jobs: remove deprecated custom per-job auth

dt · dt · commit 1a490cb9800f · 2025-06-23T19:41:18.000Z
This was deprecated a couple releases ago in favor of using more standard approaches of either a) telling users to grant or revoke membership in a role that has ownership of a job to manage access to that job or b) features built on top of jobs can have their own control statements that perform their own auth checks before modifying or creating jobs if they so choose. With this having been deprecated for a couple of major releases now with the public docs suggesting using role membership instead, it can now be deleted to simplify the auth checks the jobs system needs to perform, paving the way for replacing the complex logic in the vtable for SHOW JOBS with a simple view instead. Release note (ops change): Non-admin users no longer have access to changefeed jobs they do not own and which are not owned by a role of which they are a member, regardless of whether they have the CHANGEFEED privilege on the table or tables those jobs may be watching. Admin users, or those with global SHOWJOB / CONTROLJOB privileges can still interact with all jobs, regardless of ownership. Epic: CRDB-48791.
diff --git a/pkg/ccl/changefeedccl/alter_changefeed_stmt.go b/pkg/ccl/changefeedccl/alter_changefeed_stmt.go
@@ -113,11 +113,8 @@ func alterChangefeedPlanHook(
 		if err != nil {
 			return err
 		}
-		getLegacyPayload := func(ctx context.Context) (*jobspb.Payload, error) {
-			return &jobPayload, nil
-		}
-		err = jobsauth.AuthorizeAllowLegacyAuth(
-			ctx, p, jobID, getLegacyPayload, jobPayload.UsernameProto.Decode(), jobPayload.Type(), jobsauth.ControlAccess, globalPrivileges,
+		err = jobsauth.Authorize(
+			ctx, p, jobID, jobPayload.UsernameProto.Decode(), jobsauth.ControlAccess, globalPrivileges,
 		)
 		if err != nil {
 			return err
diff --git a/pkg/ccl/changefeedccl/alter_changefeed_test.go b/pkg/ccl/changefeedccl/alter_changefeed_test.go
@@ -82,6 +82,8 @@ func TestAlterChangefeedAddTargetPrivileges(t *testing.T) {
 		`CREATE TABLE table_b (id int, type type_a)`,
 		`CREATE TABLE table_c (id int, type type_a)`,
 		`CREATE USER feedCreator`,
+		`CREATE ROLE feedowner`,
+		`GRANT feedowner TO feedCreator`,
 		`GRANT SELECT ON table_a TO feedCreator`,
 		`GRANT CHANGEFEED ON table_a TO feedCreator`,
 		`CREATE EXTERNAL CONNECTION "first" AS 'kafka://nope'`,
@@ -123,22 +125,24 @@ func TestAlterChangefeedAddTargetPrivileges(t *testing.T) {
 			row.Scan(&jobID)
 			userDB.Exec(t, `PAUSE JOB $1`, jobID)
 			waitForJobState(userDB, t, catpb.JobID(jobID), `paused`)
+			userDB.Exec(t, `ALTER JOB $1 OWNER TO feedowner`, jobID)
 		})
 
 		// user1 is missing the CHANGEFEED privilege on table_b and table_c.
 		withUser(t, "user1", func(userDB *sqlutils.SQLRunner) {
 			userDB.ExpectErr(t,
-				"user user1 requires the CHANGEFEED privilege on all target tables to be able to run an enterprise changefeed",
+				"user user1 does not have privileges for job",
 				fmt.Sprintf("ALTER CHANGEFEED %d ADD table_b, table_c set sink='external://second'", jobID),
 			)
 		})
 		rootDB.Exec(t, `GRANT CHANGEFEED ON table_b TO user1`)
 		withUser(t, "user1", func(userDB *sqlutils.SQLRunner) {
 			userDB.ExpectErr(t,
-				"user user1 requires the CHANGEFEED privilege on all target tables to be able to run an enterprise changefeed",
+				"user user1 does not have privileges for job",
 				fmt.Sprintf("ALTER CHANGEFEED %d ADD table_b, table_c set sink='external://second'", jobID),
 			)
 		})
+		rootDB.Exec(t, `GRANT feedowner TO user1`)
 		rootDB.Exec(t, `GRANT CHANGEFEED ON table_c TO user1`)
 		withUser(t, "user1", func(userDB *sqlutils.SQLRunner) {
 			userDB.Exec(t,
@@ -175,19 +179,27 @@ func TestAlterChangefeedAddTargetPrivileges(t *testing.T) {
 			row.Scan(&jobID)
 			userDB.Exec(t, `PAUSE JOB $1`, jobID)
 			waitForJobState(userDB, t, catpb.JobID(jobID), `paused`)
+			userDB.Exec(t, `ALTER JOB $1 OWNER TO feedowner`, jobID)
 		})
 
