ccl: drop privileges when dropping external connection

Release justification: Bug fix to newly added feature

Release note: None

pkg/ccl/cloudccl/externalconn/testdata/privileges_external_connection

@@ -61,6 +61,14 @@ exec-sql
 GRANT DROP ON EXTERNAL CONNECTION "drop-privileged" TO testuser;
 ----
 
+# Verify that the privileges exist.
+query-sql
+SELECT * FROM system.privileges
+----
+root /externalconn/drop-privileged {ALL} {}
+root /externalconn/drop-privileged-dup {ALL} {}
+testuser /externalconn/drop-privileged {DROP} {}
+
 exec-sql user=testuser
 DROP EXTERNAL CONNECTION "drop-privileged"
 ----
@@ -79,6 +87,11 @@ exec-sql
 DROP EXTERNAL CONNECTION 'drop-privileged-dup'
 ----
 
+# Verify that the privileges are dropped.
+query-sql
+SELECT * FROM system.privileges
+----
+
 subtest end
 
 subtest create-grants-all
@@ -116,6 +129,14 @@ exec-sql user=testuser
 CREATE EXTERNAL CONNECTION 'not-root' AS 'userfile:///bar'
 ----
 
+# Verify that the privileges exist.
+query-sql
+SELECT * FROM system.privileges
+----
+root /externalconn/root {ALL} {}
+testuser /externalconn/not-root {ALL} {}
+testuser /global/ {EXTERNALCONNECTION} {}
+
 exec-sql user=testuser
 BACKUP TABLE foo INTO 'external://not-root'
 ----

pkg/sql/drop_external_connection.go

@@ -98,6 +98,18 @@ func (p *planner) dropExternalConnection(params runParams, n *tree.DropExternalC
 		return errors.Wrapf(err, "failed to delete external connection")
 	}
 
+	// We must also DELETE all rows from system.privileges that refer to
+	// external connection.
+	if _, err = params.extendedEvalCtx.ExecCfg.InternalExecutor.ExecEx(
+		params.ctx,
+		dropExternalConnectionOp,
+		params.p.Txn(),
+		sessiondata.InternalExecutorOverride{User: username.NodeUserName()},
+		`DELETE FROM system.privileges WHERE path = $1`, ecPrivilege.GetPath(),
+	); err != nil {
+		return errors.Wrapf(err, "failed to delete external connection")
+	}
+
 	return nil
 }