From 77e27f66fe1e4743cfb9ca509a2666794715ce28 Mon Sep 17 00:00:00 2001
From: Jack Wu <jack.wu@cockroachlabs.com>
Date: Wed, 20 Oct 2021 18:24:21 -0400
Subject: [PATCH] sql: with grant option/grant option for

Release note (sql change): If the WITH GRANT OPTION flag is present when granting privileges to a user, then that user is able to grant those same privileges to subsequent users; otherwise, they cannot. If the GRANT OPTION FOR flag is present when revoking privileges from a user, then only the ability the grant those privileges is revoked from that user, not the privileges themselves
---
 .../settings/settings-for-tenants.txt         |   2 +-
 docs/generated/settings/settings.html         |   2 +-
 docs/generated/sql/bnf/grant_stmt.bnf         |   6 +-
 docs/generated/sql/bnf/revoke_stmt.bnf        |   3 +
 docs/generated/sql/bnf/stmt_block.bnf         |  20 +-
 pkg/ccl/importccl/import_table_creation.go    |   1 +
 pkg/clusterversion/cockroach_versions.go      |   8 +
 pkg/cmd/roachtest/cluster.go                  |  16 +
 .../roachtest/cluster/cluster_interface.go    |   1 +
 pkg/sql/alter_default_privileges.go           |   6 +-
 .../catalog/catprivilege/default_privilege.go |  52 +-
 pkg/sql/catalog/descpb/privilege.go           | 146 ++++-
 pkg/sql/catalog/descpb/privilege.pb.go        | 129 ++--
 pkg/sql/catalog/descpb/privilege.proto        |   1 +
 pkg/sql/catalog/descpb/privilege_test.go      | 250 +++++--
 pkg/sql/grant_revoke.go                       |  15 +-
 ...alter_default_privileges_with_grant_option | 611 ++++++++++++++++++
 .../logic_test/grant_revoke_with_grant_option | 292 +++++++++
 ...g_catalog_pg_default_acl_with_grant_option | 164 +++++
 pkg/sql/parser/sql.y                          |  52 +-
 pkg/sql/pg_catalog.go                         |  15 +-
 pkg/sql/privilege/privilege.go                |  47 +-
 pkg/sql/sem/tree/grant.go                     |   7 +-
 pkg/sql/sem/tree/revoke.go                    |   7 +-
 24 files changed, 1681 insertions(+), 172 deletions(-)
 create mode 100644 pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option
 create mode 100644 pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option
 create mode 100644 pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option

diff --git a/docs/generated/settings/settings-for-tenants.txt b/docs/generated/settings/settings-for-tenants.txt
index 2574ca609b7d..ecaaac1d9f74 100644
--- a/docs/generated/settings/settings-for-tenants.txt
+++ b/docs/generated/settings/settings-for-tenants.txt
@@ -167,4 +167,4 @@ trace.debug.enable	boolean	false	if set, traces for recent requests can be seen
 trace.jaeger.agent	string		the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.
 trace.opentelemetry.collector	string		address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.
 trace.zipkin.collector	string		the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.
-version	version	21.2-4	set the active cluster version in the format '<major>.<minor>'
+version	version	21.2-6	set the active cluster version in the format '<major>.<minor>'
diff --git a/docs/generated/settings/settings.html b/docs/generated/settings/settings.html
index f79e16ccfbf4..8d74d4e4a5fe 100644
--- a/docs/generated/settings/settings.html
+++ b/docs/generated/settings/settings.html
@@ -172,6 +172,6 @@
 <tr><td><code>trace.jaeger.agent</code></td><td>string</td><td><code></code></td><td>the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.</td></tr>
 <tr><td><code>trace.opentelemetry.collector</code></td><td>string</td><td><code></code></td><td>address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.</td></tr>
 <tr><td><code>trace.zipkin.collector</code></td><td>string</td><td><code></code></td><td>the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.</td></tr>
-<tr><td><code>version</code></td><td>version</td><td><code>21.2-4</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
+<tr><td><code>version</code></td><td>version</td><td><code>21.2-6</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
 </tbody>
 </table>
diff --git a/docs/generated/sql/bnf/grant_stmt.bnf b/docs/generated/sql/bnf/grant_stmt.bnf
index c532da5452f9..dc69eb2944ec 100644
--- a/docs/generated/sql/bnf/grant_stmt.bnf
+++ b/docs/generated/sql/bnf/grant_stmt.bnf
@@ -1,6 +1,6 @@
 grant_stmt ::=
-	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list
+	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
diff --git a/docs/generated/sql/bnf/revoke_stmt.bnf b/docs/generated/sql/bnf/revoke_stmt.bnf
index 4f23347ed806..a24e96e31624 100644
--- a/docs/generated/sql/bnf/revoke_stmt.bnf
+++ b/docs/generated/sql/bnf/revoke_stmt.bnf
@@ -2,5 +2,8 @@ revoke_stmt ::=
 	'REVOKE' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
diff --git a/docs/generated/sql/bnf/stmt_block.bnf b/docs/generated/sql/bnf/stmt_block.bnf
index 6c846178024b..e40659bdc2d6 100644
--- a/docs/generated/sql/bnf/stmt_block.bnf
+++ b/docs/generated/sql/bnf/stmt_block.bnf
@@ -74,23 +74,27 @@ discard_stmt ::=
 	'DISCARD' 'ALL'
 
 grant_stmt ::=
-	'GRANT' privileges 'ON' targets 'TO' role_spec_list
+	'GRANT' privileges 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
-	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
+	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
 
 prepare_stmt ::=
 	'PREPARE' table_alias_name prep_type_clause 'AS' preparable_stmt
 
 revoke_stmt ::=
 	'REVOKE' privileges 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 
 savepoint_stmt ::=
 	'SAVEPOINT' name
@@ -321,6 +325,10 @@ targets ::=
 role_spec_list ::=
 	( role_spec ) ( ( ',' role_spec ) )*
 
+opt_with_grant_option ::=
+	'WITH' 'GRANT' 'OPTION'
+	| 
+
 privilege_list ::=
 	( privilege ) ( ( ',' privilege ) )*
 
@@ -2312,10 +2320,6 @@ alter_default_privileges_target_object ::=
 	| 'TYPES'
 	| 'SCHEMAS'
 
-opt_with_grant_option ::=
-	'WITH' 'GRANT' 'OPTION'
-	| 
-
 role_option ::=
 	'CREATEROLE'
 	| 'NOCREATEROLE'
diff --git a/pkg/ccl/importccl/import_table_creation.go b/pkg/ccl/importccl/import_table_creation.go
index f5e661b5f523..58ad0f005e11 100644
--- a/pkg/ccl/importccl/import_table_creation.go
+++ b/pkg/ccl/importccl/import_table_creation.go
@@ -79,6 +79,7 @@ func MakeTestingSimpleTableDescriptor(
 			Privileges: descpb.NewPrivilegeDescriptor(
 				security.PublicRoleName(),
 				privilege.SchemaPrivileges,
+				privilege.List{},
 				security.RootUserName(),
 			),
 		}).BuildCreatedMutableSchema()
diff --git a/pkg/clusterversion/cockroach_versions.go b/pkg/clusterversion/cockroach_versions.go
index 46dedc598e14..e84d45ad5976 100644
--- a/pkg/clusterversion/cockroach_versions.go
+++ b/pkg/clusterversion/cockroach_versions.go
@@ -271,6 +271,10 @@ const (
 	// limits when splitting requests.
 	TargetBytesAvoidExcess
 
+	// ValidateGrantOption checks whether the current user granting privileges to
+	// another user holds the grant option for those privileges
+	ValidateGrantOption
+
 	// *************************************************
 	// Step (1): Add new versions here.
 	// Do not add new versions to a patch release.
@@ -459,6 +463,10 @@ var versionsSingleton = keyedVersions{
 		Key:     TargetBytesAvoidExcess,
 		Version: roachpb.Version{Major: 21, Minor: 2, Internal: 4},
 	},
+	{
+		Key:     ValidateGrantOption,
+		Version: roachpb.Version{Major: 21, Minor: 2, Internal: 6},
+	},
 
 	// *************************************************
 	// Step (2): Add new versions here.
diff --git a/pkg/cmd/roachtest/cluster.go b/pkg/cmd/roachtest/cluster.go
index 49d3c8d834fa..71343eb75cc0 100644
--- a/pkg/cmd/roachtest/cluster.go
+++ b/pkg/cmd/roachtest/cluster.go
@@ -2308,6 +2308,22 @@ func (c *clusterImpl) ConnE(ctx context.Context, node int) (*gosql.DB, error) {
 	return db, nil
 }
 
+// ConnEUser returns a SQL connection to the specified node as a specific user
+func (c *clusterImpl) ConnEUser(ctx context.Context, node int, user string) (*gosql.DB, error) {
+	urls, err := c.ExternalPGUrl(ctx, c.Node(node))
+	if err != nil {
+		return nil, err
+	}
+	//dataSourceName := fmt.Sprintf("%s?user=%s?password=%s", urls[0], user, password)
+	dataSourceName := strings.Replace(urls[0], "root", user, 1)
+	fmt.Println("datasourcename is: ", dataSourceName)
+	db, err := gosql.Open("postgres", dataSourceName)
+	if err != nil {
+		return nil, err
+	}
+	return db, nil
+}
+
 func (c *clusterImpl) MakeNodes(opts ...option.Option) string {
 	var r option.NodeListOption
 	for _, o := range opts {
diff --git a/pkg/cmd/roachtest/cluster/cluster_interface.go b/pkg/cmd/roachtest/cluster/cluster_interface.go
index 1ec97c76d0a8..fe379db5da79 100644
--- a/pkg/cmd/roachtest/cluster/cluster_interface.go
+++ b/pkg/cmd/roachtest/cluster/cluster_interface.go
@@ -71,6 +71,7 @@ type Cluster interface {
 
 	Conn(ctx context.Context, node int) *gosql.DB
 	ConnE(ctx context.Context, node int) (*gosql.DB, error)
+	ConnEUser(ctx context.Context, node int, user string) (*gosql.DB, error)
 
 	// URLs for the Admin UI.
 
diff --git a/pkg/sql/alter_default_privileges.go b/pkg/sql/alter_default_privileges.go
index b6b739855cce..875534dc3f6c 100644
--- a/pkg/sql/alter_default_privileges.go
+++ b/pkg/sql/alter_default_privileges.go
@@ -93,10 +93,12 @@ func (n *alterDefaultPrivilegesNode) startExec(params runParams) error {
 	privileges := n.n.Grant.Privileges
 	grantees := n.n.Grant.Grantees
 	objectType := n.n.Grant.Target
+	grantOption := n.n.Grant.WithGrantOption
 	if !n.n.IsGrant {
 		privileges = n.n.Revoke.Privileges
 		grantees = n.n.Revoke.Grantees
 		objectType = n.n.Revoke.Target
+		grantOption = n.n.Revoke.GrantOptionFor
 	}
 
 	granteeSQLUsernames, err := grantees.ToSQLUsernames(params.p.SessionData(), security.UsernameValidation)
@@ -165,11 +167,11 @@ func (n *alterDefaultPrivilegesNode) startExec(params runParams) error {
 	for _, role := range roles {
 		if n.n.IsGrant {
 			defaultPrivs.GrantDefaultPrivileges(
-				role, privileges, granteeSQLUsernames, objectType,
+				role, privileges, granteeSQLUsernames, objectType, grantOption,
 			)
 		} else {
 			defaultPrivs.RevokeDefaultPrivileges(
-				role, privileges, granteeSQLUsernames, objectType,
+				role, privileges, granteeSQLUsernames, objectType, grantOption,
 			)
 		}
 