 		// user2 is missing the SELECT privilege on table_b and table_c.
 		withUser(t, "user2", func(userDB *sqlutils.SQLRunner) {
 			userDB.ExpectErr(t,
-				"pq: user user2 with CONTROLCHANGEFEED role option requires the SELECT privilege on all target tables to be able to run an enterprise changefeed",
+				"pq: user user2 does not have privileges for job",
 				fmt.Sprintf("ALTER CHANGEFEED %d ADD table_b, table_c set sink='kafka://bar'", jobID),
 			)
 		})
 		rootDB.Exec(t, `GRANT SELECT ON table_b TO user2`)
 		withUser(t, "user2", func(userDB *sqlutils.SQLRunner) {
 			userDB.ExpectErr(t,
-				"pq: user user2 with CONTROLCHANGEFEED role option requires the SELECT privilege on all target tables to be able to run an enterprise changefeed",
+				"pq: user user2 does not have privileges for job",
+				fmt.Sprintf("ALTER CHANGEFEED %d ADD table_b, table_c set sink='kafka://bar'", jobID),
+			)
+		})
+		rootDB.Exec(t, `GRANT feedowner TO user2`)
+		withUser(t, "user2", func(userDB *sqlutils.SQLRunner) {
+			userDB.ExpectErr(t,
+				"requires the SELECT privilege on all target tables",
 				fmt.Sprintf("ALTER CHANGEFEED %d ADD table_b, table_c set sink='kafka://bar'", jobID),
 			)
 		})
@@ -1859,6 +1871,7 @@ func TestAlterChangefeedAccessControl(t *testing.T) {
 		})
 		rootDB.Exec(t, "PAUSE job $1", currentFeed.JobID())
 		waitForJobState(rootDB, t, currentFeed.JobID(), `paused`)
+		rootDB.Exec(t, "ALTER JOB $1 OWNER TO feedowner", currentFeed.JobID())
 
 		// Verify who can modify the existing changefeed.
 		asUser(t, f, `userWithAllGrants`, func(userDB *sqlutils.SQLRunner) {
@@ -1872,10 +1885,10 @@ func TestAlterChangefeedAccessControl(t *testing.T) {
 			userDB.ExpectErr(t, "pq: user jobcontroller requires the CHANGEFEED privilege on all target tables to be able to run an enterprise changefeed", fmt.Sprintf(`ALTER CHANGEFEED %d DROP table_b`, currentFeed.JobID()))
 		})
 		asUser(t, f, `userWithSomeGrants`, func(userDB *sqlutils.SQLRunner) {
-			userDB.ExpectErr(t, "pq: user userwithsomegrants does not have CHANGEFEED privilege on relation table_b", fmt.Sprintf(`ALTER CHANGEFEED %d ADD table_b`, currentFeed.JobID()))
+			userDB.ExpectErr(t, "does not have privileges for job", fmt.Sprintf(`ALTER CHANGEFEED %d ADD table_b`, currentFeed.JobID()))
 		})
 		asUser(t, f, `regularUser`, func(userDB *sqlutils.SQLRunner) {
-			userDB.ExpectErr(t, "pq: user regularuser does not have CHANGEFEED privilege on relation (table_a|table_b)", fmt.Sprintf(`ALTER CHANGEFEED %d ADD table_b`, currentFeed.JobID()))
+			userDB.ExpectErr(t, "does not have privileges for job", fmt.Sprintf(`ALTER CHANGEFEED %d ADD table_b`, currentFeed.JobID()))
 		})
 		closeCf()
 
diff --git a/pkg/ccl/changefeedccl/authorization.go b/pkg/ccl/changefeedccl/authorization.go
@@ -11,8 +11,6 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/ccl/changefeedccl/changefeedbase"
 	"github.com/cockroachdb/cockroach/pkg/cloud/externalconn"
-	"github.com/cockroachdb/cockroach/pkg/jobs/jobsauth"
-	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
@@ -135,45 +133,3 @@ func authorizeUserToCreateChangefeed(
 
