Converting database to schema leaves the schema in an unusable state

[charsleysa]

Describe the problem

Converting database to schema "succeeds" but is missing the USAGE permission for user appuser and adding the USAGE permission to the schema fails with the following error

ERROR: user appuser must not have DROP, SELECT, INSERT, DELETE, UPDATE privileges on system schema with ID=174

To Reproduce

Run the following script

---
CREATE USER appuser;

CREATE DATABASE maindb;
GRANT CREATE, DROP, SELECT, INSERT, DELETE, UPDATE ON DATABASE maindb TO appuser;
SET DATABASE TO maindb;

CREATE DATABASE test2;
GRANT CREATE, DROP, SELECT, INSERT, DELETE, UPDATE ON DATABASE test2 TO appuser;
CREATE TABLE test2.test_table(hello int);

ALTER DATABASE test2 CONVERT TO SCHEMA WITH PARENT maindb;
GRANT USAGE ON SCHEMA test2 TO appuser; -- fails here

Expected behavior
All statements should execute successfully.
The final result should be a database maindb with a schema test2 and a table test2.test_table that is usable by user appuser.

Environment:

• CockroachDB: v20.2.7
• Server OS: Amazon Linux 2
• Client app: cockroach sql

Additional context
Since the issue occurs after the database is converted to a schema, all tables under that schema are left in an unusable state as only admin users can access the tables and app users cannot be granted access.

[blathers-crl]

Hello, I am Blathers. I am here to help you get the issue triaged.

Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here.

I have CC'd a few people who may be able to assist you:

• @ajwerner (found keywords: ALTER DATABASE)
• @jordanlewis (found keywords: ALTER DATABASE)

If we have not gotten back to your issue within a few business days, you can try the following:

• Join our community slack channel and ask on #cockroachdb.
• Try find someone from here if you know they worked closely on the area and CC them.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.}

[ajwerner]

Thanks for the report! Looking into it.

[ajwerner]

@RichardJCai I'd love to get your take on this. This is bumping up against some real rough edges of our privilege model. I think I misunderstood how some pieces work. We allow the setting of various non-sensical privileges on the database descriptor to stand in for not having DEFAULT PRIVILEGES (see #16790 (comment)).

cockroach/pkg/sql/privilege/privilege.go

Lines 66 to 67 in 34f6472

	DBTablePrivileges = List{ALL, CREATE, DROP, GRANT, SELECT, INSERT, DELETE, UPDATE, ZONECONFIG}
	SchemaPrivileges = List{ALL, GRANT, CREATE, USAGE}

We then inherit these privileges here:

cockroach/pkg/sql/create_table.go

Lines 2153 to 2155 in 34f6472

	// CreateInheritedPrivilegesFromDBDesc creates privileges with the appropriate
	// owner (node for system, the restoring user otherwise.)
	func CreateInheritedPrivilegesFromDBDesc(

Where this all went off the rails is I, mistakenly, assumed we passed on this behavior of allowing and inheriting privileges on schemas and thus it would be "fine" to just maintain those and, in fact, my (and Lucy's for that matter) hope was that they would have the same behavior for new tables within the user-defined schema.

We need to do something about this in the both short and long term -- we're in a bad spot. Here's a proposal:

1. For backport, strip these privileges in a read-time repair upgrade.
2. Add a long-running migration to fix them.
3. Fix default privileges etc.

[RichardJCai]

Yeah this isn't great, I'll quickly fix this issue when copying the privilege descriptor and add a read-time repair.

Will likely get to the long-running migration for this next month when I do #65012.

[RichardJCai]

Currently on master, it errors when converting they database to a schema which is good - it won't succeed. Either way we'll still need a read-time repair and a backport to ALTER DATABASE CONVERT TO SCHEMA

On master

demo@127.0.0.1:26257/maindb> ALTER DATABASE test2 CONVERT TO SCHEMA WITH PARENT maindb;

ERROR: schema "test2" (62): user appuser must not have DROP, SELECT, INSERT, DELETE, UPDATE privileges on schema with ID=62