sql: update SHOW GRANTS ON DATABASE to include grant options

refs #73394

Release note (sql): SHOW GRANTS ON DATABASE includes is_grantable column

pkg/ccl/backupccl/restore_old_versions_test.go

@@ -439,9 +439,9 @@ func restoreV201ZoneconfigPrivilegeTest(exportDir string) func(t *testing.T) {
 		require.NoError(t, err)
 		sqlDB.Exec(t, `RESTORE FROM $1`, LocalFoo)
 		testDBGrants := [][]string{
-			{"test", "admin", "ALL"},
-			{"test", "root", "ALL"},
-			{"test", "testuser", "ZONECONFIG"},
+			{"test", "admin", "ALL", "true"},
+			{"test", "root", "ALL", "true"},
+			{"test", "testuser", "ZONECONFIG", "false"},
 		}
 		sqlDB.CheckQueryResults(t, `show grants on database test`, testDBGrants)
 

pkg/ccl/backupccl/testdata/backup-restore/restore-grants

@@ -51,7 +51,7 @@ CREATE TABLE testdb.testtable_greeting_owner (a testdb.greeting_owner);
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR user1;
 ----
-testdb user1 ALL
+testdb user1 ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA public FOR user1;
@@ -76,7 +76,7 @@ SHOW GRANTS ON TABLE testdb.testtable_simple FOR user1;
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR testuser;
 ----
-testdb testuser ALL
+testdb testuser ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA public FOR testuser;
@@ -155,10 +155,10 @@ RESTORE testdb.sc.othertable, testdb.testtable_greeting_usage FROM 'nodelocal://
 query-sql
 SHOW GRANTS ON DATABASE testuser_db;
 ----
-testuser_db admin ALL
-testuser_db public CONNECT
-testuser_db root ALL
-testuser_db testuser CREATE
+testuser_db admin ALL true
+testuser_db public CONNECT false
+testuser_db root ALL true
+testuser_db testuser CREATE false
 
 query-sql
 SHOW GRANTS ON SCHEMA public;
@@ -296,7 +296,7 @@ SHOW GRANTS ON testdb.sc.othertable FOR testuser;
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR admin;
 ----
-testdb admin ALL
+testdb admin ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA testdb.public FOR admin;
@@ -387,7 +387,7 @@ SHOW GRANTS ON testdb.sc.othertable FOR testuser;
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR admin;
 ----
-testdb admin ALL
+testdb admin ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA testdb.public FOR admin;
@@ -433,7 +433,7 @@ RESTORE FROM 'nodelocal://0/test/';
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR user1;
 ----
-testdb user1 ALL
+testdb user1 ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA testdb.public FOR user1;
@@ -458,7 +458,7 @@ SHOW GRANTS ON TABLE testdb.testtable_simple FOR user1;
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR testuser;
 ----
-testdb testuser ALL
+testdb testuser ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA testdb.public FOR testuser;
@@ -496,7 +496,7 @@ ALTER TYPE testdb.greeting_owner ADD VALUE 'new' BEFORE 'howdy';
 query-sql
 SHOW GRANTS ON DATABASE testdb FOR admin;
 ----
-testdb admin ALL
+testdb admin ALL true
 
 query-sql
 SHOW GRANTS ON SCHEMA testdb.public FOR admin;

pkg/sql/crdb_internal.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/build"
+	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/gossip"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
@@ -4569,7 +4570,8 @@ var crdbInternalClusterDatabasePrivilegesTable = virtualSchemaTable{
 CREATE TABLE crdb_internal.cluster_database_privileges (
 	database_name   STRING NOT NULL,
 	grantee         STRING NOT NULL,
-	privilege_type  STRING NOT NULL
+	privilege_type  STRING NOT NULL,
+	is_grantable 		STRING
 )`,
 	populate: func(ctx context.Context, p *planner, dbContext catalog.DatabaseDescriptor, addRow func(...tree.Datum) error) error {
 		return forEachDatabaseDesc(ctx, p, dbContext, true, /* requiresPrivileges */
@@ -4578,13 +4580,21 @@ CREATE TABLE crdb_internal.cluster_database_privileges (
 				dbNameStr := tree.NewDString(db.GetName())
 				// TODO(knz): This should filter for the current user, see
 				// https://github.com/cockroachdb/cockroach/issues/35572
+				populateGrantOption := p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption)
 				for _, u := range privs {
 					userNameStr := tree.NewDString(u.User.Normalized())
 					for _, priv := range u.Privileges {
+						var isGrantable tree.Datum
+						if populateGrantOption {
+							isGrantable = yesOrNoDatum(priv.GrantOption)
+						} else {
+							isGrantable = tree.DNull
+						}
 						if err := addRow(
 							dbNameStr,                           // database_name
 							userNameStr,                         // grantee
 							tree.NewDString(priv.Kind.String()), // privilege_type
+							isGrantable,                         // is_grantable
 						); err != nil {
 							return err
 						}

pkg/sql/delegate/show_grants.go

@@ -34,7 +34,8 @@ func (d *delegator) delegateShowGrants(n *tree.ShowGrants) (tree.Statement, erro
 	const dbPrivQuery = `
 SELECT database_name,
        grantee,
-       privilege_type
+       privilege_type,
+			 is_grantable::boolean
   FROM "".crdb_internal.cluster_database_privileges`
 	const schemaPrivQuery = `
 SELECT table_catalog AS database_name,

pkg/sql/logictest/testdata/logic_test/crdb_internal

@@ -951,27 +951,27 @@ subtest cluster_database_privileges
 statement ok
 CREATE DATABASE other_db; SET DATABASE = other_db
 
