From 9fc58193cd70fbff317824af9b143ae8ca6f5282 Mon Sep 17 00:00:00 2001
From: richardjcai <caioftherichard@gmail.com>
Date: Tue, 11 May 2021 11:15:36 -0400
Subject: [PATCH 1/2] sql: fix Usage privilege on Tables/DBs after upgrading
 from 20.1

In 20.2, I made a mistake when introducing USAGE privilege by
adding it before ZONECONFIG privilege in the bitfield.
Due to this, when updating from 20.1 to 20.2, ZONECONFIG privilege will be
interpretted as USAGE.

Fortunately, ZONECONFIG was only a valid privilege on tables and databases
while USAGE is invalid on both those objects. Due to this, whenever we encounter
USAGE on a privilege descriptor versioned 20.1 (InitialVersion) we can fix
this by removing the bit for USAGE and adding the bit for ZONECONFIG on the
privilege descriptor.

Release note: None
---
 .../catalog/dbdesc/database_desc_builder.go   |   1 +
 pkg/sql/catalog/descpb/privilege.go           |  41 ++++
 pkg/sql/catalog/descpb/privilege_test.go      | 225 ++++++++++++++++++
 .../catalog/tabledesc/table_desc_builder.go   |   4 +
 4 files changed, 271 insertions(+)

diff --git a/pkg/sql/catalog/dbdesc/database_desc_builder.go b/pkg/sql/catalog/dbdesc/database_desc_builder.go
index af087e51c90a..840e37c5c534 100644
--- a/pkg/sql/catalog/dbdesc/database_desc_builder.go
+++ b/pkg/sql/catalog/dbdesc/database_desc_builder.go
@@ -59,6 +59,7 @@ func (ddb *databaseDescriptorBuilder) RunPostDeserializationChanges(
 	// run again and mixed-version clusters always write "good" descriptors.
 	ddb.maybeModified = protoutil.Clone(ddb.original).(*descpb.DatabaseDescriptor)
 	descpb.MaybeFixPrivileges(ddb.maybeModified.ID, &ddb.maybeModified.Privileges)
+	descpb.MaybeFixUsagePrivForTablesAndDBs(&ddb.maybeModified.Privileges)
 	return nil
 }
 
diff --git a/pkg/sql/catalog/descpb/privilege.go b/pkg/sql/catalog/descpb/privilege.go
index ae835d49c71c..1b741e7802c4 100644
--- a/pkg/sql/catalog/descpb/privilege.go
+++ b/pkg/sql/catalog/descpb/privilege.go
@@ -208,6 +208,47 @@ func (p *PrivilegeDescriptor) Revoke(
 	}
 }
 
+// MaybeFixUsagePrivForTablesAndDBs fixes cases where privilege descriptors
+// with ZONECONFIG were corrupted after upgrading from 20.1 to 20.2.
+// USAGE was mistakenly added in the privilege bitfield above ZONECONFIG
+// causing privilege descriptors with ZONECONFIG in 20.1 to have USAGE privilege
+// instead of ZONECONFIG.
+// Fortunately ZONECONFIG was only valid on TABLES/DB while USAGE is not valid
+// on either so we know if the descriptor was corrupted.
+func MaybeFixUsagePrivForTablesAndDBs(ptr **PrivilegeDescriptor) bool {
+	if *ptr == nil {
+		*ptr = &PrivilegeDescriptor{}
+	}
+	p := *ptr
+	modified := false
+
+	if p.Version > InitialVersion {
+		// InitialVersion is for descriptors that were created in versions 20.1 and
+		// earlier. If the privilege descriptor was created after 20.1, then we
+		// do not have to fix it. Furthermore privilege descriptor versions are
+		// currently never updated so we're guaranteed to only have this issue
+		// on privilege descriptors that are on "InitialVersion".
+		return false
+	}
+
+	for i := range p.Users {
+		// Users is a slice of values, we need pointers to make them mutable.
+		userPrivileges := &p.Users[i]
+		// Tables and Database should not have USAGE privilege in 20.2 onwards.
+		// The only reason they would have USAGE privilege is because they had
+		// ZoneConfig in 20.1 and upgrading to 20.2 where USAGE was added
+		// in the privilege bitfield where ZONECONFIG previously was.
+		if privilege.USAGE.Mask()&userPrivileges.Privileges != 0 {
+			// Remove USAGE privilege and add ZONECONFIG. The privilege was
+			// originally ZONECONFIG in 20.1 but got changed to USAGE in 20.2
+			// due to changing the bitfield values.
+			userPrivileges.Privileges = (userPrivileges.Privileges - privilege.USAGE.Mask()) | privilege.ZONECONFIG.Mask()
+			modified = true
+		}
+	}
+	return modified
+}
+
 // MaybeFixPrivileges fixes the privilege descriptor if needed, including:
 // * adding default privileges for the "admin" role
 // * fixing default privileges for the "root" user
diff --git a/pkg/sql/catalog/descpb/privilege_test.go b/pkg/sql/catalog/descpb/privilege_test.go
index e5192c7d3f48..c89e81cb8c9c 100644
--- a/pkg/sql/catalog/descpb/privilege_test.go
+++ b/pkg/sql/catalog/descpb/privilege_test.go
@@ -651,3 +651,228 @@ func TestValidateOwnership(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// TestMaybeFixUsageAndZoneConfigPrivilege checks that Table and DB descriptors
+// on created on v20.1 or prior (PrivilegeDescVersion InitialVersion) with
+// USAGE privilege have its privilege correctly updated.
+// The bit representing USAGE privilege in 20.2 for Tables/DBs should actually
+// be ZONECONFIG privilege and should be updated.
+func TestMaybeFixUsageAndZoneConfigPrivilege(t *testing.T) {
+
+	fooUser := security.MakeSQLUsernameFromPreNormalizedString("foo")
+	barUser := security.MakeSQLUsernameFromPreNormalizedString("bar")
+	bazUser := security.MakeSQLUsernameFromPreNormalizedString("baz")
+
+	type userPrivileges map[security.SQLUsername]privilege.List
+
+	testCases := []struct {
+		input           userPrivileges
+		modified        bool
+		output          userPrivileges
+		objectType      privilege.ObjectType
+		privDescVersion PrivilegeDescVersion
+		description     string
+		isValid         bool
+	}{
+		// Cases for Tables and Databases.
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			privilege.Table,
+			InitialVersion,
+			"A privilege descriptor from a table created in v20.1 or prior " +
+				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
+			true,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			privilege.Database,
+			InitialVersion,
+			"A privilege descriptor from a database created in v20.1 or prior " +
+				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
+			true,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+			},
+			false,
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+			},
+			privilege.Table,
+			OwnerVersion,
+			"A privilege descriptor from a table created in v20.2 onwards " +
+				"(OwnerVersion) should not be modified.",
+			false,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+			},
+			false,
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+			},
+			privilege.Database,
+			OwnerVersion,
+			"A privilege descriptor from a Database created in v20.2 onwards " +
+				"(OwnerVersion) should not be modified.",
+			false,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			false,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			privilege.Table,
+			OwnerVersion,
+			"A privilege descriptor from a table created in v20.2 onwards " +
+				"(OwnerVersion) should not be modified.",
+			true,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			false,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			privilege.Database,
+			OwnerVersion,
+			"A privilege descriptor from a Database created in v20.2 onwards " +
+				"(OwnerVersion) should not be modified.",
+			true,
+		},
+		// Fix privileges for multiple users.
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+				barUser: privilege.List{privilege.USAGE, privilege.CREATE, privilege.SELECT},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+				barUser: privilege.List{privilege.ZONECONFIG, privilege.CREATE, privilege.SELECT},
+			},
+			privilege.Table,
+			InitialVersion,
+			"A privilege descriptor from a table created in v20.1 or prior " +
+				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
+			true,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+				barUser: privilege.List{privilege.USAGE, privilege.CREATE, privilege.SELECT},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+				barUser: privilege.List{privilege.ZONECONFIG, privilege.CREATE, privilege.SELECT},
+			},
+			privilege.Database,
+			InitialVersion,
+			"A privilege descriptor from a table created in v20.1 or prior " +
+				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
+			true,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+				barUser: privilege.List{privilege.USAGE, privilege.CREATE, privilege.GRANT},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+				barUser: privilege.List{privilege.ZONECONFIG, privilege.CREATE, privilege.GRANT},
+			},
+			privilege.Database,
+			InitialVersion,
+			"A privilege descriptor from a database created in v20.1 or prior " +
+				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
+			true,
+		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE},
+				barUser: privilege.List{privilege.USAGE, privilege.CREATE, privilege.SELECT},
+				bazUser: privilege.List{privilege.ALL, privilege.USAGE},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+				barUser: privilege.List{privilege.ZONECONFIG, privilege.CREATE, privilege.SELECT},
+				bazUser: privilege.List{privilege.ALL},
+			},
+			privilege.Database,
+			InitialVersion,
+			"A privilege descriptor from a table created in v20.1 or prior " +
+				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
+			true,
+		},
+		// Test case where the privilege descriptor has ZONECONFIG and USAGE.
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.USAGE, privilege.ZONECONFIG},
+			},
+			true,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ZONECONFIG},
+			},
+			privilege.Table,
+			InitialVersion,
+			"If the descriptor has USAGE and ZONECONFIG, it should become just " +
+				"ZONECONFIG",
+			true,
+		},
+	}
+
+	for num, tc := range testCases {
+		desc := &PrivilegeDescriptor{Version: tc.privDescVersion}
+		for u, p := range tc.input {
+			desc.Grant(u, p)
+		}
+		modified := MaybeFixUsagePrivForTablesAndDBs(&desc)
+
+		if tc.modified != modified {
+			t.Errorf("expected modifed to be %v, was %v", tc.modified, modified)
+		}
+
+		for u, p := range tc.output {
+			outputUser, ok := desc.findUser(u)
+			if !ok {
+				t.Errorf("#%d: expected user %s in output, but not found (%v)\n%s",
+					num, u, desc.Users, tc.description,
+				)
+			}
+			if a, e := privilege.ListFromBitField(outputUser.Privileges, privilege.Any), p; a.ToBitField() != e.ToBitField() {
+				t.Errorf("#%d: user %s: expected privileges %v, got %v\n%s",
+					num, u, e, a, tc.description,
+				)
+			}
+
+			err := privilege.ValidatePrivileges(p, tc.objectType)
+			if tc.isValid && err != nil {
+				t.Errorf("%s\n%s", err.Error(), tc.description)
+			}
+		}
+
+	}
+
+}
diff --git a/pkg/sql/catalog/tabledesc/table_desc_builder.go b/pkg/sql/catalog/tabledesc/table_desc_builder.go
index 91844111e4c0..91d017bc1a27 100644
--- a/pkg/sql/catalog/tabledesc/table_desc_builder.go
+++ b/pkg/sql/catalog/tabledesc/table_desc_builder.go
@@ -190,6 +190,10 @@ func maybeFillInDescriptor(
 	// run again and mixed-version clusters always write "good" descriptors.
 	changes.FixedPrivileges = descpb.MaybeFixPrivileges(desc.ID, &desc.Privileges)
 
