sql: make inspect a system privilege

bghal · bghal · commit 755d9e808d76 · 2025-09-19T09:30:05.000-04:00
Previously the inspect privilege was tied to specific objects (tables and databases). For simplicity, it has been changed to a system privilege. This has no user impact as the commands associated with the privilege are as yet unimplemented. Epic: CRDB-30356 Part of: #148925 Release note: None
diff --git a/pkg/sql/catalog/catpb/privilege_test.go b/pkg/sql/catalog/catpb/privilege_test.go
@@ -87,7 +87,6 @@ func TestPrivilege(t *testing.T) {
 					{Kind: privilege.CREATE},
 					{Kind: privilege.DELETE},
 					{Kind: privilege.DROP},
-					{Kind: privilege.INSPECT},
 					{Kind: privilege.REPLICATIONDEST},
 					{Kind: privilege.REPLICATIONSOURCE},
 					{Kind: privilege.TRIGGER},
@@ -616,7 +615,7 @@ func TestRevokeWithGrantOption(t *testing.T) {
 			true,
 			privilege.List{privilege.CREATE},
 			privilege.List{privilege.ALL},
-			privilege.List{privilege.BACKUP, privilege.CHANGEFEED, privilege.DELETE, privilege.DROP, privilege.INSERT, privilege.INSPECT, privilege.REPLICATIONDEST, privilege.REPLICATIONSOURCE, privilege.SELECT, privilege.TRIGGER, privilege.UPDATE, privilege.ZONECONFIG},
+			privilege.List{privilege.BACKUP, privilege.CHANGEFEED, privilege.DELETE, privilege.DROP, privilege.INSERT, privilege.REPLICATIONDEST, privilege.REPLICATIONSOURCE, privilege.SELECT, privilege.TRIGGER, privilege.UPDATE, privilege.ZONECONFIG},
 			false},
 		{catpb.NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, username.AdminRoleName()),
 			testUser, privilege.Table,
@@ -650,8 +649,8 @@ func TestRevokeWithGrantOption(t *testing.T) {
 			testUser, privilege.Table,
 			false,
 			privilege.List{privilege.CREATE},
-			privilege.List{privilege.BACKUP, privilege.CHANGEFEED, privilege.DELETE, privilege.DROP, privilege.INSERT, privilege.INSPECT, privilege.REPLICATIONDEST, privilege.REPLICATIONSOURCE, privilege.SELECT, privilege.TRIGGER, privilege.UPDATE, privilege.ZONECONFIG},
-			privilege.List{privilege.BACKUP, privilege.CHANGEFEED, privilege.DELETE, privilege.DROP, privilege.INSERT, privilege.INSPECT, privilege.REPLICATIONDEST, privilege.REPLICATIONSOURCE, privilege.SELECT, privilege.TRIGGER, privilege.UPDATE, privilege.ZONECONFIG},
+			privilege.List{privilege.BACKUP, privilege.CHANGEFEED, privilege.DELETE, privilege.DROP, privilege.INSERT, privilege.REPLICATIONDEST, privilege.REPLICATIONSOURCE, privilege.SELECT, privilege.TRIGGER, privilege.UPDATE, privilege.ZONECONFIG},
+			privilege.List{privilege.BACKUP, privilege.CHANGEFEED, privilege.DELETE, privilege.DROP, privilege.INSERT, privilege.REPLICATIONDEST, privilege.REPLICATIONSOURCE, privilege.SELECT, privilege.TRIGGER, privilege.UPDATE, privilege.ZONECONFIG},
 			false},
 		{catpb.NewPrivilegeDescriptor(testUser, privilege.List{privilege.SELECT, privilege.INSERT}, privilege.List{privilege.INSERT}, username.AdminRoleName()),
 			testUser, privilege.Table,
diff --git a/pkg/sql/inspect_node.go b/pkg/sql/inspect_node.go
@@ -8,7 +8,6 @@ package sql
 import (
 	"context"
 
-	"github.com/cockroachdb/cockroach/pkg/sql/catalog"
 	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/util/errorutil/unimplemented"
@@ -22,30 +21,25 @@ type inspectNode struct {
 }
 
