externalconn: support SHOW CREATE EXTERNAL CONNECTION

This change adds support for `SHOW CREATE EXTERNAL CONNECTION`
and `SHOW CREATE ALL EXTERNAL CONNECTIONS` that displays the
connection name and the statement used to create the external
connection. This displays unredacted information of the underlying
resource and is therefore restricted to admin only or by the
owner of the external connection object.

Note, synthetic privileges do not have a concept of external
connections at the moment. So, the operations are limited to
admin only until that functionality is added.

Informs: #85905

Release note (sql change): Add support for `SHOW CREATE EXTERNAL CONNECTION`
and `SHOW CREATE ALL EXTERNAL CONNECTIONS` that displays the
connection name and the unredacted query used to create the external
connection. This can only be run by users of the admin role today.

docs/generated/sql/bnf/BUILD.bazel

@@ -211,6 +211,7 @@ FILES = [
     "show_constraints_stmt",
     "show_create_stmt",
     "show_create_schedules_stmt",
+    "show_create_external_connections_stmt",
     "show_databases_stmt",
     "show_default_privileges_stmt",
     "show_enums",

docs/generated/sql/bnf/show_create_external_connections_stmt.bnf

@@ -0,0 +1,3 @@
+show_create_external_connections_stmt ::=
+	'SHOW' 'CREATE' 'ALL' 'EXTERNAL' 'CONNECTIONS'
+	| 'SHOW' 'CREATE' 'EXTERNAL' 'CONNECTION' string_or_placeholder

docs/generated/sql/bnf/show_var.bnf

@@ -4,6 +4,7 @@ show_stmt ::=
 	| show_constraints_stmt
 	| show_create_stmt
 	| show_create_schedules_stmt
+	| show_create_external_connections_stmt
 	| show_local_or_tenant_csettings_stmt
 	| show_databases_stmt
 	| show_enums_stmt

docs/generated/sql/bnf/stmt_block.bnf

@@ -257,6 +257,7 @@ show_stmt ::=
 	| show_constraints_stmt
 	| show_create_stmt
 	| show_create_schedules_stmt
+	| show_create_external_connections_stmt
 	| show_local_or_tenant_csettings_stmt
 	| show_databases_stmt
 	| show_enums_stmt
@@ -777,6 +778,10 @@ show_create_schedules_stmt ::=
 	'SHOW' 'CREATE' 'ALL' 'SCHEDULES'
 	| 'SHOW' 'CREATE' 'SCHEDULE' a_expr
 
+show_create_external_connections_stmt ::=
+	'SHOW' 'CREATE' 'ALL' 'EXTERNAL' 'CONNECTIONS'
+	| 'SHOW' 'CREATE' 'EXTERNAL' 'CONNECTION' string_or_placeholder
+
 show_local_or_tenant_csettings_stmt ::=
 	show_csettings_stmt
 	| show_csettings_stmt 'FOR' 'TENANT' d_expr
@@ -1008,6 +1013,7 @@ unreserved_keyword ::=
 	| 'CONFIGURATIONS'
 	| 'CONFIGURE'
 	| 'CONNECTION'
+	| 'CONNECTIONS'
 	| 'CONSTRAINTS'
 	| 'CONTROLCHANGEFEED'
 	| 'CONTROLJOB'

pkg/ccl/cloudccl/externalconn/datadriven_test.go

@@ -104,6 +104,12 @@ func TestDataDriven(t *testing.T) {
 				}
 
 			case "query-sql":
+				if d.HasArg("user") {
+					var user string
+					d.ScanArgs(t, "user", &user)
+					resetToRootUser := externalConnTestCluster.SetSQLDBForUser(tenantID, user)
+					defer resetToRootUser()
+				}
 				var rows *gosql.Rows
 				var err error
 				if rows, err = tenant.QueryWithErr(d.Input); err != nil {

pkg/ccl/cloudccl/externalconn/testdata/multi-tenant/show_create_external_connections

@@ -0,0 +1,96 @@
+subtest basic-show-create-ec
+
+initialize tenant=10
+----
+
+disable-check-external-storage
+----
+
+disable-check-kms
+----
+
+exec-sql
+CREATE EXTERNAL CONNECTION nodelocal AS 'nodelocal://1/foo';
+----
+
+exec-sql
+CREATE EXTERNAL CONNECTION kms AS 'gs:///cmk?AUTH=implicit&CREDENTIALS=wont-be-redacted';
+----
+
+exec-sql
+CREATE EXTERNAL CONNECTION kafka AS 'kafka://broker.address.com:9092';
+----
+
+query-sql
+SHOW CREATE ALL EXTERNAL CONNECTIONS
+----
+kafka CREATE EXTERNAL CONNECTION 'kafka' AS 'kafka://broker.address.com:9092'
+kms CREATE EXTERNAL CONNECTION 'kms' AS 'gs:///cmk?AUTH=implicit&CREDENTIALS=wont-be-redacted'
+nodelocal CREATE EXTERNAL CONNECTION 'nodelocal' AS 'nodelocal://1/foo'
+
+query-sql
+SHOW CREATE EXTERNAL CONNECTION nodelocal
+----
+nodelocal CREATE EXTERNAL CONNECTION 'nodelocal' AS 'nodelocal://1/foo'
+
+query-sql
+SHOW CREATE EXTERNAL CONNECTION kms
+----
+kms CREATE EXTERNAL CONNECTION 'kms' AS 'gs:///cmk?AUTH=implicit&CREDENTIALS=wont-be-redacted'
+
+query-sql
+SHOW CREATE EXTERNAL CONNECTION kafka
+----
+kafka CREATE EXTERNAL CONNECTION 'kafka' AS 'kafka://broker.address.com:9092'
+
+
+enable-check-external-storage
+----
+
+enable-check-kms
+----
+
+subtest end
+
+subtest owner-or-admin
+
+# Create an external connection as root, only root should be able to SHOW this object.
+exec-sql
+CREATE EXTERNAL CONNECTION foo AS 'nodelocal://1/foo'
+----
+
+exec-sql
+CREATE USER testuser
+----
+
+exec-sql
+GRANT SYSTEM EXTERNALCONNECTION TO testuser
+----
+
+query-sql user=testuser
+SHOW CREATE ALL EXTERNAL CONNECTIONS
+----
+pq: must be admin to run `SHOW CREATE ALL EXTERNAL CONNECTIONS
+
+query-sql user=testuser
+SHOW CREATE EXTERNAL CONNECTION foo
+----
+pq: must be admin or owner of the External Connection "foo"
+
+# Create External Connection where testuser is the owner, they should be able to SHOW this object.
+exec-sql user=testuser
+CREATE EXTERNAL CONNECTION bar AS 'nodelocal://1/foo'
+----
+
+query-sql user=testuser
+SHOW CREATE ALL EXTERNAL CONNECTIONS
+----
+pq: must be admin to run `SHOW CREATE ALL EXTERNAL CONNECTIONS
+
+# TODO(aditymaru): Synthetic privileges do not have a concept of owners. Once they do, testuser will
+# be able to run this query successfully since they are the owner of the External Connection object.
+# query-sql user=testuser
+# SHOW CREATE EXTERNAL CONNECTION bar
+# ----
+
+subtest end