+	fixedUsagePrivilege := descpb.MaybeFixUsagePrivForTablesAndDBs(&desc.Privileges)
+
+	changes.FixedPrivileges = changes.FixedPrivileges || fixedUsagePrivilege
+
 	if dg != nil {
 		changes.UpgradedForeignKeyRepresentation, err = maybeUpgradeForeignKeyRepresentation(
 			ctx, dg, skipFKsWithNoMatchingTable /* skipFKsWithNoMatchingTable*/, desc)

From 1e42b0defe5ceab2041199004e917fe2f9d0989e Mon Sep 17 00:00:00 2001
From: richardjcai <caioftherichard@gmail.com>
Date: Wed, 12 May 2021 17:02:20 -0400
Subject: [PATCH 2/2] restore: fix ZONECONFIG privilege when restoring from
 20.1 version or prior.

This is needed in addition to the previous commit to fix ZONECONFIG privilege
when restoring from a version from 20.1 or prior.

Release note: None
---
 pkg/ccl/backupccl/restore_job.go              |   4 ++
 .../backupccl/restore_old_versions_test.go    |  52 ++++++++++++++++++
 .../create_with_privileges.sql                |  20 +++++++
 .../privileges/v20.1.6/657900117481816066.sst | Bin 0 -> 1118 bytes
 .../privileges/v20.1.6/657900117481848836.sst | Bin 0 -> 938 bytes
 .../privileges/v20.1.6/657900117481881604.sst | Bin 0 -> 952 bytes
 .../privileges/v20.1.6/657900117481914372.sst | Bin 0 -> 1063 bytes
 .../privileges/v20.1.6/657900117482045442.sst | Bin 0 -> 968 bytes
 .../privileges/v20.1.6/657900117482078210.sst | Bin 0 -> 2475 bytes
 .../privileges/v20.1.6/657900117485420546.sst | Bin 0 -> 1138 bytes
 .../privileges/v20.1.6/657900117485879300.sst | Bin 0 -> 1356 bytes
 .../privileges/v20.1.6/657900117486469124.sst | Bin 0 -> 938 bytes
 .../privileges/v20.1.6/657900117486829572.sst | Bin 0 -> 1062 bytes
 .../privileges/v20.1.6/BACKUP                 | Bin 0 -> 6218 bytes
 pkg/sql/catalog/descpb/privilege.go           |   2 +-
 pkg/sql/catalog/descpb/privilege_test.go      |  13 +++++
 16 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/create_with_privileges.sql
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481816066.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481848836.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481881604.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481914372.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117482045442.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117482078210.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117485420546.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117485879300.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117486469124.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117486829572.sst
 create mode 100644 pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/BACKUP

diff --git a/pkg/ccl/backupccl/restore_job.go b/pkg/ccl/backupccl/restore_job.go
index da7097138370..8c9e6c999ef6 100644
--- a/pkg/ccl/backupccl/restore_job.go
+++ b/pkg/ccl/backupccl/restore_job.go
@@ -329,6 +329,8 @@ func WriteDescriptors(
 						desc.GetID(), desc)
 				}
 			}
+			privilegeDesc := desc.GetPrivileges()
+			descpb.MaybeFixUsagePrivForTablesAndDBs(&privilegeDesc)
 			wroteDBs[desc.GetID()] = desc
 			if err := descsCol.WriteDescToBatch(
 				ctx, false /* kvTrace */, desc.(catalog.MutableDescriptor), b,
@@ -380,6 +382,8 @@ func WriteDescriptors(
 						table.GetID(), table)
 				}
 			}
+			privilegeDesc := table.GetPrivileges()
+			descpb.MaybeFixUsagePrivForTablesAndDBs(&privilegeDesc)
 			// If the table descriptor is being written to a multi-region database and
 			// the table does not have a locality config setup, set one up here. The
 			// table's locality config will be set to the default locality - REGIONAL
diff --git a/pkg/ccl/backupccl/restore_old_versions_test.go b/pkg/ccl/backupccl/restore_old_versions_test.go
index e3e51bf80f89..431c7bd51dbc 100644
--- a/pkg/ccl/backupccl/restore_old_versions_test.go
+++ b/pkg/ccl/backupccl/restore_old_versions_test.go
@@ -57,6 +57,7 @@ func TestRestoreOldVersions(t *testing.T) {
 		fkRevDirs       = testdataBase + "/fk-rev-history"
 		clusterDirs     = testdataBase + "/cluster"
 		exceptionalDirs = testdataBase + "/exceptional"
+		privilegeDirs   = testdataBase + "/privileges"
 	)
 