 // Inspect checks the database.
-// Privileges: INSPECT on table or database.
+// Privileges: INSPECT.
 func (p *planner) Inspect(ctx context.Context, n *tree.Inspect) (planNode, error) {
-	var desc catalog.Descriptor
 	switch n.Typ {
 	case tree.InspectTable:
 		tableName := n.Table.ToTableName()
-		_, tableDesc, err := p.ResolveMutableTableDescriptor(ctx, &tableName, true /* required */, tree.ResolveRequireTableDesc)
+		_, _, err := p.ResolveMutableTableDescriptor(ctx, &tableName, true /* required */, tree.ResolveRequireTableDesc)
 		if err != nil {
 			return nil, err
 		}
-
-		desc = tableDesc
 	case tree.InspectDatabase:
-		dbDesc, err := p.Descriptors().ByName(p.txn).Get().Database(ctx, n.Database.ToUnresolvedName().String())
+		_, err := p.Descriptors().ByName(p.txn).Get().Database(ctx, n.Database.ToUnresolvedName().String())
 		if err != nil {
 			return nil, err
 		}
-
-		desc = dbDesc
 	default:
 		return nil, errors.AssertionFailedf("unexpected INSPECT type received, got: %v", n.Typ)
 	}
 
-	if err := p.CheckPrivilege(ctx, desc, privilege.INSPECT); err != nil {
+	if err := p.CheckGlobalPrivilegeOrRoleOption(ctx, privilege.INSPECT); err != nil {
 		return nil, err
 	}
 
diff --git a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_for_table b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_for_table
@@ -266,7 +266,6 @@ d              public       t8          testuser   CREATE             false
 d              public       t8          testuser   DELETE             false
 d              public       t8          testuser   DROP               false
 d              public       t8          testuser   INSERT             false
-d              public       t8          testuser   INSPECT            false
 d              public       t8          testuser   REPLICATIONDEST    false
 d              public       t8          testuser   REPLICATIONSOURCE  false
 d              public       t8          testuser   TRIGGER            false
@@ -278,7 +277,6 @@ d              public       t8          testuser2  CREATE             false
 d              public       t8          testuser2  DELETE             false
 d              public       t8          testuser2  DROP               false
 d              public       t8          testuser2  INSERT             false
-d              public       t8          testuser2  INSPECT            false
 d              public       t8          testuser2  REPLICATIONDEST    false
 d              public       t8          testuser2  REPLICATIONSOURCE  false
 d              public       t8          testuser2  TRIGGER            false
diff --git a/pkg/sql/logictest/testdata/logic_test/crdb_internal_default_privileges b/pkg/sql/logictest/testdata/logic_test/crdb_internal_default_privileges
@@ -554,7 +554,6 @@ test           NULL         root      false          tables       bar       ZONE
 test           NULL         root      false          tables       bar       TRIGGER            false
 test           NULL         root      false          tables       bar       REPLICATIONDEST    false
 test           NULL         root      false          tables       bar       REPLICATIONSOURCE  false
-test           NULL         root      false          tables       bar       INSPECT            false
 test           NULL         root      false          tables       foo       BACKUP             false
 test           NULL         root      false          tables       foo       CHANGEFEED         false
 test           NULL         root      false          tables       foo       CREATE             false
@@ -566,7 +565,6 @@ test           NULL         root      false          tables       foo       ZONE
 test           NULL         root      false          tables       foo       TRIGGER            false
 test           NULL         root      false          tables       foo       REPLICATIONDEST    false
 test           NULL         root      false          tables       foo       REPLICATIONSOURCE  false
-test           NULL         root      false          tables       foo       INSPECT            false
 test           NULL         root      false          tables       root      ALL                true
 test           NULL         root      false          sequences    root      ALL                true
 test           NULL         root      false          types        root      ALL                true
diff --git a/pkg/sql/logictest/testdata/logic_test/grant_database b/pkg/sql/logictest/testdata/logic_test/grant_database
@@ -61,15 +61,13 @@ a  readwrite  BACKUP      true
 a  readwrite  CHANGEFEED  true
 a  readwrite  CREATE      true
 a  readwrite  DROP        true
-a  readwrite  INSPECT     true
 a  readwrite  RESTORE     true
 a  readwrite  ZONECONFIG  true
 a  root       ALL         true
 a  test-user  BACKUP      true
 a  test-user  CHANGEFEED  true
 a  test-user  CREATE      true
 a  test-user  DROP        true
-a  test-user  INSPECT     true
 a  test-user  RESTORE     true
 a  test-user  ZONECONFIG  true
 