 	return nil
 }
-
-// AuthorizeChangefeedJobAccess determines if a user has access to the changefeed job denoted
-// by the supplied jobID and payload.
-func AuthorizeChangefeedJobAccess(
-	ctx context.Context,
-	a jobsauth.AuthorizationAccessor,
-	jobID jobspb.JobID,
-	getLegacyPayload func(ctx context.Context) (*jobspb.Payload, error),
-) error {
-	payload, err := getLegacyPayload(ctx)
-	if err != nil {
-		return err
-	}
-	specs, ok := payload.UnwrapDetails().(jobspb.ChangefeedDetails)
-	if !ok {
-		return errors.Newf("could not unwrap details from the payload of job %d", jobID)
-	}
-
-	if len(specs.TargetSpecifications) == 0 {
-		return pgerror.Newf(pgcode.InsufficientPrivilege, "job contains no tables on which the user has %s privilege", privilege.CHANGEFEED)
-	}
-
-	for _, spec := range specs.TargetSpecifications {
-		err := a.CheckPrivilegeForTableID(ctx, spec.TableID, privilege.CHANGEFEED)
-		if err != nil {
-			// When performing SHOW JOBS or SHOW CHANGEFEED JOBS, there may be old changefeed
-			// records that reference tables which have been dropped or are being
-			// dropped. In this case, we would prefer to skip the permissions check on
-			// the dropped descriptor.
-			if pgerror.GetPGCode(err) == pgcode.UndefinedTable || errors.Is(err, catalog.ErrDescriptorDropped) {
-				continue
-			}
-
-			return err
-		}
-	}
-	return nil
-}
-
-func init() {
-	jobsauth.RegisterAuthorizer(jobspb.TypeChangefeed, AuthorizeChangefeedJobAccess)
-}
diff --git a/pkg/ccl/changefeedccl/changefeed_test.go b/pkg/ccl/changefeedccl/changefeed_test.go
@@ -3740,6 +3740,7 @@ func TestChangefeedJobControl(t *testing.T) {
 		asUser(t, f, `adminUser`, func(userDB *sqlutils.SQLRunner) {
 			userDB.Exec(t, "PAUSE job $1", currentFeed.JobID())
 			waitForJobState(userDB, t, currentFeed.JobID(), "paused")
+			userDB.Exec(t, "ALTER JOB $1 OWNER TO feedowner", currentFeed.JobID())
 		})
 		asUser(t, f, `userWithAllGrants`, func(userDB *sqlutils.SQLRunner) {
 			userDB.Exec(t, "RESUME job $1", currentFeed.JobID())
@@ -3750,10 +3751,10 @@ func TestChangefeedJobControl(t *testing.T) {
 			waitForJobState(userDB, t, currentFeed.JobID(), "running")
 		})
 		asUser(t, f, `userWithSomeGrants`, func(userDB *sqlutils.SQLRunner) {
-			userDB.ExpectErr(t, "user userwithsomegrants does not have CHANGEFEED privilege on relation table_b", "PAUSE job $1", currentFeed.JobID())
+			userDB.ExpectErr(t, "does not have privileges for job", "PAUSE job $1", currentFeed.JobID())
 		})
 		asUser(t, f, `regularUser`, func(userDB *sqlutils.SQLRunner) {
-			userDB.ExpectErr(t, "user regularuser does not have CHANGEFEED privilege on relation (table_a|table_b)", "PAUSE job $1", currentFeed.JobID())
+			userDB.ExpectErr(t, "does not have privileges for job", "PAUSE job $1", currentFeed.JobID())
 		})
 		closeCf()
 
diff --git a/pkg/ccl/changefeedccl/helpers_test.go b/pkg/ccl/changefeedccl/helpers_test.go
@@ -1736,6 +1736,7 @@ func ChangefeedJobPermissionsTestSetup(t *testing.T, s TestServer) {
 
 		`CREATE USER adminUser`,
 		`GRANT ADMIN TO adminUser`,
+		`CREATE ROLE feedowner`,
 
 		`CREATE USER otherAdminUser`,
 		`GRANT ADMIN TO otherAdminUser`,
@@ -1747,6 +1748,7 @@ func ChangefeedJobPermissionsTestSetup(t *testing.T, s TestServer) {
 		`CREATE USER jobController with CONTROLJOB`,
 
 		`CREATE USER userWithAllGrants`,
+		`GRANT feedowner TO userWithAllGrants`,
 		`GRANT CHANGEFEED ON table_a TO userWithAllGrants`,
 		`GRANT CHANGEFEED ON table_b TO userWithAllGrants`,
 
diff --git a/pkg/ccl/changefeedccl/show_changefeed_jobs_test.go b/pkg/ccl/changefeedccl/show_changefeed_jobs_test.go
@@ -568,7 +568,6 @@ func TestShowChangefeedJobsAuthorization(t *testing.T) {
 			require.NoError(t, err)
 			jobID = successfulFeed.(cdctest.EnterpriseTestFeed).JobID()
 		}
-		rootDB := sqlutils.MakeSQLRunner(s.DB)
 
 		// Create a changefeed and assert who can see it.
 		asUser(t, f, `feedCreator`, func(userDB *sqlutils.SQLRunner) {
@@ -579,7 +578,7 @@ func TestShowChangefeedJobsAuthorization(t *testing.T) {
 			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{{expectedJobIDStr}})
 		})
 		asUser(t, f, `userWithAllGrants`, func(userDB *sqlutils.SQLRunner) {
-			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{{expectedJobIDStr}})
+			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{})
 		})
 		asUser(t, f, `userWithSomeGrants`, func(userDB *sqlutils.SQLRunner) {
 			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{})
@@ -590,16 +589,6 @@ func TestShowChangefeedJobsAuthorization(t *testing.T) {
 		asUser(t, f, `regularUser`, func(userDB *sqlutils.SQLRunner) {
 			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{})
 		})
-
-		// Assert behavior when one of the tables is dropped.
-		rootDB.Exec(t, "DROP TABLE table_b")
-		// Having CHANGEFEED on only table_a is now sufficient.
-		asUser(t, f, `userWithSomeGrants`, func(userDB *sqlutils.SQLRunner) {
-			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{{expectedJobIDStr}})
-		})
-		asUser(t, f, `regularUser`, func(userDB *sqlutils.SQLRunner) {
-			userDB.CheckQueryResults(t, `SELECT job_id FROM [SHOW CHANGEFEED JOBS]`, [][]string{})
-		})
 	}
 
 	// Only enterprise sinks create jobs.
diff --git a/pkg/crosscluster/producer/replication_manager.go b/pkg/crosscluster/producer/replication_manager.go
@@ -442,7 +442,7 @@ func (r *replicationStreamManagerImpl) AuthorizeViaJob(
 	}
 
 	if err := jobsauth.Authorize(
-		ctx, planHook, jobspb.JobID(streamID), planHook.User(), jobspb.TypeReplicationStreamProducer, jobsauth.ControlAccess, globalPrivileges,
+		ctx, planHook, jobspb.JobID(streamID), planHook.User(), jobsauth.ControlAccess, globalPrivileges,
 	); err != nil {
 		return err
 	}
diff --git a/pkg/jobs/jobsauth/BUILD.bazel b/pkg/jobs/jobsauth/BUILD.bazel
@@ -13,7 +13,6 @@ go_library(
         "//pkg/sql/pgwire/pgerror",
         "//pkg/sql/privilege",
         "//pkg/sql/roleoption",
-        "@com_github_cockroachdb_errors//:errors",
     ],
 )
 
diff --git a/pkg/jobs/jobsauth/authorization.go b/pkg/jobs/jobsauth/authorization.go
@@ -7,7 +7,6 @@ package jobsauth
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
@@ -16,7 +15,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
 	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/roleoption"
-	"github.com/cockroachdb/errors"
 )
 
 // An AccessLevel is used to indicate how strict an authorization check should
@@ -31,23 +29,6 @@ const (
 	ControlAccess
 )
 
-var authorizers = make(map[jobspb.Type]Authorizer)
-
-// Authorizer is a function which returns a pgcode.InsufficientPrivilege error if
-// authorization for the job denoted by jobID and payload fails.
-type Authorizer func(
-	ctx context.Context, a AuthorizationAccessor, jobID jobspb.JobID, getLegacyPayload func(ctx context.Context) (*jobspb.Payload, error),
-) error
-
-// RegisterAuthorizer registers a AuthorizationCheck for a certain job type.
-func RegisterAuthorizer(typ jobspb.Type, fn Authorizer) {
-	if _, ok := authorizers[typ]; ok {
-		panic(fmt.Sprintf("cannot register two authorizers for the type %s", typ))
-	}
-
-	authorizers[typ] = fn
-}
-
 // AuthorizationAccessor is an interface for checking authorization on jobs.
 type AuthorizationAccessor interface {
 	// CheckPrivilegeForTableID mirrors sql.AuthorizationAccessor.
@@ -118,26 +99,6 @@ func Authorize(
 	a AuthorizationAccessor,
 	jobID jobspb.JobID,
 	owner username.SQLUsername,
-	typ jobspb.Type,
-	accessLevel AccessLevel,
-	global GlobalJobPrivileges,
-) error {
-
-	legacyAuthErrFunc := func(ctx context.Context) (*jobspb.Payload, error) {
-		return nil, errors.New("legacy authorization check not implemented")
-	}
-	return AuthorizeAllowLegacyAuth(ctx, a, jobID, legacyAuthErrFunc, owner, typ, accessLevel, global)
-}
-
-// AutherizeAllowLegacyAuth functions like Authorize, and also provides
-// the deprecated job-specific custom authorization check allows access.
-func AuthorizeAllowLegacyAuth(
-	ctx context.Context,
-	a AuthorizationAccessor,
-	jobID jobspb.JobID,
-	getLegacyPayload func(ctx context.Context) (*jobspb.Payload, error),
-	owner username.SQLUsername,
-	typ jobspb.Type,
 	accessLevel AccessLevel,
 	global GlobalJobPrivileges,
 ) error {
@@ -186,9 +147,6 @@ func AuthorizeAllowLegacyAuth(
 		return nil
 	}
 
-	if check, ok := authorizers[typ]; ok {
-		return check(ctx, a, jobID, getLegacyPayload)
-	}
 	return pgerror.Newf(pgcode.InsufficientPrivilege,
 		"user %s does not have privileges for job %d",
 		a.User(), jobID)
diff --git a/pkg/jobs/jobsauth/authorization_test.go b/pkg/jobs/jobsauth/authorization_test.go
@@ -149,21 +149,6 @@ func (a *testAuthAccessor) User() username.SQLUsername {
 	return a.user
 }
 
