sql: with grant option/grant option for

Release note (sql change): If the WITH GRANT OPTION flag is present when granting privileges to a user, then that user is able to grant those same privileges to subsequent users; otherwise, they cannot. If the GRANT OPTION FOR flag is present when revoking privileges from a user, then only the ability the grant those privileges is revoked from that user, not the privileges themselves (otherwise both the privileges and the ability to grant those privileges are revoked). This behavior is consistent with Postgres. For example, let's say we have a user named Alice who is the admin of a database that contains a table named t. If she wanted to give read access to Bob on t but did not want him to be able to give that privilege to anyone else, she could do this with the command 'GRANT SELECT ON TABLE t TO bob'. However, if she wanted Bob to be able to give the SELECT privilege on table t to other users, she would grant him the ability to do so with the command 'GRANT SELECT ON TABLE t TO bob WITH GRANT OPTION'. If Alice changed her mind and decided she did not want Bob to have the ability to grant read access on table t to other users (but she still wanted Bob himself to have read access on table t), she could revoke his ability to do so with the command 'REVOKE GRANT OPTION FOR SELECT ON TABLE t FROM bob'. Alternatively, she could omit the flag and do 'REVOKE SELECT ON TABLE t FROM bob' to remove Bob's read access on table t in addition to his ability to grant read access to other users.
cockroachdb · Dec 2, 2021 · 9e32d08 · 9e32d08
1 parent d039849
commit 9e32d08
Show file tree

Hide file tree

Showing 33 changed files with 2,053 additions and 233 deletions.
diff --git a/docs/generated/settings/settings-for-tenants.txt b/docs/generated/settings/settings-for-tenants.txt
@@ -168,4 +168,4 @@ trace.debug.enable	boolean	false	if set, traces for recent requests can be seen
 trace.jaeger.agent	string		the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.
 trace.opentelemetry.collector	string		address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.
 trace.zipkin.collector	string		the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.
-version	version	21.2-20	set the active cluster version in the format '<major>.<minor>'
+version	version	21.2-22	set the active cluster version in the format '<major>.<minor>'
diff --git a/docs/generated/settings/settings.html b/docs/generated/settings/settings.html
@@ -173,6 +173,6 @@
 <tr><td><code>trace.jaeger.agent</code></td><td>string</td><td><code></code></td><td>the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.</td></tr>
 <tr><td><code>trace.opentelemetry.collector</code></td><td>string</td><td><code></code></td><td>address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.</td></tr>
 <tr><td><code>trace.zipkin.collector</code></td><td>string</td><td><code></code></td><td>the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.</td></tr>
-<tr><td><code>version</code></td><td>version</td><td><code>21.2-20</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
+<tr><td><code>version</code></td><td>version</td><td><code>21.2-22</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
 </tbody>
 </table>
diff --git a/docs/generated/sql/bnf/grant_stmt.bnf b/docs/generated/sql/bnf/grant_stmt.bnf
@@ -1,15 +1,15 @@
 grant_stmt ::=
-	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list
+	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
-	| 'GRANT' 'ALL' 'PRIVILEGES' 'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' 'ALL' 'PRIVILEGES' 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' 'ALL' 'PRIVILEGES' 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
+	| 'GRANT' 'ALL' 'PRIVILEGES' 'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL' 'PRIVILEGES' 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL' 'PRIVILEGES' 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
diff --git a/docs/generated/sql/bnf/revoke_stmt.bnf b/docs/generated/sql/bnf/revoke_stmt.bnf
@@ -2,14 +2,26 @@ revoke_stmt ::=
 	'REVOKE' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ALL' 'PRIVILEGES' 'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' 'ALL' 'PRIVILEGES' 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' 'ALL' 'PRIVILEGES' 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
diff --git a/docs/generated/sql/bnf/stmt_block.bnf b/docs/generated/sql/bnf/stmt_block.bnf
@@ -74,23 +74,27 @@ discard_stmt ::=
 	'DISCARD' 'ALL'
 
 grant_stmt ::=
-	'GRANT' privileges 'ON' targets 'TO' role_spec_list
+	'GRANT' privileges 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
-	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
+	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
 
 prepare_stmt ::=
 	'PREPARE' table_alias_name prep_type_clause 'AS' preparable_stmt
 
 revoke_stmt ::=
 	'REVOKE' privileges 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 
 savepoint_stmt ::=
 	'SAVEPOINT' name
@@ -321,6 +325,10 @@ targets ::=
 role_spec_list ::=
 	( role_spec ) ( ( ',' role_spec ) )*
 
+opt_with_grant_option ::=
+	'WITH' 'GRANT' 'OPTION'
+	| 
+
 privilege_list ::=
 	( privilege ) ( ( ',' privilege ) )*
 
@@ -2338,10 +2346,6 @@ alter_default_privileges_target_object ::=
 	| 'TYPES'
 	| 'SCHEMAS'
 
-opt_with_grant_option ::=
-	'WITH' 'GRANT' 'OPTION'
-	| 
-
 role_option ::=
 	'CREATEROLE'
 	| 'NOCREATEROLE'

diff --git a/pkg/ccl/backupccl/restore_job.go b/pkg/ccl/backupccl/restore_job.go
@@ -1561,7 +1561,7 @@ func remapPublicSchemas(
 		// In CockroachDB, root is our substitute for the postgres user.
 		publicSchemaPrivileges := descpb.NewBasePrivilegeDescriptor(security.AdminRoleName())
 		// By default, everyone has USAGE and CREATE on the public schema.
-		publicSchemaPrivileges.Grant(security.PublicRoleName(), privilege.List{privilege.CREATE, privilege.USAGE})
+		publicSchemaPrivileges.Grant(security.PublicRoleName(), privilege.List{privilege.CREATE, privilege.USAGE}, false)
 		publicSchemaDesc := schemadesc.NewBuilder(&descpb.SchemaDescriptor{
 			ParentID:   db.GetID(),
 			Name:       tree.PublicSchema,

diff --git a/pkg/ccl/importccl/import_table_creation.go b/pkg/ccl/importccl/import_table_creation.go
@@ -75,6 +75,7 @@ func MakeTestingSimpleTableDescriptor(
 		Privileges: descpb.NewPrivilegeDescriptor(
 			security.PublicRoleName(),
 			privilege.SchemaPrivileges,
+			privilege.List{},
 			security.RootUserName(),
 		),
 	}).BuildCreatedMutableSchema()