diff --git a/pkg/ccl/backupccl/restore_old_versions_test.go b/pkg/ccl/backupccl/restore_old_versions_test.go index c90682667297..ba705e601443 100644 --- a/pkg/ccl/backupccl/restore_old_versions_test.go +++ b/pkg/ccl/backupccl/restore_old_versions_test.go @@ -439,9 +439,9 @@ func restoreV201ZoneconfigPrivilegeTest(exportDir string) func(t *testing.T) { require.NoError(t, err) sqlDB.Exec(t, `RESTORE FROM $1`, LocalFoo) testDBGrants := [][]string{ - {"test", "admin", "ALL"}, - {"test", "root", "ALL"}, - {"test", "testuser", "ZONECONFIG"}, + {"test", "admin", "ALL", "true"}, + {"test", "root", "ALL", "true"}, + {"test", "testuser", "ZONECONFIG", "false"}, } sqlDB.CheckQueryResults(t, `show grants on database test`, testDBGrants) diff --git a/pkg/ccl/backupccl/testdata/backup-restore/restore-grants b/pkg/ccl/backupccl/testdata/backup-restore/restore-grants index 0f43ad92868f..78abdc998274 100644 --- a/pkg/ccl/backupccl/testdata/backup-restore/restore-grants +++ b/pkg/ccl/backupccl/testdata/backup-restore/restore-grants @@ -51,7 +51,7 @@ CREATE TABLE testdb.testtable_greeting_owner (a testdb.greeting_owner); query-sql SHOW GRANTS ON DATABASE testdb FOR user1; ---- -testdb user1 ALL +testdb user1 ALL true query-sql SHOW GRANTS ON SCHEMA public FOR user1; @@ -76,7 +76,7 @@ SHOW GRANTS ON TABLE testdb.testtable_simple FOR user1; query-sql SHOW GRANTS ON DATABASE testdb FOR testuser; ---- -testdb testuser ALL +testdb testuser ALL true query-sql SHOW GRANTS ON SCHEMA public FOR testuser; @@ -155,10 +155,10 @@ RESTORE testdb.sc.othertable, testdb.testtable_greeting_usage FROM 'nodelocal:// query-sql SHOW GRANTS ON DATABASE testuser_db; ---- -testuser_db admin ALL -testuser_db public CONNECT -testuser_db root ALL -testuser_db testuser CREATE +testuser_db admin ALL true +testuser_db public CONNECT false +testuser_db root ALL true +testuser_db testuser CREATE false query-sql SHOW GRANTS ON SCHEMA public; 
@@ -296,7 +296,7 @@ SHOW GRANTS ON testdb.sc.othertable FOR testuser; query-sql SHOW GRANTS ON DATABASE testdb FOR admin; ---- -testdb admin ALL +testdb admin ALL true query-sql SHOW GRANTS ON SCHEMA testdb.public FOR admin; @@ -387,7 +387,7 @@ SHOW GRANTS ON testdb.sc.othertable FOR testuser; query-sql SHOW GRANTS ON DATABASE testdb FOR admin; ---- -testdb admin ALL +testdb admin ALL true query-sql SHOW GRANTS ON SCHEMA testdb.public FOR admin; @@ -433,7 +433,7 @@ RESTORE FROM 'nodelocal://0/test/'; query-sql SHOW GRANTS ON DATABASE testdb FOR user1; ---- -testdb user1 ALL +testdb user1 ALL true query-sql SHOW GRANTS ON SCHEMA testdb.public FOR user1; @@ -458,7 +458,7 @@ SHOW GRANTS ON TABLE testdb.testtable_simple FOR user1; query-sql SHOW GRANTS ON DATABASE testdb FOR testuser; ---- -testdb testuser ALL +testdb testuser ALL true query-sql SHOW GRANTS ON SCHEMA testdb.public FOR testuser; @@ -496,7 +496,7 @@ ALTER TYPE testdb.greeting_owner ADD VALUE 'new' BEFORE 'howdy'; query-sql SHOW GRANTS ON DATABASE testdb FOR admin; ---- -testdb admin ALL +testdb admin ALL true query-sql SHOW GRANTS ON SCHEMA testdb.public FOR admin; diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go index 7856ebb28026..773a01374b7f 100644 --- a/pkg/sql/crdb_internal.go +++ b/pkg/sql/crdb_internal.go @@ -23,6 +23,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/base" "github.com/cockroachdb/cockroach/pkg/build" + "github.com/cockroachdb/cockroach/pkg/clusterversion" "github.com/cockroachdb/cockroach/pkg/config/zonepb" "github.com/cockroachdb/cockroach/pkg/gossip" "github.com/cockroachdb/cockroach/pkg/jobs" 
@@ -4569,7 +4570,8 @@ var crdbInternalClusterDatabasePrivilegesTable = virtualSchemaTable{
 CREATE TABLE crdb_internal.cluster_database_privileges (
 database_name STRING NOT NULL,
 grantee STRING NOT NULL,
- privilege_type STRING NOT NULL
+ privilege_type STRING NOT NULL,
+ is_grantable STRING
 )`,
 populate: func(ctx context.Context, p *planner, dbContext catalog.DatabaseDescriptor, addRow func(...tree.Datum) error) error {
 return forEachDatabaseDesc(ctx, p, dbContext, true, /* requiresPrivileges */
@@ -4578,13 +4580,21 @@ CREATE TABLE crdb_internal.cluster_database_privileges (
 dbNameStr := tree.NewDString(db.GetName())
 // TODO(knz): This should filter for the current user, see
 // https://github.com/cockroachdb/cockroach/issues/35572
+ populateGrantOption := p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption)
 for _, u := range privs {
 userNameStr := tree.NewDString(u.User.Normalized())
 for _, priv := range u.Privileges {
+ var isGrantable tree.Datum
+ if populateGrantOption {
+ isGrantable = yesOrNoDatum(priv.GrantOption)
+ } else {
+ isGrantable = tree.DNull
+ }
 if err := addRow(
 dbNameStr, // database_name
 userNameStr, // grantee
 tree.NewDString(priv.Kind.String()), // privilege_type
+ isGrantable, // is_grantable
 ); err != nil {
 return err
 }
diff --git a/pkg/sql/delegate/show_grants.go b/pkg/sql/delegate/show_grants.go
index 989e5116bc3e..1b9bdd08be2e 100644
--- a/pkg/sql/delegate/show_grants.go
+++ b/pkg/sql/delegate/show_grants.go
@@ -34,7 +34,8 @@ func (d *delegator) delegateShowGrants(n *tree.ShowGrants) (tree.Statement, erro
 const dbPrivQuery = `
 SELECT database_name,
 grantee,
- privilege_type
+ privilege_type,
+ is_grantable::boolean
 FROM "".crdb_internal.cluster_database_privileges`
 const schemaPrivQuery = `
 SELECT table_catalog AS database_name,
diff --git a/pkg/sql/logictest/testdata/logic_test/crdb_internal b/pkg/sql/logictest/testdata/logic_test/crdb_internal
index b9ebff8fecd8..228aaac9941a 100644
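Review bot: The new `is_grantable` column is the only nullable column in `cluster_database_privileges` and the only one whose value is gated on a cluster version, and neither the schema hunk (@@ -4569) nor the `var isGrantable` block in @@ -4578 of crdb_internal.go says why it can be NULL; a comment above `var isGrantable tree.Datum` such as `// is_grantable is NULL until ValidateGrantOption is active: before that the GrantOption bits presumably have not been validated, so they are not reported - confirm.` would spare the next reader from reverse-engineering the gate. As a point of style, `populateGrantOption` is computed inside the per-database callback, so the `IsActive` check runs once per database although it does not depend on `db`; it could be hoisted above the `return forEachDatabaseDesc(` line in @@ -4569 and evaluated once per query. The callback's own header sits between the two hunks and is outside this view, so the exact hoisting point cannot be confirmed from here. Note also that the `YES`/`NO` strings produced by `yesOrNoDatum` are what the `is_grantable::boolean` cast in show_grants.go depends on, so the two sites should be changed together if the representation ever changes.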
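Review bot: `is_grantable::boolean` in `dbPrivQuery` silently relies on the virtual table emitting `YES`/`NO` (or NULL in a mixed-version cluster) and on the boolean parser accepting those spellings, which nothing in the query string records; a comment on the `const dbPrivQuery = \`` line, `// is_grantable is YES/NO from crdb_internal, or NULL before ValidateGrantOption is active; cast to BOOL so the column matches the table-level grants output.`, would make that dependency visible. The rest of delegateShowGrants, including `schemaPrivQuery` and any UNION that combines these per-object queries, is outside the hunk; if the queries are unioned, the fourth column of each sibling must be boolean-typed for the statement to type-check, which should be verified where the union is built. A NULL value survives the cast as NULL rather than collapsing to false, which is the right signal that the grant-option state is unknown rather than absent.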
--- a/pkg/sql/logictest/testdata/logic_test/crdb_internal +++ b/pkg/sql/logictest/testdata/logic_test/crdb_internal @@ -951,27 +951,27 @@ subtest cluster_database_privileges statement ok CREATE DATABASE other_db; SET DATABASE = other_db -query TTT colnames +query TTTT colnames SELECT * FROM crdb_internal.cluster_database_privileges ---- -database_name grantee privilege_type -other_db admin ALL -other_db public CONNECT -other_db root ALL +database_name grantee privilege_type is_grantable +other_db admin ALL YES +other_db public CONNECT NO +other_db root ALL YES statement ok GRANT CONNECT ON DATABASE other_db TO testuser; GRANT DROP ON DATABASE other_db TO testuser -query TTT colnames +query TTTT colnames SELECT * FROM crdb_internal.cluster_database_privileges ---- -database_name grantee privilege_type -other_db admin ALL -other_db public CONNECT -other_db root ALL -other_db testuser CONNECT -other_db testuser DROP +database_name grantee privilege_type is_grantable +other_db admin ALL YES +other_db public CONNECT NO +other_db root ALL YES +other_db testuser CONNECT NO +other_db testuser DROP NO statement ok SET DATABASE = test 
@@ -980,56 +980,56 @@ SET DATABASE = test # It should show information across all databases. subtest anonymous_database -query TTT colnames +query TTTT colnames SELECT * FROM "".crdb_internal.cluster_database_privileges ORDER BY 1,2,3 ---- -database_name grantee privilege_type -defaultdb admin ALL -defaultdb public CONNECT -defaultdb root ALL -other_db admin ALL -other_db public CONNECT -other_db root ALL -other_db testuser CONNECT -other_db testuser DROP -postgres admin ALL -postgres public CONNECT -postgres root ALL -system admin GRANT -system root GRANT -test admin ALL -test public CONNECT -test root ALL -testdb admin ALL -testdb public CONNECT -testdb root ALL +database_name grantee privilege_type is_grantable +defaultdb admin ALL YES +defaultdb public CONNECT NO +defaultdb root ALL YES +other_db admin ALL YES +other_db public CONNECT NO +other_db root ALL YES +other_db testuser CONNECT NO +other_db testuser DROP NO +postgres admin ALL YES +postgres public CONNECT NO +postgres root ALL YES +system admin GRANT YES +system root GRANT YES +test admin ALL YES +test public CONNECT NO +test root ALL YES +testdb admin ALL YES +testdb public CONNECT NO +testdb root ALL YES statement ok SET DATABASE = ""; -query TTT colnames +query TTTT colnames SELECT * FROM crdb_internal.cluster_database_privileges ORDER BY 1,2,3 ---- -database_name grantee privilege_type -defaultdb admin ALL -defaultdb public CONNECT -defaultdb root ALL -other_db admin ALL -other_db public CONNECT -other_db root ALL -other_db testuser CONNECT -other_db testuser DROP -postgres admin ALL -postgres public CONNECT -postgres root ALL -system admin GRANT -system root GRANT -test admin ALL -test public CONNECT -test root ALL -testdb admin ALL -testdb public CONNECT -testdb root ALL +database_name grantee privilege_type is_grantable +defaultdb admin ALL YES +defaultdb public CONNECT NO +defaultdb root ALL YES +other_db admin ALL YES +other_db public CONNECT NO +other_db root ALL YES +other_db testuser 
CONNECT NO +other_db testuser DROP NO +postgres admin ALL YES +postgres public CONNECT NO +postgres root ALL YES +system admin GRANT YES +system root GRANT YES +test admin ALL YES +test public CONNECT NO +test root ALL YES +testdb admin ALL YES +testdb public CONNECT NO +testdb root ALL YES statement ok SET DATABASE = test diff --git a/pkg/sql/logictest/testdata/logic_test/create_statements b/pkg/sql/logictest/testdata/logic_test/create_statements index 19488cb1fd2e..afb15e8b3657 100644 --- a/pkg/sql/logictest/testdata/logic_test/create_statements +++ b/pkg/sql/logictest/testdata/logic_test/create_statements @@ -212,11 +212,13 @@ CREATE TABLE crdb_internal.cluster_contention_events ( CREATE TABLE crdb_internal.cluster_database_privileges ( database_name STRING NOT NULL, grantee STRING NOT NULL, - privilege_type STRING NOT NULL + privilege_type STRING NOT NULL, + is_grantable STRING NULL ) CREATE TABLE crdb_internal.cluster_database_privileges ( database_name STRING NOT NULL, grantee STRING NOT NULL, - privilege_type STRING NOT NULL + privilege_type STRING NOT NULL, + is_grantable STRING NULL ) {} {} CREATE TABLE crdb_internal.cluster_distsql_flows ( flow_id UUID NOT NULL, diff --git a/pkg/sql/logictest/testdata/logic_test/grant_database b/pkg/sql/logictest/testdata/logic_test/grant_database index 48d18813e4cd..8d442add136e 100644 --- a/pkg/sql/logictest/testdata/logic_test/grant_database +++ b/pkg/sql/logictest/testdata/logic_test/grant_database @@ -1,13 +1,13 @@ statement ok CREATE DATABASE a -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE a ---- -database_name grantee privilege_type -a admin ALL -a public CONNECT -a root ALL +database_name grantee privilege_type is_grantable +a admin ALL true +a public CONNECT false +a root ALL true statement error user root must have exactly ALL privileges on database "a" REVOKE CONNECT ON DATABASE a FROM root 
@@ -33,14 +33,14 @@ GRANT SELECT,ALL ON DATABASE a TO readwrite statement error syntax error REVOKE SELECT,ALL ON DATABASE a FROM readwrite -query TTT +query TTTB SHOW GRANTS ON DATABASE a ---- -a admin ALL -a public CONNECT -a readwrite ALL -a root ALL -a test-user ALL +a admin ALL true +a public CONNECT false +a readwrite ALL true +a root ALL true +a test-user ALL true # Create table to inherit DB permissions. statement ok 
@@ -55,81 +55,81 @@ a public t readwrite ALL true a public t root ALL true a public t test-user ALL true -query TTT +query TTTB SHOW GRANTS ON DATABASE a FOR readwrite, "test-user" ---- -a readwrite ALL -a test-user ALL +a readwrite ALL true +a test-user ALL true statement ok REVOKE CONNECT ON DATABASE a FROM "test-user",readwrite -query TTT +query TTTB SHOW GRANTS ON DATABASE a ---- -a admin ALL -a public CONNECT -a readwrite CREATE -a readwrite DROP -a readwrite GRANT -a readwrite ZONECONFIG -a root ALL -a test-user CREATE -a test-user DROP -a test-user GRANT -a test-user ZONECONFIG - -query TTT +a admin ALL true +a public CONNECT false +a readwrite CREATE true +a readwrite DROP true +a readwrite GRANT true +a readwrite ZONECONFIG true +a root ALL true +a test-user CREATE true +a test-user DROP true +a test-user GRANT true +a test-user ZONECONFIG true + +query TTTB SHOW GRANTS ON DATABASE a FOR readwrite, "test-user" ---- -a readwrite CREATE -a readwrite DROP -a readwrite GRANT -a readwrite ZONECONFIG -a test-user CREATE -a test-user DROP -a test-user GRANT -a test-user ZONECONFIG +a readwrite CREATE true +a readwrite DROP true +a readwrite GRANT true +a readwrite ZONECONFIG true +a test-user CREATE true +a test-user DROP true +a test-user GRANT true +a test-user ZONECONFIG true statement ok REVOKE CREATE ON DATABASE a FROM "test-user" -query TTT +query TTTB SHOW GRANTS ON DATABASE a ---- -a admin ALL -a public CONNECT -a readwrite CREATE -a readwrite DROP -a readwrite GRANT -a readwrite ZONECONFIG -a root ALL -a test-user DROP -a test-user GRANT -a test-user ZONECONFIG +a admin ALL true +a public CONNECT false +a readwrite CREATE true +a readwrite DROP true +a readwrite GRANT true +a readwrite ZONECONFIG true +a root ALL true +a test-user DROP true +a test-user GRANT true +a test-user ZONECONFIG true statement ok REVOKE ALL PRIVILEGES ON DATABASE a FROM "test-user" -query TTT +query TTTB SHOW GRANTS ON DATABASE a FOR readwrite, "test-user" ---- -a readwrite 
CREATE -a readwrite DROP -a readwrite GRANT -a readwrite ZONECONFIG +a readwrite CREATE true +a readwrite DROP true +a readwrite GRANT true +a readwrite ZONECONFIG true statement ok REVOKE ALL ON DATABASE a FROM readwrite,"test-user" -query TTT +query TTTB SHOW GRANTS ON DATABASE a ---- -a admin ALL -a public CONNECT -a root ALL +a admin ALL true +a public CONNECT false +a root ALL true -query TTT +query TTTB SHOW GRANTS ON DATABASE a FOR readwrite, "test-user" ---- diff --git a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option index a7fe4b2191d4..a4b1155b79eb 100644 --- a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option +++ b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option @@ -491,14 +491,14 @@ CREATE DATABASE d statement ok GRANT ALL PRIVILEGES ON DATABASE d TO testuser WITH GRANT OPTION -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE d ---- -database_name grantee privilege_type -d admin ALL -d public CONNECT -d root ALL -d testuser ALL +database_name grantee privilege_type is_grantable +d admin ALL true +d public CONNECT false +d root ALL true +d testuser ALL true # # Make testuser2 a member of testuser; it should inherit grant options @@ -512,15 +512,15 @@ user testuser2 statement ok GRANT CONNECT ON DATABASE d TO TARGET -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE d ---- -database_name grantee privilege_type -d admin ALL -d public CONNECT -d root ALL -d target CONNECT -d testuser ALL +database_name grantee privilege_type is_grantable +d admin ALL true +d public CONNECT false +d root ALL true +d target CONNECT false +d testuser ALL true user root 
@@ -546,30 +546,30 @@ GRANT CREATE ON DATABASE d TO target WITH GRANT OPTION user root -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE d ---- -database_name grantee privilege_type -d admin ALL -d public CONNECT -d root ALL -d target CONNECT -d testuser ALL -d testuser2 CONNECT -d testuser2 CREATE +database_name grantee privilege_type is_grantable +d admin ALL true +d public CONNECT false +d root ALL true +d target CONNECT true +d testuser ALL true +d testuser2 CONNECT true +d testuser2 CREATE false statement ok REVOKE ALL PRIVILEGES ON DATABASE d FROM testuser2 -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE d ---- -database_name grantee privilege_type -d admin ALL -d public CONNECT -d root ALL -d target CONNECT -d testuser ALL +database_name grantee privilege_type is_grantable +d admin ALL true +d public CONNECT false +d root ALL true +d target CONNECT true +d testuser ALL true user testuser2 diff --git a/pkg/sql/logictest/testdata/logic_test/grant_table b/pkg/sql/logictest/testdata/logic_test/grant_table index 734feb83cc3a..44c76de818cf 100644 --- a/pkg/sql/logictest/testdata/logic_test/grant_table +++ b/pkg/sql/logictest/testdata/logic_test/grant_table @@ -9,14 +9,14 @@ CREATE USER readwrite statement ok GRANT ALL ON DATABASE a TO readwrite -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE a ---- -database_name grantee privilege_type -a admin ALL -a public CONNECT -a readwrite ALL -a root ALL +database_name grantee privilege_type is_grantable +a admin ALL true +a public CONNECT false +a readwrite ALL true +a root ALL true # Show that by default GRANT is restricted to the current database query TTTTT colnames 
@@ -1855,14 +1855,14 @@ SHOW GRANTS FOR readwrite, "test-user" a NULL NULL readwrite ALL # Verify that the DB privileges have not changed. -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE a ---- -database_name grantee privilege_type -a admin ALL -a public CONNECT -a readwrite ALL -a root ALL +database_name grantee privilege_type is_grantable +a admin ALL true +a public CONNECT false +a readwrite ALL true +a root ALL true # Errors due to invalid targets. diff --git a/pkg/sql/logictest/testdata/logic_test/rename_database b/pkg/sql/logictest/testdata/logic_test/rename_database index 1a5dfad677d2..e46a4a69e58d 100644 --- a/pkg/sql/logictest/testdata/logic_test/rename_database +++ b/pkg/sql/logictest/testdata/logic_test/rename_database @@ -14,12 +14,12 @@ postgres root NULL {} NULL system node NULL {} NULL test root NULL {} NULL -query TTT +query TTTB SHOW GRANTS ON DATABASE test ---- -test admin ALL -test public CONNECT -test root ALL +test admin ALL true +test public CONNECT false +test root ALL true statement ok CREATE TABLE kv ( @@ -63,12 +63,12 @@ system node NULL {} NULL u root NULL {} NULL # check the name in descriptor is also changed -query TTT +query TTTB SHOW GRANTS ON DATABASE u ---- -u admin ALL -u public CONNECT -u root ALL +u admin ALL true +u public CONNECT false +u root ALL true statement ok SET DATABASE = u diff --git a/pkg/sql/logictest/testdata/logic_test/role b/pkg/sql/logictest/testdata/logic_test/role index 264446cf7726..d79be7639646 100644 --- a/pkg/sql/logictest/testdata/logic_test/role +++ b/pkg/sql/logictest/testdata/logic_test/role 
@@ -699,14 +699,14 @@ GRANT ALL ON DATABASE db2 TO newgroup user testuser -query TTT colnames +query TTTB colnames SHOW GRANTS ON DATABASE db2 ---- -database_name grantee privilege_type -db2 admin ALL -db2 newgroup ALL -db2 public CONNECT -db2 root ALL +database_name grantee privilege_type is_grantable +db2 admin ALL true +db2 newgroup ALL true +db2 public CONNECT false +db2 root ALL true statement ok INSERT INTO db2.foo VALUES (1),(2),(3); diff --git a/pkg/sql/logictest/testdata/logic_test/system b/pkg/sql/logictest/testdata/logic_test/system index 2e3c12c0bf02..6a67dae8d61f 100644 --- a/pkg/sql/logictest/testdata/logic_test/system +++ b/pkg/sql/logictest/testdata/logic_test/system @@ -289,11 +289,11 @@ isAdmin BOOL false NULL ยท {primary} # Verify default privileges on system tables. -query TTT +query TTTB SHOW GRANTS ON DATABASE system ---- -system admin GRANT -system root GRANT +system admin GRANT true +system root GRANT true # The test expectations are different on tenants because of # descriptor_id_sq, tenant, tenant_usage, and span_configurations.