feat(admin): Skip experimental analyzer for sudo-mode queries (#7696)

When validating sudo-mode queries in snuba admin, the `EXPLAIN QUERY
TREE` command no longer appends `SETTINGS allow_experimental_analyzer =
1`.

The SETTINGS clause can break syntax for certain sudo-mode queries,
specifically CREATE/DROP WORKLOAD commands. By skipping the experimental
analyzer setting for sudo-mode queries, we prevent validation failures
for these commands.

## Changes

- Added `sudo_mode` parameter to `is_query_using_only_system_tables()`
- Added `sudo_mode` parameter to `is_valid_system_query()`
- Conditionally skip the experimental analyzer setting when
`sudo_mode=True`
- Added test to verify the experimental analyzer is skipped for sudo
queries

## Test plan

- All existing tests pass: `python -m pytest
tests/admin/test_system_queries.py -v`
- New test added to verify experimental analyzer is not used for
sudo-mode queries
- No mypy errors in changed files

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: onewland

snuba/admin/clickhouse/system_queries.py

@@ -151,15 +151,15 @@ def is_query_using_only_system_tables(
     storage_name: str,
     sql_query: str,
     clusterless_mode: bool,
+    sudo_mode: bool = False,
 ) -> bool:
     """
     Run the EXPLAIN QUERY TREE on the given sql_query and check that the only tables
     in the query are system tables.
     """
     sql_query = sql_query.strip().rstrip(";") if sql_query.endswith(";") else sql_query
-    explain_query_tree_query = (
-        f"EXPLAIN QUERY TREE {sql_query} SETTINGS allow_experimental_analyzer = 1"
-    )
+    settings_clause = "" if sudo_mode else " SETTINGS allow_experimental_analyzer = 1"
+    explain_query_tree_query = f"EXPLAIN QUERY TREE {sql_query}{settings_clause}"
     explain_query_tree_result = _run_sql_query_on_host(
         clickhouse_host,
         clickhouse_port,
@@ -194,6 +194,7 @@ def is_valid_system_query(
     storage_name: str,
     sql_query: str,
     clusterless_mode: bool,
+    sudo_mode: bool = False,
 ) -> bool:
     """
     Validation based on Query Tree and AST to ensure the query is a valid select query.
@@ -209,7 +210,7 @@ def is_valid_system_query(
             return False
 
     return is_query_using_only_system_tables(
-        clickhouse_host, clickhouse_port, storage_name, sql_query, clusterless_mode
+        clickhouse_host, clickhouse_port, storage_name, sql_query, clusterless_mode, sudo_mode
     )
 
 
@@ -280,7 +281,12 @@ def validate_query(
         return
 
     if is_valid_system_query(
-        clickhouse_host, clickhouse_port, storage_name, system_query_sql, clusterless_mode
+        clickhouse_host,
+        clickhouse_port,
+        storage_name,
+        system_query_sql,
+        clusterless_mode,
+        sudo_mode,
     ):
         if sudo_mode:
             raise InvalidCustomQuery("Query is valid but sudo is not allowed")

tests/admin/test_system_queries.py

@@ -215,3 +215,55 @@ def run_query() -> None:
             run_query()
     else:
         run_query()
+
+
+@pytest.mark.parametrize(
+    "sql_query, sudo_mode",
+    [
+        ("SELECT * FROM system.clusters;", True),
+        ("SELECT * FROM system.clusters;", False),
+    ],
+)
+@pytest.mark.clickhouse_db
+def test_sudo_mode_skips_experimental_analyzer(sql_query: str, sudo_mode: bool) -> None:
+    """
+    Test that when sudo_mode=True, the experimental analyzer setting is not
+    appended to the EXPLAIN QUERY TREE command.
+    """
+    from unittest.mock import patch
+
+    with patch("snuba.admin.clickhouse.system_queries._run_sql_query_on_host") as mock_run:
+        # Mock the response to simulate successful validation
+        mock_result = type("MockResult", (), {"results": []})()
+        mock_run.return_value = mock_result
+
+        try:
+            is_valid_system_query(
+                settings.CLUSTERS[0]["host"],
+                int(settings.CLUSTERS[0]["port"]),
+                "errors",
+                sql_query,
+                False,
+                sudo_mode,
+            )
+        except Exception:
+            pass  # We don't care if validation fails, we just want to check the query
+
+        # Check that the EXPLAIN QUERY TREE was called
+        calls = [call for call in mock_run.call_args_list if "EXPLAIN QUERY TREE" in str(call)]
+        assert len(calls) > 0, "Expected EXPLAIN QUERY TREE to be called"
+
+        # Get the explain query from the call - it's the 4th positional argument (index 3)
+        # call signature: _run_sql_query_on_host(host, port, storage, sql, sudo, clusterless)
+        explain_query = calls[0][0][3]  # Fourth argument is the SQL query
+
+        if sudo_mode:
+            # Should NOT contain the experimental analyzer setting
+            assert "allow_experimental_analyzer" not in explain_query, (
+                f"Sudo mode should not use experimental analyzer, but got: {explain_query}"
+            )
+        else:
+            # Should contain the experimental analyzer setting
+            assert "allow_experimental_analyzer" in explain_query, (
+                f"Non-sudo mode should use experimental analyzer, but got: {explain_query}"
+            )