@@ -81,14 +79,12 @@ a  readwrite  BACKUP      true
 a  readwrite  CHANGEFEED  true
 a  readwrite  CREATE      true
 a  readwrite  DROP        true
-a  readwrite  INSPECT     true
 a  readwrite  RESTORE     true
 a  readwrite  ZONECONFIG  true
 a  test-user  BACKUP      true
 a  test-user  CHANGEFEED  true
 a  test-user  CREATE      true
 a  test-user  DROP        true
-a  test-user  INSPECT     true
 a  test-user  RESTORE     true
 a  test-user  ZONECONFIG  true
 
@@ -104,14 +100,12 @@ a  readwrite  BACKUP      true
 a  readwrite  CHANGEFEED  true
 a  readwrite  CREATE      true
 a  readwrite  DROP        true
-a  readwrite  INSPECT     true
 a  readwrite  RESTORE     true
 a  readwrite  ZONECONFIG  true
 a  root       ALL         true
 a  test-user  BACKUP      true
 a  test-user  CHANGEFEED  true
 a  test-user  DROP        true
-a  test-user  INSPECT     true
 a  test-user  RESTORE     true
 a  test-user  ZONECONFIG  true
 
@@ -126,7 +120,6 @@ a  readwrite  BACKUP      true
 a  readwrite  CHANGEFEED  true
 a  readwrite  CREATE      true
 a  readwrite  DROP        true
-a  readwrite  INSPECT     true
 a  readwrite  RESTORE     true
 a  readwrite  ZONECONFIG  true
 