diff --git a/pkg/sql/catalog/catprivilege/default_privilege.go b/pkg/sql/catalog/catprivilege/default_privilege.go
index a2ba632600ab..86fc44a9de40 100644
--- a/pkg/sql/catalog/catprivilege/default_privilege.go
+++ b/pkg/sql/catalog/catprivilege/default_privilege.go
@@ -71,6 +71,7 @@ func (d *Mutable) GrantDefaultPrivileges(
 	privileges privilege.List,
 	grantees []security.SQLUsername,
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
+	withGrantOption bool,
 ) {
 	defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role)
 	for _, grantee := range grantees {
@@ -79,7 +80,7 @@ func (d *Mutable) GrantDefaultPrivileges(
 		// special privilege cases into real privileges on the PrivilegeDescriptor.
 		// foldPrivileges converts the real privileges back into flags.
 		expandPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
-		defaultPrivileges.Grant(grantee, privileges)
+		defaultPrivileges.Grant(grantee, privileges, withGrantOption)
 		foldPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
 		defaultPrivilegesForRole.DefaultPrivilegesPerObject[targetObject] = defaultPrivileges
 	}
@@ -91,6 +92,7 @@ func (d *Mutable) RevokeDefaultPrivileges(
 	privileges privilege.List,
 	grantees []security.SQLUsername,
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
+	grantOptionFor bool,
 ) {
 	defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role)
 	for _, grantee := range grantees {
@@ -99,7 +101,7 @@ func (d *Mutable) RevokeDefaultPrivileges(
 		// special privilege cases into real privileges on the PrivilegeDescriptor.
 		// foldPrivileges converts the real privileges back into flags.
 		expandPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
-		defaultPrivileges.Revoke(grantee, privileges, targetObject.ToPrivilegeObjectType())
+		defaultPrivileges.Revoke(grantee, privileges, targetObject.ToPrivilegeObjectType(), grantOptionFor)
 		foldPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
 
 		defaultPrivilegesForRole.DefaultPrivilegesPerObject[targetObject] = defaultPrivileges
@@ -151,18 +153,20 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges(
 		// it as the case where the user has all privileges.
 		defaultPrivilegesForCreatorRole := descpb.InitDefaultPrivilegesForRole(role)
 		for _, user := range GetUserPrivilegesForObject(defaultPrivilegesForCreatorRole, targetObject) {
-			newPrivs.Grant(
+			newPrivs.GranularGrant(
 				user.UserProto.Decode(),
 				privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()),
+				privilege.ListFromBitField(user.WithGrantOption, targetObject.ToPrivilegeObjectType()),
 			)
 		}
 	} else {
 		// If default privileges were defined for the role, we create privileges
 		// using the default privileges.
 		for _, user := range GetUserPrivilegesForObject(*defaultPrivilegesForRole, targetObject) {
-			newPrivs.Grant(
+			newPrivs.GranularGrant(
 				user.UserProto.Decode(),
 				privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()),
+				privilege.ListFromBitField(user.WithGrantOption, targetObject.ToPrivilegeObjectType()),
 			)
 		}
 	}
@@ -173,9 +177,10 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges(
 	defaultPrivilegesForAllRoles, found := d.GetDefaultPrivilegesForRole(descpb.DefaultPrivilegesRole{ForAllRoles: true})
 	if found {
 		for _, user := range GetUserPrivilegesForObject(*defaultPrivilegesForAllRoles, targetObject) {
-			newPrivs.Grant(
+			newPrivs.GranularGrant(
 				user.UserProto.Decode(),
 				privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()),
+				privilege.ListFromBitField(user.WithGrantOption, targetObject.ToPrivilegeObjectType()),
 			)
 		}
 	}
@@ -186,12 +191,26 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges(
 	//   For backwards compatibility, also "inherit" privileges from the dbDesc.
 	//   Issue #67378.
 	if targetObject == tree.Tables || targetObject == tree.Sequences {
+		//fmt.Println("tables or sequences loop")
 		for _, u := range databasePrivileges.Users {
-			newPrivs.Grant(u.UserProto.Decode(), privilege.ListFromBitField(u.Privileges, privilege.Table))
+			//fmt.Println(u.UserProto.Decode(), u.Privileges, u.WithGrantOption)
+			// newPrivs.Grant(u.UserProto.Decode(), privilege.ListFromBitField(u.Privileges, privilege.Table), false)
+			newPrivs.GranularGrant(
+				u.UserProto.Decode(),
+				privilege.ListFromBitField(u.Privileges, privilege.Table),
+				privilege.ListFromBitField(u.WithGrantOption, privilege.Table),
+			)
 		}
 	} else if targetObject == tree.Schemas {
+		//fmt.Println("schemas loop")
 		for _, u := range databasePrivileges.Users {
-			newPrivs.Grant(u.UserProto.Decode(), privilege.ListFromBitField(u.Privileges, privilege.Schema))
+			//fmt.Println(u.UserProto.Decode(), u.Privileges, u.WithGrantOption)
+			//newPrivs.Grant(u.UserProto.Decode(), privilege.ListFromBitField(u.Privileges, privilege.Schema), false)
+			newPrivs.GranularGrant(
+				u.UserProto.Decode(),
+				privilege.ListFromBitField(u.Privileges, privilege.Schema),
+				privilege.ListFromBitField(u.WithGrantOption, privilege.Schema),
+			)
 		}
 	}
 	return newPrivs
@@ -249,6 +268,7 @@ func foldPrivileges(
 			security.PublicRoleName(),
 			privilege.List{privilege.USAGE},
 			privilege.Type,
+			false,
 		)
 	}
 	// ForAllRoles cannot be a grantee, nothing left to do.
@@ -256,8 +276,16 @@ func foldPrivileges(
 		return
 	}
 	if privileges.HasAllPrivileges(role.Role, targetObject.ToPrivilegeObjectType()) {
-		setRoleHasAllOnTargetObject(defaultPrivilegesForRole, true, targetObject)
-		privileges.RemoveUser(role.Role)
+		// if user.grantoption == 0, then do this next line CHECK THIS LATER
+		//user := privileges.FindOrCreateUser(role.Role)
+		//if user.WithGrantOption == 0 {
+		//setRoleHasAllOnTargetObject(defaultPrivilegesForRole, true, targetObject)
+		//}
+		user := privileges.FindOrCreateUser(role.Role) //
+		if user.WithGrantOption == 0 {                 //
+			setRoleHasAllOnTargetObject(defaultPrivilegesForRole, true, targetObject)
+			privileges.RemoveUser(role.Role)
+		} //
 	}
 }
 
@@ -273,7 +301,7 @@ func expandPrivileges(
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
 ) {
 	if targetObject == tree.Types && GetPublicHasUsageOnTypes(defaultPrivilegesForRole) {
-		privileges.Grant(security.PublicRoleName(), privilege.List{privilege.USAGE})
+		privileges.Grant(security.PublicRoleName(), privilege.List{privilege.USAGE}, false)
 		setPublicHasUsageOnTypes(defaultPrivilegesForRole, false)
 	}
 	// ForAllRoles cannot be a grantee, nothing left to do.
@@ -281,7 +309,7 @@ func expandPrivileges(
 		return
 	}
 	if GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForRole, targetObject) {
-		privileges.Grant(defaultPrivilegesForRole.GetExplicitRole().UserProto.Decode(), privilege.List{privilege.ALL})
+		privileges.Grant(defaultPrivilegesForRole.GetExplicitRole().UserProto.Decode(), privilege.List{privilege.ALL}, false)
 		setRoleHasAllOnTargetObject(defaultPrivilegesForRole, false, targetObject)
 	}
 }
@@ -299,6 +327,7 @@ func GetUserPrivilegesForObject(
 		userPrivileges = append(userPrivileges, descpb.UserPrivileges{
 			UserProto:  security.PublicRoleName().EncodeProto(),
 			Privileges: privilege.USAGE.Mask(),
+			//GrantOption: privilege.USAGE.Mask(), // CHECK THIS LATER
 		})
 	}
 	// If ForAllRoles is specified, we can return early.
@@ -312,6 +341,7 @@ func GetUserPrivilegesForObject(
 		return append(userPrivileges, descpb.UserPrivileges{
 			UserProto:  userProto,
 			Privileges: privilege.ALL.Mask(),
+			//GrantOption: privilege.ALL.Mask(), // CHECK THIS LATER
 		})
 	}
 	return userPrivileges
diff --git a/pkg/sql/catalog/descpb/privilege.go b/pkg/sql/catalog/descpb/privilege.go
index 912e7e9fa130..eb624a210ded 100644
--- a/pkg/sql/catalog/descpb/privilege.go
+++ b/pkg/sql/catalog/descpb/privilege.go
@@ -18,6 +18,8 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/keys"
 	"github.com/cockroachdb/cockroach/pkg/security"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/catconstants"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
 	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/errors"
 )
@@ -111,12 +113,14 @@ func NewCustomSuperuserPrivilegeDescriptor(
 		OwnerProto: owner.EncodeProto(),
 		Users: []UserPrivileges{
 			{
-				UserProto:  security.AdminRoleName().EncodeProto(),
-				Privileges: priv.ToBitField(),
+				UserProto:       security.AdminRoleName().EncodeProto(),
+				Privileges:      priv.ToBitField(),
+				WithGrantOption: priv.ToBitField(),
 			},
 			{
-				UserProto:  security.RootUserName().EncodeProto(),
-				Privileges: priv.ToBitField(),
+				UserProto:       security.RootUserName().EncodeProto(),
+				Privileges:      priv.ToBitField(),
+				WithGrantOption: priv.ToBitField(),
 			},
 		},
 		Version: Version21_2,
@@ -128,21 +132,25 @@ func NewCustomSuperuserPrivilegeDescriptor(
 // used for virtual tables.
 func NewPublicSelectPrivilegeDescriptor() *PrivilegeDescriptor {
 	return NewPrivilegeDescriptor(
-		security.PublicRoleName(), privilege.List{privilege.SELECT}, security.NodeUserName(),
+		security.PublicRoleName(), privilege.List{privilege.SELECT}, privilege.List{}, security.NodeUserName(),
 	)
 }
 
 // NewPrivilegeDescriptor returns a privilege descriptor for the given
 // user with the specified list of privileges.
 func NewPrivilegeDescriptor(
-	user security.SQLUsername, priv privilege.List, owner security.SQLUsername,
+	user security.SQLUsername,
+	priv privilege.List,
+	grantOption privilege.List,
+	owner security.SQLUsername,
 ) *PrivilegeDescriptor {
 	return &PrivilegeDescriptor{
 		OwnerProto: owner.EncodeProto(),
 		Users: []UserPrivileges{
 			{
-				UserProto:  user.EncodeProto(),
-				Privileges: priv.ToBitField(),
+				UserProto:       user.EncodeProto(),
+				Privileges:      priv.ToBitField(),
+				WithGrantOption: grantOption.ToBitField(),
 			},
 		},
 		Version: Version21_2,
@@ -159,28 +167,107 @@ func NewDefaultPrivilegeDescriptor(owner security.SQLUsername) *PrivilegeDescrip
 	return NewCustomSuperuserPrivilegeDescriptor(DefaultSuperuserPrivileges, owner)
 }
 