-query TTT colnames
+query TTTT colnames
 SELECT * FROM crdb_internal.cluster_database_privileges
 ----
-database_name  grantee  privilege_type
-other_db       admin    ALL
-other_db       public   CONNECT
-other_db       root     ALL
+database_name  grantee  privilege_type  is_grantable
+other_db       admin    ALL             YES
+other_db       public   CONNECT         NO
+other_db       root     ALL             YES
 
 statement ok
 GRANT CONNECT ON DATABASE other_db TO testuser;
 GRANT DROP ON DATABASE other_db TO testuser
 
-query TTT colnames
+query TTTT colnames
 SELECT * FROM crdb_internal.cluster_database_privileges
 ----
-database_name  grantee   privilege_type
-other_db       admin     ALL
-other_db       public    CONNECT
-other_db       root      ALL
-other_db       testuser  CONNECT
-other_db       testuser  DROP
+database_name  grantee   privilege_type  is_grantable
+other_db       admin     ALL             YES
+other_db       public    CONNECT         NO
+other_db       root      ALL             YES
+other_db       testuser  CONNECT         NO
+other_db       testuser  DROP            NO
 
 statement ok
 SET DATABASE = test
@@ -980,56 +980,56 @@ SET DATABASE = test
 # It should show information across all databases.
 subtest anonymous_database
 
-query TTT colnames
+query TTTT colnames
 SELECT * FROM "".crdb_internal.cluster_database_privileges ORDER BY 1,2,3
 ----
-database_name  grantee   privilege_type
-defaultdb      admin     ALL
-defaultdb      public    CONNECT
-defaultdb      root      ALL
-other_db       admin     ALL
-other_db       public    CONNECT
-other_db       root      ALL
-other_db       testuser  CONNECT
-other_db       testuser  DROP
-postgres       admin     ALL
-postgres       public    CONNECT
-postgres       root      ALL
-system         admin     GRANT
-system         root      GRANT
-test           admin     ALL
-test           public    CONNECT
-test           root      ALL
-testdb         admin     ALL
-testdb         public    CONNECT
-testdb         root      ALL
+database_name  grantee   privilege_type  is_grantable
+defaultdb      admin     ALL             YES
+defaultdb      public    CONNECT         NO
+defaultdb      root      ALL             YES
+other_db       admin     ALL             YES
+other_db       public    CONNECT         NO
+other_db       root      ALL             YES
+other_db       testuser  CONNECT         NO
+other_db       testuser  DROP            NO
+postgres       admin     ALL             YES
+postgres       public    CONNECT         NO
+postgres       root      ALL             YES
+system         admin     GRANT           YES
+system         root      GRANT           YES
+test           admin     ALL             YES
+test           public    CONNECT         NO
+test           root      ALL             YES
+testdb         admin     ALL             YES
+testdb         public    CONNECT         NO
+testdb         root      ALL             YES
 
 statement ok
 SET DATABASE = "";
 
-query TTT colnames
+query TTTT colnames
 SELECT * FROM crdb_internal.cluster_database_privileges ORDER BY 1,2,3
 ----
-database_name  grantee   privilege_type
-defaultdb      admin     ALL
-defaultdb      public    CONNECT
-defaultdb      root      ALL
-other_db       admin     ALL
-other_db       public    CONNECT
-other_db       root      ALL
-other_db       testuser  CONNECT
-other_db       testuser  DROP
-postgres       admin     ALL
-postgres       public    CONNECT
-postgres       root      ALL
-system         admin     GRANT
-system         root      GRANT
-test           admin     ALL
-test           public    CONNECT
-test           root      ALL
-testdb         admin     ALL
-testdb         public    CONNECT
-testdb         root      ALL
+database_name  grantee   privilege_type  is_grantable
+defaultdb      admin     ALL             YES
+defaultdb      public    CONNECT         NO
+defaultdb      root      ALL             YES
+other_db       admin     ALL             YES
+other_db       public    CONNECT         NO
+other_db       root      ALL             YES
+other_db       testuser  CONNECT         NO
+other_db       testuser  DROP            NO
+postgres       admin     ALL             YES
+postgres       public    CONNECT         NO
+postgres       root      ALL             YES
+system         admin     GRANT           YES
+system         root      GRANT           YES
+test           admin     ALL             YES
+test           public    CONNECT         NO
+test           root      ALL             YES
+testdb         admin     ALL             YES
+testdb         public    CONNECT         NO
+testdb         root      ALL             YES
 
 statement ok
 SET DATABASE = test

pkg/sql/logictest/testdata/logic_test/create_statements

@@ -212,11 +212,13 @@ CREATE TABLE crdb_internal.cluster_contention_events (
 CREATE TABLE crdb_internal.cluster_database_privileges (
    database_name STRING NOT NULL,
    grantee STRING NOT NULL,
-   privilege_type STRING NOT NULL
+   privilege_type STRING NOT NULL,
+   is_grantable STRING NULL
 )  CREATE TABLE crdb_internal.cluster_database_privileges (
    database_name STRING NOT NULL,
    grantee STRING NOT NULL,
-   privilege_type STRING NOT NULL
+   privilege_type STRING NOT NULL,
+   is_grantable STRING NULL
 )  {}  {}
 CREATE TABLE crdb_internal.cluster_distsql_flows (
    flow_id UUID NOT NULL,