From e5849abf8d972cf256b22ebdb8c529ea951631c2 Mon Sep 17 00:00:00 2001
From: Rafi Shamim
Date: Mon, 24 Apr 2023 13:48:59 -0400
Subject: [PATCH] crdb_internal: finer-grained priv for viewing {cluster,node}_transactions
Previously, only admins could view these tables. Now, we use a finer-grained permission. Both VIEWACTIVITY and VIEWACTIVITYREDACTED allow access. No release note since this is a crdb_internal table.
Release note: None
---
pkg/sql/crdb_internal.go | 12 ++++-
.../testdata/logic_test/crdb_internal | 53 +++++++++++++++++++
2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go
index 7694b058320d..0e1cc07e52e4 100644
--- a/pkg/sql/crdb_internal.go
+++ b/pkg/sql/crdb_internal.go
@@ -2169,9 +2169,13 @@ var crdbInternalLocalTxnsTable = virtualSchemaTable{
 comment: "running user transactions visible by the current user (RAM; local node only)",
 schema: fmt.Sprintf(txnsSchemaPattern, "node_transactions"),
 populate: func(ctx context.Context, p *planner, _ catalog.DatabaseDescriptor, addRow func(...tree.Datum) error) error {
- if err := p.RequireAdminRole(ctx, "read crdb_internal.node_transactions"); err != nil {
+ hasViewActivityOrhasViewActivityRedacted, err := p.HasViewActivityOrViewActivityRedactedRole(ctx)
+ if err != nil {
 return err
 }
+ if !hasViewActivityOrhasViewActivityRedacted {
+ return noViewActivityOrViewActivityRedactedRoleError(p.User())
+ }
 req, err := p.makeSessionsRequest(ctx, true /* excludeClosed */)
 if err != nil {
 return err
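Review bot: The new gate admits VIEWACTIVITYREDACTED holders on exactly the same terms as VIEWACTIVITY, yet nothing in this hunk redacts anything for them; populate continues past the hunk, so I cannot tell whether the rest of the function does. The column list in the logic-test hunk includes `txn_string` and `last_auto_retry_reason`; if `txn_string` is the transaction proto's String() output, it carries the txn's anchor key, which embeds primary-key values of user rows — the kind of data VIEWACTIVITYREDACTED exists to hide. Suggest either keeping the separate VIEWACTIVITY result (e.g. `hasViewActivity, err := p.HasViewActivity(ctx)`) and blanking those two columns for redacted-only users further down, or stating on the table comment that these columns are not redacted. Also worth confirming that `makeSessionsRequest` (outside the hunk) still scopes a non-admin to their own sessions based on the same privileges, since the admin pre-check it may have been relying on is gone.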
@@ -2188,9 +2192,13 @@ var crdbInternalClusterTxnsTable = virtualSchemaTable{
 comment: "running user transactions visible by the current user (cluster RPC; expensive!)",
 schema: fmt.Sprintf(txnsSchemaPattern, "cluster_transactions"),
 populate: func(ctx context.Context, p *planner, _ catalog.DatabaseDescriptor, addRow func(...tree.Datum) error) error {
- if err := p.RequireAdminRole(ctx, "read crdb_internal.cluster_transactions"); err != nil {
+ hasViewActivityOrhasViewActivityRedacted, err := p.HasViewActivityOrViewActivityRedactedRole(ctx)
+ if err != nil {
 return err
 }
+ if !hasViewActivityOrhasViewActivityRedacted {
+ return noViewActivityOrViewActivityRedactedRoleError(p.User())
+ }
 req, err := p.makeSessionsRequest(ctx, true /* excludeClosed */)
 if err != nil {
 return err
diff --git a/pkg/sql/logictest/testdata/logic_test/crdb_internal b/pkg/sql/logictest/testdata/logic_test/crdb_internal
index 6706dd4dbb77..0edaf26c14fd 100644
--- a/pkg/sql/logictest/testdata/logic_test/crdb_internal
+++ b/pkg/sql/logictest/testdata/logic_test/crdb_internal
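Review bot: The six added lines are a verbatim copy of the guard added to node_transactions in the previous hunk, so the two tables can silently drift the next time one of them is tightened; a planner helper would reduce each populate to `if err := p.requireViewActivityOrViewActivityRedacted(ctx); err != nil { return err }`. The local `hasViewActivityOrhasViewActivityRedacted` also has a stray lowercase `has` in the middle — if the file already spells it that way elsewhere, keep it for consistency, otherwise `hasViewActivityOrViewActivityRedacted` reads better. Note too that the removed `RequireAdminRole` call passed the operation name "read crdb_internal.cluster_transactions" into its error, while the new error names only the user and privileges; the logic test matches that message, but the refused table no longer appears in audit output. populate's body continues outside the hunk.
```go
// requireViewActivityOrViewActivityRedacted returns an error unless the
// current user holds VIEWACTIVITY or VIEWACTIVITYREDACTED.
func (p *planner) requireViewActivityOrViewActivityRedacted(ctx context.Context) error {
	ok, err := p.HasViewActivityOrViewActivityRedactedRole(ctx)
	if err != nil {
		return err
	}
	if !ok {
		return noViewActivityOrViewActivityRedactedRoleError(p.User())
	}
	return nil
}

// … in populate, replacing the six added lines …
if err := p.requireViewActivityOrViewActivityRedacted(ctx); err != nil {
	return err
}
// … unchanged: makeSessionsRequest and the rest of populate …
```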
@@ -384,6 +384,59 @@ SELECT * FROM crdb_internal.cluster_transactions WHERE node_id < 0 ---- id node_id session_id start txn_string application_name num_stmts num_retries num_auto_retries last_auto_retry_reason +# Accessing the tables should error for a user without a privilege. +user testuser + +statement error user testuser does not have VIEWACTIVITY or VIEWACTIVITYREDACTED privilege +SELECT * FROM crdb_internal.node_transactions WHERE node_id < 0 + +statement error user testuser does not have VIEWACTIVITY or VIEWACTIVITYREDACTED privilege +SELECT * FROM crdb_internal.cluster_transactions WHERE node_id < 0 + +user root + +statement ok +GRANT SYSTEM VIEWACTIVITY TO testuser + +# Now testuser can query transactions since it has the VIEWACTIVITY privilege. +user testuser + +query TITTTTIIIT colnames +SELECT * FROM crdb_internal.node_transactions WHERE node_id < 0 +---- +id node_id session_id start txn_string application_name num_stmts num_retries num_auto_retries last_auto_retry_reason + +query TITTTTIIIT colnames +SELECT * FROM crdb_internal.cluster_transactions WHERE node_id < 0 +---- +id node_id session_id start txn_string application_name num_stmts num_retries num_auto_retries last_auto_retry_reason + +user root + +statement ok +REVOKE SYSTEM VIEWACTIVITY FROM testuser + +statement ok +GRANT SYSTEM VIEWACTIVITYREDACTED TO testuser + +# testuser can query transactions since it has the VIEWACTIVITYREDACTED privilege. 
+user testuser + +query TITTTTIIIT colnames +SELECT * FROM crdb_internal.node_transactions WHERE node_id < 0 +---- +id node_id session_id start txn_string application_name num_stmts num_retries num_auto_retries last_auto_retry_reason + +query TITTTTIIIT colnames +SELECT * FROM crdb_internal.cluster_transactions WHERE node_id < 0 +---- +id node_id session_id start txn_string application_name num_stmts num_retries num_auto_retries last_auto_retry_reason + +user root + +statement ok +REVOKE SYSTEM VIEWACTIVITYREDACTED FROM testuser + query ITTTTTTTTTTTTTT colnames SELECT * FROM crdb_internal.node_sessions WHERE node_id < 0 ----
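Review bot: Every positive case added here filters on `WHERE node_id < 0`, so each query returns zero rows and the test exercises only the privilege gate and the column header; nothing shows what a VIEWACTIVITYREDACTED-only user actually sees in `txn_string` or `last_auto_retry_reason` for a live transaction, so the redacted path is accepted on access alone. Consider one case that leaves a transaction open under a second user and, as testuser holding only VIEWACTIVITYREDACTED, selects that row and asserts whatever redaction the populate function applies (or, if none is applied, a comment here saying so, e.g. `# NOTE: VIEWACTIVITYREDACTED currently grants the same unredacted columns as VIEWACTIVITY.`). The negative cases are fine as written; the REVOKE at the end restores testuser to the privilege-less state the following node_sessions queries presumably assume.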