pkg/ccl/cloudccl/externalconn/testdata/show_create_external_connections

@@ -0,0 +1,92 @@
+subtest basic-show-create-ec
+
+disable-check-external-storage
+----
+
+disable-check-kms
+----
+
+exec-sql
+CREATE EXTERNAL CONNECTION nodelocal AS 'nodelocal://1/foo';
+----
+
+exec-sql
+CREATE EXTERNAL CONNECTION kms AS 'gs:///cmk?AUTH=implicit&CREDENTIALS=wont-be-redacted';
+----
+
+exec-sql
+CREATE EXTERNAL CONNECTION kafka AS 'kafka://broker.address.com:9092';
+----
+
+query-sql
+SHOW CREATE ALL EXTERNAL CONNECTIONS
+----
+kafka CREATE EXTERNAL CONNECTION 'kafka' AS 'kafka://broker.address.com:9092'
+kms CREATE EXTERNAL CONNECTION 'kms' AS 'gs:///cmk?AUTH=implicit&CREDENTIALS=wont-be-redacted'
+nodelocal CREATE EXTERNAL CONNECTION 'nodelocal' AS 'nodelocal://1/foo'
+
+query-sql
+SHOW CREATE EXTERNAL CONNECTION nodelocal
+----
+nodelocal CREATE EXTERNAL CONNECTION 'nodelocal' AS 'nodelocal://1/foo'
+
+query-sql
+SHOW CREATE EXTERNAL CONNECTION kms
+----
+kms CREATE EXTERNAL CONNECTION 'kms' AS 'gs:///cmk?AUTH=implicit&CREDENTIALS=wont-be-redacted'
+
+query-sql
+SHOW CREATE EXTERNAL CONNECTION kafka
+----
+kafka CREATE EXTERNAL CONNECTION 'kafka' AS 'kafka://broker.address.com:9092'
+
+enable-check-external-storage
+----
+
+enable-check-kms
+----
+
+subtest end
+
+subtest owner-or-admin
+
+# Create an external connection as root, only root should be able to SHOW this object.
+exec-sql
+CREATE EXTERNAL CONNECTION foo AS 'nodelocal://1/foo'
+----
+
+exec-sql
+CREATE USER testuser
+----
+
+exec-sql
+GRANT SYSTEM EXTERNALCONNECTION TO testuser
+----
+
+query-sql user=testuser
+SHOW CREATE ALL EXTERNAL CONNECTIONS
+----
+pq: must be admin to run `SHOW CREATE ALL EXTERNAL CONNECTIONS
+
+query-sql user=testuser
+SHOW CREATE EXTERNAL CONNECTION foo
+----
+pq: must be admin or owner of the External Connection "foo"
+
+# Create External Connection where testuser is the owner, they should be able to SHOW this object.
+exec-sql user=testuser
+CREATE EXTERNAL CONNECTION bar AS 'nodelocal://1/foo'
+----
+
+query-sql user=testuser
+SHOW CREATE ALL EXTERNAL CONNECTIONS
+----
+pq: must be admin to run `SHOW CREATE ALL EXTERNAL CONNECTIONS
+
+# TODO(aditymaru): Synthetic privileges do not have a concept of owners. Once they do, testuser will
+# be able to run this query successfully since they are the owner of the External Connection object.
+# query-sql user=testuser
+# SHOW CREATE EXTERNAL CONNECTION bar
+# ----
+
+subtest end

pkg/cloud/externalconn/connection.go

@@ -22,6 +22,15 @@ import (
 // an External Connection object. This interface should expose read-only
 // methods that are required to interact with the External Connection object.
 type ExternalConnection interface {
+	// UnredactedConnectionStatement returns a `CREATE EXTERNAL CONNECTION`
+	// statement that is functionally equivalent to the statement that created the
+	// external connection in the first place.
+	//
+	// NB: The returned string will contain unredacted secrets and should not be
+	// persisted.
+	UnredactedConnectionStatement() string
+	// ConnectionName returns the label of the connection.
+	ConnectionName() string
 	// ConnectionType returns the type of the connection.
 	ConnectionType() connectionpb.ConnectionType
 	// ConnectionProto returns an in-memory representation of the

pkg/cloud/externalconn/connectionpb/connection.go

@@ -22,6 +22,17 @@ func (d *ConnectionDetails) Type() ConnectionType {
 	case ConnectionProvider_kafka:
 		return TypeStorage
 	default:
-		panic(errors.AssertionFailedf("ConnectionDetails.Type called on a details with an unknown type: %T", d.Provider.String()))
+		panic(errors.AssertionFailedf("ConnectionDetails.Type called on a details with an unknown type: %s", d.Provider.String()))
+	}
+}
+
+// UnredactedURI returns the unredacted URI of the resource represented by the
+// External Connection.
+func (d *ConnectionDetails) UnredactedURI() string {
+	switch c := d.Details.(type) {
+	case *ConnectionDetails_SimpleURI:
+		return c.SimpleURI.URI
+	default:
+		panic(errors.AssertionFailedf("ConnectionDetails.UnredactedURI called on details with an unknown type: %s", d.Provider.String()))
 	}
 }

pkg/cloud/externalconn/record.go

@@ -140,6 +140,22 @@ func (e *MutableExternalConnection) SetConnectionDetails(details connectionpb.Co
 	e.markDirty("connection_details")
 }
 
