diff --git a/pkg/sql/catalog/catprivilege/default_privilege.go b/pkg/sql/catalog/catprivilege/default_privilege.go index a75ce64c7b0f..cec03ad71a5d 100644 --- a/pkg/sql/catalog/catprivilege/default_privilege.go +++ b/pkg/sql/catalog/catprivilege/default_privilege.go @@ -148,7 +148,7 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges( // If default privileges are not defined for the creator role, we handle // it as the default case where the user has all privileges. role := descpb.DefaultPrivilegesRole{Role: user} - if _, found := d.GetDefaultPrivilegesForRole(role); !found { + if defaultPrivilegesForRole, found := d.GetDefaultPrivilegesForRole(role); !found { defaultPrivilegesForCreatorRole := descpb.InitDefaultPrivilegesForRole(role) for _, user := range GetUserPrivilegesForObject(defaultPrivilegesForCreatorRole, targetObject) { newPrivs.Grant( @@ -156,20 +156,27 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges( privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()), ) } + } else { + for _, user := range GetUserPrivilegesForObject(*defaultPrivilegesForRole, targetObject) { + newPrivs.Grant( + user.UserProto.Decode(), + privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()), + ) + } } // The privileges for the object are the union of the default privileges // defined for the object for the object creator and the default privileges // defined for all roles. - _ = d.ForEachDefaultPrivilegeForRole(func(defaultPrivilegesForRole descpb.DefaultPrivilegesForRole) error { - for _, user := range GetUserPrivilegesForObject(defaultPrivilegesForRole, targetObject) { + defaultPrivilegesForAllRoles, found := d.GetDefaultPrivilegesForRole(descpb.DefaultPrivilegesRole{ForAllRoles: true}) + if found { + for _, user := range GetUserPrivilegesForObject(*defaultPrivilegesForAllRoles, targetObject) { newPrivs.Grant( user.UserProto.Decode(), privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()), ) } - return nil - }) + } newPrivs.SetOwner(user) newPrivs.Version = descpb.Version21_2 diff --git a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_for_schema b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_for_schema index 79224be816af..c6bd6ad5ac2d 100644 --- a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_for_schema +++ b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_for_schema @@ -137,3 +137,20 @@ database_name schema_name grantee privilege_type d s5 admin ALL d s5 root ALL d s5 testuser CREATE + +statement ok +ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO testuser, testuser2 + +user root + +statement ok +CREATE SCHEMA s_72322 + +# When root creates the table, testuser and testuser2 should not get privileges. +query TTTT colnames +SHOW GRANTS ON SCHEMA s_72322 +---- +database_name schema_name grantee privilege_type +d s_72322 admin ALL +d s_72322 root ALL +d s_72322 testuser CREATE