 	t.Run("table-restore", func(t *testing.T) {
@@ -150,6 +151,17 @@ ORDER BY object_type, object_name`, [][]string{
 			})
 		})
 	})
+
+	t.Run("zoneconfig_privilege_restore", func(t *testing.T) {
+		dirs, err := ioutil.ReadDir(privilegeDirs)
+		require.NoError(t, err)
+		for _, dir := range dirs {
+			require.True(t, dir.IsDir())
+			exportDir, err := filepath.Abs(filepath.Join(privilegeDirs, dir.Name()))
+			require.NoError(t, err)
+			t.Run(dir.Name(), restoreV201ZoneconfigPrivilegeTest(exportDir))
+		}
+	})
 }
 
 func restoreOldVersionTest(exportDir string) func(t *testing.T) {
@@ -182,6 +194,46 @@ func restoreOldVersionTest(exportDir string) func(t *testing.T) {
 	}
 }
 
+// restoreV201ZoneconfigPrivilegeTest checks that privilege descriptors with
+// ZONECONFIG from tables and databases are correctly restored.
+// The ZONECONFIG bit was overwritten to be USAGE in 20.2 onwards.
+// We only need to test restoring with full cluster backup / restore as
+// it is the only form of restore that restores privileges.
+func restoreV201ZoneconfigPrivilegeTest(exportDir string) func(t *testing.T) {
+	return func(t *testing.T) {
+		const numAccounts = 1000
+		_, _, _, tmpDir, cleanupFn := BackupRestoreTestSetup(t, MultiNode, numAccounts, InitManualReplication)
+		defer cleanupFn()
+
+		_, _, sqlDB, cleanup := backupRestoreTestSetupEmpty(t, singleNode, tmpDir,
+			InitManualReplication, base.TestClusterArgs{})
+		defer cleanup()
+		err := os.Symlink(exportDir, filepath.Join(tmpDir, "foo"))
+		require.NoError(t, err)
+		sqlDB.Exec(t, `RESTORE FROM $1`, LocalFoo)
+		testDBGrants := [][]string{
+			{"test", "admin", "ALL"},
+			{"test", "root", "ALL"},
+			{"test", "testuser", "ZONECONFIG"},
+		}
+		sqlDB.CheckQueryResults(t, `show grants on database test`, testDBGrants)
+
+		testTableGrants := [][]string{
+			{"test", "public", "test_table", "admin", "ALL"},
+			{"test", "public", "test_table", "root", "ALL"},
+			{"test", "public", "test_table", "testuser", "ZONECONFIG"},
+		}
+		sqlDB.CheckQueryResults(t, `show grants on test.test_table`, testTableGrants)
+
+		testTable2Grants := [][]string{
+			{"test", "public", "test_table2", "admin", "ALL"},
+			{"test", "public", "test_table2", "root", "ALL"},
+			{"test", "public", "test_table2", "testuser", "ALL"},
+		}
+		sqlDB.CheckQueryResults(t, `show grants on test.test_table2`, testTable2Grants)
+	}
+}
+
 func restoreOldVersionFKRevTest(exportDir string) func(t *testing.T) {
 	return func(t *testing.T) {
 		params := base.TestServerArgs{}
diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/create_with_privileges.sql b/pkg/ccl/backupccl/testdata/restore_old_versions/create_with_privileges.sql
new file mode 100644
index 000000000000..da39f0dede03
--- /dev/null
+++ b/pkg/ccl/backupccl/testdata/restore_old_versions/create_with_privileges.sql
@@ -0,0 +1,20 @@
+-- The below SQL is used to create the data that is then exported with BACKUP.
+-- This should be run on a v20.1 cluster, the ZONECONFIG bit is incorrectly
+-- updated to be interpreted as USAGE in versions of 20.2 and onward.
+-- The restore test should ensure that ZONECONFIG stays as ZONECONFIG.
+
+CREATE DATABASE test;
+
+SET database = test;
+
+CREATE USER testuser;
+
+CREATE TABLE test_table();
+
+CREATE TABLE test_table2();
+
+GRANT ZONECONFIG ON DATABASE test TO testuser;
+
+GRANT ZONECONFIG ON test_table TO testuser;
+
+GRANT ALL ON test_table2 TO testuser;
diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481816066.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481816066.sst
new file mode 100644
index 0000000000000000000000000000000000000000..a9878518f0971a27bb468a705dc2c8109048088d
GIT binary patch
literal 1118
zcmaJ=O>7%Q6rNdo>s@D^I!+v+NUa=`LrKz60)|+G^gu{Rkt$Fd1Qn{b>)jV;)!Er)
zW*plEwW)+4P!JLapaS)bxN_lu=m7++)B``awyHRAXfLRj9;_-UGwY;qfp^;X=DqKI
z?|W}A8CTKM=4T(2M9cR90tgTu>7D*!=hxo+k#DYU+vD}c`V$Cmq0w`vu3zh1JZ58r
zOruu)<;ZqsxN82^%PiAx%}HnRk4<b(I@cet?eb(joUN{BN{^clM|%g1QXNlO?e<@V
zSBtm4t8Knro|-;>dv+&Nu9%gdUMiZ0vhOSvP84rlxpCok`Oxbh6<&TeGc;j-nZ47i
zUpTs=NIZAv(pUECh&%V=`<F}QY3Kg(jd6UwX4ZQ7oon}0!a^0T6sC$tS3dr9sXR6F
z!xe@zNSPvwaCP~upHV*ZIU0J{H}t2Dr;q6CW50ib1}vWk4I%}Jyw2!3H^s3HD`b0P
zqlqk!{WC&kHK_U^4NpKoq}QN8LKZ-W$Zi4}cC3gK4r^hDtc6qp4_R|&Y#6uKW0iUa
zy8jAWMbnRID`I5Li$dBZVW1i2^43U{c-)gQ_f<0<d;YrX$9pj+w~vDmVa!f2FG;$?
zmg~leRK92{E^*s!gi<UVo~_MSC~N>-c<RZyXXfTBLMlvXb{A&mD{4|V2z}``x)Owr
zoE0)~by#JE?4LL=J!PO%YzK4jbSEOi2#{qPfhRp8!n1G}+XEOVNTrJ!Qy}Z01sx>-
z^QbF?bd?-Hnlx@`AKqlKR!iGhF1rC-&toXh8o+(wQdE>5#GO7Op}?AQ9oYpO^T?BA
zw+LBf++TrKHx#5LfNKh9FpD*_1B0V@!=o*=DM13DiZC!g*4J(g;s|&XNSpxoSRl}F
zCZ}X)ElLx~t^Js_B9hLS?p<Ifhk;2Rg4pNm$Ev0YhZQEI@*`Cc(*T4_H{I8$oZGzz
zr3UwWg-)0k!ETHE(30*gyF{G=1^q1ESXJUaAGcVr+MuuSI9c3#T2AY`(=Vh#AJ^Ug
zBjuFk7~E^8JhTYk8%};#1??Wx!l%DM<?_~hsPyQ(6V*=9QS-fPY@3g=PJVdr{FXI-
T7eA&$|8K87*t|H=dhzDp$DwO!

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481848836.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481848836.sst
new file mode 100644
index 0000000000000000000000000000000000000000..571ed1380a27ce2c48af312092b6488c9ae4571f
GIT binary patch
literal 938
zcmah|OK%e~5Vo7N*`y(T(IOQDIpj#K0u@z>df_Q?;Z@WFs#f0JX=>GLFSfVI_JH67
zQYB6Zj`SxW@mqT0(*Mx|j5kTk1u-Yjc;=h=zOhMX^83-e(b^F@&y!RrLO+qEcROEC
zPd{$gDH+<;YWG9MAIregXD{xN#>6q1`#m(Wc7FFWJNZJUgV-bybC#uia1J&R2sL&{
zr)qS(Z!s&9cwiB?kTAz12~4O22Fw*1c-ZAxni<#?1GX!q10z&#b$NmI_cW&NL-AKQ
zn4OHZ%u~g7c`9VVMB)dmHG<1&#tnDc#MsPe9`A**9><!sDFfCDtzIdfWyL}ehB|ZT
z+dj^s`(Y%U-CVh~)@@5T0J(YR_WIrRZreJ<gkG_^+HE7#FcGl}qr!ppkwfc}(1$Tg
zsEar#&oc2T^(HmIeJAEb3M8o0ggefxIE0P*GzAF`WkHsf1lI!?Ab-VWXsruT4PZT~
zBk#jorM+0*mTT1mFrLl?dciau>Q;i1MvD%Hh)ja&xjj<9M72q|W1}JxEYjfyytu-$
z+=B5VkXDuY!LGHI=mD2GF3Pe5B+d&e)(IpeXwei*517utaFtlHP^qEnDwi^ICYYfr
zPgzN^T)U;s8U^Ky06fl6tm(lDVnV4t!2&H4u&!M6P@=`!=sBPohR2A`6i;E)qA~Z#
z_jU!tmmtAk+c#UN?R}lAWGj--jm{p7uO656#m$GM&@X-Wf28aLxGLT+=kOwQnvIbN
z-kbEgmw)5OjS406mGR@wup3T;^j@D`B+Y$0{(Lgk-nin+{$tx`?~gk9lV5)TC@m*s

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481881604.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481881604.sst
new file mode 100644
index 0000000000000000000000000000000000000000..fa68149d7e22c7fb9e1fd1748b2eb73772a54dac
GIT binary patch
literal 952
zcmah|J8u**5VkLm+k0@y<pqi&bj67@oE0ESiYQHhL{RaFlmeoacRjgS@!E^+%iX3x
z=^%<kNgE0}8bn9UPoP1fiNs%^O9A%YU7$gXw9?La=9_Q6u^%6!=GfWE6lDpQ2v2FH
zEW)qR+{@j!=jX3>N*I-J^W(!CAIkNa@zayd1+@I_=d~qVK+drLT3^&BR4%+j^<RBM
z8^bg7_5ET6Rf1Tvh*(1s+PefU1Y8as)Ew0+J}@pT67GjY)Bq!vMgj<z40^<7DR|iV
zNt|lf<2|y+g$2!Jdue_eclVV`J%H@5a4<O*E73_L*`o;;8R5(mES7_rB&C{KrDNAj
zD;n>Iu^Psz#c>VBa3!Bgnx@%w5QZwX&Np4hMRmi7TeIG}wY=64a0p`k&h6Ee)wPDP
z4innh`qEm%O&T&D+c3&37#}$@mW4j-vbg*c2kEC|KBZK}8mR9?EKdLhCCsR$#PB27
zDpfEDuuc{?r9r{<0D5kINkwRk4V@Z5+CoL%hZj<LvAoR}M-M^!as0}H3hwKcgQ9W`
z_xgxLfNa}+RJwwdPN*e=A{5Nx{sz3b+>nj|?J1zzDE7n_YIFFIijG^9Aq<4$3o=#=
z7z%1Q0o?|oQqWW~gQiD{PIcK4BDFf0z_OE&e8hb123Lz1q}3cup*n$GO&eMc6LR&D
zD^P-gvH7C=63rF|*TJcwY3$I6qzMdKl<W6>Z<`T!69o8U^K9E`yP-OgZAapfR_Wd0
z(Pmzs-Mp6z{ls_wN6K#CRz<rx4==)lYIz`n_bOg@|29y4<xLAsjSMe$>bf~LZoK$n
b>@w;3*=O}*ys>rFNB(0w7ssc~&er$eT+}W-

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481914372.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117481914372.sst
new file mode 100644
index 0000000000000000000000000000000000000000..f521799b4946c241d424eb7e7f4339d4e5ad6978
GIT binary patch
literal 1063
zcmaJ=J8u**5Vr4f-0tSMyzUT02?Ugqm;g~Iq7=Ll6>p>fS$ylsWr^2bY+vq<0+48U
z7En+j8YHMlL4^c}iUuJe3K}TjFVG<n0(&n68kl0`8PDVUKF{9IF*IDbd99zaBo+u?
zMQbjex%>I-(jy-uACG>zvUE2HDuwIU_6?ztop&nbd{9|+<KPe)KYVH8IL_tQ6_k{w
zI^#{hu2*L&-}wD2fxm8s457;Aa~t00JLdyS!w(5Y`Qd^AZ5kRB!iA^3Z(gnc{<S(=
ziJJFL1graICvDY-gPU&VJLie#r{!*poVhQ)HHT+WkiUices&B!&Tg~MrY{d(pl&Zx
ztVWC`32j*_*#JN1#UkTnF{05fC8GsxvufNPNR4V>#LyZC5(@?`V%jOVnS;GJRWKK~
z$Xv_~s94m;2M2I-UfR?JX#W-VdJB={jYN<+n#8<KV&)JQ1Fw>#R8b>UWQQq9qxmqB
zzhkB1Dg|1{QXCaDP1^%r7|PUGUpFll*$iv3(bHpFC#FU?ECQe2zHP_kj;RrCY)`1S
zr^ly8EYpz1kqK*UE3S)N(1wLBY_nqVCl11~WG=-oVFlDpA|_4%d47&jLy3+rz!U6u
zW8h${E|#W7-g*yORscbHsI>{L96;(^)|?OLg>-5;8!UD$f^vLv*7Le?N4Tsj3d*?E
z=}0(;x|v7*YAjVk4OuQiUKMwqz^NN+;ugh0K;<s%kPVmD;6=(C_N6poz%5`9kz~M-
zSH=mbIuMzHqJn8OkS|)<MT7IyD6a>LMnW=<*}H38Dq;{u#i0FC54JUR7_&VglONdv
z$(dc&?4>&zRg25}VAW7GvfYWG2`rBY`u4inrcLZBaB$c9)G;gWF4++5SdAZ2GTr_A
zYF}30-n=Ih`iPtUkCZcBDW_;N!{J1@oht>)DmZuC37`D|XAeJniTYR8JGJ919Lw)5
f{!v)T8f06V?}{6r;I%IFe>?g8@{Q5P{*S)^u>4H@

