Skip to content

sql: update SHOW GRANTS to include grant options #73394

Closed
#75560
Closed
sql: update SHOW GRANTS to include grant options#73394
#75560
Assignees
ecwall
Labels
A-sql-privilegesSQL privilege handling and permission checks.C-enhancementSolution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)T-sql-foundationsSQL Foundations Team (formerly SQL Schema + SQL Sessions)
@rafiss

Description

@rafiss
rafiss
opened on Dec 2, 2021

Once #67410 is completed, we will need to provide a way for users to see which GRANT options they have.

As the RFC describes (#72512), we will do this by adding a new column to SHOW GRANTS:

For example:

root@:26257/defaultdb> create table t (a int);
CREATE TABLE

root@:26257/defaultdb> create user u1;
CREATE ROLE

root@:26257/defaultdb> create user u2;
CREATE ROLE

root@:26257/defaultdb> create user u3;
CREATE ROLE

root@:26257/defaultdb> grant select on t to u1 with grant option;
GRANT

root@:26257/defaultdb> grant insert on t to u1;
GRANT

root@:26257/defaultdb> grant all on t to u2 with grant option;
GRANT

root@:26257/defaultdb> grant all on t to u3;
GRANT

root@:26257/defaultdb> grant select on t to u3 with grant option;
GRANT

root@:26257/defaultdb> grant insert on t to u3 with grant option;
GRANT

root@:26257/defaultdb> show grants on table t;
  database_name | schema_name | table_name | grantee | privilege_type | is_grantable
----------------+-------------+------------+---------+----------------+------------------
  defaultdb     | public      | t          | admin   | ALL            | True
  defaultdb     | public      | t          | root    | ALL            | True
  defaultdb     | public      | t          | u1      | INSERT         | False
  defaultdb     | public      | t          | u1      | SELECT         | True
  defaultdb     | public      | t          | u2      | ALL            | True
  defaultdb     | public      | t          | u3      | ALL            | False
  defaultdb     | public      | t          | u3      | INSERT         | True
  defaultdb     | public      | t          | u3      | SELECT         | True

Code to update:

  • The delegate queries in [show_grants.go(https://github.com/cockroachdb/cockroach/blob/master/pkg/sql/delegate/show_grants.go).
  • Fill in the is_grantable column for information_schema.table_privileges and `information_schema.schema_privileges in information_schema.go. The column should be based on the grant option, and the code to populate it should be behind a version gate.
  • Add is_grantable column (or similar name) to information_schema.type_privileges and crdb_internal.cluster_database_privileges (also version gated).
  • NOTE: For the is_grantable column we'll need to update the logic around the ALL privilege a little. If the user does not have the ALL grant option, but they do have grant options on other privileges, we'll start showing a separate row for each grant option.

Epic CRDB-2587

Metadata

Metadata

Assignees

Labels

A-sql-privilegesSQL privilege handling and permission checks.C-enhancementSolution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)T-sql-foundationsSQL Foundations Team (formerly SQL Schema + SQL Sessions)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions