sql: avoid dangling role reference in default privileges

rafiss · rafiss · commit 53de337c1e3a · 2025-03-21T14:45:21.000-04:00
Release note (bug fix): Fixed a bug that could leave behind a dangling
reference to a dropped role if that role had default privileges granted
to itself. The bug was caused by defining privileges such as: `ALTER DEFAULT
PRIVILEGES FOR ROLE self_referencing_role GRANT INSERT ON TABLES TO self_referencing_role`
diff --git a/pkg/sql/catalog/catprivilege/default_privilege.go b/pkg/sql/catalog/catprivilege/default_privilege.go
@@ -118,6 +118,7 @@ func (d *Mutable) GrantDefaultPrivileges(
 			return err
 		}
 	}
+	d.removeRoleIfEmptyPrivileges(role, defaultPrivilegesForRole)
 	return nil
 }
 
@@ -135,14 +136,20 @@ func (d *Mutable) RevokeDefaultPrivileges(
 			return err
 		}
 	}
+	d.removeRoleIfEmptyPrivileges(role, defaultPrivilegesForRole)
+	return nil
+}
 
+// removeRoleIfEmptyPrivilegesc checks if there are any default privileges for
+// the given role remaining on the descriptor. If there are no privileges left
+// remaining and the descriptor is in the default state, the role is removed.
+func (d *Mutable) removeRoleIfEmptyPrivileges(
+	role catpb.DefaultPrivilegesRole, defaultPrivilegesForRole *catpb.DefaultPrivilegesForRole,
+) {
 	defaultPrivilegesPerObject := defaultPrivilegesForRole.DefaultPrivilegesPerObject
-	// Check if there are any default privileges remaining on the descriptor.
-	// If there are no privileges left remaining and the descriptor is in the
-	// default state, we can remove it.
 	for _, defaultPrivs := range defaultPrivilegesPerObject {
 		if len(defaultPrivs.Users) != 0 {
-			return nil
+			return
 		}
 	}
 
@@ -155,12 +162,11 @@ func (d *Mutable) RevokeDefaultPrivileges(
 			!GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForRole, privilege.Schemas) ||
 			!GetPublicHasUsageOnTypes(defaultPrivilegesForRole) ||
 			!GetPublicHasExecuteOnFunctions(defaultPrivilegesForRole)) {
-		return nil
+		return
 	}
 
 	// There no entries remaining, remove the entry for the role.
 	d.defaultPrivilegeDescriptor.RemoveUser(role)
-	return nil
 }
 
 // CreatePrivilegesFromDefaultPrivileges creates privileges for a
diff --git a/pkg/sql/logictest/testdata/logic_test/drop_role_with_default_privileges b/pkg/sql/logictest/testdata/logic_test/drop_role_with_default_privileges
@@ -183,3 +183,23 @@ statement ok
 DROP USER IF EXISTS a_user_that_does_not_exist;
 
 subtest end
+
+# Verify that a granting default privileges to the same role the defaults are
+# being defined for has no undesirable side effect.
+subtest default_priv_granted_to_self
+
+statement ok
+CREATE ROLE self_referencing_role
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE self_referencing_role GRANT INSERT ON TABLES TO self_referencing_role
+
+statement ok
+DROP ROLE self_referencing_role
+
+query I
+SELECT count(*) FROM crdb_internal.invalid_objects
+----
+0
+
+subtest end

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ func (d *Mutable) GrantDefaultPrivileges(`
`118`	`118`	`return err`
`119`	`119`	`}`
`120`	`120`	`}`
	`121`	`+ d.removeRoleIfEmptyPrivileges(role, defaultPrivilegesForRole)`
`121`	`122`	`return nil`
`122`	`123`	`}`
`123`	`124`
`@@ -135,14 +136,20 @@ func (d *Mutable) RevokeDefaultPrivileges(`
`135`	`136`	`return err`
`136`	`137`	`}`
`137`	`138`	`}`
	`139`	`+ d.removeRoleIfEmptyPrivileges(role, defaultPrivilegesForRole)`
	`140`	`+ return nil`
	`141`	`+}`
`138`	`142`
	`143`	`+// removeRoleIfEmptyPrivilegesc checks if there are any default privileges for`
	`144`	`+// the given role remaining on the descriptor. If there are no privileges left`
	`145`	`+// remaining and the descriptor is in the default state, the role is removed.`
	`146`	`+func (d *Mutable) removeRoleIfEmptyPrivileges(`
	`147`	`+ role catpb.DefaultPrivilegesRole, defaultPrivilegesForRole *catpb.DefaultPrivilegesForRole,`
	`148`	`+) {`
`139`	`149`	`defaultPrivilegesPerObject := defaultPrivilegesForRole.DefaultPrivilegesPerObject`
`140`		`- // Check if there are any default privileges remaining on the descriptor.`
`141`		`- // If there are no privileges left remaining and the descriptor is in the`
`142`		`- // default state, we can remove it.`
`143`	`150`	`for _, defaultPrivs := range defaultPrivilegesPerObject {`
`144`	`151`	`if len(defaultPrivs.Users) != 0 {`
`145`		`- return nil`
	`152`	`+ return`
`146`	`153`	`}`
`147`	`154`	`}`
`148`	`155`
`@@ -155,12 +162,11 @@ func (d *Mutable) RevokeDefaultPrivileges(`
`155`	`162`	`!GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForRole, privilege.Schemas) \|\|`
`156`	`163`	`!GetPublicHasUsageOnTypes(defaultPrivilegesForRole) \|\|`
`157`	`164`	`!GetPublicHasExecuteOnFunctions(defaultPrivilegesForRole)) {`
`158`		`- return nil`
	`165`	`+ return`
`159`	`166`	`}`
`160`	`167`
`161`	`168`	`// There no entries remaining, remove the entry for the role.`
`162`	`169`	`d.defaultPrivilegeDescriptor.RemoveUser(role)`
`163`		`- return nil`
`164`	`170`	`}`
`165`	`171`
`166`	`172`	`// CreatePrivilegesFromDefaultPrivileges creates privileges for a`