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117482045442.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117482045442.sst
new file mode 100644
index 0000000000000000000000000000000000000000..7b2f468a506c9e11d3a45ebe199ccdb5472bd6e1
GIT binary patch
literal 968
zcmah|zi$&U6t>f*xuhZeMT=A+$WSq$)`TCTLzMwa+64)eM(u#Alke^|vFfw0w)3k(
zh!MmBLSkkG2H0Uhh?T#f8_Z0VSUP}xNq`06>E82u-}k-m`C2d0#q6ucvowmCKzMe&
zUc1q#)$iP{A^Zp}JlK8l^~3v(JVprN%<`LO-y4Oo3t1(l*(RuX^r@4dA(i9LA2$oO
z0;Of&E^Sv)A@dr|{2UxqAKjrJmHSW8q!+3vAV!mz_EHLmlku1s@u8)0CBuDfs{(F6
zNI*42#L$2PVIqPaG5rJ_?BX;|6zs7c*<;**Vxn1DoWtFgw59vd|10fHXG6)`u^@Xi
zX1q^W<OJpl-sw1@iW;dxOQs|ZTYe}<xngcYf!0ilEkTo{Kj-<rOpJ|n*J_bnKVU{z
zS1w;$D|6@ouU@^fdVO`Rtc}HlX1`ilE89u^h=s-v`UbSi9BLE!E^Vur_>%|Wri@%k
zzK9i2$3zT^0eN{GQA3Glhp>~M#K6H=TkMn?dFMRn+4%+KzShRKZUAX=8Mqh@gmh-P
zvzQz2fO6wxY~)Sifo~}&DwJ?<fJiuqrfH%4DJ)e?4H-5eZypae;LK&3v^6Lv0hPwF
z6Lz+=fIF18?V>b^fLpyFLK#7Xyb_K<HG#+k6cv$1b7MK{x@dEr80Af2(T+(vV!C#X
zi#ZI!C<Z!HoWi!J2`d&8QumQ<kURoy(nSv}n$HcNgLOmE(4rGTV;E8tW@?Vx^oe~5
z9Ne|O*RbB+lx-0;0)AJ?WPNnCk@okOZ>2`p9s55@c0Ic)+D&yh6Sj(lp$RVf{coV^
vm!o%Rc5L*x6U%1R*zxp9)-A{VK<Mqk^Yh0O<()Gw_|MrndH7_hy?OKt4*ND;

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117482078210.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117482078210.sst
new file mode 100644
index 0000000000000000000000000000000000000000..400956ef6afe2db5d032cbfcd398b0769045b98f
GIT binary patch
literal 2475
zcma)8eQ*=U72iFd(CK^z;Sa_3kmT&T*cg14Wm*0t_yajM!PvFMB)}MPr(27I)17j6
z@>dgT5;L()nV7GHG>mOX-O?5s>P!*{B%xTQ4MQN)l!O3nftjYxOv|`*k}?>a?#V#=
zPdnXN-R!=7@9lfP_x3%#_V`Bd*qT@S@7Xd+YDyLX*asY2TF-sdxxK*#felWrKW$_#
zq!-%sNFacah{V)`(|_t`1}}X5meo-~Cq=>{Z%9gz4Qo=nB%>hG6G=@~jnvzdJ(JPs
z6v6gh+!|ZBV9^Saf_5m7IYlKfJ~^eoA5@2d^HTh~jd2M8^enUg`IN16fdH(JJX3S6
zCt;X5H?7=D8MZe{cgtyR7=RzcVP<OVEqD76U?z_DPFjYjqa)iaHp&G(DMOT}1f~tS
zRKT2h{Q261A@ao?wo+CAb5du>j*gpo%j{QAx_h2W8DUZm9q)6EfT^0pcd<89za9J}
z&e6MpcKdiiMyzgNpL9bC=&Xj?G^B52+f<D;kZy3{h#*S=&RqKqliQWJh+lGN`qRD%
z)7hD^&n!0Esk-hXaWv)k^ASV!`x6HVI^IYtzm)1>-8n=VO^rm4UOadF)ejxji)o9d
zc1WTfrZX6v%2eP4P01So3v%a16zSOr@@tUw<t%c-I-<Fbwql?|yw+uhsW8)4F(o-+
zC0JpnfE}b`p&Tq;0xH2;&`nUF2ZBBb1|ir7!9h5O0*N3M9D-m2vFSUsjkfS&NK)(s
zP0_KK;T1zurfU%$X?CIq!af*>WyhccU!3rL5~SO@Dp;5UjzM@Df=LK&K@zU7ybVDQ
z0d^7KM_AeQLwAl^CI`m|aEt(_h)2^cG{j-gTvOBRt@3%<7GIUGzQtEx)57}mJX0&#
z+UCXvc3qLXm3_M2SI0Is`RW^2wXnXr=0=}yW&NrrStnP@R<*E=wQS3p7N56)_0>0c
z+3dVRr=FclQ`4`X{PN0s7*5wC8Cw8XI{~TEkIzBK{B_w2aAp9s4S>~WJbMYIKR@TQ
zhBM?p_t#e}=*DSwm+bY1kp1e1m$&|L^#n7_&;Ld31d%mzXzYiiqjx=Bcy@vSiS<!x
z?E2^46AU}B^RmU(5Cw<Jq6DBbYJuPTEty)>FwSf{@snfUy)rXS+#Dy!EV>zg6X-SL
zR1ewnO_X4IM&CVb`RY8DD!dUT>}Nmy{kE&#C~#zKsf`lvj1!mp!J2W`Zi4w<%JN9V
zIJIl~3vYQ=H?XAbp(-X{JM^=GWPfqAe<%@KNxi=PglmE@KG}T@zr@jjKC9!UcABfM
zs(EU46T7_1S5;lr;vIcnWPOcnwxWtiRs+0TmY-jcFYtlQk#KgyDf{1k_2z}M2YRWy
ze;>2h7+0LT=;Qjj<`F9m5^3tl(GxS%Ut&PhlUF?jsLa32Da!^dl}^0hpGmww0O=(k
z;Kc_6xz0q6CNo~5?C$hk29cb*o1h1YnbNq2^NG^9JjYCu_2Dc_vQB+oMkeBPt%NJ=
z@7zfH&Ax@z&f$}{y|?d8e9;8g9)UC!R13I*LasECYIiv~y!NCgxty+od}mR9fs-vL
zEpvIwoX*Ug0^TWj+IW|%v@L)FsHDJC%DbGN;-X@=Qw)g3&JrgoEfPy|ZNWf*^>Brp
z(-kjEN~DwJL!!rB7FScVvf8R48Sy$=F;8u4lL8Vi=LwR6pILKiXNkw}apy&p&5GKg
z<i$kuf=Xnq^*%`e8gvgpunXFO<20QDmzUY6zAnF>y{>xy=$TuWU*7P{{++F5i%I6d
z8?EAwR&wU5bSbMDhjxfsnhEN5wA$<IUVg>9x0ShYVf!XmD_JtR2S@hWPrrE+I{E-z
zIMzx6KR>xsVD9W4{>L_fdLw$!V&eo7jP?u3r~7Xo*z?s^0i>-GNK4bsVA>Ku%>>E+
zX9_{G;>EPn{hP+>lSb=4iZ%#0e!e&8DI%Ht?%ZGR2$HvcDg6Q4Y7S`ro;d%?4*(sv
z56u5|c7UVIgF~?Ry~;Bno(gE9z!^Fh;yWE%{4w8b1SKgCIt$3c)h4i6$6Nx=%*~vD
zkr%mGHRU8lM4g<`6-K7obUO^=5-fFcZIWyt4R;!6dJ^o|sLF`jjJp1VOxY~~RgQ!d
zu8j{#au+9wriE6TN)Cm2jW<*+fG^WjKCsarP#@43>l|F*bxBoP6h0j8O2SoJ4I6l`
zcVJu84!<B7`qI1tcR4Ggb|fz?bQODw%W;#yI#IA|sk5BLp87>8VEBbDTs=)nw{D1j
zlZ?3}<==Fqm_0)@S!@i{5N<T8!WmKs0m??;UdnU2)Q#R|Z1E7Mq=9k4Zt8$~j6$6l
z0EL(RI&M7}4#WjzRWSGHSw%I`GDo_VY)6{u4}o`7Je&nCrWMe0VdtzyPDV=5*a&P1
zP}M@b!QB@ER0^C8fr+l9b7m(nO#pLAXj=B@TnB9D<p?qlab>{<BPD=qj0mW?Fod)q
z;?ywGctzAfQk)gTu0&)xY-rRxs6;|s%*R;Vb;wvDQVdN(I>XF^SSE<_uuc?%A7BAh
z7R{z>+A@n#3hsZge86aEd;n|b6h4IRUqR3Jns*yr98LupnaBD%9|pHtjVPi|kef6$
zT=U?lHYVS-WO)qeX7l#{!qQ4HgvNKo>@Y#NNiZ}qi-NhmvcN>%d>>%d+KK0Y`44C|
pzr*-GY!7zucg&3CA=mkt;hPr|Gu~!WP164!Pfz!3&x$;G<zEZ5GbsQ7

