builtins: add crdb_internal.can_view_job

This builtin determines if the current user can view a job owned by the specified user.

Release note: none.
Epic: none.

Author: dt

pkg/sql/faketreeeval/evalctx.go

@@ -647,6 +647,14 @@ func (ep *DummySessionAccessor) HasViewActivityOrViewActivityRedactedRole(
 	return false, false, errors.WithStack(errEvalSessionVar)
 }
 
+// HasViewAccessToJob implements SessionAccessor.
+func (ep *DummySessionAccessor) HasViewAccessToJob(
+	ctx context.Context, owner username.SQLUsername,
+) bool {
+	// This is a no-op in the dummy implementation.
+	return false
+}
+
 func (ep *DummySessionAccessor) ForEachSessionPendingJob(
 	_ func(job jobspb.PendingJob) error,
 ) error {

pkg/sql/jobs_collection.go

@@ -6,8 +6,12 @@
 package sql
 
 import (
+	"context"
+
 	"github.com/cockroachdb/cockroach/pkg/jobs"
+	"github.com/cockroachdb/cockroach/pkg/jobs/jobsauth"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descpb"
 )
 
@@ -100,3 +104,11 @@ func (p *planner) ForEachSessionPendingJob(fn func(job jobspb.PendingJob) error)
 		})
 	})
 }
+
+func (p *planner) HasViewAccessToJob(ctx context.Context, owner username.SQLUsername) bool {
+	privs, err := jobsauth.GetGlobalJobPrivileges(ctx, p)
+	if err != nil {
+		return false
+	}
+	return jobsauth.Authorize(ctx, p, jobspb.InvalidJobID, owner, jobsauth.ViewAccess, privs) == nil
+}

pkg/sql/sem/builtins/builtins.go

@@ -4631,6 +4631,24 @@ value if you rely on the HLC for accuracy.`,
 			Volatility: volatility.Volatile,
 		}),
 
+	"crdb_internal.can_view_job": makeBuiltin(
+		tree.FunctionProperties{Category: builtinconstants.CategorySystemInfo, DistsqlBlocklist: true},
+		tree.Overload{
+			Types: tree.ParamTypes{
+				{Name: "owner", Typ: types.String},
+			},
+			ReturnType: tree.FixedReturnType(types.Bool),
+			Fn: func(ctx context.Context, evalCtx *eval.Context, args tree.Datums) (tree.Datum, error) {
+				ownerStr := string(tree.MustBeDString(args[0]))
+				owner := username.MakeSQLUsernameFromPreNormalizedString(ownerStr)
+				ok := evalCtx.SessionAccessor.HasViewAccessToJob(ctx, owner)
+				return tree.MakeDBool(tree.DBool(ok)), nil
+			},
+			Info:       "Returns true if the current user can view a job owned by the specified owner.",
+			Volatility: volatility.Stable,
+		},
+	),
+
 	"crdb_internal.read_file": makeBuiltin(
 		tree.FunctionProperties{
 			Category:         builtinconstants.CategorySystemInfo,

pkg/sql/sem/builtins/fixed_oids.go

@@ -2666,6 +2666,7 @@ var builtinOidsArray = []string{
 	2703: `crdb_internal.show_create_all_routines(database_name: string) -> string`,
 	2704: `crdb_internal.show_create_all_triggers(database_name: string) -> string`,
 	2705: `crdb_internal.session_pending_jobs() -> tuple{int AS job_id, string AS job_type, string AS description, string AS user_name}`,
+	2706: `crdb_internal.can_view_job(owner: string) -> bool`,
 }
 
 var builtinOidsBySignature map[string]oid.Oid

pkg/sql/sem/eval/deps.go

@@ -527,6 +527,9 @@ type SessionAccessor interface {
 	// CheckPrivilege verifies that the current user has `privilege` on `descriptor`.
 	CheckPrivilege(ctx context.Context, privilegeObject privilege.Object, privilege privilege.Kind) error
 
+	// HasViewAccessToJob checks if the current user has access to a job owned by the specified owner.
+	HasViewAccessToJob(ctx context.Context, owner username.SQLUsername) bool
+
 	// HasViewActivityOrViewActivityRedactedRole returns true iff the current session user has the
 	// VIEWACTIVITY or VIEWACTIVITYREDACTED permission.
 	HasViewActivityOrViewActivityRedactedRole(ctx context.Context) (bool, bool, error)