+// ValidateGrantPrivileges returns an error if the current user tries to grant a privilege that
+// it does not possess or was not granted WITH GRANT OPTION
+func (p *PrivilegeDescriptor) ValidateGrantPrivileges(
+	user security.SQLUsername, privList privilege.List,
+) error {
+	userPriv, _ := p.FindUser(user)
+
+	// User has ALL WITH GRANT OPTION so they can grant anything.
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+		return nil
+	}
+
+	for _, priv := range privList {
+		if userPriv.WithGrantOption&priv.Mask() == 0 {
+			return pgerror.Newf(pgcode.InvalidGrantOperation,
+				"missing WITH GRANT OPTION privilege type %s", priv.String())
+		}
+	}
+
+	return nil
+}
+
+// GranularGrant adds new privileges to this descriptor and new grant options which
+// could be different from the privileges. Unlike the normal grant, the privileges
+// and the grant options being granted could be different
+func (p *PrivilegeDescriptor) GranularGrant(
+	user security.SQLUsername, privList privilege.List, grantOptionList privilege.List,
+) {
+	userPriv := p.FindOrCreateUser(user)
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+		// User already has 'ALL' privilege: no-op.
+		// If userPriv.WithGrantOption has ALL, then userPriv.Privileges must also have ALL.
+		// It is possible however for userPriv.Privileges to have ALL but userPriv.WithGrantOption to not have ALL
+		return
+	}
+
+	privBits := privList.ToBitField()
+	grantBits := grantOptionList.ToBitField()
+	if privilege.ALL.IsSetIn(privBits) {
+		userPriv.Privileges = privilege.ALL.Mask()
+	} else {
+		if !privilege.ALL.IsSetIn(userPriv.Privileges) {
+			userPriv.Privileges |= privBits
+		}
+	}
+
+	if privilege.ALL.IsSetIn(grantBits) {
+		userPriv.WithGrantOption = privilege.ALL.Mask()
+	} else {
+		if !privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+			userPriv.WithGrantOption |= grantBits
+		}
+	}
+}
+
 // Grant adds new privileges to this descriptor for a given list of users.
-func (p *PrivilegeDescriptor) Grant(user security.SQLUsername, privList privilege.List) {
+func (p *PrivilegeDescriptor) Grant(
+	user security.SQLUsername, privList privilege.List, withGrantOption bool,
+) {
 	userPriv := p.FindOrCreateUser(user)
-	if privilege.ALL.IsSetIn(userPriv.Privileges) {
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
 		// User already has 'ALL' privilege: no-op.
+		// If userPriv.WithGrantOption has ALL, then userPriv.Privileges must also have ALL.
+		// It is possible however for userPriv.Privileges to have ALL but userPriv.WithGrantOption to not have ALL
+		return
+	}
+
+	if privilege.ALL.IsSetIn(userPriv.Privileges) && !withGrantOption {
+		// A user can hold all privileges but not all grant options.
+		// If a user holds all privileges but withGrantOption is False,
+		// there is nothing left to be done
 		return
 	}
 
+	// We only have to modify grant option.
 	bits := privList.ToBitField()
 	if privilege.ALL.IsSetIn(bits) {
 		// Granting 'ALL' privilege: overwrite.
 		// TODO(marc): the grammar does not allow it, but we should
 		// check if other privileges are being specified and error out.
 		userPriv.Privileges = privilege.ALL.Mask()
+		if withGrantOption {
+			userPriv.WithGrantOption = privilege.ALL.Mask()
+		}
 		return
 	}
-	userPriv.Privileges |= bits
+
+	if withGrantOption {
+		userPriv.WithGrantOption |= bits
+	}
+	if !privilege.ALL.IsSetIn(userPriv.Privileges) {
+		userPriv.Privileges |= bits
+	}
 }
 
 // Revoke removes privileges from this descriptor for a given list of users.
 func (p *PrivilegeDescriptor) Revoke(
-	user security.SQLUsername, privList privilege.List, objectType privilege.ObjectType,
+	user security.SQLUsername,
+	privList privilege.List,
+	objectType privilege.ObjectType,
+	grantOptionFor bool,
 ) {
 	userPriv, ok := p.FindUser(user)
 	if !ok || userPriv.Privileges == 0 {
@@ -190,14 +277,17 @@ func (p *PrivilegeDescriptor) Revoke(
 
 	bits := privList.ToBitField()
 	if privilege.ALL.IsSetIn(bits) {
-		// Revoking 'ALL' privilege: remove user.
-		// TODO(marc): the grammar does not allow it, but we should
-		// check if other privileges are being specified and error out.
-		p.RemoveUser(user)
+		userPriv.WithGrantOption = 0
+		if !grantOptionFor {
+			// Revoking 'ALL' privilege: remove user.
+			// TODO(marc): the grammar does not allow it, but we should
+			// check if other privileges are being specified and error out.
+			p.RemoveUser(user)
+		}
 		return
 	}
 
-	if privilege.ALL.IsSetIn(userPriv.Privileges) {
+	if privilege.ALL.IsSetIn(userPriv.Privileges) && !grantOptionFor {
 		// User has 'ALL' privilege. Remove it and set
 		// all other privileges one.
 		validPrivs := privilege.GetValidPrivilegesForObject(objectType)
@@ -209,12 +299,28 @@ func (p *PrivilegeDescriptor) Revoke(
 		}
 	}
 
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+		// User has 'ALL' grant option. Remove it and set
+		// all other grant options to one.
+		validPrivs := privilege.GetValidPrivilegesForObject(objectType)
+		userPriv.WithGrantOption = 0
+		for _, v := range validPrivs {
+			if v != privilege.ALL {
+				userPriv.WithGrantOption |= v.Mask()
+			}
+		}
+	}
+
 	// One doesn't see "AND NOT" very often.
-	userPriv.Privileges &^= bits
+	userPriv.WithGrantOption &^= bits
+	if !grantOptionFor {
+		userPriv.Privileges &^= bits
 
-	if userPriv.Privileges == 0 {
-		p.RemoveUser(user)
+		if userPriv.Privileges == 0 {
+			p.RemoveUser(user)
+		}
 	}
+
 }
 
 // ValidateSuperuserPrivileges ensures that superusers have exactly the maximum
diff --git a/pkg/sql/catalog/descpb/privilege.pb.go b/pkg/sql/catalog/descpb/privilege.pb.go
index 819e558c5975..8faa36db5050 100644
--- a/pkg/sql/catalog/descpb/privilege.pb.go
+++ b/pkg/sql/catalog/descpb/privilege.pb.go
@@ -30,7 +30,8 @@ const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 type UserPrivileges struct {
 	UserProto github_com_cockroachdb_cockroach_pkg_security.SQLUsernameProto `protobuf:"bytes,1,opt,name=user_proto,json=userProto,casttype=github.com/cockroachdb/cockroach/pkg/security.SQLUsernameProto" json:"user_proto"`
 	// privileges is a bitfield of 1<<Privilege values.
-	Privileges uint32 `protobuf:"varint,2,opt,name=privileges" json:"privileges"`
+	Privileges      uint32 `protobuf:"varint,2,opt,name=privileges" json:"privileges"`
+	WithGrantOption uint32 `protobuf:"varint,3,opt,name=with_grant_option,json=withGrantOption" json:"with_grant_option"`
 }
 
 func (m *UserPrivileges) Reset()         { *m = UserPrivileges{} }
@@ -334,55 +335,57 @@ func init() {
 }
 