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117485420546.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117485420546.sst
new file mode 100644
index 0000000000000000000000000000000000000000..72119886c1ee4f02cea4a6bfbe42863572e7ae25
GIT binary patch
literal 1138
zcmaJ>UuYaf7@xW3yxGe(X_IVPt}$LEN*}zTvANVVB#3{iP#;Q7E23qc-TiX6&Ft(t
zGn>0>QS_l;8=)$wh*oQ*t)L=QUj)TI)CWP|d=Xzn6hsi8q@YEe*-Kkr^n2RxoA2-M
z_kH_G>0Q*=cKXDKgjSpighwEkX$FlBC_Rnvb7=hO!>{~scFV60MyOmm^ThV?^VOy^
zbMm7-2Vd~-MxHZsV&jYRZ-0Ila_bYhYJ?!PWPI9NBu}km-lBWTeej*~;^QwbU5;*f
z9(mQ;N&Hafmml4|Xt*{3jCK$?$Y1s5TyOv6$K|=PZu8SiyR<X6qyFe0UmZJyM#m>+
zJVB0pxYcXA&;CAjq}&`ketT=*Z)ct6*zoE1>MxC8G0*`j5IJ?>Ta#$^_^pS^bM4pP
zI&*BtMO$$VzrU|N`{f>F#ms^5_rb-_P<6wbX!GBFL07E3ctn-ku53YrB$QD=wW0~@
zUI(E>Vo@ljWi&M)({M!@uYj8m8ZZSB)hysZV-Z1@>RtvmZEX|IBrL~Wx*T&2G8V0!
zwNcz@r^a;!djB$$P317<c_QdCOJd%mab!EJRLNM9G0Ai)LsLwqENuH>dd=omZjzvs
z;qYO>vaB~sd_T>!(N)Lvl6L$c)@q?KJu_eDunK%(*PXj(chA?AVM{}+x3F`*ZYK4k
zIMja7)1a*7sM3*d&BiMhH|!wnl#z9DTr7dvN>s-QAmWrFrWsZ7QMihoK@1$U!NrWJ
z5Sb*<H2?_4eWkQ--~ig<X<&7DQlu6wE49kNDo8s|$!KH{_kk<2qUsRt_A^orqNUr&
z*@#n_FiqEk5b<!I0*h{}Xs$ro7SPZDww>KPG>%sp&ka+GM!-$OAi^|)2$3P2fNTLZ
zcOaRF6dK)7F|doA^Gr)Jj76T%V#b1Zh209aTOWfeyTjPTw4h;fLIFQA0V$8nJrzv%
zG4d+w`(V(JEHv4vU<s_3sBXUB*4900R)K?kR*x+iaPLWT5iJFLzq!$SuRZN8;(K@8
zR{(v$R{sx|!^AB~)+ze1Abf+}YN?NcRo8Buz~oQczCa___dB!y1gXt{ua*8PTYd`H
c4}Sjo+#6*3RlL=j{$C#X^O?1&{DJTO0asaS=Kufz

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117485879300.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117485879300.sst
new file mode 100644
index 0000000000000000000000000000000000000000..3adfb047113fed3a02c15358a0a6c5a2cac70dcc
GIT binary patch
literal 1356
zcmaJ>UuYaf7~i=|yuHntrb!xN{C8rwfb@pTCD-H#c`z|a8)8wL8rxFN+1>9h+sw|c
zGqac5Ad)AsNEL-fP#?tNqfijB;-fE06%`~t6bS|KQN)5i6pS-_$<-H~hvVj(Z+_qJ
z`~ALI<M{L&m-`(W2?-nryg`_^MWh!n1HEPpy>juLC(1uv$s(h@9{BuKWECEt51b7i
z5NAEVLTr&Q=AYq#8#($~eielDSYvqiuf5B;@2}nbta}KFo(HP}91ijTb?0{9nUxOe
z_~1uhS%uNc^aQEY%hlpUwGPF}(v)4S68l840?ss4%GElVo*w>D!+vn%%3fN*rpMNR
zDdHjb1Yqhpzyx%NM_1qKl-Pdvn{BHw=Wtpq6&IFQN|VvX;?k1~-l@{*=DD(r?egL!
zGC%k9xwYl3Q}d<9*^|r7^CzFb<Sx;s?aiG%|HA1KS*x&iU)SHe{e|u;Jw7aeH<ff8
z{6Ip@1v_dqRR7oy+zyq($De%Lp>oH%`?6I?6Bf6zws$_<@6uQgJ*t4jJ?VG$Zk4|7
zT>JIsFE3aHtKT#S`_QnFH`-EM|MZueN(x{5lelzs?2q3JEB&T%bicifAJUz}8}Zv?
zMvv)m*Tzy{pR^K-wNfe5V``HWHAcI*vRJ4ro2oz9CIVb6iA@1}%!L+~aR?fAqz{E0
z>Rt=iJ*uowt(Qgy(B^ueQa2#}SJ>?9b^;pt4A+V8(HMKKW|*<eK|ds%$bdVCgH>~a
z!&okJ9|xgzIm1X8#sg-p7KD1%#HQjBY}RZ~irM1$<V>DI6X@(jdFsT}OkPNZ35|HR
zG?Q1I)?Ck#H9M9dbYx3Nx2D4?%VYQAz;u_cPRZsFhvYF}>G@!o*_2Bp!NS{u-E_7G
z0R^daQEdvte8hy75`Ym}6GGOM9Do}%u=O5ZVu4mmuaQjGfzK(mGkZ{5xCGU(dQq#5
zh$*m!TsN}!qk#KF;=|!EkD;~&T3t`zNKK%oVDxq&&FtacA=D%^Qcel%0#$^8IcgeR
z!|X*q@CM)@1WuSMjDd7U$<885L&?n}h($h5dQ5y5D3?L%g>er=ckT#McN$Psn2^YC
zs0#sg)q_u*ZfkTbb1)A|4Ne?|jv4XcpoDdFLD!ZsR--^cABzjCO5C|1V(zL<)t4lk
zKRjAY?#IWUN`!t+SO1Tci)Jpx$!5Ysi|`%FS*f-Pdb^)IjpXOq-(76<cjh}(^%Nh~
k;GOi}-P)fdt6F{k#Xqx;?WTuy=>ON+-R;*$qorH_0G>Rx6951J

