diff --git a/pkg/sql/logictest/testdata/logic_test/set_role b/pkg/sql/logictest/testdata/logic_test/set_role
index 9efa32fb2848..28c60c2d859e 100644
--- a/pkg/sql/logictest/testdata/logic_test/set_role
+++ b/pkg/sql/logictest/testdata/logic_test/set_role
@@ -374,5 +374,11 @@ WHERE active_queries LIKE 'SELECT user_name%'
 ----
 root
 
+# Verify that SET SESSION AUTHORIZATION *does* reset the role.
 statement ok
-RESET ROLE
+SET SESSION AUTHORIZATION DEFAULT
+
+query TTTT
+SELECT current_user(), current_user, session_user(), session_user
+----
+root root root root
diff --git a/pkg/sql/sessiondatapb/local_only_session_data.proto b/pkg/sql/sessiondatapb/local_only_session_data.proto
index 89c8234ed670..f4c9a3677a35 100644
--- a/pkg/sql/sessiondatapb/local_only_session_data.proto
+++ b/pkg/sql/sessiondatapb/local_only_session_data.proto
@@ -169,6 +169,8 @@ message LocalOnlySessionData {
 // established the connection before SET ROLE was first performed.
 // This is only populated when SET ROLE is used, otherwise the session_user
 // is the same as the UserProto in SessionData.
+ // Postgres allows the SessionUser to be changed with SET SESSION AUTHORIZATION
+ // but CockroachDB doesn't allow that at the time of this writing.
 string session_user_proto = 46 [(gogoproto.casttype) = "github.com/cockroachdb/cockroach/pkg/security/username.SQLUsernameProto"];
 // TxnRowsWrittenLog is the threshold for the number of rows written by a SQL
 // transaction which - once exceeded - will trigger a logging event to SQL_PERF
diff --git a/pkg/sql/set_session_authorization.go b/pkg/sql/set_session_authorization.go
index ed61801eabae..b4d704e97d46 100644
--- a/pkg/sql/set_session_authorization.go
+++ b/pkg/sql/set_session_authorization.go
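Review bot: In the set_role logic test, the new `SET SESSION AUTHORIZATION DEFAULT` check expects `root root root root`, which cannot distinguish "reset to the session user" from "reset to root" when the connection itself is root. A second case run from a non-root connection (via the logictest `user` directive) that performs SET ROLE, then `SET SESSION AUTHORIZATION DEFAULT`, and repeats the same `SELECT current_user(), current_user, session_user(), session_user` query expecting that user's name in all four columns would pin down that the statement never lands on a more privileged identity. The statements that set the role before this hunk are outside it, so the starting state is assumed from the added comment.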
@@ -10,8 +10,26 @@
 
 package sql
 
+import (
+ "context"
+
+ "github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
+)
+
 func (p *planner) SetSessionAuthorizationDefault() (planNode, error) {
- // This is currently a no-op - we don't support changing the session
- // authorization, and the parser only accepts DEFAULT.
- return newZeroNode(nil /* columns */), nil
+ return &setSessionAuthorizationDefaultNode{}, nil
+}
+
+type setSessionAuthorizationDefaultNode struct{}
+
+func (n *setSessionAuthorizationDefaultNode) Next(_ runParams) (bool, error) { return false, nil }
+func (n *setSessionAuthorizationDefaultNode) Values() tree.Datums { return nil }
+func (n *setSessionAuthorizationDefaultNode) Close(_ context.Context) {}
+func (n *setSessionAuthorizationDefaultNode) startExec(params runParams) error {
+ // This is currently the same as `SET ROLE = DEFAULT`, which means that it
+ // only changes the "current user." In Postgres, `SET SESSION AUTHORIZATION`
+ // also changes the "session user," but since the session user cannot be
+ // modified in CockroachDB (at the time of writing), we just need to change
+ // the current user here.
+ return params.p.setRole(params.ctx, false /* local */, params.p.SessionData().SessionUser())
 }
diff --git a/pkg/sql/walk.go b/pkg/sql/walk.go
index 4135902f0a58..de6bd221537a 100644
--- a/pkg/sql/walk.go
+++ b/pkg/sql/walk.go
@@ -449,6 +449,7 @@ var planNodeNames = map[reflect.Type]string{
 reflect.TypeOf(&sequenceSelectNode{}): "sequence select",
 reflect.TypeOf(&serializeNode{}): "run",
 reflect.TypeOf(&setClusterSettingNode{}): "set cluster setting",
+ reflect.TypeOf(&setSessionAuthorizationDefaultNode{}): "set session authorization",
 reflect.TypeOf(&setVarNode{}): "set",
 reflect.TypeOf(&setZoneConfigNode{}): "configure zone",
 reflect.TypeOf(&showFingerprintsNode{}): "show fingerprints",
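Review bot: startExec in pkg/sql/set_session_authorization.go hands `SessionUser()` to `setRole` without stating whether that call can be rejected, and setRole itself is outside this diff. If setRole runs a role-existence or membership check on its argument, the reset path should be exempt, because a session must always be able to drop back to the identity it authenticated as; once confirmed, a line such as `// Resetting to the session user must never be rejected by setRole's membership check.` would record that. The new node type also lacks a doc comment; `// setSessionAuthorizationDefaultNode resets the current user to the session user and returns no rows.` matches what Next and Values show. The hard-coded `false /* local */` means the reset is always session-scoped, which seems intended but is worth stating in the same comment.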