 var fileDescriptor_9343d951995d5a76 = []byte{
-	// 759 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0xcf, 0x6b, 0xdb, 0x48,
-	0x18, 0xf5, 0xc4, 0xce, 0xaf, 0x71, 0x1c, 0x16, 0x6d, 0x02, 0x5a, 0x27, 0x91, 0xbd, 0x26, 0x0b,
-	0x66, 0x0f, 0x12, 0xe4, 0xb0, 0x2c, 0x61, 0x09, 0x6b, 0x93, 0x84, 0xc0, 0x6e, 0xb1, 0xab, 0x38,
-	0x3d, 0x94, 0x16, 0x21, 0xcb, 0x5f, 0x64, 0xd5, 0x63, 0x8d, 0x3c, 0x23, 0xa5, 0xf5, 0xb5, 0x7f,
-	0x41, 0x8f, 0x3d, 0x16, 0xfa, 0xc7, 0x34, 0xc7, 0x1c, 0x73, 0x4a, 0x5b, 0xe7, 0xd2, 0x63, 0xcf,
-	0x85, 0xd2, 0x32, 0x92, 0x62, 0x2b, 0x8d, 0xed, 0x34, 0x50, 0x7a, 0x08, 0x8c, 0x32, 0x6f, 0xde,
-	0xfb, 0xde, 0xf7, 0xcb, 0xb8, 0xc4, 0x7b, 0x44, 0xb3, 0x4c, 0xdf, 0x24, 0xd4, 0xd6, 0x5a, 0xc0,
-	0x2d, 0xaf, 0xa9, 0x79, 0xcc, 0x39, 0x71, 0x08, 0xd8, 0xa0, 0x7a, 0x8c, 0xfa, 0x54, 0x5a, 0xb5,
-	0xa8, 0xd5, 0x61, 0xd4, 0xb4, 0xda, 0x2a, 0xef, 0x11, 0xf1, 0xd7, 0x34, 0x39, 0xe4, 0x57, 0x6c,
-	0x6a, 0xd3, 0x10, 0xa1, 0x89, 0x53, 0x04, 0x2e, 0xbd, 0x46, 0x78, 0xf9, 0x88, 0x03, 0xab, 0x5f,
-	0x91, 0x70, 0x09, 0x30, 0x0e, 0x38, 0x30, 0x23, 0x04, 0xc8, 0xa8, 0x88, 0xca, 0x8b, 0xd5, 0xfd,
-	0xd3, 0x8b, 0x42, 0xea, 0xd3, 0x45, 0x61, 0xc7, 0x76, 0xfc, 0x76, 0xd0, 0x54, 0x2d, 0xda, 0xd5,
-	0x86, 0x32, 0xad, 0xe6, 0xe8, 0xac, 0x79, 0x1d, 0x5b, 0xe3, 0x60, 0x05, 0xcc, 0xf1, 0xfb, 0xea,
-	0xe1, 0xfd, 0xff, 0x05, 0xb9, 0x6b, 0x76, 0xa1, 0x2e, 0xd8, 0xf4, 0xc5, 0x20, 0xd4, 0x12, 0x61,
-	0x6e, 0x62, 0x3c, 0x8c, 0x9c, 0xcb, 0x33, 0x45, 0x54, 0xce, 0x55, 0x33, 0x42, 0x46, 0x4f, 0xfc,
-	0x7f, 0x3b, 0xf3, 0xe1, 0x55, 0x01, 0x95, 0xbe, 0x20, 0xfc, 0xeb, 0x30, 0xc2, 0x5d, 0xe0, 0x16,
-	0x73, 0x3c, 0x9f, 0x32, 0xa9, 0x82, 0x67, 0x05, 0x21, 0x97, 0x51, 0x31, 0x5d, 0xce, 0x6e, 0xfd,
-	0xa1, 0x8e, 0xb5, 0xae, 0x5e, 0x37, 0x18, 0xab, 0x44, 0x2f, 0x25, 0x1b, 0x67, 0xe9, 0x53, 0x77,
-	0x68, 0x77, 0xe6, 0x87, 0xda, 0xc5, 0x21, 0x75, 0xe4, 0xf7, 0x2f, 0x3c, 0x7f, 0x02, 0x8c, 0x3b,
-	0xd4, 0x95, 0xd3, 0xa1, 0xd9, 0xf5, 0x58, 0x64, 0xe5, 0x9a, 0xb3, 0x07, 0x11, 0x46, 0xbf, 0x02,
-	0xc7, 0x19, 0x78, 0xb3, 0x88, 0xe5, 0x5d, 0x38, 0x36, 0x03, 0xe2, 0x8f, 0x9c, 0xec, 0x53, 0xa6,
-	0x53, 0x02, 0x92, 0x85, 0x73, 0xf0, 0xcc, 0x23, 0x8e, 0xe5, 0xf8, 0x06, 0xa3, 0x04, 0xe4, 0xa5,
-	0x22, 0x2a, 0x67, 0xb7, 0xfe, 0x99, 0x90, 0x8e, 0x49, 0x3c, 0xea, 0x5e, 0x4c, 0x22, 0x3e, 0x0e,
-	0x52, 0xfa, 0x12, 0x24, 0xbe, 0xa5, 0x0e, 0xce, 0x1d, 0x53, 0x66, 0x98, 0x84, 0x84, 0x1a, 0x5c,
-	0xce, 0x85, 0x22, 0x7b, 0x77, 0x15, 0xd9, 0xa7, 0xac, 0x42, 0x88, 0x38, 0xf2, 0x3a, 0x87, 0xa0,
-	0x45, 0x63, 0xb5, 0xec, 0xf1, 0xe8, 0x42, 0xfa, 0x88, 0xf0, 0x46, 0x2b, 0x62, 0x30, 0x46, 0xdd,
-	0x60, 0x78, 0xc0, 0x0c, 0xda, 0x7c, 0x02, 0x96, 0x2f, 0x2f, 0x87, 0x15, 0xaf, 0xdd, 0x55, 0xfd,
-	0xc6, 0x45, 0x1d, 0x58, 0x2d, 0x64, 0xdc, 0x73, 0x7d, 0xd6, 0xaf, 0x3e, 0x12, 0x45, 0x79, 0xfe,
-	0xb6, 0xd0, 0xf8, 0xbe, 0xca, 0xf7, 0x88, 0xc6, 0xa1, 0xab, 0xf9, 0x0c, 0x40, 0xad, 0x10, 0x1f,
-	0xd8, 0x0d, 0xfe, 0x86, 0xc9, 0x6c, 0xf0, 0x23, 0x09, 0x3d, 0xdf, 0x9a, 0x28, 0x9f, 0xff, 0x9c,
-	0xc6, 0x4b, 0xc9, 0x02, 0xfc, 0xac, 0x39, 0xdc, 0xc1, 0xbf, 0x79, 0x41, 0x93, 0x38, 0x96, 0xd1,
-	0x36, 0xb9, 0x11, 0x70, 0xd3, 0x06, 0x83, 0xba, 0x86, 0xdf, 0xf7, 0x80, 0xcb, 0x99, 0x22, 0x2a,
-	0x2f, 0xc4, 0x03, 0xb3, 0x1a, 0xc1, 0x0e, 0x4c, 0x7e, 0x24, 0x40, 0x35, 0xb7, 0x21, 0x20, 0xd2,
-	0x3d, 0xfc, 0xbb, 0xe8, 0x87, 0xf0, 0xb5, 0x68, 0x8e, 0x44, 0xb9, 0x04, 0x8d, 0xd9, 0x14, 0xbd,
-	0x32, 0x9b, 0xe0, 0x59, 0x17, 0xf0, 0x03, 0x93, 0x57, 0x08, 0x19, 0xe5, 0xa1, 0xe6, 0x36, 0x42,
-	0xa4, 0x74, 0x88, 0x37, 0xa7, 0xd0, 0x71, 0xe8, 0x05, 0xe0, 0x5a, 0xc0, 0xe5, 0xb9, 0x04, 0x63,
-	0x61, 0x3c, 0xe3, 0xe1, 0x15, 0x58, 0xaa, 0xe1, 0xd2, 0x34, 0x52, 0xab, 0x0d, 0x5d, 0x93, 0xcb,
-	0xf3, 0x09, 0xca, 0x8d, 0x09, 0x94, 0x11, 0x54, 0xfa, 0x0f, 0x17, 0xa7, 0x99, 0x0e, 0x73, 0xb7,
-	0x90, 0xa0, 0x5b, 0x9b, 0xe0, 0x59, 0x00, 0xa3, 0x09, 0xcf, 0x3f, 0xc6, 0xab, 0x63, 0x47, 0x63,
-	0x7a, 0x81, 0xb2, 0xb7, 0x16, 0x28, 0xa6, 0xef, 0xe3, 0xc2, 0x2d, 0xbd, 0x2f, 0xfd, 0x82, 0xd3,
-	0x1d, 0xe8, 0x87, 0x9d, 0x96, 0xd3, 0xc5, 0x51, 0xfa, 0x17, 0xcf, 0x9e, 0x98, 0x24, 0x80, 0x70,
-	0x2d, 0x66, 0xb7, 0xfe, 0x9c, 0x30, 0x6d, 0x63, 0x56, 0xb3, 0x1e, 0x3d, 0xdc, 0x9e, 0xf9, 0x1b,
-	0x45, 0x01, 0x54, 0xe7, 0x70, 0x46, 0x24, 0xa1, 0xf4, 0x12, 0xe1, 0xfc, 0xb7, 0x91, 0x24, 0x56,
-	0xba, 0x8f, 0xd7, 0x26, 0x0c, 0x7e, 0xb8, 0xd9, 0xa2, 0x45, 0xaf, 0xdd, 0x71, 0xec, 0xe3, 0x04,
-	0xc9, 0xe3, 0xc6, 0x4f, 0xdc, 0xc7, 0x21, 0x96, 0x4f, 0xdf, 0x2b, 0xa9, 0xd3, 0x81, 0x82, 0xce,
-	0x06, 0x0a, 0x3a, 0x1f, 0x28, 0xe8, 0xdd, 0x40, 0x41, 0x2f, 0x2e, 0x95, 0xd4, 0xd9, 0xa5, 0x92,
-	0x3a, 0xbf, 0x54, 0x52, 0x0f, 0xe7, 0xa2, 0xdf, 0xdc, 0xaf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xd9,
-	0xfb, 0x41, 0x97, 0x88, 0x07, 0x00, 0x00,
+	// 785 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0x41, 0x6f, 0xe3, 0x44,
+	0x14, 0xce, 0x34, 0x69, 0x77, 0x3b, 0x69, 0x16, 0x30, 0x5b, 0xc9, 0x64, 0xb7, 0x4e, 0x88, 0x8a,
+	0x14, 0x71, 0xb0, 0x51, 0x0f, 0x08, 0x55, 0xa8, 0x22, 0x51, 0x5b, 0x2a, 0x01, 0x4a, 0x70, 0x53,
+	0x0e, 0x08, 0x64, 0x4d, 0x9c, 0x57, 0xc7, 0x64, 0xe2, 0x71, 0x66, 0xc6, 0x2d, 0xb9, 0xf2, 0x0b,
+	0x38, 0x72, 0xe4, 0xdf, 0xd0, 0x63, 0x2f, 0x48, 0x3d, 0x15, 0x48, 0x2f, 0x1c, 0x39, 0x23, 0x21,
+	0xd0, 0xd8, 0x6e, 0xe2, 0xd2, 0x24, 0xa5, 0x12, 0xda, 0x43, 0xa5, 0x71, 0xdf, 0x37, 0xdf, 0xf7,
+	0xde, 0xf7, 0xde, 0x9b, 0xe0, 0x9a, 0x18, 0x51, 0xcb, 0x25, 0x92, 0x50, 0xe6, 0x59, 0x3d, 0x10,
+	0x6e, 0xd8, 0xb5, 0x42, 0xee, 0x9f, 0xf9, 0x14, 0x3c, 0x30, 0x43, 0xce, 0x24, 0xd3, 0x36, 0x5d,
+	0xe6, 0x0e, 0x38, 0x23, 0x6e, 0xdf, 0x14, 0x23, 0xaa, 0xfe, 0xba, 0x44, 0x40, 0xf9, 0xb9, 0xc7,
+	0x3c, 0x16, 0x23, 0x2c, 0x75, 0x4a, 0xc0, 0xb5, 0x9f, 0x11, 0x7e, 0x76, 0x22, 0x80, 0xb7, 0x6f,
+	0x49, 0x84, 0x06, 0x18, 0x47, 0x02, 0xb8, 0x13, 0x03, 0x74, 0x54, 0x45, 0xf5, 0xf5, 0xe6, 0xe1,
+	0xc5, 0x75, 0x25, 0xf7, 0xe7, 0x75, 0x65, 0xcf, 0xf3, 0x65, 0x3f, 0xea, 0x9a, 0x2e, 0x1b, 0x5a,
+	0x53, 0x99, 0x5e, 0x77, 0x76, 0xb6, 0xc2, 0x81, 0x67, 0x09, 0x70, 0x23, 0xee, 0xcb, 0xb1, 0x79,
+	0xfc, 0xf9, 0xa7, 0x8a, 0x3c, 0x20, 0x43, 0x68, 0x2b, 0x36, 0x7b, 0x3d, 0x8a, 0xb5, 0x54, 0x9a,
+	0xdb, 0x18, 0x4f, 0x33, 0x17, 0xfa, 0x4a, 0x15, 0xd5, 0x4b, 0xcd, 0x82, 0x92, 0xb1, 0x33, 0xff,
+	0xd7, 0xde, 0xc3, 0x6f, 0x9c, 0xfb, 0xb2, 0xef, 0x78, 0x9c, 0x04, 0xd2, 0x61, 0xa1, 0xf4, 0x59,
+	0xa0, 0xe7, 0x33, 0xe0, 0xd7, 0x54, 0xf8, 0x63, 0x15, 0x6d, 0xc5, 0xc1, 0xdd, 0xc2, 0xef, 0x3f,
+	0x56, 0x50, 0xed, 0x6f, 0x84, 0xdf, 0x9c, 0xd6, 0xb4, 0x0f, 0xc2, 0xe5, 0x7e, 0x28, 0x19, 0xd7,
+	0x1a, 0x78, 0x55, 0xa5, 0x20, 0x74, 0x54, 0xcd, 0xd7, 0x8b, 0x3b, 0xef, 0x98, 0x73, 0xcd, 0x32,
+	0xef, 0x5a, 0x92, 0x4a, 0x25, 0x37, 0x35, 0x0f, 0x17, 0xd9, 0x79, 0x30, 0x35, 0x68, 0xe5, 0x7f,
+	0x35, 0x08, 0xc7, 0xd4, 0x89, 0x43, 0xef, 0xe3, 0x27, 0x67, 0xc0, 0xc5, 0xac, 0xe2, 0x97, 0xa9,
+	0xc8, 0xf3, 0x3b, 0x95, 0x7d, 0x91, 0x60, 0xec, 0x5b, 0x70, 0xea, 0xc0, 0x4f, 0xeb, 0x58, 0xdf,
+	0x87, 0x53, 0x12, 0x51, 0x39, 0xab, 0xe4, 0x90, 0x71, 0x9b, 0x51, 0xd0, 0x5c, 0x5c, 0x82, 0x6f,
+	0x43, 0xea, 0xbb, 0xbe, 0x74, 0x38, 0xa3, 0xa0, 0x6f, 0x54, 0x51, 0xbd, 0xb8, 0xf3, 0xe1, 0x02,
+	0x3b, 0x16, 0xf1, 0x98, 0x07, 0x29, 0x89, 0xfa, 0x38, 0xca, 0xd9, 0x1b, 0x90, 0xf9, 0xd6, 0x06,
+	0xb8, 0x74, 0xca, 0xb8, 0x43, 0x28, 0x8d, 0x35, 0x84, 0x5e, 0x8a, 0x45, 0x0e, 0x1e, 0x2b, 0x72,
+	0xc8, 0x78, 0x83, 0x52, 0x75, 0x14, 0x6d, 0x01, 0x51, 0x8f, 0xa5, 0x6a, 0xc5, 0xd3, 0x59, 0x40,
+	0xfb, 0x03, 0xe1, 0xad, 0x5e, 0xc2, 0xe0, 0xcc, 0xe6, 0xc7, 0x09, 0x81, 0x3b, 0xac, 0xfb, 0x0d,
+	0xb8, 0x52, 0x7f, 0x16, 0x77, 0xbc, 0xf5, 0x58, 0xf5, 0x7b, 0x81, 0x36, 0xf0, 0x56, 0xcc, 0x78,
+	0x10, 0x48, 0x3e, 0x6e, 0x7e, 0xa5, 0x9a, 0xf2, 0xdd, 0x2f, 0x95, 0xce, 0x7f, 0xeb, 0xfc, 0x88,
+	0x5a, 0x02, 0x86, 0x96, 0xe4, 0x00, 0x66, 0x83, 0x4a, 0xe0, 0xf7, 0xf8, 0x3b, 0x84, 0x7b, 0x20,
+	0x13, 0x09, 0xbb, 0xdc, 0x5b, 0x28, 0x5f, 0xfe, 0x2b, 0x8f, 0x37, 0xb2, 0x0d, 0x78, 0x55, 0x9b,
+	0xbb, 0x87, 0xdf, 0x0a, 0xa3, 0x2e, 0xf5, 0x5d, 0xa7, 0x4f, 0x84, 0x13, 0x09, 0xe2, 0x81, 0xc3,
+	0x02, 0x47, 0x8e, 0x43, 0x10, 0x7a, 0xa1, 0x8a, 0xea, 0x4f, 0xd3, 0x85, 0xd9, 0x4c, 0x60, 0x47,
+	0x44, 0x9c, 0x28, 0x50, 0x2b, 0xe8, 0x28, 0x88, 0xf6, 0x19, 0x7e, 0x5b, 0xcd, 0x43, 0x7c, 0x5b,
+	0x0d, 0x47, 0xa6, 0x5d, 0x8a, 0x86, 0x74, 0xd5, 0xac, 0xac, 0x66, 0x78, 0x5e, 0x2a, 0xf8, 0x11,
+	0x11, 0x0d, 0x4a, 0x67, 0x3e, 0xb4, 0x82, 0x4e, 0x8c, 0xd4, 0x8e, 0xf1, 0xf6, 0x12, 0x3a, 0x01,
+	0xa3, 0x08, 0x02, 0x17, 0x84, 0xbe, 0x96, 0x61, 0xac, 0xcc, 0x67, 0x3c, 0xbe, 0x05, 0x6b, 0x2d,
+	0x5c, 0x5b, 0x46, 0xea, 0xf6, 0x61, 0x48, 0x84, 0xfe, 0x24, 0x43, 0xb9, 0xb5, 0x80, 0x32, 0x81,
+	0x6a, 0x9f, 0xe0, 0xea, 0xb2, 0xa2, 0x63, 0xef, 0x9e, 0x66, 0xe8, 0x5e, 0x2c, 0xa8, 0x59, 0x01,
+	0x93, 0x0d, 0x2f, 0x7f, 0x8d, 0x37, 0xe7, 0xae, 0xc6, 0xf2, 0x06, 0x15, 0x1f, 0x6c, 0x50, 0x4a,
+	0x3f, 0xc6, 0x95, 0x07, 0x66, 0x5f, 0x7b, 0x1d, 0xe7, 0x07, 0x30, 0x8e, 0x27, 0xad, 0x64, 0xab,
+	0xa3, 0xf6, 0x11, 0x5e, 0x3d, 0x23, 0x34, 0x82, 0xf8, 0x59, 0x2c, 0xee, 0xbc, 0xbb, 0x60, 0xdb,
+	0xe6, 0x3c, 0xcd, 0x76, 0x72, 0x71, 0x77, 0xe5, 0x03, 0x94, 0x24, 0xd0, 0x5c, 0xc3, 0x05, 0x65,
+	0x42, 0xed, 0x07, 0x84, 0xcb, 0xff, 0xce, 0x24, 0xf3, 0xa4, 0x4b, 0xfc, 0x62, 0xc1, 0xe2, 0xc7,
+	0x2f, 0x5b, 0xf2, 0xd0, 0x5b, 0x8f, 0x5c, 0xfb, 0xd4, 0x20, 0x7d, 0xde, 0xfa, 0xa9, 0x78, 0x9a,
+	0x62, 0xfd, 0xe2, 0x37, 0x23, 0x77, 0x31, 0x31, 0xd0, 0xe5, 0xc4, 0x40, 0x57, 0x13, 0x03, 0xfd,
+	0x3a, 0x31, 0xd0, 0xf7, 0x37, 0x46, 0xee, 0xf2, 0xc6, 0xc8, 0x5d, 0xdd, 0x18, 0xb9, 0x2f, 0xd7,
+	0x92, 0x5f, 0xe9, 0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0x67, 0xe1, 0x73, 0xa0, 0xba, 0x07, 0x00,
+	0x00,
 }
 