-func makeChangefeedPayload(owner string, tableIDs []descpb.ID) *jobspb.Payload {
-	specs := make([]jobspb.ChangefeedTargetSpecification, len(tableIDs))
-	for i, tableID := range tableIDs {
-		specs[i] = jobspb.ChangefeedTargetSpecification{
-			TableID: tableID,
-		}
-	}
-	return &jobspb.Payload{
-		Details: jobspb.WrapPayloadDetails(jobspb.ChangefeedDetails{
-			TargetSpecifications: specs,
-		}),
-		UsernameProto: username.MakeSQLUsernameFromPreNormalizedString(owner).EncodeProto(),
-	}
-}
-
 func makeBackupPayload(owner string) *jobspb.Payload {
 	return &jobspb.Payload{
 		Details:       jobspb.WrapPayloadDetails(jobspb.BackupDetails{}),
@@ -246,38 +231,6 @@ func TestAuthorization(t *testing.T) {
 			payload:     makeBackupPayload("user2"),
 			accessLevel: jobsauth.ControlAccess,
 		},
-		{
-			name:                 "changefeed-privilege-on-all-tables",
-			user:                 username.MakeSQLUsernameFromPreNormalizedString("user1"),
-			roleOptions:          map[roleoption.Option]struct{}{},
-			admins:               map[string]struct{}{},
-			changeFeedPrivileges: map[descpb.ID]struct{}{0: {}, 1: {}, 2: {}},
-
-			payload:     makeChangefeedPayload("user2", []descpb.ID{0, 1, 2}),
-			accessLevel: jobsauth.ControlAccess,
-		},
-		{
-			name:                 "changefeed-privilege-on-some-tables",
-			user:                 username.MakeSQLUsernameFromPreNormalizedString("user1"),
-			roleOptions:          map[roleoption.Option]struct{}{},
-			admins:               map[string]struct{}{},
-			changeFeedPrivileges: map[descpb.ID]struct{}{0: {}, 1: {}},
-
-			payload:     makeChangefeedPayload("user2", []descpb.ID{0, 1, 2}),
-			accessLevel: jobsauth.ControlAccess,
-			userErr:     pgerror.New(pgcode.InsufficientPrivilege, "foo"),
-		},
-		{
-			name:                 "changefeed-priv-on-some-tables-with-dropped",
-			user:                 username.MakeSQLUsernameFromPreNormalizedString("user1"),
-			roleOptions:          map[roleoption.Option]struct{}{},
-			admins:               map[string]struct{}{},
-			changeFeedPrivileges: map[descpb.ID]struct{}{0: {}, 1: {}},
-			droppedDescriptors:   map[descpb.ID]struct{}{2: {}},
-
-			payload:     makeChangefeedPayload("user2", []descpb.ID{0, 1, 2}),
-			accessLevel: jobsauth.ControlAccess,
-		},
 		{
 			name:   "viewjob-required-for-read-access",
 			user:   username.MakeSQLUsernameFromPreNormalizedString("user1"),
@@ -354,10 +307,9 @@ func TestAuthorization(t *testing.T) {
 			ctx := context.Background()
 			globalPrivileges, err := jobsauth.GetGlobalJobPrivileges(ctx, testAuth)
 			assert.NoError(t, err)
-			err = jobsauth.AuthorizeAllowLegacyAuth(
+			err = jobsauth.Authorize(
 				ctx, testAuth, 0,
-				func(ctx context.Context) (*jobspb.Payload, error) { return tc.payload, nil },
-				tc.payload.UsernameProto.Decode(), tc.payload.Type(), tc.accessLevel, globalPrivileges,
+				tc.payload.UsernameProto.Decode(), tc.accessLevel, globalPrivileges,
 			)
 			assert.Equal(t, pgerror.GetPGCode(tc.userErr), pgerror.GetPGCode(err))
 		})
diff --git a/pkg/settings/registry.go b/pkg/settings/registry.go
diff --git a/pkg/sql/control_jobs.go b/pkg/sql/control_jobs.go
diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go

Original file line number	Diff line number	Diff line change
`@@ -113,11 +113,8 @@ func alterChangefeedPlanHook(`
`113`	`113`	`if err != nil {`
`114`	`114`	`return err`
`115`	`115`	`}`
`116`		`- getLegacyPayload := func(ctx context.Context) (*jobspb.Payload, error) {`
`117`		`- return &jobPayload, nil`
`118`		`- }`
`119`		`- err = jobsauth.AuthorizeAllowLegacyAuth(`
`120`		`- ctx, p, jobID, getLegacyPayload, jobPayload.UsernameProto.Decode(), jobPayload.Type(), jobsauth.ControlAccess, globalPrivileges,`
	`116`	`+ err = jobsauth.Authorize(`
	`117`	`+ ctx, p, jobID, jobPayload.UsernameProto.Decode(), jobsauth.ControlAccess, globalPrivileges,`
`121`	`118`	`)`
`122`	`119`	`if err != nil {`
`123`	`120`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -442,7 +442,7 @@ func (r *replicationStreamManagerImpl) AuthorizeViaJob(`
`442`	`442`	`}`
`443`	`443`
`444`	`444`	`if err := jobsauth.Authorize(`
`445`		`- ctx, planHook, jobspb.JobID(streamID), planHook.User(), jobspb.TypeReplicationStreamProducer, jobsauth.ControlAccess, globalPrivileges,`
	`445`	`+ ctx, planHook, jobspb.JobID(streamID), planHook.User(), jobsauth.ControlAccess, globalPrivileges,`
`446`	`446`	`); err != nil {`
`447`	`447`	`return err`
`448`	`448`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,6 @@ go_library(`
`13`	`13`	`"//pkg/sql/pgwire/pgerror",`
`14`	`14`	`"//pkg/sql/privilege",`
`15`	`15`	`"//pkg/sql/roleoption",`
`16`		`- "@com_github_cockroachdb_errors//:errors",`
`17`	`16`	`],`
`18`	`17`	`)`
`19`	`18`