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117486469124.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117486469124.sst
new file mode 100644
index 0000000000000000000000000000000000000000..780aa8a82a06032ec05cfbc2c40deb027b089262
GIT binary patch
literal 938
zcmah|O>Yx15Vf1O*`y);qD86@L?Q<c)D)<ws;U>t#}z?Q52#vs*VELh*IsO=$@YM_
zfk5Jb5FF`GK;pOb1c&~Q9$>slS}uq=dB!tu=Do2=d*a*sIW97(37xaXctYQi#n-!E
zPEX(N)F>I)jhU^i5{_ly=Iu|vNPX;>%>Eu2Sv|k|k)M1fQ&DO~!n|V{@1KK>MN*F(
z(jK=aJ#d(nC_J!)I}ptCL;;gpK%e;{hXA`YLvsszvd{LU@?fRztSrsb-oC-q11SCq
zM>7+tQQb_lJ)TKbFe$=-)p~R}%em#=*c6*t!_)mZHKSOgI%&Z<Y4mf=^Sqdk;@IRK
zeb>WTOfOEPcbm(1RySG-4nb|+ySsLOZKLHpVnV0bT-j(L(^$yV$4TMAg~*ZfA`W59
zlKLVJI<OQWrPiPpc<98u%z#8SD!Av&$s<^=O;J$bQ5IzBNOUcNKJwRG#m@N{)d1E}
zCJ8>g(k6%%Y^gea2sY3eLob@51KmncQg71!0Ff!s9luX%m#DEB_iR{1q6IqGKoD0t
z)^%XR2&6eq!(dmNi}aAIE-uP30Se~@of-jxL`|B3?Eo`5SgwU5^OY*9uDeR*-bT|@
zcQaN}EZ6R6qe?-0D*=zw6l*%LjF?cWPq4r!0nV3;9!RuM9X<zC!}1i-ndTV`ThwPC
zh2Fkk_!1O^Yxi;+wS8c^T5KoksWti5=<0D<U)*|F3jHi}|3}JhgsbAca*iNEyHOvC
z5WI<?d-*rMU$0OyR~bF-9J}E(NbkkjMbhlo<Bunkt@SIR>_4`1_U1#o`{d^zYc?nh

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117486829572.sst b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/657900117486829572.sst
new file mode 100644
index 0000000000000000000000000000000000000000..cad6a9ec293b0ee3c844512a2e0296a7c111f94d
GIT binary patch
literal 1062
zcmaJ=&5IOA6t9|(O!sU%&bqE2>qOQdG6yYncXbcTf|$ezhDD5EAV^cw{dTsox~i?J
z*_{!QIpmNvL_A1HFcBn>97GU2coCvEFN(RTAz=Oh5poeCsIPi<HJA9Hd*=P>_r89w
z`cdI?va#{q@;B#~$%b<$zyIs!=1rdxpPq&6r%tin@AnUE!dJiWQOUdbd%0OWO1>n8
z(Z=%J6sdoGTVE<3nj)m^PnEX(fKc$qiRoJt_*?WYHijoljUVSGN$}*}<GT}+#J@b;
zCRZHmz@5Ke3|Nm!$f{jMR{gM9_pn%Q`gcmTU*>j@pt<|E%bRyJ2pV-y^TM-#Nws)^
z48I;2x#sZvkUZbI?*SR|A|1DwH7w=bx8oGNM6Nnydr7P4ltETY;2+lF24ZG;O8`q`
z3|(e>8Mw4#b((3IPr7VA5f*eJ+k3`F=+c5h>M7{`2lndaNQq7=**s4Z(PK&MI;>Q^
z^=Za6w@OD?Oe-EOgppdsg31RPj7gOILh>x@jd)?GGK;=h!d}!;*h;LK-L-dWW?aA`
zh}p@B>HX6)<Hll6X!mCK%#7otVVp!ZZ1pS{hnz7s4jqiFM83m8x+!Bv@dK)XyGqO^
zDG<*u#N2Xbk~46F`a={1Skwi_G{oELK^Fy(T!hBh5aj^Y7OLfZI4zY^%h_0^v<TYG
zQ$Wufq66XbtfX3_-9bhsK(_4y@z+qLQ*PNx5b;LoU<FRy#ITM5?OGtU5_O$@Sld7s
zx#-}g42wZv!yqFSLrlCHO+mMTsSGriu^}VH3d$}!LS$BZYpLv{ET1voyP-jag0wmT
zQwi2mjA_Fz%n7;t1Ot?a!PtD$1C2&2EB67_&^*HIO!5>~N>qnGb+v7e;Z+dej?Guc
zQQU*7Bje*Oaa619<JF@>d3<l@C%MqaT=oB<ob-Z%=1X}WPK2v8s1^n)IQQ3gpTNQ8
vBma<fZ|`@8^{^it@IHN2cKgYx53WBw|FE*{2HoVK_uGk={cpE-KKt_x_qk4$