 func (this *UserPrivileges) Equal(that interface{}) bool {
@@ -410,6 +413,9 @@ func (this *UserPrivileges) Equal(that interface{}) bool {
 	if this.Privileges != that1.Privileges {
 		return false
 	}
+	if this.WithGrantOption != that1.WithGrantOption {
+		return false
+	}
 	return true
 }
 func (this *PrivilegeDescriptor) Equal(that interface{}) bool {
@@ -647,6 +653,9 @@ func (m *UserPrivileges) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintPrivilege(dAtA, i, uint64(m.WithGrantOption))
+	i--
+	dAtA[i] = 0x18
 	i = encodeVarintPrivilege(dAtA, i, uint64(m.Privileges))
 	i--
 	dAtA[i] = 0x10
@@ -960,6 +969,7 @@ func (m *UserPrivileges) Size() (n int) {
 	l = len(m.UserProto)
 	n += 1 + l + sovPrivilege(uint64(l))
 	n += 1 + sovPrivilege(uint64(m.Privileges))
+	n += 1 + sovPrivilege(uint64(m.WithGrantOption))
 	return n
 }
 
@@ -1153,6 +1163,25 @@ func (m *UserPrivileges) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WithGrantOption", wireType)
+			}
+			m.WithGrantOption = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPrivilege
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.WithGrantOption |= uint32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipPrivilege(dAtA[iNdEx:])
diff --git a/pkg/sql/catalog/descpb/privilege.proto b/pkg/sql/catalog/descpb/privilege.proto
index a5ac53137f29..538b88dc1686 100644
--- a/pkg/sql/catalog/descpb/privilege.proto
+++ b/pkg/sql/catalog/descpb/privilege.proto
@@ -21,6 +21,7 @@ message UserPrivileges {
                                   (gogoproto.casttype) = "github.com/cockroachdb/cockroach/pkg/security.SQLUsernameProto"];
   // privileges is a bitfield of 1<<Privilege values.
   optional uint32 privileges = 2 [(gogoproto.nullable) = false];
+  optional uint32 with_grant_option = 3 [(gogoproto.nullable) = false];
 }
 
 // PrivilegeDescriptor describes a list of users and attached
diff --git a/pkg/sql/catalog/descpb/privilege_test.go b/pkg/sql/catalog/descpb/privilege_test.go
index b7a38d44af50..ff0698c667c0 100644
--- a/pkg/sql/catalog/descpb/privilege_test.go
+++ b/pkg/sql/catalog/descpb/privilege_test.go
@@ -145,10 +145,10 @@ func TestPrivilege(t *testing.T) {
 	for tcNum, tc := range testCases {
 		if !tc.grantee.Undefined() {
 			if tc.grant != nil {
-				descriptor.Grant(tc.grantee, tc.grant)
+				descriptor.Grant(tc.grantee, tc.grant, false)
 			}
 			if tc.revoke != nil {
-				descriptor.Revoke(tc.grantee, tc.revoke, tc.objectType)
+				descriptor.Revoke(tc.grantee, tc.revoke, tc.objectType, false)
 			}
 		}
 		show := descriptor.Show(tc.objectType)
@@ -177,31 +177,31 @@ func TestCheckPrivilege(t *testing.T) {
 		priv privilege.Kind
 		exp  bool
 	}{
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.CREATE, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			barUser, privilege.CREATE, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			barUser, privilege.DROP, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.DROP, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.CREATE, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.ALL, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.ALL, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.ALL, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.CREATE, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, privilege.UPDATE, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, privilege.DROP, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.ALL},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.ALL}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, privilege.DROP, true},
 	}
@@ -225,18 +225,18 @@ func TestAnyPrivilege(t *testing.T) {
 		user security.SQLUsername
 		exp  bool
 	}{
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			barUser, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
 			testUser, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
 			testUser, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			barUser, false},
 	}
@@ -263,25 +263,25 @@ func TestPrivilegeValidate(t *testing.T) {
 	if err := validate(); err != nil {
 		t.Fatal(err)
 	}
-	descriptor.Grant(testUser, privilege.List{privilege.ALL})
+	descriptor.Grant(testUser, privilege.List{privilege.ALL}, false)
 	if err := validate(); err != nil {
 		t.Fatal(err)
 	}
-	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT})
+	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT}, false)
 	if err := validate(); err != nil {
 		t.Fatal(err)
 	}
-	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.SELECT}, privilege.Table)
+	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.SELECT}, privilege.Table, false)
 	if err := validate(); err == nil {
 		t.Fatal("unexpected success")
 	}
 	// TODO(marc): validate fails here because we do not aggregate
 	// privileges into ALL when all are set.
-	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT})
+	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT}, false)
 	if err := validate(); err == nil {
 		t.Fatal("unexpected success")
 	}
-	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.ALL}, privilege.Table)
+	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.ALL}, privilege.Table, false)
 	if err := validate(); err == nil {
 		t.Fatal("unexpected success")
 	}
@@ -306,7 +306,7 @@ func TestValidPrivilegesForObjects(t *testing.T) {
 	for _, tc := range testCases {
 		for _, priv := range tc.validPrivileges {
 			privDesc := NewDefaultPrivilegeDescriptor(security.AdminRoleName())
-			privDesc.Grant(testUser, privilege.List{priv})
+			privDesc.Grant(testUser, privilege.List{priv}, false)
 			err := privDesc.Validate(id, tc.objectType, "whatever", DefaultSuperuserPrivileges)
 			if err != nil {
 				t.Fatal(err)
@@ -323,7 +323,7 @@ func TestValidPrivilegesForObjects(t *testing.T) {
 
 		for _, priv := range invalidPrivileges {
 			privDesc := NewDefaultPrivilegeDescriptor(security.AdminRoleName())
-			privDesc.Grant(testUser, privilege.List{priv})
+			privDesc.Grant(testUser, privilege.List{priv}, false)
 			err := privDesc.Validate(id, tc.objectType, "whatever", DefaultSuperuserPrivileges)
 			if err == nil {
 				t.Fatalf("unexpected success, %s should not be a valid privilege for a %s",
@@ -361,13 +361,13 @@ func TestSystemPrivilegeValidate(t *testing.T) {
 		}
 
 		// Valid: foo has a subset of the allowed privileges.
-		descriptor.Grant(testUser, privilege.List{privilege.SELECT})
+		descriptor.Grant(testUser, privilege.List{privilege.SELECT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Valid: foo has exactly the allowed privileges.
-		descriptor.Grant(testUser, privilege.List{privilege.GRANT})
+		descriptor.Grant(testUser, privilege.List{privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
@@ -381,20 +381,20 @@ func TestSystemPrivilegeValidate(t *testing.T) {
 		)
 
 		// Valid: foo has a subset of the allowed privileges.
-		descriptor.Grant(testUser, privilege.List{privilege.GRANT})
+		descriptor.Grant(testUser, privilege.List{privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Valid: foo can have privileges revoked, including privileges it doesn't currently have.
 		descriptor.Revoke(
-			testUser, privilege.List{privilege.GRANT, privilege.UPDATE, privilege.ALL}, privilege.Table)
+			testUser, privilege.List{privilege.GRANT, privilege.UPDATE, privilege.ALL}, privilege.Table, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Invalid: root user has too many privileges.
-		descriptor.Grant(security.RootUserName(), privilege.List{privilege.UPDATE})
+		descriptor.Grant(security.RootUserName(), privilege.List{privilege.UPDATE}, false)
 		if err := validate(descriptor); !testutils.IsError(err, rootWrongPrivilegesErr) {
 			t.Fatalf("expected err=%s, got err=%v", rootWrongPrivilegesErr, err)
 		}
@@ -410,21 +410,21 @@ func TestSystemPrivilegeValidate(t *testing.T) {
 
 		// Invalid: root's invalid privileges are revoked and replaced with allowable privileges,
 		// but admin is still wrong.
-		descriptor.Revoke(security.RootUserName(), privilege.List{privilege.UPDATE}, privilege.Table)
-		descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT, privilege.GRANT})
+		descriptor.Revoke(security.RootUserName(), privilege.List{privilege.UPDATE}, privilege.Table, false)
+		descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT, privilege.GRANT}, false)
 		if err := validate(descriptor); !testutils.IsError(err, adminWrongPrivilegesErr) {
 			t.Fatalf("expected err=%s, got err=%v", adminWrongPrivilegesErr, err)
 		}
 