+// ConnectionName returns the connection_name.
+func (e *MutableExternalConnection) ConnectionName() string {
+	return e.rec.ConnectionName
+}
+
+// UnredactedConnectionStatement implements the External Connection interface.
+func (e *MutableExternalConnection) UnredactedConnectionStatement() string {
+	ecNode := &tree.CreateExternalConnection{
+		ConnectionLabelSpec: tree.LabelSpec{
+			Label: tree.NewDString(e.rec.ConnectionName),
+		},
+		As: tree.NewDString(e.rec.ConnectionDetails.UnredactedURI()),
+	}
+	return tree.AsString(ecNode)
+}
+
 // datumToNative is a helper to convert tree.Datum into Go native types.  We
 // only care about types stored in the system.external_connections table.
 func datumToNative(datum tree.Datum) (interface{}, error) {

pkg/gen/bnf.bzl

@@ -209,6 +209,7 @@ BNF_SRCS = [
   "//docs/generated/sql/bnf:show_cluster_setting.bnf",
   "//docs/generated/sql/bnf:show_columns_stmt.bnf",
   "//docs/generated/sql/bnf:show_constraints_stmt.bnf",
+  "//docs/generated/sql/bnf:show_create_external_connections_stmt.bnf",
   "//docs/generated/sql/bnf:show_create_schedules_stmt.bnf",
   "//docs/generated/sql/bnf:show_create_stmt.bnf",
   "//docs/generated/sql/bnf:show_databases_stmt.bnf",

pkg/gen/diagrams.bzl

@@ -208,6 +208,7 @@ DIAGRAMS_SRCS = [
   "//docs/generated/sql/bnf:show_columns.html",
   "//docs/generated/sql/bnf:show_constraints.html",
   "//docs/generated/sql/bnf:show_create.html",
+  "//docs/generated/sql/bnf:show_create_external_connections.html",
   "//docs/generated/sql/bnf:show_create_schedules.html",
   "//docs/generated/sql/bnf:show_databases.html",
   "//docs/generated/sql/bnf:show_default_privileges.html",

pkg/gen/docs.bzl

@@ -221,6 +221,7 @@ DOCS_SRCS = [
   "//docs/generated/sql/bnf:show_cluster_setting.bnf",
   "//docs/generated/sql/bnf:show_columns_stmt.bnf",
   "//docs/generated/sql/bnf:show_constraints_stmt.bnf",
+  "//docs/generated/sql/bnf:show_create_external_connections_stmt.bnf",
   "//docs/generated/sql/bnf:show_create_schedules_stmt.bnf",
   "//docs/generated/sql/bnf:show_create_stmt.bnf",
   "//docs/generated/sql/bnf:show_databases_stmt.bnf",

pkg/sql/BUILD.bazel

@@ -209,6 +209,7 @@ go_library(
         "show_cluster_setting.go",
         "show_create.go",
         "show_create_clauses.go",
+        "show_create_external_connection.go",
         "show_create_schedule.go",
         "show_fingerprints.go",
         "show_histogram.go",

pkg/sql/opaque.go

@@ -244,6 +244,8 @@ func planOpaque(ctx context.Context, p *planner, stmt tree.Statement) (planNode,
 		return p.ShowTenantClusterSetting(ctx, n)
 	case *tree.ShowCreateSchedules:
 		return p.ShowCreateSchedule(ctx, n)
+	case *tree.ShowCreateExternalConnections:
+		return p.ShowCreateExternalConnection(ctx, n)
 	case *tree.ShowHistogram:
 		return p.ShowHistogram(ctx, n)
 	case *tree.ShowTableStats:
@@ -358,6 +360,7 @@ func init() {
 		&tree.ShowClusterSetting{},
 		&tree.ShowTenantClusterSetting{},
 		&tree.ShowCreateSchedules{},
+		&tree.ShowCreateExternalConnections{},
 		&tree.ShowHistogram{},
 		&tree.ShowTableStats{},
 		&tree.ShowTraceForSession{},

pkg/sql/parser/help_test.go

@@ -360,6 +360,9 @@ func TestContextualHelp(t *testing.T) {
 		{`SHOW CREATE SCHEDULE blah ??`, `SHOW CREATE SCHEDULES`},
 		{`SHOW CREATE ALL SCHEDULES ??`, `SHOW CREATE SCHEDULES`},
 
+		{`SHOW CREATE EXTERNAL CONNECTION blah ??`, `SHOW CREATE EXTERNAL CONNECTIONS`},
+		{`SHOW CREATE ALL EXTERNAL CONNECTIONS ??`, `SHOW CREATE EXTERNAL CONNECTIONS`},
+
 		{`SHOW DATABASES ??`, `SHOW DATABASES`},
 
 		{`SHOW DEFAULT PRIVILEGES ??`, `SHOW DEFAULT PRIVILEGES`},