literal 0
HcmV?d00001

diff --git a/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/BACKUP b/pkg/ccl/backupccl/testdata/restore_old_versions/privileges/v20.1.6/BACKUP
new file mode 100644
index 0000000000000000000000000000000000000000..37904764a85a2b5cd7b6a411dea0981f370f183c
GIT binary patch
literal 6218
zcmc&&dw3I77N0vaX@^T6L!mSb(1w5z3zW$;P1DM*wSd&3f)zyy5~i7HNl7y$lTgZs
zP!$wt#fsXZAJBdX3nD63!KzRY1eZl{@rla%S|5Chf?ANp1^3P)P0|#l-SykQdOG*<
zJLh*E_nbg12~wZzc<`5d-h6CNe}-c4x)o-;ZlxkUfTRahX%&)IsZs-y8dRwfNsXGc
z5=phniFN4PI`vx<lA1ILtv0EvO|?j>Q}#8Z)n;||NhCd~O1qJ?Tb0_7)V9(r!47Sb
z`rEUzb6D1D&9*tLIaXU{HkTpGesi9G!K^l>aN90C+vQ?@Nj>+E$->xakEMP+zgD<q
z@z27E*kzAy%xKtG*yNsmluuq%xBiE|Uw;4hb3>M}i=X-;!Lyt*P)&d)a<P0&1JsO;
z0JJ-}oU9<A(KvgMwDxpMYC+$bTd!+hdv0=h%KBk14*b&%x4%<*eBX1uH%@p+U=QAV
z&bMI9{-Zm_-&j)6+}6Hi^Tltsu9^JxE29wLAwb8505xtS0J9v~Ihic0S@`RUkJrCF
z^2ETI7w%bf2-|dI_no`8yw(5k>gSnJr-V(*PQ!&8!Il#j-@EYPQR2YJ!uXm+xjUZ9
z-?_}*wm9MAn+<yrU^`A5LV%j%A^<ry+re3Nz|{-Oo_WIYaNH{XQR}56H}Bu~;e^+Z
z-dz2udDCZGSKoDD+n;Bp&%5+sZe9G$rDvtroZsF(@{UK^kG;QtR?CckH|-6yBfuX9
z(=lOyYJ5ZhS{+t9Yqx6_zTDh;DDX*5)rPkcuNmnX@iRUD{!x!F7-zaO@fOGI7bgC)
z^NmT5SQ?y@uikj<s)xSI7}@aNSILQnm*TFHDwf)guaXep8DI<p)WR?VFw4fVSvDQ8
zt-h%C&FTH?rEx3r8_P!|+&g<%-n63p)0@iAzPhc}a3(eBo5SC{%{8vJ^cz3t%M;fo
z3UjDN$D`j(eDW*H;wPT{0Rb)xQtDNrREzcqK&wMB(WY5A@Bnwf5wl|RY2qV3b+?7Q
z@X3Z11Ln1Rmh5RuYi-_pEi>()=Sba5VqJTce_7)o-?N9vljg;bXTGsyTP)TTIM0z3
zO9Pcr4NuLf2t2#Zo@3>7yleQnXZIeTu|BP85#Ddi$;xE!v8CsmcdY&TqQC0PA?ucI
zChvMTE#|hfuNQticFN)Ww)$kRbK|d7eQPYm_h-&{xevliF^1!*nHzy;b=Vw^Or6k)
zMv1%squRB#U){2<zVPH*KNdAEdSQ8K-VS@p;yc!F|26(^@2#Bosg;@e<`)TjE?w`r
zi>e}xo>99_&Py17c<IZpb;i@GLIfVi+OljmJ?js?^Wwm>^Pfu`dr0`{nYrJL-8N^)
zwYAc$_!0lCb4`C52ovL{wmf&|Pc7fSI@f*A-pTfrH^o)g9-aHHee|&VW}O<p2I1w<
zxWZ@p(4-+SMy{6qVg(JDWY`NDc%j1WrCCTp(kDrNnoWP0fb|441Z2@C8%YzefLusD
zf2{q~cP)*3`sb%YN?G#q6(YJLj*6u*BgSG=2F%7x=x_com@tQz=ZL}-UY4sQpFrbi
z7p3p&gLVP5YbcCy%SDn$qzSZ&>8rGIN4lYu_sAlP6_7=fU~Hw&UBUaRX<!8A4rCVO
zVTH7EjzK3Z2-kt-Va3=&oWg1Vwj5yf0IUJn1`tDGNl3vh0Go}Mr$89A_zZ!p*GxV`
z)Bvy?5NLl37!X3lm<~L|0$Ljd`<3z)PR<!+U?-DJxCL(kgJ7JpJ=57?scy50un?_)
z+y}6e0Q(V;ii+m}R)b@!aqMwCjO`X2YsIm>_~7(SINX3k!$Qd`%0@$!SBwyM3#vZ=
zou~SvpYD%AFvcZ$OWkE%`JsR)nh-Krp%`8B$C2ANgoQB(NuyQgiF0=7scWpz*b0bl
z@wAnIn+ZtCqTlcKmdVDLD5@ApUN(3KLc@IC6A)FdI!AUE?Cs%Y|8125?-vCWxbc)h
z58MwaHFEoSr7FwSxw*MhZ@6i~ty8bNX$lJUG}ueMb82;^NRyp12IWG5p=e@=7sUsv
zet(=7ro-V%T(VAu2B)f<Gt4mUi>fWgsH!j;DNMNeOvoq`FySV`L|U*`0J`O@(>OeZ
zLp<O%CPcYu03_y$DD68Drj(cnFLkag=HK&@T3D`+WL$yz;|T8;0>c;uN{f32_SVWt
zFyu6vwc;@x_R)$*m}gMPg}b09W#k|U_mhw;mr7(~Vif0=uB%9TLcr^u7Z9C3smd)_
zu0}3ERYmsm{(#(NrdVOD%O`d#O9ms3_-c>D3u=ypdsT5cdUYy&QkhSbW!ez^o)pCV
zkLp<Q9GIez<J7Ek>Sj3I!U7sMVrJcHbI?8(X9)*-jC$}K5m)jYO@e7!uDXTJDh26M
zD=DKZ#sn2(f^>$mvjs3=ECQy3QIo-9Xa#t;QuloVzJs1nkL2S0ZpkYflcS<(2+BmX
z>~Z_6CtW6!hr;;amfJ5|chex{K_LEspmYoI6hS8%lTgR8F<yV-Oo|@fGHnOh#ST<r
z`A`ljB{p0$bEFO|VDTO~^osh6d63f_8nhcx;|$6w2dEZn#-h(bqcD{CAu5?jg_#a|
zm=F&kw|BQFH<55H3FCaIIdfKs6(vd=m=fh&^olAwx~$KrIA{mEEDk8s-STy6+ZomS
zskQmmNLQ&iX8p#VI;VIVOb)jQl`>>rFsoGv7C4aKyW3S3&wwcr7i*TQR})IX(Eev}
zrAl=7^4a8-)QGeYU+BSBlwovKB?y$pH5JBdk4cF5pbvWTh&)5Ur%;dOk}4`huU|GA
zyNV9K((Wj)cjtx_^+Qrgx#;pEj?@6@yg_+e0wv0-5+9vcQTXV<QOy*3C{U)Cgy>M4
zDMb-;2ojZW^>QVWSVBqk9{2?>9~v=AKp0aQDDk*mG^#~ijTNIpN+BO9Dls9IQ1Mn(
z(sDM;VK&qfs~jU!gI1$Hi);mkZWZf~aCjWoQ(CIj>h+K)r~Te!hy0=)?lP@Anli;{
z;jOdM;*v$vLIfyY>6om{`kg&Z>?@n<BIxhHW^`=5zt!nSqgnU5*x^aTU@t)|<pUnS
zP(pLzgEboF^l-q_uSyz<-d{=fD{Ty&dAV(DQU)abqU@(_47xZtu!h|P;~}MNQ08#D
zhD?7LhxIsw$|t9vFY$=RER)TGqp^M2D}QNy<0WNm9|;X=_ZFR!QQaLVz>5kZ-KCwq
zk`5V*p1QBdh_Dg7e+V06G-MR3zdc;kY<h8<YG`O;)>!EsVudr>by}KV+y3tVotB|p
z`!+7jxA=d_%4b_HY>#9mmrO!GndE^&dgtc@USBgjpKaQ8e!}^S2R@hrik}9MDwC`k
z*368YBx*j#W+2(l^yOI2I)=>}V`WX&oLtVH%d%#Rm1j%rr98*wl)6Nhh<*Uf;W^fx
zot1541(%S`I#@9$OK_z3Ds#C^_KeI7mh0_tdjkthe1%}Q<r3q@-IyQi6Fnj?i-n0&
zX{p=g<~^fJ++Os1Pmytf!|t@(MhCoe(NygntsWg+<_#3b>YqwtsShmlU?b%txJ=th
zfUO4fLk){&`d*!|dF>IpdDYIev0K3iDvQ3m=7rDCuR2=ai=muOKH!&}PBQ@Maa6;l
f(@SIMzdm-V0atd~(a!bv{>IMbXWIS+wgd1VYf6T<

literal 0
HcmV?d00001

diff --git a/pkg/sql/catalog/descpb/privilege.go b/pkg/sql/catalog/descpb/privilege.go
index 1b741e7802c4..c1a3b5c6f96c 100644
--- a/pkg/sql/catalog/descpb/privilege.go
+++ b/pkg/sql/catalog/descpb/privilege.go
@@ -220,7 +220,6 @@ func MaybeFixUsagePrivForTablesAndDBs(ptr **PrivilegeDescriptor) bool {
 		*ptr = &PrivilegeDescriptor{}
 	}
 	p := *ptr
-	modified := false
 
 	if p.Version > InitialVersion {
 		// InitialVersion is for descriptors that were created in versions 20.1 and
@@ -231,6 +230,7 @@ func MaybeFixUsagePrivForTablesAndDBs(ptr **PrivilegeDescriptor) bool {
 		return false
 	}
 
+	modified := false
 	for i := range p.Users {
 		// Users is a slice of values, we need pointers to make them mutable.
 		userPrivileges := &p.Users[i]
diff --git a/pkg/sql/catalog/descpb/privilege_test.go b/pkg/sql/catalog/descpb/privilege_test.go
index c89e81cb8c9c..c69f4123aace 100644
--- a/pkg/sql/catalog/descpb/privilege_test.go
+++ b/pkg/sql/catalog/descpb/privilege_test.go
@@ -703,6 +703,19 @@ func TestMaybeFixUsageAndZoneConfigPrivilege(t *testing.T) {
 				"(InitialVersion) with USAGE should have the privilege converted to ZONECONFIG.",
 			true,
 		},
+		{
+			userPrivileges{
+				fooUser: privilege.List{privilege.ALL},
+			},
+			false,
+			userPrivileges{
+				fooUser: privilege.List{privilege.ALL},
+			},
+			privilege.Table,
+			InitialVersion,
+			"ALL should stay as ALL",
+			true,
+		},
 		{
 			userPrivileges{
 				fooUser: privilege.List{privilege.USAGE},