 		// Valid: admin's invalid privileges are revoked and replaced with allowable privileges.
-		descriptor.Revoke(security.AdminRoleName(), privilege.List{privilege.UPDATE}, privilege.Table)
-		descriptor.Grant(security.AdminRoleName(), privilege.List{privilege.SELECT, privilege.GRANT})
+		descriptor.Revoke(security.AdminRoleName(), privilege.List{privilege.UPDATE}, privilege.Table, false)
+		descriptor.Grant(security.AdminRoleName(), privilege.List{privilege.SELECT, privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Valid: foo has less privileges than root.
-		descriptor.Grant(testUser, privilege.List{privilege.GRANT})
+		descriptor.Grant(testUser, privilege.List{privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
@@ -499,3 +499,179 @@ func TestValidateOwnership(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// TestGrantWithGrantOption tests whether granting with grant option changes the
+// privilege bits and grant option bits as expected.
+func TestGrantWithGrantOption(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	testUser := security.TestUserName()
+
+	testCases := []struct {
+		pd                  *PrivilegeDescriptor
+		user                security.SQLUsername
+		objectType          privilege.ObjectType
+		grantPrivileges     privilege.List
+		expectedPrivileges  privilege.List
+		expectedGrantOption privilege.List
+	}{
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.INSERT}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Schema,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Schema,
+			privilege.List{privilege.ALL, privilege.CREATE},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+	}
+
+	for tcNum, tc := range testCases {
+		tc.pd.Grant(tc.user, tc.grantPrivileges, true)
+		if tc.pd.Users[0].Privileges != tc.expectedPrivileges.ToBitField() {
+			t.Errorf("#%d: Incorrect privileges, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].Privileges, tc.objectType), tc.expectedPrivileges)
+		}
+		if tc.pd.Users[0].WithGrantOption != tc.expectedGrantOption.ToBitField() {
+			t.Errorf("#%d: Incorrect grant option, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].WithGrantOption, tc.objectType), tc.expectedGrantOption)
+		}
+	}
+}
+
+// TestRevokeWithGrantOption tests whether revoking grant option for changes the
+// privilege bits and grant option bits as expected.
+func TestRevokeWithGrantOption(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	testUser := security.TestUserName()
+
+	testCases := []struct {
+		pd                  *PrivilegeDescriptor
+		user                security.SQLUsername
+		objectType          privilege.ObjectType
+		revokePrivileges    privilege.List
+		expectedPrivileges  privilege.List
+		expectedGrantOption privilege.List
+	}{
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.CREATE, privilege.GRANT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.DROP, privilege.SELECT, privilege.INSERT, privilege.DELETE, privilege.UPDATE, privilege.ZONECONFIG}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL, privilege.CREATE, privilege.SELECT},
+			privilege.List{privilege.ALL},
+			privilege.List{}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT}, privilege.List{privilege.SELECT}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.CREATE, privilege.DROP, privilege.SELECT},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT},
+			privilege.List{}},
+	}
+
+	for tcNum, tc := range testCases {
+		tc.pd.Revoke(tc.user, tc.revokePrivileges, tc.objectType, true)
+		if tc.pd.Users[0].Privileges != tc.expectedPrivileges.ToBitField() {
+			t.Errorf("#%d: Incorrect privileges, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].Privileges, tc.objectType), tc.expectedPrivileges)
+		}
+		if tc.pd.Users[0].WithGrantOption != tc.expectedGrantOption.ToBitField() {
+			t.Errorf("#%d: Incorrect grant option, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].WithGrantOption, tc.objectType), tc.expectedGrantOption)
+		}
+	}
+}
+
+// TestGranularGrant tests whether granting potentially different privileges and grant options
+// changes the privilege bits and grant option bits as expected.
+func TestGranularGrant(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	testUser := security.TestUserName()
+
+	testCases := []struct {
+		pd                  *PrivilegeDescriptor
+		user                security.SQLUsername
+		objectType          privilege.ObjectType
+		grantPrivileges     privilege.List
+		grantGrantOptions   privilege.List
+		expectedPrivileges  privilege.List
+		expectedGrantOption privilege.List
+	}{
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.INSERT}, privilege.List{privilege.INSERT}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.CREATE, privilege.SELECT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.INSERT}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT, privilege.UPDATE},
+			privilege.List{privilege.SELECT},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT, privilege.UPDATE},
+			privilege.List{privilege.CREATE, privilege.SELECT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL, privilege.CREATE, privilege.SELECT, privilege.INSERT, privilege.UPDATE},
+			privilege.List{privilege.ALL, privilege.SELECT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+	}
+
+	for tcNum, tc := range testCases {
+		tc.pd.GranularGrant(tc.user, tc.grantPrivileges, tc.grantGrantOptions)
+		if tc.pd.Users[0].Privileges != tc.expectedPrivileges.ToBitField() {
+			t.Errorf("#%d: Incorrect privileges, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].Privileges, tc.objectType), tc.expectedPrivileges)
+		}
+		if tc.pd.Users[0].WithGrantOption != tc.expectedGrantOption.ToBitField() {
+			t.Errorf("#%d: Incorrect grant option, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].WithGrantOption, tc.objectType), tc.expectedGrantOption)
+		}
+	}
+}
diff --git a/pkg/sql/grant_revoke.go b/pkg/sql/grant_revoke.go
index 97ca719aee5c..dc8b5e031569 100644
--- a/pkg/sql/grant_revoke.go
+++ b/pkg/sql/grant_revoke.go
@@ -51,13 +51,14 @@ func (p *planner) Grant(ctx context.Context, n *tree.Grant) (planNode, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	return &changePrivilegesNode{
 		isGrant:      true,
 		targets:      n.Targets,
 		grantees:     grantees,
 		desiredprivs: n.Privileges,
 		changePrivilege: func(privDesc *descpb.PrivilegeDescriptor, privileges privilege.List, grantee security.SQLUsername) {
-			privDesc.Grant(grantee, privileges)
+			privDesc.Grant(grantee, privileges, n.WithGrantOption)
 		},
 		grantOn:          grantOn,
 		granteesNameList: n.Grantees,
@@ -87,7 +88,7 @@ func (p *planner) Revoke(ctx context.Context, n *tree.Revoke) (planNode, error)
 		grantees:     grantees,
 		desiredprivs: n.Privileges,
 		changePrivilege: func(privDesc *descpb.PrivilegeDescriptor, privileges privilege.List, grantee security.SQLUsername) {
-			privDesc.Revoke(grantee, privileges, grantOn)
+			privDesc.Revoke(grantee, privileges, grantOn, n.GrantOptionFor)
 		},
 		grantOn:          grantOn,
 		granteesNameList: n.Grantees,
@@ -178,8 +179,16 @@ func (n *changePrivilegesNode) startExec(params runParams) error {
 					return err
 				}
 			}
-
 			privileges := descriptor.GetPrivileges()
+
+			// Ensure that the granter is allowed to grant the privileges
+			if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption) {
+				err := privileges.ValidateGrantPrivileges(p.User(), n.desiredprivs)
+				if err != nil {
+					return err
+				}
+			}
+
 			for _, grantee := range n.grantees {
 				n.changePrivilege(privileges, n.desiredprivs, grantee)
 			}
diff --git a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option
new file mode 100644
index 000000000000..cf9c00534ddd
--- /dev/null
+++ b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option
@@ -0,0 +1,611 @@
+# Should error when a role that does not exist is provided.
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES FOR ROLE who GRANT SELECT ON TABLES to testuser WITH GRANT OPTION
+
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES to who WITH GRANT OPTION
+
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser GRANT SELECT ON TABLES to who WITH GRANT OPTION
+
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser GRANT SELECT ON TABLES to testuser, who WITH GRANT OPTION
+
+# Should not be able to use invalid privileges.
+statement error pq: invalid privilege type USAGE for table
+ALTER DEFAULT PRIVILEGES GRANT USAGE ON TABLES to testuser WITH GRANT OPTION
+
+statement ok
+GRANT CREATE ON DATABASE test to testuser
+
+statement ok
+CREATE USER testuser2
+
+statement ok
+CREATE USER target
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE root GRANT GRANT, SELECT ON TABLES TO testuser;
+
+statement ok
+CREATE TABLE t1()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser  CREATE
+test           public       t1          testuser  GRANT
+test           public       t1          testuser  SELECT
+
+user testuser
+
+statement ok
+SELECT * FROM t1
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, SELECT ON TABLE t1 to target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT, INSERT ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t2()
+
+user testuser
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser  CREATE
+test           public       t1          testuser  GRANT
+test           public       t1          testuser  SELECT
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t2;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t2          admin     ALL
+test           public       t2          root      ALL
+test           public       t2          testuser  CREATE
+test           public       t2          testuser  GRANT
+test           public       t2          testuser  INSERT
+test           public       t2          testuser  SELECT
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, SELECT ON TABLE t1 to target
+
+statement ok
+GRANT GRANT, SELECT, INSERT ON TABLE t2 to target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t3()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t3;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t3          admin     ALL
+test           public       t3          root      ALL
+test           public       t3          testuser  ALL
+
+user testuser
+
+statement ok
+GRANT INSERT, DELETE on table t3 to target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR INSERT, DELETE ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t4()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t4;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t4          admin     ALL
+test           public       t4          root      ALL
+test           public       t4          testuser  ALL
+
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT, DELETE ON TABLE t4 TO target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t5()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t5;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t5          admin     ALL
+test           public       t5          root      ALL
+test           public       t5          testuser  ALL
+
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, SELECT ON TABLE t5 TO target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t6()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t6;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t6          admin     ALL
+test           public       t6          root      ALL
+test           public       t6          testuser  CREATE
+
+#-------------------------- testuser alters default privs on itself ---------------------------------
+user testuser
+
+statement ok
+CREATE TABLE t7()
+
+# since testuser created the table, it automatically has ALL PRIVILEGES ON IT
+query TTTTT colnames
+SHOW GRANTS ON TABLE t7;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t7          admin     ALL
+test           public       t7          root      ALL
+test           public       t7          testuser  ALL
+
+# you do not obtain grant option just for creating a table despite having ALL PRIVILEGES
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT ON TABLE t7 TO testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT ON TABLES TO testuser
+
+statement ok
+CREATE TABLE t8()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t8;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t8          admin     ALL
+test           public       t8          root      ALL
+test           public       t8          testuser  ALL
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t9()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t9;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t9          admin     ALL
+test           public       t9          root      ALL
+test           public       t9          testuser  ALL
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT, DELETE ON TABLE t9 to testuser
+
+statement ok
+GRANT GRANT, SELECT ON TABLE t9 to testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t10()
+
+statement ok
+GRANT INSERT, DELETE ON TABLE t10 to testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t11()
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t11 TO testuser
+
+statement ok
+GRANT GRANT, INSERT, DELETE ON TABLE t11 TO testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t12()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t12;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t12         admin     ALL
+test           public       t12         root      ALL
+test           public       t12         testuser  ALL
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, INSERT, DELETE ON TABLE t12 TO testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t13()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t13;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t13         admin     ALL
+test           public       t13         root      ALL
+test           public       t13         testuser  CREATE
+
+# -------------------------------------- one created user to another (testuser to testuser2) ----------------------------------------------
+user testuser
+
+# Postgres does not seem to validate whether the user revoking privileges on another user holds those privileges themselves
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT, INSERT ON TABLES TO testuser2
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser2
+
+statement ok
+CREATE TABLE t14()
+
+# The reason testuser does not have ALL despite creating the table is that we granted "FOR ROLE root", but testuser is creating
+# the table so when testuser creates a table, it's still going off the previous alter default privs which was to revoke everything
+query TTTTT colnames
+SHOW GRANTS ON TABLE t14;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t14         admin     ALL
+test           public       t14         root      ALL
+test           public       t14         testuser  CREATE
+test           public       t14         testuser2 GRANT
+test           public       t14         testuser2 INSERT
+test           public       t14         testuser2 SELECT
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, INSERT, DELETE ON TABLE t12 TO target
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t14 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser2 WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t15()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t15;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t15         admin     ALL
+test           public       t15         root      ALL
+test           public       t15         testuser  ALL
+test           public       t15         testuser2 GRANT
+test           public       t15         testuser2 INSERT
+test           public       t15         testuser2 SELECT
+
+user testuser2
+
+statement ok
+GRANT SELECT, GRANT ON TABLE t15 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT ON TABLE t15 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser2 WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t16()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t16;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t16         admin     ALL
+test           public       t16         root      ALL
+test           public       t16         testuser  ALL
+test           public       t16         testuser2 ALL
+
+user testuser2
+
+statement ok
+GRANT INSERT ON TABLE t16 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT, INSERT ON TABLES FROM testuser2
+
+statement ok
+CREATE TABLE t17()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t17;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t17         admin     ALL
+test           public       t17         root      ALL
+test           public       t17         testuser  ALL
+test           public       t17         testuser2 ALL
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT, INSERT ON TABLE t17 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser2
+
+statement ok
+CREATE TABLE t18()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t18;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t18         admin     ALL
+test           public       t18         root      ALL
+test           public       t18         testuser  ALL
+test           public       t18         testuser2 ALL
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t18 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser2
+
+statement ok
+CREATE TABLE t19()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t19;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t19         admin     ALL
+test           public       t19         root      ALL
+test           public       t19         testuser  ALL
+
+# -------------------------------------- Test Schemas ---------------------------------------------
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO testuser, testuser2 WITH GRANT OPTION
+
+statement ok
+CREATE SCHEMA s1
+
+query TTTT colnames
+SHOW GRANTS ON SCHEMA s1
+----
+database_name  schema_name  grantee    privilege_type
+test           s1           admin      ALL
+test           s1           root       ALL
+test           s1           testuser   ALL
+test           s1           testuser2  ALL
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMAS FROM testuser, testuser2
+
+statement ok
+CREATE SCHEMA s2
+
+query TTTT colnames
+SHOW GRANTS ON SCHEMA s2
+----
+database_name  schema_name  grantee    privilege_type
+test           s2           admin      ALL
+test           s2           root       ALL
+test           s2           testuser   ALL
+test           s2           testuser2  ALL
+
+user testuser
+
+statement ok
+GRANT CREATE ON SCHEMA s1 TO target
+
+statement ok
+GRANT ALL PRIVILEGES ON SCHEMA s1 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type CREATE
+GRANT CREATE ON SCHEMA s2 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON SCHEMA s2 TO target
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE s1.t1()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE s1.t1
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           s1           t1          admin     ALL
+test           s1           t1          root      ALL
+test           s1           t1          testuser  ALL
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMAS FROM testuser
+
+statement ok
+CREATE TABLE s1.t2()
+
+# revoking grant option for a schema that holds a table should not revoke the grant option for the table itself
+statement ok
+GRANT ALL PRIVILEGES ON TABLE s1.t2 TO target
+
+# -------------------------------------- Test Sequences -----------------------------------------
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT CREATE ON SEQUENCES TO testuser2 WITH GRANT OPTION
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SEQUENCES FROM testuser
+
+statement ok
+CREATE SEQUENCE seq1
+
+query TTTTT colnames
+SHOW GRANTS ON seq1
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       seq1        admin     ALL
+test           public       seq1        root      ALL
+test           public       seq1        testuser  ALL
+test           public       seq1        testuser2 CREATE
+
+# TODO: implement the grant/revoke for sequence? Can't do much more that this in terms of testing otherwise
+# -------------------------------------- Test Types ---------------------------------------------
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, USAGE ON TYPES TO testuser2 WITH GRANT OPTION
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TYPES FROM testuser
+
+statement ok
+CREATE TYPE type1 AS ENUM()
+
+query TTTTT colnames
+SHOW GRANTS ON TYPE type1
+----
+database_name  schema_name  type_name   grantee   privilege_type
+test           public       type1       admin     ALL
+test           public       type1       public    USAGE
+test           public       type1       root      ALL
+test           public       type1       testuser  ALL
+test           public       type1       testuser2 GRANT
+test           public       type1       testuser2 USAGE
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON TYPE type1 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type USAGE
+GRANT USAGE ON TYPE type1 TO target
+
+user testuser2
+
+statement ok
+GRANT USAGE ON TYPE type1 TO target
+
+# -------------------------------------- Test Roles ---------------------------------------------
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser
+
+user testuser2
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser2
+
+user root
+
+statement ok
+GRANT testuser, testuser2 TO root;
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser, testuser2 GRANT ALL PRIVILEGES ON TABLES TO testuser, testuser2 WITH GRANT OPTION
+
+user testuser
+
+statement ok
+CREATE TABLE t20()
+
+# testuser2 will have ALL privileges because the ALTER statement made from root specifies it happens when testuser does it
+query TTTTT colnames
+SHOW GRANTS ON TABLE t20;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t20         admin     ALL
+test           public       t20         root      ALL
+test           public       t20         testuser  ALL
+test           public       t20         testuser2 ALL
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser, testuser2 REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser2
+
+user testuser
+
+statement ok
+CREATE TABLE t21()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t21;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t21         admin     ALL
+test           public       t21         root      ALL
+test           public       t21         testuser  ALL
+test           public       t21         testuser2 ALL
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON TABLE t21 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT, INSERT ON TABLE t21 TO target
+
+
diff --git a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option
new file mode 100644
index 000000000000..6763c00f82fa
--- /dev/null
+++ b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option
@@ -0,0 +1,292 @@
+statement ok
+CREATE TABLE t(row INT)
+
+statement ok
+CREATE USER testuser2
+
+statement ok
+CREATE USER target
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t TO testuser
+
+# switch to testuser
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON table t to testuser2
+
+# switch to root
+user root
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t TO testuser WITH GRANT OPTION
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT SELECT, GRANT, INSERT ON TABLE t TO testuser2 WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  INSERT
+test           public       t              testuser2  SELECT
+
+statement ok
+REVOKE INSERT ON TABLE t FROM testuser2
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  SELECT
+
+statement ok
+REVOKE GRANT OPTION FOR SELECT ON TABLE t FROM testuser2
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  SELECT
+
+# switch to testuser2
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t TO target
+
+# switch to root
+user root
+
+statement ok
+REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT, GRANT, INSERT, DELETE ON TABLE t TO testuser2 WITH GRANT OPTION
+
+# switch to root
+user root
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+
+statement ok
+GRANT GRANT, UPDATE, DELETE ON TABLE t to testuser WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   DELETE
+test           public       t              testuser   GRANT
+test           public       t              testuser   UPDATE
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t to testuser WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT DELETE ON TABLE t to target
+
+# switch to root
+user root
+
+statement ok
+REVOKE GRANT OPTION FOR UPDATE, DELETE ON TABLE t FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT SELECT ON TABLE t TO testuser2 WITH GRANT OPTION
+
+statement error pq: missing WITH GRANT OPTION privilege type UPDATE
+GRANT UPDATE ON TABLE t TO testuser2 WITH GRANT OPTION
+
+statement error pq: missing WITH GRANT OPTION privilege type DELETE
+GRANT DELETE ON TABLE t TO testuser2 WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  SELECT
+
+# switch to testuser2
+user testuser2
+
+statement ok
+GRANT SELECT ON TABLE t TO target
+
+# briefly test databases, schemas, etc since the code is the same as with tables tested above
+# switch to root
+user root
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t FROM testuser
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t FROM testuser2
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+
+statement ok
+CREATE SCHEMA s
+
+statement ok
+GRANT GRANT, CREATE ON SCHEMA s TO testuser WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           s            NULL           testuser   CREATE
+test           s            NULL           testuser   GRANT
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT CREATE ON SCHEMA s TO testuser2 WITH GRANT OPTION
+
+# switch to root
+user root
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           s            NULL           testuser2  CREATE
+
+statement ok
+REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMA s FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           s            NULL           testuser   CREATE
+test           s            NULL           testuser   GRANT
+
+# switch to testuser
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type CREATE
+GRANT CREATE ON SCHEMA s TO target
+
+# switch to root
+user root
+
+statement ok
+CREATE DATABASE d
+
+statement ok
+GRANT ALL PRIVILEGES ON DATABASE d TO testuser WITH GRANT OPTION
+
+query TTT colnames
+SHOW GRANTS ON DATABASE d
+----
+database_name   grantee    privilege_type
+d               admin      ALL
+d               root       ALL
+d               testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT GRANT, CREATE, CONNECT ON DATABASE d TO testuser2 WITH GRANT OPTION
+
+statement ok
+REVOKE GRANT OPTION FOR CREATE ON DATABASE d FROM testuser2
+
+# switch to testuser2
+user testuser2
+
+statement ok
+GRANT GRANT ON DATABASE d TO target WITH GRANT OPTION
+
+statement ok
+GRANT CONNECT ON DATABASE d TO target WITH GRANT OPTION
+
+statement error pq: missing WITH GRANT OPTION privilege type CREATE
+GRANT CREATE ON DATABASE d TO target WITH GRANT OPTION
+
+# switch to root
+user root
+
+query TTT colnames
+SHOW GRANTS ON DATABASE d
+----
+database_name   grantee    privilege_type
+d               admin      ALL
+d               root       ALL
+d               target     CONNECT
+d               target     GRANT
+d               testuser   ALL
+d               testuser2  CONNECT
+d               testuser2  CREATE
+d               testuser2  GRANT
+
+statement ok
+REVOKE ALL PRIVILEGES ON DATABASE d FROM testuser2
+
+query TTT colnames
+SHOW GRANTS ON DATABASE d
+----
+database_name   grantee    privilege_type
+d               admin      ALL
+d               root       ALL
+d               target     CONNECT
+d               target     GRANT
+d               testuser   ALL
+
+# switch to testuser2
+user testuser2
+
+statement error pq: user testuser2 does not have GRANT privilege on database d
+GRANT CONNECT ON DATABASE d TO target WITH GRANT OPTION
diff --git a/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option
new file mode 100644
index 000000000000..9489342d1237
--- /dev/null
+++ b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option
@@ -0,0 +1,164 @@
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO PUBLIC WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT USAGE ON SCHEMAS TO PUBLIC WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON SEQUENCES TO PUBLIC WITH GRANT OPTION;
+
+# Public should appear as an empty string with privileges.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {=r*/}
+4149409857  1546506610  0                S              {=r*/}
+4149409857  1546506610  0                n              {=U*/}
+
+statement ok
+CREATE USER foo
+
+statement ok
+CREATE USER bar
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON TYPES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON SEQUENCES TO foo, bar WITH GRANT OPTION;
+
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r*/}
+4149409857  1546506610  0                S              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r*/}
+4149409857  1546506610  0                T              {bar=U*/,foo=U*/}
+4149409857  1546506610  0                n              {bar=C*U*/,foo=C*U*/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT, DELETE ON TABLES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR USAGE ON TYPES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR CREATE ON SCHEMAS FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR CREATE, UPDATE ON SEQUENCES FROM foo, bar;
+
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=C*a*drw*/,foo=C*a*drw*/,=r*/}
+4149409857  1546506610  0                S              {bar=Ca*d*r*w/,foo=Ca*d*r*w/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU*/,foo=CU*/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON TABLES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON TYPES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON SCHEMAS FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON SEQUENCES FROM foo, bar;
+
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+GRANT foo, bar TO root;
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON TABLES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON TYPES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON SCHEMAS TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON SEQUENCES TO foo, bar WITH GRANT OPTION;
+
+# 12 rows should exist, 4 for each role, root, foo and bar.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+542080048   1791217281  0                r              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+542080048   1791217281  0                S              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+542080048   1791217281  0                T              {bar=U*/,foo=U*/,=U/}
+542080048   1791217281  0                n              {bar=C*U*/,foo=C*U*/}
+38059971    2026795574  0                r              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+38059971    2026795574  0                S              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+38059971    2026795574  0                T              {bar=U*/,foo=U*/,=U/}
+38059971    2026795574  0                n              {bar=C*U*/,foo=C*U*/}
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON TABLES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON TYPES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON SCHEMAS FROM foo, bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON SEQUENCES FROM foo, bar;
+
+# Revoking all will result in rows with empty privileges since the privileges
+# are revoked from the creator role.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+542080048   1791217281  0                r              {}
+542080048   1791217281  0                S              {}
+542080048   1791217281  0                T              {=U/}
+542080048   1791217281  0                n              {}
+38059971    2026795574  0                r              {}
+38059971    2026795574  0                S              {}
+38059971    2026795574  0                T              {=U/}
+38059971    2026795574  0                n              {}
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON TABLES TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON SEQUENCES TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON SCHEMAS TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON TYPES TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON TABLES TO bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON SEQUENCES TO bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON SCHEMAS TO bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON TYPES TO bar;
+
+# Entries should disappear since the previous ALTER DEFAULT PRIVILEGE commands
+# revert the default privileges to the default state.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT USAGE ON TYPES TO foo WITH GRANT OPTION
+
+# foo should show up in the table since it got modified
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+38059971    2026795574  0                T              {foo=U*/,=U/}
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo REVOKE GRANT OPTION FOR USAGE ON TYPES FROM foo
+
+# foo should disappear since it's back in the "default state"
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
diff --git a/pkg/sql/parser/sql.y b/pkg/sql/parser/sql.y
index 48a88bce41e0..72a772a7060a 100644
--- a/pkg/sql/parser/sql.y
+++ b/pkg/sql/parser/sql.y
@@ -4274,9 +4274,9 @@ deallocate_stmt:
 //
 // %SeeAlso: REVOKE, WEBDOCS/grant.html
 grant_stmt:
-  GRANT privileges ON targets TO role_spec_list
+  GRANT privileges ON targets TO role_spec_list opt_with_grant_option
   {
-    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList()}
+    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList(), WithGrantOption: $7.bool(),}
   }
 | GRANT privilege_list TO role_spec_list
   {
@@ -4286,11 +4286,11 @@ grant_stmt:
   {
     $$.val = &tree.GrantRole{Roles: $2.nameList(), Members: $4.roleSpecList(), AdminOption: true}
   }
-| GRANT privileges ON TYPE target_types TO role_spec_list
+| GRANT privileges ON TYPE target_types TO role_spec_list opt_with_grant_option
   {
-    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList()}
+    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList(), WithGrantOption: $8.bool(),}
   }
-| GRANT privileges ON SCHEMA schema_name_list TO role_spec_list
+| GRANT privileges ON SCHEMA schema_name_list TO role_spec_list opt_with_grant_option
   {
     $$.val = &tree.Grant{
       Privileges: $2.privilegeList(),
@@ -4298,13 +4298,14 @@ grant_stmt:
         Schemas: $5.objectNamePrefixList(),
       },
       Grantees: $7.roleSpecList(),
+      WithGrantOption: $8.bool(),
     }
   }
 | GRANT privileges ON SCHEMA schema_name_list TO role_spec_list WITH error
   {
     return unimplemented(sqllex, "grant privileges on schema with")
   }
-| GRANT privileges ON ALL TABLES IN SCHEMA schema_name_list TO role_spec_list
+| GRANT privileges ON ALL TABLES IN SCHEMA schema_name_list TO role_spec_list opt_with_grant_option
   {
     $$.val = &tree.Grant{
       Privileges: $2.privilegeList(),
@@ -4313,6 +4314,7 @@ grant_stmt:
         AllTablesInSchema: true,
       },
       Grantees: $10.roleSpecList(),
+      WithGrantOption: $11.bool(),
     }
   }
 | GRANT privileges ON SEQUENCE error
@@ -4343,7 +4345,11 @@ grant_stmt:
 revoke_stmt:
   REVOKE privileges ON targets FROM role_spec_list
   {
-    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList()}
+    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList(), GrantOptionFor: false}
+  }
+| REVOKE GRANT OPTION FOR privileges ON targets FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{Privileges: $5.privilegeList(), Grantees: $9.roleSpecList(), Targets: $7.targetList(), GrantOptionFor: true}
   }
 | REVOKE privilege_list FROM role_spec_list
   {
@@ -4355,7 +4361,11 @@ revoke_stmt:
   }
 | REVOKE privileges ON TYPE target_types FROM role_spec_list
   {
-    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList()}
+    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList(), GrantOptionFor: false}
+  }
+| REVOKE GRANT OPTION FOR privileges ON TYPE target_types FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{Privileges: $5.privilegeList(), Targets: $8.targetList(), Grantees: $10.roleSpecList(), GrantOptionFor: true}
   }
 | REVOKE privileges ON SCHEMA schema_name_list FROM role_spec_list
   {
@@ -4365,6 +4375,18 @@ revoke_stmt:
         Schemas: $5.objectNamePrefixList(),
       },
       Grantees: $7.roleSpecList(),
+      GrantOptionFor: false,
+    }
+  }
+| REVOKE GRANT OPTION FOR privileges ON SCHEMA schema_name_list FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{
+      Privileges: $5.privilegeList(),
+      Targets: tree.TargetList{
+        Schemas: $8.objectNamePrefixList(),
+      },
+      Grantees: $10.roleSpecList(),
+      GrantOptionFor: true,
     }
   }
 | REVOKE privileges ON ALL TABLES IN SCHEMA schema_name_list FROM role_spec_list
@@ -4376,6 +4398,19 @@ revoke_stmt:
         AllTablesInSchema: true,
       },
       Grantees: $10.roleSpecList(),
+      GrantOptionFor: false,
+    }
+  }
+| REVOKE GRANT OPTION FOR privileges ON ALL TABLES IN SCHEMA schema_name_list FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{
+      Privileges: $5.privilegeList(),
+      Targets: tree.TargetList{
+        Schemas: $11.objectNamePrefixList(),
+        AllTablesInSchema: true,
+      },
+      Grantees: $13.roleSpecList(),
+      GrantOptionFor: true,
     }
   }
 | REVOKE privileges ON SEQUENCE error
@@ -4384,6 +4419,7 @@ revoke_stmt:
   }
 | REVOKE error // SHOW HELP: REVOKE
 