diff --git a/pkg/sql/logictest/testdata/logic_test/grant_on_all_tables_in_schema b/pkg/sql/logictest/testdata/logic_test/grant_on_all_tables_in_schema
@@ -74,7 +74,6 @@ test           s            t            table        testuser   CREATE
 test           s            t            table        testuser   DELETE             false
 test           s            t            table        testuser   DROP               false
 test           s            t            table        testuser   INSERT             false
-test           s            t            table        testuser   INSPECT            false
 test           s            t            table        testuser   REPLICATIONDEST    false
 test           s            t            table        testuser   REPLICATIONSOURCE  false
 test           s            t            table        testuser   TRIGGER            false
@@ -86,7 +85,6 @@ test           s            t            table        testuser2  CREATE
 test           s            t            table        testuser2  DELETE             false
 test           s            t            table        testuser2  DROP               false
 test           s            t            table        testuser2  INSERT             false
-test           s            t            table        testuser2  INSPECT            false
 test           s            t            table        testuser2  REPLICATIONDEST    false
 test           s            t            table        testuser2  REPLICATIONSOURCE  false
 test           s            t            table        testuser2  TRIGGER            false
@@ -98,7 +96,6 @@ test           s2           t            table        testuser   CREATE
 test           s2           t            table        testuser   DELETE             false
 test           s2           t            table        testuser   DROP               false
 test           s2           t            table        testuser   INSERT             false
-test           s2           t            table        testuser   INSPECT            false
 test           s2           t            table        testuser   REPLICATIONDEST    false
 test           s2           t            table        testuser   REPLICATIONSOURCE  false
 test           s2           t            table        testuser   TRIGGER            false
@@ -110,7 +107,6 @@ test           s2           t            table        testuser2  CREATE
 test           s2           t            table        testuser2  DELETE             false
 test           s2           t            table        testuser2  DROP               false
 test           s2           t            table        testuser2  INSERT             false
-test           s2           t            table        testuser2  INSPECT            false
 test           s2           t            table        testuser2  REPLICATIONDEST    false
 test           s2           t            table        testuser2  REPLICATIONSOURCE  false
 test           s2           t            table        testuser2  TRIGGER            false
diff --git a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option
@@ -307,7 +307,6 @@ test           public       t            table        testuser  CHANGEFEED
 test           public       t            table        testuser  CREATE             true
 test           public       t            table        testuser  DROP               true
 test           public       t            table        testuser  INSERT             true
-test           public       t            table        testuser  INSPECT            true
 test           public       t            table        testuser  REPLICATIONDEST    true
 test           public       t            table        testuser  REPLICATIONSOURCE  true
 test           public       t            table        testuser  SELECT             true
diff --git a/pkg/sql/logictest/testdata/logic_test/grant_table b/pkg/sql/logictest/testdata/logic_test/grant_table
@@ -1671,7 +1671,6 @@ a  public  t  readwrite  BACKUP             false
 a  public  t  readwrite  CHANGEFEED         false
 a  public  t  readwrite  CREATE             false
 a  public  t  readwrite  DROP               false
-a  public  t  readwrite  INSPECT            false
 a  public  t  readwrite  REPLICATIONDEST    false
 a  public  t  readwrite  REPLICATIONSOURCE  false
 a  public  t  readwrite  SELECT             false
@@ -1683,7 +1682,6 @@ a  public  t  test-user  BACKUP             false
 a  public  t  test-user  CHANGEFEED         false
 a  public  t  test-user  CREATE             false
 a  public  t  test-user  DROP               false
-a  public  t  test-user  INSPECT            false
 a  public  t  test-user  REPLICATIONDEST    false
 a  public  t  test-user  REPLICATIONSOURCE  false
 a  public  t  test-user  SELECT             false
@@ -1698,7 +1696,6 @@ a  public  t  readwrite  BACKUP             false
 a  public  t  readwrite  CHANGEFEED         false
 a  public  t  readwrite  CREATE             false
 a  public  t  readwrite  DROP               false
-a  public  t  readwrite  INSPECT            false
 a  public  t  readwrite  REPLICATIONDEST    false
 a  public  t  readwrite  REPLICATIONSOURCE  false
 a  public  t  readwrite  SELECT             false
@@ -1709,7 +1706,6 @@ a  public  t  test-user  BACKUP             false
 a  public  t  test-user  CHANGEFEED         false
 a  public  t  test-user  CREATE             false
 a  public  t  test-user  DROP               false
-a  public  t  test-user  INSPECT            false
 a  public  t  test-user  REPLICATIONDEST    false
 a  public  t  test-user  REPLICATIONSOURCE  false
 a  public  t  test-user  SELECT             false
@@ -1728,7 +1724,6 @@ a  public  t  readwrite  BACKUP             false
 a  public  t  readwrite  CHANGEFEED         false
 a  public  t  readwrite  CREATE             false
 a  public  t  readwrite  DROP               false
-a  public  t  readwrite  INSPECT            false
 a  public  t  readwrite  REPLICATIONDEST    false
 a  public  t  readwrite  REPLICATIONSOURCE  false
 a  public  t  readwrite  SELECT             false
@@ -1740,7 +1735,6 @@ a  public  t  test-user  BACKUP             false
