Merge pull request #56117 from solongordon/backport20.2-54712

release-20.2: sql: schemas only inherit valid privileges from db
cockroachdb · Oct 30, 2020 · 150c591 · 150c591
2 parents d67a35e + d882a51
commit 150c591
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/pkg/sql/create_schema.go b/pkg/sql/create_schema.go
@@ -95,8 +95,12 @@ func (p *planner) createUserDefinedSchema(params runParams, n *tree.CreateSchema
 		return err
 	}
 
-	// Inherit the parent privileges.
+	// Inherit the parent privileges and filter out those which are not valid for
+	// schemas.
 	privs := protoutil.Clone(db.GetPrivileges()).(*descpb.PrivilegeDescriptor)
+	for i := range privs.Users {
+		privs.Users[i].Privileges &= privilege.SchemaPrivileges.ToBitField()
+	}
 
 	if n.AuthRole != "" {
 		exists, err := p.RoleExists(params.ctx, n.AuthRole)

diff --git a/pkg/sql/logictest/testdata/logic_test/schema b/pkg/sql/logictest/testdata/logic_test/schema
@@ -543,3 +543,29 @@ query I colnames
 SELECT * FROM testuser.test_table
 ----
 a
+
+# Ensure that when we create a schema, it inherits privileges from its parent
+# database, but only those which are valid for schemas.
+subtest create_schema_inherits_db_privileges
+
+user root
+
+statement ok
+CREATE DATABASE d54662;
+GRANT CREATE, SELECT ON DATABASE d54662 TO testuser;
+USE d54662;
+CREATE SCHEMA s
+
+query T
+SELECT privilege_type FROM [SHOW GRANTS ON schema s FOR testuser]
+----
+CREATE
+
+statement ok
+GRANT USAGE ON SCHEMA s TO testuser
+
+query T rowsort
+SELECT privilege_type FROM [SHOW GRANTS ON schema s FOR testuser]
+----
+CREATE
+USAGE