+
 // ALL can either be by itself, or with the optional PRIVILEGES keyword (which no-ops)
 privileges:
   ALL opt_privileges_clause
diff --git a/pkg/sql/pg_catalog.go b/pkg/sql/pg_catalog.go
index 888c82925ac9..793ed7f06854 100644
--- a/pkg/sql/pg_catalog.go
+++ b/pkg/sql/pg_catalog.go
@@ -1243,7 +1243,10 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 					privileges := privilege.ListFromBitField(
 						userPrivs.Privileges, privilegeObjectType,
 					)
-					defaclItem := createDefACLItem(user, privileges, privilegeObjectType)
+					grantOptions := privilege.ListFromBitField(
+						userPrivs.WithGrantOption, privilegeObjectType,
+					)
+					defaclItem := createDefACLItem(user, privileges, grantOptions, privilegeObjectType)
 					if err := arr.Append(
 						tree.NewDString(defaclItem)); err != nil {
 						return err
@@ -1260,7 +1263,7 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 						if !catprivilege.GetRoleHasAllPrivilegesOnTargetObject(&defaultPrivilegesForRole, tree.Types) &&
 							catprivilege.GetPublicHasUsageOnTypes(&defaultPrivilegesForRole) {
 							defaclItem := createDefACLItem(
-								"" /* public role */, privilege.List{privilege.USAGE}, privilegeObjectType,
+								"" /* public role */, privilege.List{privilege.USAGE}, privilege.List{}, privilegeObjectType,
 							)
 							if err := arr.Append(tree.NewDString(defaclItem)); err != nil {
 								return err
@@ -1270,7 +1273,7 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 							defaultPrivilegesForRole.GetExplicitRole().RoleHasAllPrivilegesOnTypes {
 							defaclItem := createDefACLItem(
 								defaultPrivilegesForRole.GetExplicitRole().UserProto.Decode().Normalized(),
-								privilege.List{privilege.ALL}, privilegeObjectType,
+								privilege.List{privilege.ALL}, privilege.List{}, privilegeObjectType,
 							)
 							if err := arr.Append(tree.NewDString(defaclItem)); err != nil {
 								return err
@@ -1313,11 +1316,15 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 }
 