 a  public  t  test-user  CHANGEFEED         false
 a  public  t  test-user  CREATE             false
 a  public  t  test-user  DROP               false
-a  public  t  test-user  INSPECT            false
 a  public  t  test-user  REPLICATIONDEST    false
 a  public  t  test-user  REPLICATIONSOURCE  false
 a  public  t  test-user  TRIGGER            false
@@ -1754,7 +1748,6 @@ a  public  t  readwrite  BACKUP             false
 a  public  t  readwrite  CHANGEFEED         false
 a  public  t  readwrite  CREATE             false
 a  public  t  readwrite  DROP               false
-a  public  t  readwrite  INSPECT            false
 a  public  t  readwrite  REPLICATIONDEST    false
 a  public  t  readwrite  REPLICATIONSOURCE  false
 a  public  t  readwrite  SELECT             false
@@ -1765,7 +1758,6 @@ a  public  t  test-user  BACKUP             false
 a  public  t  test-user  CHANGEFEED         false
 a  public  t  test-user  CREATE             false
 a  public  t  test-user  DROP               false
-a  public  t  test-user  INSPECT            false
 a  public  t  test-user  REPLICATIONDEST    false
 a  public  t  test-user  REPLICATIONSOURCE  false
 a  public  t  test-user  TRIGGER            false
@@ -1832,7 +1824,6 @@ a  public  v  readwrite  BACKUP             false
 a  public  v  readwrite  CHANGEFEED         false
 a  public  v  readwrite  CREATE             false
 a  public  v  readwrite  DROP               false
-a  public  v  readwrite  INSPECT            false
 a  public  v  readwrite  REPLICATIONDEST    false
 a  public  v  readwrite  REPLICATIONSOURCE  false
 a  public  v  readwrite  SELECT             false
@@ -1844,7 +1835,6 @@ a  public  v  test-user  BACKUP             false
 a  public  v  test-user  CHANGEFEED         false
 a  public  v  test-user  CREATE             false
 a  public  v  test-user  DROP               false
-a  public  v  test-user  INSPECT            false
 a  public  v  test-user  REPLICATIONDEST    false
 a  public  v  test-user  REPLICATIONSOURCE  false
 a  public  v  test-user  SELECT             false
@@ -1859,7 +1849,6 @@ a  public  v  readwrite  BACKUP             false
 a  public  v  readwrite  CHANGEFEED         false
 a  public  v  readwrite  CREATE             false
 a  public  v  readwrite  DROP               false
-a  public  v  readwrite  INSPECT            false
 a  public  v  readwrite  REPLICATIONDEST    false
 a  public  v  readwrite  REPLICATIONSOURCE  false
 a  public  v  readwrite  SELECT             false
@@ -1870,7 +1859,6 @@ a  public  v  test-user  BACKUP             false
 a  public  v  test-user  CHANGEFEED         false
 a  public  v  test-user  CREATE             false
 a  public  v  test-user  DROP               false
-a  public  v  test-user  INSPECT            false
 a  public  v  test-user  REPLICATIONDEST    false
 a  public  v  test-user  REPLICATIONSOURCE  false
 a  public  v  test-user  SELECT             false
@@ -1889,7 +1877,6 @@ a  public  v  readwrite  BACKUP             false
 a  public  v  readwrite  CHANGEFEED         false
 a  public  v  readwrite  CREATE             false
 a  public  v  readwrite  DROP               false
-a  public  v  readwrite  INSPECT            false
 a  public  v  readwrite  REPLICATIONDEST    false
 a  public  v  readwrite  REPLICATIONSOURCE  false
 a  public  v  readwrite  SELECT             false
@@ -1901,7 +1888,6 @@ a  public  v  test-user  BACKUP             false
 a  public  v  test-user  CHANGEFEED         false
 a  public  v  test-user  CREATE             false
 a  public  v  test-user  DROP               false
-a  public  v  test-user  INSPECT            false
 a  public  v  test-user  REPLICATIONDEST    false
 a  public  v  test-user  REPLICATIONSOURCE  false
 a  public  v  test-user  TRIGGER            false
@@ -1915,7 +1901,6 @@ a  public  v  readwrite  BACKUP             false
 a  public  v  readwrite  CHANGEFEED         false
 a  public  v  readwrite  CREATE             false
 a  public  v  readwrite  DROP               false
-a  public  v  readwrite  INSPECT            false
 a  public  v  readwrite  REPLICATIONDEST    false
 a  public  v  readwrite  REPLICATIONSOURCE  false
 a  public  v  readwrite  SELECT             false
@@ -1926,7 +1911,6 @@ a  public  v  test-user  BACKUP             false
 a  public  v  test-user  CHANGEFEED         false
 a  public  v  test-user  CREATE             false
 a  public  v  test-user  DROP               false
-a  public  v  test-user  INSPECT            false
 a  public  v  test-user  REPLICATIONDEST    false
 a  public  v  test-user  REPLICATIONSOURCE  false
 a  public  v  test-user  TRIGGER            false
@@ -1943,7 +1927,6 @@ a  public  v     table     readwrite  BACKUP             false
 a  public  v     table     readwrite  CHANGEFEED         false
 a  public  v     table     readwrite  CREATE             false
 a  public  v     table     readwrite  DROP               false
-a  public  v     table     readwrite  INSPECT            false
 a  public  v     table     readwrite  REPLICATIONDEST    false
 a  public  v     table     readwrite  REPLICATIONSOURCE  false
 a  public  v     table     readwrite  SELECT             false
@@ -1954,7 +1937,6 @@ a  public  v     table     test-user  BACKUP             false
 a  public  v     table     test-user  CHANGEFEED         false
 a  public  v     table     test-user  CREATE             false
 a  public  v     table     test-user  DROP               false
-a  public  v     table     test-user  INSPECT            false
 a  public  v     table     test-user  REPLICATIONDEST    false
 a  public  v     table     test-user  REPLICATIONSOURCE  false
 a  public  v     table     test-user  TRIGGER            false
diff --git a/pkg/sql/logictest/testdata/logic_test/information_schema b/pkg/sql/logictest/testdata/logic_test/information_schema
diff --git a/pkg/sql/logictest/testdata/logic_test/inspect b/pkg/sql/logictest/testdata/logic_test/inspect
diff --git a/pkg/sql/logictest/testdata/logic_test/show_default_privileges b/pkg/sql/logictest/testdata/logic_test/show_default_privileges
diff --git a/pkg/sql/privilege/privilege.go b/pkg/sql/privilege/privilege.go
