sql: add show default privileges for grantee

annrpom · annrpom · commit 4f41f5e20baa · 2023-08-03T15:46:58.000-04:00
Previously, `SHOW DEFAULT PRIVILEGES [FOR <ROLE|USER|ALL ROLES>]` statements were supported. However, support for finding default privileges for a grantee did not exist. This patch adds a new syntax for showing the default privileges that a grantee received. Fixes: cockroachdb#107741 Epic: CRDB-25481 Release note (sql change): This adds a new syntax to `SHOW DEFAULT PRIVILEGES`, `SHOW DEFAULT PRIVILEGES FOR GRANTEE <grantee>`, that shows the default privileges that a grantee received.
diff --git a/docs/generated/sql/bnf/show_default_privileges_stmt.bnf b/docs/generated/sql/bnf/show_default_privileges_stmt.bnf
@@ -2,4 +2,5 @@ show_default_privileges_stmt ::=
 	'SHOW' 'DEFAULT' 'PRIVILEGES' 'FOR' 'ROLE' role_spec_list ( 'IN' 'SCHEMA' ( ( qualifiable_schema_name ) ( ( ',' qualifiable_schema_name ) )* ) | )
 	| 'SHOW' 'DEFAULT' 'PRIVILEGES' 'FOR' 'USER' role_spec_list ( 'IN' 'SCHEMA' ( ( qualifiable_schema_name ) ( ( ',' qualifiable_schema_name ) )* ) | )
 	| 'SHOW' 'DEFAULT' 'PRIVILEGES'  ( 'IN' 'SCHEMA' ( ( qualifiable_schema_name ) ( ( ',' qualifiable_schema_name ) )* ) | )
+	| 'SHOW' 'DEFAULT' 'PRIVILEGES' 'FOR' 'GRANTEE' role_spec_list ( 'IN' 'SCHEMA' ( ( qualifiable_schema_name ) ( ( ',' qualifiable_schema_name ) )* ) | )
 	| 'SHOW' 'DEFAULT' 'PRIVILEGES' 'FOR' 'ALL' 'ROLES' ( 'IN' 'SCHEMA' ( ( qualifiable_schema_name ) ( ( ',' qualifiable_schema_name ) )* ) | )
diff --git a/docs/generated/sql/bnf/stmt_block.bnf b/docs/generated/sql/bnf/stmt_block.bnf
@@ -954,6 +954,7 @@ show_full_scans_stmt ::=
 
 show_default_privileges_stmt ::=
 	'SHOW' 'DEFAULT' 'PRIVILEGES' opt_for_roles opt_in_schema
+	| 'SHOW' 'DEFAULT' 'PRIVILEGES' 'FOR' 'GRANTEE' role_spec_list opt_in_schema
 	| 'SHOW' 'DEFAULT' 'PRIVILEGES' 'FOR' 'ALL' 'ROLES' opt_in_schema
 
 opt_table ::=
@@ -1145,6 +1146,7 @@ unreserved_keyword ::=
 	| 'GEOMETRYCOLLECTIONZM'
 	| 'GLOBAL'
 	| 'GOAL'
+	| 'GRANTEE'
 	| 'GRANTS'
 	| 'GROUPS'
 	| 'HASH'
@@ -3667,6 +3669,7 @@ bare_label_keywords ::=
 	| 'GEOMETRYZM'
 	| 'GLOBAL'
 	| 'GOAL'
+	| 'GRANTEE'
 	| 'GRANTS'
 	| 'GREATEST'
 	| 'GROUPING'
diff --git a/pkg/sql/delegate/show_default_privileges.go b/pkg/sql/delegate/show_default_privileges.go
@@ -44,14 +44,20 @@ func (d *delegator) delegateShowDefaultPrivileges(
 	if n.ForAllRoles {
 		query += " AND for_all_roles=true"
 	} else if len(n.Roles) > 0 {
+		targetCol := "grantee"
+		if !n.ForGrantee {
+			targetCol = "role"
+			query += " AND for_all_roles=false"
+		}
+
 		targetRoles, err := decodeusername.FromRoleSpecList(
 			d.evalCtx.SessionData(), username.PurposeValidation, n.Roles,
 		)
 		if err != nil {
 			return nil, err
 		}
 
-		query = fmt.Sprintf("%s AND for_all_roles=false AND role IN (", query)
+		query = fmt.Sprintf("%s AND %s IN (", query, targetCol)
 		for i, role := range targetRoles {
 			if i != 0 {
 				query += fmt.Sprintf(", '%s'", role.Normalized())
diff --git a/pkg/sql/logictest/testdata/logic_test/show_default_privileges b/pkg/sql/logictest/testdata/logic_test/show_default_privileges
diff --git a/pkg/sql/parser/sql.y b/pkg/sql/parser/sql.y
@@ -935,7 +935,7 @@ func (u *sqlSymUnion) showCreateFormatOption() tree.ShowCreateFormatOption {
 
 %token <str> GENERATED GEOGRAPHY GEOMETRY GEOMETRYM GEOMETRYZ GEOMETRYZM
 %token <str> GEOMETRYCOLLECTION GEOMETRYCOLLECTIONM GEOMETRYCOLLECTIONZ GEOMETRYCOLLECTIONZM
-%token <str> GLOBAL GOAL GRANT GRANTS GREATEST GROUP GROUPING GROUPS
+%token <str> GLOBAL GOAL GRANT GRANTEE GRANTS GREATEST GROUP GROUPING GROUPS
 