 func createDefACLItem(
-	user string, privileges privilege.List, privilegeObjectType privilege.ObjectType,
+	user string,
+	privileges privilege.List,
+	grantOptions privilege.List,
+	privilegeObjectType privilege.ObjectType,
 ) string {
 	return fmt.Sprintf(`%s=%s/%s`,
 		user,
 		privileges.ListToACL(
+			grantOptions,
 			privilegeObjectType,
 		),
 		// TODO(richardjcai): CockroachDB currently does not track grantors
diff --git a/pkg/sql/privilege/privilege.go b/pkg/sql/privilege/privilege.go
index 0621733af0c5..3a2e76977e44 100644
--- a/pkg/sql/privilege/privilege.go
+++ b/pkg/sql/privilege/privilege.go
@@ -256,35 +256,46 @@ func GetValidPrivilegesForObject(objectType ObjectType) List {
 	}
 }
 
+// privToACL is a map of privilege -> ACL character
+var privToACL = map[Kind]string{
+	CREATE:  "C",
+	SELECT:  "r",
+	INSERT:  "a",
+	DELETE:  "d",
+	UPDATE:  "w",
+	USAGE:   "U",
+	CONNECT: "c",
+}
+
+// orderedPrivs is the list of privileges sorted in alphanumeric order based on the ACL character -> CUacdrw
+var orderedPrivs = List{CREATE, USAGE, INSERT, CONNECT, DELETE, SELECT, UPDATE}
+
 // ListToACL converts a list of privileges to a list of Postgres
 // ACL items.
 // See: https://www.postgresql.org/docs/13/ddl-priv.html#PRIVILEGE-ABBREVS-TABLE
 //     for privileges and their ACL abbreviations.
-func (pl List) ListToACL(objectType ObjectType) string {
+func (pl List) ListToACL(grantOptions List, objectType ObjectType) string {
 	privileges := pl
 	// If ALL is present, explode ALL into the underlying privileges.
 	if pl.Contains(ALL) {
 		privileges = GetValidPrivilegesForObject(objectType)
+		if grantOptions.Contains(ALL) {
+			grantOptions = GetValidPrivilegesForObject(objectType)
+		}
 	}
 	chars := make([]string, len(privileges))
-	for _, privilege := range privileges {
-		switch privilege {
-		case CREATE:
-			chars = append(chars, "C")
-		case SELECT:
-			chars = append(chars, "r")
-		case INSERT:
-			chars = append(chars, "a")
-		case DELETE:
-			chars = append(chars, "d")
-		case UPDATE:
-			chars = append(chars, "w")
-		case USAGE:
-			chars = append(chars, "U")
-		case CONNECT:
-			chars = append(chars, "c")
+	for _, privilege := range orderedPrivs {
+		if _, ok := privToACL[privilege]; !ok {
+			continue
+		}
+		if privileges.Contains(privilege) {
+			chars = append(chars, privToACL[privilege])
+		}
+		if grantOptions.Contains(privilege) {
+			chars = append(chars, "*")
 		}
 	}
-	sort.Strings(chars)
+
 	return strings.Join(chars, "")
+
 }
diff --git a/pkg/sql/sem/tree/grant.go b/pkg/sql/sem/tree/grant.go
index 88ef29dc4367..085629e9883a 100644
--- a/pkg/sql/sem/tree/grant.go
+++ b/pkg/sql/sem/tree/grant.go
@@ -28,9 +28,10 @@ import (
 
 // Grant represents a GRANT statement.
 type Grant struct {
-	Privileges privilege.List
-	Targets    TargetList
-	Grantees   RoleSpecList
+	Privileges      privilege.List
+	Targets         TargetList
+	Grantees        RoleSpecList
+	WithGrantOption bool
 }
 
 // TargetList represents a list of targets.
diff --git a/pkg/sql/sem/tree/revoke.go b/pkg/sql/sem/tree/revoke.go
index bac0a86dd1c5..69bf49983216 100644
--- a/pkg/sql/sem/tree/revoke.go
+++ b/pkg/sql/sem/tree/revoke.go
@@ -24,9 +24,10 @@ import "github.com/cockroachdb/cockroach/pkg/sql/privilege"
 // Revoke represents a REVOKE statement.
 // PrivilegeList and TargetList are defined in grant.go
 type Revoke struct {
-	Privileges privilege.List
-	Targets    TargetList
-	Grantees   RoleSpecList
+	Privileges     privilege.List
+	Targets        TargetList
+	Grantees       RoleSpecList
+	GrantOptionFor bool
 }
 
 // Format implements the NodeFormatter interface.