 · {} +user4 · {} statement error user user1 does not exist DROP USER user1,user3 @@ -114,12 +132,15 @@ DROP USER user1,user3 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} -user3 · {} -user4 · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} +user3 · {} +user4 · {} statement ok CREATE USER user1 @@ -151,10 +172,13 @@ EXECUTE du query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} user testuser diff --git a/pkg/sql/logictest/testdata/logic_test/event_log b/pkg/sql/logictest/testdata/logic_test/event_log index 9ebdd516988b..162184eb58d0 100644 
--- a/pkg/sql/logictest/testdata/logic_test/event_log +++ b/pkg/sql/logictest/testdata/logic_test/event_log @@ -34,6 +34,9 @@ FROM system.eventlog WHERE "eventType" IN ('create_role', 'drop_role', 'alter_role') ORDER BY "timestamp", info ---- +1 create_role {"ApplicationName": "$ internal-addClusterActivityReaderRole", "EventType": "create_role", "RoleName": "crdb_internal_cluster_activity_reader", "Statement": "CREATE ROLE IF NOT EXISTS crdb_internal_cluster_activity_reader", "Tag": "CREATE ROLE", "User": "node"} +1 create_role {"ApplicationName": "$ internal-addClusterActivityWriterRole", "EventType": "create_role", "RoleName": "crdb_internal_cluster_activity_writer", "Statement": "CREATE ROLE IF NOT EXISTS crdb_internal_cluster_activity_writer", "Tag": "CREATE ROLE", "User": "node"} +1 create_role {"ApplicationName": "$ internal-addClusterMetadataReaderRole", "EventType": "create_role", "RoleName": "crdb_internal_cluster_metadata_reader", "Statement": "CREATE ROLE IF NOT EXISTS crdb_internal_cluster_metadata_reader", "Tag": "CREATE ROLE", "User": "node"} 1 create_role {"EventType": "create_role", "RoleName": "testuser", "Statement": "CREATE USER testuser", "Tag": "CREATE ROLE", "User": "root"} 1 create_role {"EventType": "create_role", "RoleName": "r", "Statement": "CREATE ROLE r", "Tag": "CREATE ROLE", "User": "root"} 1 create_role {"EventType": "create_role", "RoleName": "r2", "Statement": "CREATE ROLE IF NOT EXISTS r2", "Tag": "CREATE ROLE", "User": "root"} diff --git a/pkg/sql/logictest/testdata/logic_test/information_schema b/pkg/sql/logictest/testdata/logic_test/information_schema index 15544fefeda2..2f26999966c9 100644 --- a/pkg/sql/logictest/testdata/logic_test/information_schema +++ b/pkg/sql/logictest/testdata/logic_test/information_schema 
@@ -1374,7 +1374,7 @@ system pg_extension geography_columns SYSTEM system pg_extension geometry_columns SYSTEM VIEW NO 1 system pg_extension spatial_ref_sys SYSTEM VIEW NO 1 system public descriptor BASE TABLE YES 1 -system public users BASE TABLE YES 2 +system public users BASE TABLE YES 5 system public zones BASE TABLE YES 1 system public settings BASE TABLE YES 1 system public tenants BASE TABLE YES 1 @@ -1395,7 +1395,7 @@ system public reports_meta BASE T system public namespace BASE TABLE YES 1 system public protected_ts_meta BASE TABLE YES 1 system public protected_ts_records BASE TABLE YES 1 -system public role_options BASE TABLE YES 2 +system public role_options BASE TABLE YES 5 system public statement_bundle_chunks BASE TABLE YES 1 system public statement_diagnostics_requests BASE TABLE YES 1 system public statement_diagnostics BASE TABLE YES 1 diff --git a/pkg/sql/logictest/testdata/logic_test/jobs b/pkg/sql/logictest/testdata/logic_test/jobs index b88a951e1892..ea5508ee928b 100644 --- a/pkg/sql/logictest/testdata/logic_test/jobs +++ b/pkg/sql/logictest/testdata/logic_test/jobs @@ -89,6 +89,12 @@ query TTT SELECT job_type, description, user_name FROM [SHOW JOBS] WHERE user_name IN ('root', 'testuser', 'node') AND job_type LIKE 'SCHEMA CHANGE%' ---- +SCHEMA CHANGE updating version for users table node +SCHEMA CHANGE updating version for role options table node +SCHEMA CHANGE updating version for users table node +SCHEMA CHANGE updating version for role options table node +SCHEMA CHANGE updating version for users table node +SCHEMA CHANGE updating version for role options table node SCHEMA CHANGE updating version for users table root SCHEMA CHANGE updating version for role options table root SCHEMA CHANGE updating privileges for database 104 root 
@@ -102,6 +108,12 @@ SELECT job_type, description, user_name FROM crdb_internal.jobs WHERE user_name AND (job_type LIKE 'AUTO SPAN%' OR job_type LIKE 'SCHEMA CHANGE%') ---- AUTO SPAN CONFIG RECONCILIATION reconciling span configurations node +SCHEMA CHANGE updating version for users table node +SCHEMA CHANGE updating version for role options table node +SCHEMA CHANGE updating version for users table node +SCHEMA CHANGE updating version for role options table node +SCHEMA CHANGE updating version for users table node +SCHEMA CHANGE updating version for role options table node SCHEMA CHANGE updating version for users table root SCHEMA CHANGE updating version for role options table root SCHEMA CHANGE updating privileges for database 104 root diff --git a/pkg/sql/logictest/testdata/logic_test/pg_catalog b/pkg/sql/logictest/testdata/logic_test/pg_catalog index 31e048603616..ce36ebaed6b9 100644 --- a/pkg/sql/logictest/testdata/logic_test/pg_catalog +++ b/pkg/sql/logictest/testdata/logic_test/pg_catalog 
@@ -3742,20 +3742,26 @@ SELECT oid, rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcatupd FROM pg_catalog.pg_roles ORDER BY rolname ---- -oid rolname rolsuper rolinherit rolcreaterole rolcreatedb rolcatupdate rolcanlogin rolreplication -2310524507 admin true true true true false true false -1546506610 root true true true true false true false -2264919399 testuser false true false false false true false +oid rolname rolsuper rolinherit rolcreaterole rolcreatedb rolcatupdate rolcanlogin rolreplication +2310524507 admin true true true true false true false +3369175408 crdb_internal_cluster_activity_reader false true false false false false false +218157440 crdb_internal_cluster_activity_writer false true false false false false false +915075748 crdb_internal_cluster_metadata_reader false true false false false false false +1546506610 root true true true true false true false +2264919399 testuser false true false false false true false query OTITTBT colnames SELECT oid, rolname, rolconnlimit, rolpassword, rolvaliduntil, rolbypassrls, rolconfig FROM pg_catalog.pg_roles ORDER BY rolname ---- -oid rolname rolconnlimit rolpassword rolvaliduntil rolbypassrls rolconfig -2310524507 admin -1 ******** NULL false NULL -1546506610 root -1 ******** NULL false NULL -2264919399 testuser -1 ******** NULL false NULL +oid rolname rolconnlimit rolpassword rolvaliduntil rolbypassrls rolconfig +2310524507 admin -1 ******** NULL false NULL +3369175408 crdb_internal_cluster_activity_reader -1 ******** NULL false NULL +218157440 crdb_internal_cluster_activity_writer -1 ******** NULL false NULL +915075748 crdb_internal_cluster_metadata_reader -1 ******** NULL false NULL +1546506610 root -1 ******** NULL false NULL +2264919399 testuser -1 ******** NULL false NULL ## pg_catalog.pg_auth_members diff --git a/pkg/sql/logictest/testdata/logic_test/role b/pkg/sql/logictest/testdata/logic_test/role index eba6f53189e1..b958fce93330 100644 --- a/pkg/sql/logictest/testdata/logic_test/role 
+++ b/pkg/sql/logictest/testdata/logic_test/role @@ -27,11 +27,14 @@ CREATE ROLE myrole query TTT colnames SHOW ROLES ---- -username options member_of -admin · {} -myrole NOLOGIN {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +myrole NOLOGIN {} +root · {admin} +testuser · {} statement error a role/user named myrole already exists CREATE ROLE myrole @@ -57,11 +60,14 @@ DROP ROLE admin, myrole query TTT colnames SHOW ROLES ---- -username options member_of -admin · {} -myrole NOLOGIN {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +myrole NOLOGIN {} +root · {admin} +testuser · {} statement ok DROP ROLE myrole @@ -69,10 +75,13 @@ DROP ROLE myrole query TTT colnames SHOW ROLES ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} statement error pq: role/user myrole does not exist DROP ROLE myrole @@ -104,10 +113,13 @@ DROP ROLE rolea, roleb query TTT colnames SHOW ROLES ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} statement ok CREATE USER testuser2 
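Review bot: Nothing visible in this file pins what happens when one of the three new builtin roles is dropped or recreated by an operator. The `@@ -57,11 +60,14 @@` hunk sits right after `DROP ROLE admin, myrole`, whose expected `SHOW ROLES` output still lists both roles, so the file already asserts this kind of protection for `admin`. These roles carry system privileges (the `system_privileges` fixture in this patch shows VIEWACTIVITY, CANCELQUERY and VIEWCLUSTERMETADATA/VIEWCLUSTERSETTING/VIEWDEBUG), so the intended behaviour should be asserted rather than left implicit. If they are meant to be protected, add a `statement error` case for `DROP ROLE crdb_internal_cluster_activity_reader`. Whether `pkg/sql/create_role.go` already reserves the `crdb_internal_` prefix is not visible here, so this may only need the test.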
@@ -479,13 +491,16 @@ roled testuser false query TTT SHOW ROLES ---- -admin · {} -roleb NOLOGIN {} -roled NOLOGIN {} -rolee NOLOGIN {} -root · {admin} -testuser · {roled} -testuser2 · {} +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +roleb NOLOGIN {} +roled NOLOGIN {} +rolee NOLOGIN {} +root · {admin} +testuser · {roled} +testuser2 · {} statement ok DROP ROLE roleb diff --git a/pkg/sql/logictest/testdata/logic_test/show_source b/pkg/sql/logictest/testdata/logic_test/show_source index c066430c5309..2e0b6a2f8957 100644 --- a/pkg/sql/logictest/testdata/logic_test/show_source +++ b/pkg/sql/logictest/testdata/logic_test/show_source @@ -421,10 +421,13 @@ v CREATE VIEW public.v ( query TTT colnames SELECT * FROM [SHOW USERS] ORDER BY 1 ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} query TTTI colnames diff --git a/pkg/sql/logictest/testdata/logic_test/system_privileges b/pkg/sql/logictest/testdata/logic_test/system_privileges index 69a47a0f5a63..92dc2b8b0de7 100644 --- a/pkg/sql/logictest/testdata/logic_test/system_privileges +++ b/pkg/sql/logictest/testdata/logic_test/system_privileges @@ -39,7 +39,10 @@ user root query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -testuser /global/ {EXTERNALCONNECTION,MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +testuser /global/ {EXTERNALCONNECTION,MODIFYCLUSTERSETTING} {} query TT SELECT connection_name, connection_type FROM system.external_connections 
@@ -65,6 +68,9 @@ user root query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} user root @@ -84,8 +90,11 @@ user root query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} -testuser /global/ {MODIFYCLUSTERSETTING} {MODIFYCLUSTERSETTING} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} +testuser /global/ {MODIFYCLUSTERSETTING} {MODIFYCLUSTERSETTING} statement ok REVOKE GRANT OPTION FOR SYSTEM MODIFYCLUSTERSETTING FROM testuser @@ -93,8 +102,11 @@ REVOKE GRANT OPTION FOR SYSTEM MODIFYCLUSTERSETTING FROM testuser query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} -testuser /global/ {MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} +testuser /global/ {MODIFYCLUSTERSETTING} {} statement ok REVOKE SYSTEM MODIFYCLUSTERSETTING FROM testuser 
@@ -102,7 +114,10 @@ REVOKE SYSTEM MODIFYCLUSTERSETTING FROM testuser query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} statement ok GRANT SYSTEM MODIFYCLUSTERSETTING TO testuser WITH GRANT OPTION @@ -110,8 +125,11 @@ GRANT SYSTEM MODIFYCLUSTERSETTING TO testuser WITH GRANT OPTION query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} -testuser /global/ {MODIFYCLUSTERSETTING} {MODIFYCLUSTERSETTING} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} +testuser /global/ {MODIFYCLUSTERSETTING} {MODIFYCLUSTERSETTING} statement ok REVOKE SYSTEM MODIFYCLUSTERSETTING FROM testuser @@ -119,7 +137,10 @@ REVOKE SYSTEM MODIFYCLUSTERSETTING FROM testuser query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} # test VIEWCLUSTERSETTING user testuser 
@@ -142,8 +163,11 @@ user root query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} -testuser /global/ {VIEWCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} +testuser /global/ {VIEWCLUSTERSETTING} {} statement ok REVOKE SYSTEM VIEWCLUSTERSETTING FROM testuser @@ -156,9 +180,12 @@ SELECT * FROM crdb_internal.cluster_settings; user root query TTTT -SELECT * FROM system.privileges +SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} # test VIEWACTIVITY user testuser @@ -181,8 +208,11 @@ user root query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} -testuser /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} +testuser /global/ {VIEWACTIVITY} {} statement ok REVOKE SYSTEM VIEWACTIVITY FROM testuser 
@@ -195,9 +225,12 @@ SELECT * FROM crdb_internal.node_statement_statistics; user root query TTTT -SELECT * FROM system.privileges +SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} # test VIEWACTIVITYREDACTED user testuser @@ -220,8 +253,11 @@ user root query TTTT SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} -testuser /global/ {VIEWACTIVITYREDACTED} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} +testuser /global/ {VIEWACTIVITYREDACTED} {} statement ok REVOKE SYSTEM VIEWACTIVITYREDACTED FROM testuser @@ -234,6 +270,9 @@ SELECT * FROM crdb_internal.node_statement_statistics; user root query TTTT -SELECT * FROM system.privileges +SELECT * FROM system.privileges ORDER BY 1, 2 ---- -root /global/ {MODIFYCLUSTERSETTING} {} +crdb_internal_cluster_activity_reader /global/ {VIEWACTIVITY} {} +crdb_internal_cluster_activity_writer /global/ {CANCELQUERY} {} +crdb_internal_cluster_metadata_reader /global/ {VIEWCLUSTERMETADATA,VIEWCLUSTERSETTING,VIEWDEBUG} {} +root /global/ {MODIFYCLUSTERSETTING} {} diff --git a/pkg/sql/logictest/testdata/logic_test/user b/pkg/sql/logictest/testdata/logic_test/user index a0856dff7b82..c1a5c8389e40 100644 --- a/pkg/sql/logictest/testdata/logic_test/user +++ b/pkg/sql/logictest/testdata/logic_test/user 
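Review bot: The hunks in `system_privileges` only add the three builtin-role rows to existing expected output; no visible section exercises the two privileges this commit introduces. The file already has grant/probe/revoke sections for `# test VIEWCLUSTERSETTING`, `# test VIEWACTIVITY` and `# test VIEWACTIVITYREDACTED`, so a matching `# test VIEWDEBUG and VIEWCLUSTERMETADATA` section after the final `@@ -234,6 +270,9 @@` hunk would keep it consistent, starting from `GRANT SYSTEM VIEWDEBUG TO testuser`. It would also help to grant `crdb_internal_cluster_metadata_reader` to `testuser` and check that a user without the role is still denied, since the commit description says VIEWDEBUG gates traces and debug endpoints. Equivalent coverage may live in `pkg/server/admin_test.go`, which is not visible here.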
@@ -8,10 +8,13 @@ on query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} statement ok CREATE USER user1 @@ -19,11 +22,14 @@ CREATE USER user1 query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -root · {admin} -testuser · {} -user1 · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +root · {admin} +testuser · {} +user1 · {} statement error pgcode 42710 a role/user named admin already exists CREATE USER admin @@ -91,16 +97,19 @@ PREPARE chpw2 AS ALTER USER blix WITH PASSWORD $1; query TTT colnames SHOW USERS ---- -username options member_of -admin · {} -foo · {} -foo-bar · {} -root · {admin} -testuser · {} -user1 · {} -user2 · {} -user3 · {} -ομηρος · {} +username options member_of +admin · {} +crdb_internal_cluster_activity_reader NOLOGIN {} +crdb_internal_cluster_activity_writer NOLOGIN {} +crdb_internal_cluster_metadata_reader NOLOGIN {} +foo · {} +foo-bar · {} +root · {admin} +testuser · {} +user1 · {} +user2 · {} +user3 · {} +ομηρος · {} statement error "": username is empty CREATE USER "" @@ -178,10 +187,13 @@ user root query TTT SELECT * FROM system.role_options ---- -testuser CREATEROLE NULL -user4 CREATEROLE NULL -user4 NOLOGIN NULL -user5 NOLOGIN NULL +crdb_internal_cluster_activity_reader NOLOGIN NULL +crdb_internal_cluster_activity_writer NOLOGIN NULL +crdb_internal_cluster_metadata_reader NOLOGIN NULL +testuser CREATEROLE NULL +user4 CREATEROLE NULL +user4 NOLOGIN NULL +user5 NOLOGIN NULL user testuser 
diff --git a/pkg/sql/opt/exec/execbuilder/testdata/explain b/pkg/sql/opt/exec/execbuilder/testdata/explain index 6386f823c4b8..604c61eeb3aa 100644 --- a/pkg/sql/opt/exec/execbuilder/testdata/explain +++ b/pkg/sql/opt/exec/execbuilder/testdata/explain @@ -669,47 +669,47 @@ distribution: local vectorized: true · • sort -│ estimated row count: 3 +│ estimated row count: 6 │ order: +username │ └── • render - │ estimated row count: 3 + │ estimated row count: 6 │ └── • group (hash) - │ estimated row count: 3 + │ estimated row count: 6 │ group by: username │ └── • sort - │ estimated row count: 3 + │ estimated row count: 6 │ order: +"role" │ └── • hash join (left outer) - │ estimated row count: 3 + │ estimated row count: 6 │ equality: (username) = (member) │ left cols are key │ ├── • group (hash) - │ │ estimated row count: 3 + │ │ estimated row count: 6 │ │ group by: username │ │ │ └── • window - │ │ estimated row count: 3 + │ │ estimated row count: 6 │ │ │ └── • render - │ │ estimated row count: 3 + │ │ estimated row count: 6 │ │ │ └── • merge join (left outer) - │ │ estimated row count: 3 + │ │ estimated row count: 6 │ │ equality: (username) = (username) │ │ left cols are key │ │ │ ├── • scan - │ │ estimated row count: 3 (100% of the table; stats collected ago) + │ │ estimated row count: 6 (100% of the table; stats collected ago) │ │ table: users@primary │ │ spans: FULL SCAN │ │ │ └── • scan - │ estimated row count: 1 (100% of the table; stats collected ago) + │ estimated row count: 3 (100% of the table; stats collected ago) │ table: role_options@primary │ spans: FULL SCAN │ diff --git a/pkg/sql/parser/sql.y b/pkg/sql/parser/sql.y index 03351e83b417..688677aa841c 100644 --- a/pkg/sql/parser/sql.y +++ b/pkg/sql/parser/sql.y 
@@ -926,8 +926,8 @@ func (u *sqlSymUnion) routineBody() *tree.RoutineBody { %token UNBOUNDED UNCOMMITTED UNION UNIQUE UNKNOWN UNLOGGED UNSPLIT %token UPDATE UPSERT UNSET UNTIL USE USER USERS USING UUID -%token VALID VALIDATE VALUE VALUES VARBIT VARCHAR VARIADIC VIEW VARYING VIEWACTIVITY VIEWACTIVITYREDACTED -%token VIEWCLUSTERSETTING VIRTUAL VISIBLE VOLATILE VOTERS +%token VALID VALIDATE VALUE VALUES VARBIT VARCHAR VARIADIC VIEW VARYING VIEWACTIVITY VIEWACTIVITYREDACTED VIEWDEBUG +%token VIEWCLUSTERMETADATA VIEWCLUSTERSETTING VIRTUAL VISIBLE VOLATILE VOTERS %token WHEN WHERE WINDOW WITH WITHIN WITHOUT WORK WRITE @@ -14980,7 +14980,9 @@ unreserved_keyword: | VIEW | VIEWACTIVITY | VIEWACTIVITYREDACTED +| VIEWCLUSTERMETADATA | VIEWCLUSTERSETTING +| VIEWDEBUG | VISIBLE | VOLATILE | VOTERS diff --git a/pkg/sql/pgwire/pgwire_test.go b/pkg/sql/pgwire/pgwire_test.go index 2e4ee5a77bca..30878edafcf3 100644 --- a/pkg/sql/pgwire/pgwire_test.go +++ b/pkg/sql/pgwire/pgwire_test.go @@ -589,6 +589,9 @@ func TestPGPreparedQuery(t *testing.T) { {"SHOW USERS", []preparedQueryTest{ baseTest.Results("abc", "", "{}"). Results("admin", "", "{}"). + Results("crdb_internal_cluster_activity_reader", "NOLOGIN", "{}"). + Results("crdb_internal_cluster_activity_writer", "NOLOGIN", "{}"). + Results("crdb_internal_cluster_metadata_reader", "NOLOGIN", "{}"). Results("root", "", "{admin}"). Results("woo", "", "{}"), }}, diff --git a/pkg/sql/privilege/kind_string.go b/pkg/sql/privilege/kind_string.go index 396cfe3c3e68..67157a8514f8 100644 --- a/pkg/sql/privilege/kind_string.go +++ b/pkg/sql/privilege/kind_string.go 
@@ -28,11 +28,13 @@ func _() { _ = x[CANCELQUERY-18] _ = x[NOSQLLOGIN-19] _ = x[EXECUTE-20] + _ = x[VIEWCLUSTERMETADATA-21] + _ = x[VIEWDEBUG-22] } -const _Kind_name = "ALLCREATEDROPGRANTSELECTINSERTDELETEUPDATEUSAGEZONECONFIGCONNECTRULEMODIFYCLUSTERSETTINGEXTERNALCONNECTIONVIEWACTIVITYVIEWACTIVITYREDACTEDVIEWCLUSTERSETTINGCANCELQUERYNOSQLLOGINEXECUTE" +const _Kind_name = "ALLCREATEDROPGRANTSELECTINSERTDELETEUPDATEUSAGEZONECONFIGCONNECTRULEMODIFYCLUSTERSETTINGEXTERNALCONNECTIONVIEWACTIVITYVIEWACTIVITYREDACTEDVIEWCLUSTERSETTINGCANCELQUERYNOSQLLOGINEXECUTEVIEWCLUSTERMETADATAVIEWDEBUG" -var _Kind_index = [...]uint8{0, 3, 9, 13, 18, 24, 30, 36, 42, 47, 57, 64, 68, 88, 106, 118, 138, 156, 167, 177, 184} +var _Kind_index = [...]uint8{0, 3, 9, 13, 18, 24, 30, 36, 42, 47, 57, 64, 68, 88, 106, 118, 138, 156, 167, 177, 184, 203, 212} func (i Kind) String() string { i -= 1 diff --git a/pkg/sql/privilege/privilege.go b/pkg/sql/privilege/privilege.go index 7d798da6196e..c4b720a61d4d 100644 --- a/pkg/sql/privilege/privilege.go +++ b/pkg/sql/privilege/privilege.go @@ -53,6 +53,8 @@ const ( CANCELQUERY Kind = 18 NOSQLLOGIN Kind = 19 EXECUTE Kind = 20 + VIEWCLUSTERMETADATA Kind = 21 + VIEWDEBUG Kind = 22 ) // Privilege represents a privilege parsed from an Access Privilege Inquiry @@ -113,7 +115,7 @@ var ( // certain privileges unavailable after upgrade migration. // Note that "CREATE, INSERT, DELETE, ZONECONFIG" are no-op privileges on sequences. SequencePrivileges = List{ALL, USAGE, SELECT, UPDATE, CREATE, DROP, INSERT, DELETE, ZONECONFIG} - SystemPrivileges = List{ALL, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN} + SystemPrivileges = List{ALL, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG} ) // Mask returns the bitmask for a given privilege. 
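Review bot: In `privilege.go`, the two new kinds are added to the const block and to `SystemPrivileges` with no comment saying what they gate, and that list also contains `ALL`. If `ALL` expands to every entry in the list (the expansion is not shown in these hunks), existing holders of SYSTEM ALL would gain access to traces, debug endpoints and the node and range reports on upgrade, which should be a deliberate choice stated next to the list. A comment above the new constants such as `// VIEWDEBUG gates traces and debug endpoints; VIEWCLUSTERMETADATA gates the node and range reports.` would record the intent given in the commit message.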
@@ -128,8 +130,7 @@ func (k Kind) IsSetIn(bits uint32) bool { // ByValue is just an array of privilege kinds sorted by value. var ByValue = [...]Kind{ - ALL, CREATE, DROP, SELECT, INSERT, DELETE, UPDATE, USAGE, ZONECONFIG, CONNECT, RULE, MODIFYCLUSTERSETTING, - EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, EXECUTE, + ALL, CREATE, DROP, SELECT, INSERT, DELETE, UPDATE, USAGE, ZONECONFIG, CONNECT, RULE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED, VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, EXECUTE, VIEWCLUSTERMETADATA, VIEWDEBUG, } // ByName is a map of string -> kind value. @@ -153,6 +154,8 @@ var ByName = map[string]Kind{ "CANCELQUERY": CANCELQUERY, "NOSQLLOGIN": NOSQLLOGIN, "EXECUTE": EXECUTE, + "VIEWCLUSTERMETADATA": VIEWCLUSTERMETADATA, + "VIEWDEBUG": VIEWDEBUG, } // List is a list of privileges. diff --git a/pkg/sql/schemachanger/schemachanger_test.go b/pkg/sql/schemachanger/schemachanger_test.go index 191e8690b3f0..8dc07b2893a6 100644 --- a/pkg/sql/schemachanger/schemachanger_test.go +++ b/pkg/sql/schemachanger/schemachanger_test.go 
@@ -183,6 +183,12 @@ func TestSchemaChangeWaitsForOtherSchemaChanges(t *testing.T) { jobspb.TypeSchemaChange.String(), jobspb.TypeNewSchemaChange.String(), ), [][]string{ + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), "updating version for users table"}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), "updating version for role options table"}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), "updating version for users table"}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), "updating version for role options table"}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), "updating version for users table"}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), "updating version for role options table"}, {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), `CREATE INDEX idx ON db.public.t (a)`}, {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded), `CREATE INDEX idx2 ON db.public.t (a)`}, {jobspb.TypeNewSchemaChange.String(), string(jobs.StatusSucceeded), `ALTER TABLE db.public.t ADD COLUMN b INT8 DEFAULT 1`}, @@ -306,6 +312,12 @@ func TestSchemaChangeWaitsForOtherSchemaChanges(t *testing.T) { jobspb.TypeSchemaChange.String(), jobspb.TypeNewSchemaChange.String(), ), [][]string{ + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeNewSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeNewSchemaChange.String(), string(jobs.StatusSucceeded)}, }, 
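Review bot: The six added `updating version for users table` / `updating version for role options table` rows tie this expectation to the number of built-in roles the startup migrations create, which is unrelated to what `TestSchemaChangeWaitsForOtherSchemaChanges` verifies. The same six rows are repeated in the hunk at -306 and in the two later hunks for this file, so any future built-in role means editing all four lists. It would be more robust to keep these jobs out of the result, for instance by filtering on the job description. The query text lies outside these hunks, so the exact filter would need checking against it.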
@@ -396,6 +408,12 @@ func TestSchemaChangeWaitsForOtherSchemaChanges(t *testing.T) { jobspb.TypeSchemaChange.String(), jobspb.TypeNewSchemaChange.String(), ), [][]string{ + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeNewSchemaChange.String(), string(jobs.StatusSucceeded)}, @@ -490,6 +508,12 @@ func TestSchemaChangeWaitsForOtherSchemaChanges(t *testing.T) { jobspb.TypeSchemaChange.String(), jobspb.TypeNewSchemaChange.String(), ), [][]string{ + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, + {jobspb.TypeSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeNewSchemaChange.String(), string(jobs.StatusSucceeded)}, {jobspb.TypeNewSchemaChange.String(), string(jobs.StatusSucceeded)}, }, diff --git a/pkg/startupmigrations/migrations.go b/pkg/startupmigrations/migrations.go index cea7ef0d2474..618f674c768a 100644 --- a/pkg/startupmigrations/migrations.go +++ b/pkg/startupmigrations/migrations.go 
@@ -299,6 +299,21 @@ var backwardCompatibleMigrations = []migrationDescriptor{ // Introduced in v20.2. name: "mark non-terminal schema change jobs with a pre-20.1 format version as failed", }, + { + // Introduced in v22.2. + name: "add crdb_internal_cluster_activity_reader role", + workFn: addClusterActivityReaderRole, + }, + { + // Introduced in v22.2. + name: "add crdb_internal_cluster_activity_writer role", + workFn: addClusterActivityWriterRole, + }, + { + // Introduced in v22.2. + name: "add crdb_internal_cluster_metadata_reader role", + workFn: addClusterMetadataReaderRole, + }, } func staticIDs( @@ -406,6 +421,35 @@ func (r runner) execAsRootWithRetry( return err } +// execAsNode executes a SQL statement as the node user. This should +// only be used internally when the operation is not started by a normal +// user. +func (r runner) execAsNode(ctx context.Context, opName, stmt string, qargs ...interface{}) error { + _, err := r.sqlExecutor.ExecEx(ctx, opName, nil, /* txn */ + sessiondata.InternalExecutorOverride{ + User: username.NodeUserName(), + }, + stmt, qargs...) + return err +} + +func (r runner) execAsNodeWithRetry( + ctx context.Context, opName string, stmt string, qargs ...interface{}, +) error { + // Retry a limited number of times because returning an error and letting + // the node kill itself is better than holding the migration lease for an + // arbitrarily long time. + var err error + for retry := retry.Start(retry.Options{MaxRetries: 5}); retry.Next(); { + err := r.execAsNode(ctx, opName, stmt, qargs...) + if err == nil { + break + } + log.Warningf(ctx, "failed to run %s: %v", stmt, err) + } + return err +} + // leaseManager is defined just to allow us to use a fake client.LeaseManager // when testing this package. type leaseManager interface { 
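Review bot: In `execAsNodeWithRetry`, the line `err := r.execAsNode(ctx, opName, stmt, qargs...)` inside the loop declares a new `err` that shadows the one declared above the loop, so the final `return err` always returns nil, even when every retry fails. The callers then treat a failed `CREATE ROLE` or `GRANT SYSTEM` as success, so a built-in role can end up missing or without its privileges with only a warning in the log. Assign to the outer variable instead: `err = r.execAsNode(ctx, opName, stmt, qargs...)`. The function also lacks the doc comment that `execAsNode` has; `// execAsNodeWithRetry runs execAsNode with a bounded number of retries and returns the last error.` would do.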
@@ -841,6 +885,47 @@ func disallowPublicUserOrRole(ctx context.Context, r runner) error { return nil } +func addClusterActivityReaderRole(ctx context.Context, r runner) error { + if !r.settings.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { + return nil + } + const createRoleStmt = `CREATE ROLE IF NOT EXISTS crdb_internal_cluster_activity_reader;` + const grantStmt = `GRANT SYSTEM VIEWACTIVITY TO crdb_internal_cluster_activity_reader;` + + err := r.execAsNodeWithRetry(ctx, "addClusterActivityReaderRole", createRoleStmt) + if err != nil { + return err + } + return r.execAsNodeWithRetry(ctx, "grantSystemPrivilegeToClusterActivityReader", grantStmt) +} + +func addClusterActivityWriterRole(ctx context.Context, r runner) error { + if !r.settings.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { + return nil + } + const createRoleStmt = `CREATE ROLE IF NOT EXISTS crdb_internal_cluster_activity_writer;` + const grantStmt = `GRANT SYSTEM CANCELQUERY TO crdb_internal_cluster_activity_writer;` + + err := r.execAsNodeWithRetry(ctx, "addClusterActivityWriterRole", createRoleStmt) + if err != nil { + return err + } + return r.execAsNodeWithRetry(ctx, "grantSystemprivilegeToClusterActivityWriter", grantStmt) +} + +func addClusterMetadataReaderRole(ctx context.Context, r runner) error { + if !r.settings.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) { + return nil + } + const createRoleStmt = `CREATE ROLE IF NOT EXISTS crdb_internal_cluster_metadata_reader;` + const grantStmt = `GRANT SYSTEM VIEWCLUSTERMETADATA, VIEWCLUSTERSETTING, VIEWDEBUG TO crdb_internal_cluster_metadata_reader;` + err := r.execAsNodeWithRetry(ctx, "addClusterMetadataReaderRole", createRoleStmt) + if err != nil { + return err + } + return r.execAsNodeWithRetry(ctx, "grantSystemPrivilegesToClusterMetadataReaderRole", grantStmt) +} + func createDefaultDbs(ctx context.Context, r runner) error { // Create the default databases. 
These are plain databases with // default permissions. Nothing special happens if they exist diff --git a/pkg/startupmigrations/migrations_test.go b/pkg/startupmigrations/migrations_test.go index 8b322678da4d..63d6449ba4fd 100644 --- a/pkg/startupmigrations/migrations_test.go +++ b/pkg/startupmigrations/migrations_test.go @@ -689,3 +689,43 @@ func TestUpdateSystemLocationData(t *testing.T) { t.Fatalf("Exected to find 0 rows in system.locations. Found %d instead", count) } } + +func TestBuiltinRolesExist(t *testing.T) { + defer leaktest.AfterTest(t)() + ctx := context.Background() + + mt := makeMigrationTest(ctx, t) + defer mt.close(ctx) + + readerMigration := mt.pop(t, "add crdb_internal_cluster_activity_reader role") + writerMigration := mt.pop(t, "add crdb_internal_cluster_activity_writer role") + metadataMigration := mt.pop(t, "add crdb_internal_cluster_metadata_reader role") + mt.start(t, base.TestServerArgs{}) + + var count int + readerRole := "crdb_internal_cluster_activity_reader" + writerRole := "crdb_internal_cluster_activity_writer" + metadataRole := "crdb_internal_cluster_metadata_reader" + tests := map[string]migrationDescriptor{ + readerRole: readerMigration, + writerRole: writerMigration, + metadataRole: metadataMigration, + } + for role, migration := range tests { + // Verify the roles don't exist in system.users + mt.sqlDB.QueryRow(t, `SELECT count(*) FROM system.users WHERE username = $1`, role).Scan(&count) + require.Equal(t, 0, count) + + if err := mt.runMigration(ctx, migration); err != nil { + t.Errorf("expected success, got %q", err) + } + + // Verify the roles now exist in system.users + mt.sqlDB.QueryRow(t, `SELECT count(*) FROM system.users WHERE username = $1`, role).Scan(&count) + require.Equal(t, 1, count) + + // Verify the roles have system privileges + mt.sqlDB.QueryRow(t, `SELECT count(*) FROM system.privileges WHERE username = $1`, role).Scan(&count) + require.Equal(t, 1, count) + } +}
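Review bot: Each of the three `add…Role` functions returns nil when `clusterversion.SystemPrivilegesTable` is not yet active. If the runner records a migration as completed on a nil return (not visible in this hunk), a cluster that starts the new binary before that version is active would never get these roles or grants. The skip should either be documented in a comment on each function or moved to a step that runs once the version is active. Separately, `CREATE ROLE IF NOT EXISTS` followed by an unconditional `GRANT SYSTEM …` gives VIEWDEBUG, VIEWCLUSTERMETADATA and the other privileges to any role of the same name that an operator created earlier, with whatever login option and members it already has. It is worth confirming that the `crdb_internal_` names were reserved before this release, or checking the existing role's options before granting.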
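Review bot: `TestBuiltinRolesExist` only asserts that one row exists in `system.privileges` per role, so it would still pass if a migration granted the wrong privilege set or left the role able to log in. Consider asserting the granted privileges for each role (for the metadata reader: VIEWCLUSTERMETADATA, VIEWCLUSTERSETTING and VIEWDEBUG) and the NOLOGIN entry in `system.role_options`. Using `require.NoError(t, mt.runMigration(ctx, migration))` instead of `t.Errorf` would also stop the iteration on a failed migration rather than falling through to the count checks.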