 %token <str> HAVING HASH HEADER HIGH HISTOGRAM HOLD HOUR
 
@@ -7824,13 +7824,21 @@ show_databases_stmt:
 // %Help: SHOW DEFAULT PRIVILEGES - list default privileges
 // %Category: DDL
 // %Text: SHOW DEFAULT PRIVILEGES
+// %SeeAlso: WEBDOCS/show-default-privileges
 show_default_privileges_stmt:
   SHOW DEFAULT PRIVILEGES opt_for_roles opt_in_schema {
     $$.val = &tree.ShowDefaultPrivileges{
       Roles: $4.roleSpecList(),
       Schema: tree.Name($5),
     }
   }
+| SHOW DEFAULT PRIVILEGES FOR GRANTEE role_spec_list opt_in_schema {
+    $$.val = &tree.ShowDefaultPrivileges{
+      Roles: $6.roleSpecList(),
+      ForGrantee: true,
+      Schema: tree.Name($7),
+    }
+  }
 | SHOW DEFAULT PRIVILEGES FOR ALL ROLES opt_in_schema {
     $$.val = &tree.ShowDefaultPrivileges{
       ForAllRoles: true,
@@ -9117,7 +9125,6 @@ for_grantee_clause:
     $$.val = tree.RoleSpecList(nil)
   }
 
-
 // %Help: PAUSE - pause background tasks
 // %Category: Group
 // %Text: PAUSE JOBS, PAUSE SCHEDULES, PAUSE ALL JOBS
@@ -16655,6 +16662,7 @@ unreserved_keyword:
 | GEOMETRYCOLLECTIONZM
 | GLOBAL
 | GOAL
+| GRANTEE
 | GRANTS
 | GROUPS
 | HASH
@@ -17166,6 +17174,7 @@ bare_label_keywords:
 | GEOMETRYZM
 | GLOBAL
 | GOAL
+| GRANTEE
 | GRANTS
 | GREATEST
 | GROUPING
diff --git a/pkg/sql/parser/testdata/show_default_privileges b/pkg/sql/parser/testdata/show_default_privileges
@@ -46,6 +46,38 @@ SHOW DEFAULT PRIVILEGES FOR ALL ROLES  -- fully parenthesized
 SHOW DEFAULT PRIVILEGES FOR ALL ROLES  -- literals removed
 SHOW DEFAULT PRIVILEGES FOR ALL ROLES  -- identifiers removed
 
+parse
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo
+----
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo  -- normalized!
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo  -- fully parenthesized
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo  -- literals removed
+SHOW DEFAULT PRIVILEGES FOR GRANTEE _  -- identifiers removed
+
+parse
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar
+----
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar  -- normalized!
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar  -- fully parenthesized
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar  -- literals removed
+SHOW DEFAULT PRIVILEGES FOR GRANTEE _, _  -- identifiers removed
+
+parse
+SHOW DEFAULT PRIVILEGES FOR GRANTEE fOo, baR
+----
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar  -- normalized!
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar  -- fully parenthesized
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar  -- literals removed
+SHOW DEFAULT PRIVILEGES FOR GRANTEE _, _  -- identifiers removed
+
+parse
+SHOW DEFAULT PRIVILEGES FOR GRANTEE "fOo", "baR"
+----
+SHOW DEFAULT PRIVILEGES FOR GRANTEE "fOo", "baR"  -- normalized!
+SHOW DEFAULT PRIVILEGES FOR GRANTEE "fOo", "baR"  -- fully parenthesized
+SHOW DEFAULT PRIVILEGES FOR GRANTEE "fOo", "baR"  -- literals removed
+SHOW DEFAULT PRIVILEGES FOR GRANTEE _, _  -- identifiers removed
+
 parse
 SHOW DEFAULT PRIVILEGES IN SCHEMA s
 ----
@@ -69,3 +101,11 @@ SHOW DEFAULT PRIVILEGES FOR ALL ROLES IN SCHEMA s
 SHOW DEFAULT PRIVILEGES FOR ALL ROLES IN SCHEMA s -- fully parenthesized
 SHOW DEFAULT PRIVILEGES FOR ALL ROLES IN SCHEMA s -- literals removed
 SHOW DEFAULT PRIVILEGES FOR ALL ROLES IN SCHEMA _ -- identifiers removed
+
+parse
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar IN SCHEMA s
+----
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar IN SCHEMA s
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar IN SCHEMA s -- fully parenthesized
+SHOW DEFAULT PRIVILEGES FOR GRANTEE foo, bar IN SCHEMA s -- literals removed
+SHOW DEFAULT PRIVILEGES FOR GRANTEE _, _ IN SCHEMA _ -- identifiers removed
diff --git a/pkg/sql/sem/tree/show.go b/pkg/sql/sem/tree/show.go
@@ -1322,6 +1322,7 @@ func (n *ShowSchedules) Format(ctx *FmtCtx) {
 type ShowDefaultPrivileges struct {
 	Roles       RoleSpecList
 	ForAllRoles bool
+	ForGrantee  bool
 	// If Schema is not specified, SHOW DEFAULT PRIVILEGES is being
 	// run on the current database.
 	Schema Name
@@ -1333,7 +1334,12 @@ var _ Statement = &ShowDefaultPrivileges{}
 func (n *ShowDefaultPrivileges) Format(ctx *FmtCtx) {
 	ctx.WriteString("SHOW DEFAULT PRIVILEGES ")
 	if len(n.Roles) > 0 {
-		ctx.WriteString("FOR ROLE ")
+		if n.ForGrantee {
+			ctx.WriteString("FOR GRANTEE ")
+		} else {
+			ctx.WriteString("FOR ROLE ")
+		}
+
 		for i := range n.Roles {
 			if i > 0 {
 				ctx.WriteString(", ")
