sql: support SHOW GRANTS for user-defined functions

Backport resolves cockroachdb#88495

Release note (sql change): Previously `SHOW GRANTS` only supports
db, schema, table and types. This commit add supports for UDFs,
so that `SHOW GRANTS` returns UDFs privileges infos, and statements
like `SHOW GRANTS ON FUNCTION <udf name/signatures>` are now supported
Full function signature must be provided if the function name is
not unique.
Release justification: low risk GA blocker.

pkg/sql/delegate/BUILD.bazel

@@ -58,6 +58,7 @@ go_library(
         "//pkg/sql/sem/eval",
         "//pkg/sql/sem/tree",
         "//pkg/sql/sqltelemetry",
+        "//pkg/util",
         "//pkg/util/errorutil/unimplemented",
         "@com_github_cockroachdb_errors//:errors",
     ],

pkg/sql/delegate/show_grants.go

@@ -13,6 +13,7 @@ package delegate
 import (
 	"bytes"
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/cockroachdb/cockroach/pkg/security/username"
@@ -22,6 +23,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
+	"github.com/cockroachdb/cockroach/pkg/util"
 )
 
 // delegateShowGrants implements SHOW GRANTS which returns grant details for the
@@ -100,6 +102,33 @@ SELECT *
                ) AS a
        )
 `
+	//
+	const udfQuery = `
+WITH fn_grants AS (
+  SELECT routine_catalog as database_name,
+         routine_schema as schema_name,
+         reverse(split_part(reverse(specific_name), '_', 1))::OID as function_id,
+         routine_name as function_name,
+         grantee,
+         privilege_type,
+         is_grantable::boolean
+  FROM "".information_schema.role_routine_grants
+  WHERE reverse(split_part(reverse(specific_name), '_', 1))::INT > 100000
+)
+SELECT database_name,
+       schema_name,
+       function_id,
+       concat(
+				 function_name,
+         '(',
+				 pg_get_function_identity_arguments(function_id),
+         ')'
+			 ) as function_signature,
+       grantee,
+       privilege_type,
+       is_grantable
+  FROM fn_grants
+`
 
 	var source bytes.Buffer
 	var cond bytes.Buffer
@@ -217,6 +246,31 @@ SELECT *
 				strings.Join(params, ","),
 			)
 		}
+	} else if n.Targets != nil && len(n.Targets.Functions) > 0 {
+		fmt.Fprint(&source, udfQuery)
+		orderBy = "1,2,3,4,5,6"
+		fnResolved := util.MakeFastIntSet()
+		for _, fn := range n.Targets.Functions {
+			un := fn.FuncName.ToUnresolvedObjectName().ToUnresolvedName()
+			fd, err := d.catalog.ResolveFunction(d.ctx, un, &d.evalCtx.SessionData().SearchPath)
+			if err != nil {
+				return nil, err
+			}
+			argTypes, err := fn.InputArgTypes(d.ctx, d.catalog)
+			if err != nil {
+				return nil, err
+			}
+			ol, err := fd.MatchOverload(argTypes, fn.FuncName.Schema(), &d.evalCtx.SessionData().SearchPath)
+			if err != nil {
+				return nil, err
+			}
+			fnResolved.Add(int(ol.Oid))
+		}
+		params = make([]string, fnResolved.Len())
+		for i, fnID := range fnResolved.Ordered() {
+			params[i] = strconv.Itoa(fnID)
+		}
+		fmt.Fprintf(&cond, `WHERE function_id IN (%s)`, strings.Join(params, ","))
 	} else if n.Targets != nil && n.Targets.System {
 		orderBy = "1,2,3"
 		fmt.Fprint(&source, systemPrivilegeQuery)
@@ -284,6 +338,10 @@ SELECT *
 				`SELECT database_name, schema_name, type_name AS relation_name, grantee, privilege_type, is_grantable FROM (`)
 			source.WriteString(typePrivQuery)
 			source.WriteByte(')')
+			source.WriteString(` UNION ALL ` +
+				`SELECT database_name, schema_name, function_signature AS relation_name, grantee, privilege_type, is_grantable FROM (`)
+			source.WriteString(udfQuery)
+			source.WriteByte(')')
 			// If the current database is set, restrict the command to it.
 			if currDB := d.evalCtx.SessionData().Database; currDB != "" {
 				fmt.Fprintf(&cond, ` WHERE database_name = %s`, lexbase.EscapeSQLString(currDB))