upgrades: delete V22_2SystemPrivilegesTable upgrade and version gates

This patch deletes the `V22_2SystemPrivilegesTable` upgrade since its associated unit test starts to fail when the bootstrap schema for the `system.privileges` table is updated. This is safe to do since the release engineering team has previously stated they will bump `binaryMinSupportedVersion` before cutting the branch for 23.1. Release note: None
cockroachdb · Dec 14, 2022 · d8b9040 · d8b9040
1 parent a30fb14
commit d8b9040
Show file tree

Hide file tree

Showing 22 changed files with 88 additions and 319 deletions.
diff --git a/pkg/ccl/backupccl/backup_planning.go b/pkg/ccl/backupccl/backup_planning.go
@@ -24,7 +24,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/ccl/utilccl"
 	"github.com/cockroachdb/cockroach/pkg/cloud"
 	"github.com/cockroachdb/cockroach/pkg/cloud/cloudprivilege"
-	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/featureflag"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
@@ -388,19 +387,16 @@ func checkPrivilegesForBackup(
 		requiresBackupSystemPrivilege := backupStmt.Coverage() == tree.AllDescriptors ||
 			(backupStmt.Targets != nil && backupStmt.Targets.TenantID.IsSet())
 
-		var hasBackupSystemPrivilege bool
-		if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			err := p.CheckPrivilegeForUser(ctx, syntheticprivilege.GlobalPrivilegeObject,
-				privilege.BACKUP, p.User())
-			hasBackupSystemPrivilege = err == nil
-		}
-
-		if requiresBackupSystemPrivilege && hasBackupSystemPrivilege {
+		if requiresBackupSystemPrivilege {
+			if p.CheckPrivilegeForUser(
+				ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.BACKUP, p.User(),
+			) != nil {
+				return pgerror.Wrapf(
+					err,
+					pgcode.InsufficientPrivilege,
+					"only users with the admin role or the BACKUP system privilege are allowed to perform full cluster backups")
+			}
 			return cloudprivilege.CheckDestinationPrivileges(ctx, p, to)
-		} else if requiresBackupSystemPrivilege && !hasBackupSystemPrivilege {
-			return pgerror.Newf(
-				pgcode.InsufficientPrivilege,
-				"only users with the admin role or the BACKUP system privilege are allowed to perform full cluster backups")
 		}
 	}
 

diff --git a/pkg/ccl/backupccl/restore_planning.go b/pkg/ccl/backupccl/restore_planning.go
@@ -1229,38 +1229,28 @@ func checkPrivilegesForRestore(
 		requiresRestoreSystemPrivilege := restoreStmt.DescriptorCoverage == tree.AllDescriptors ||
 			restoreStmt.Targets.TenantID.IsSet()
 
-		var hasRestoreSystemPrivilege bool
-		if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			err := p.CheckPrivilegeForUser(ctx, syntheticprivilege.GlobalPrivilegeObject,
-				privilege.RESTORE, p.User())
-			hasRestoreSystemPrivilege = err == nil
-		}
-
-		if requiresRestoreSystemPrivilege && hasRestoreSystemPrivilege {
+		if requiresRestoreSystemPrivilege {
+			if err := p.CheckPrivilegeForUser(
+				ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.RESTORE, p.User(),
+			); err != nil {
+				return pgerror.Wrapf(
+					err,
+					pgcode.InsufficientPrivilege,
+					"only users with the admin role or the RESTORE system privilege are allowed to perform"+
+						" a cluster restore")
+			}
 			return checkRestoreDestinationPrivileges(ctx, p, from)
-		} else if requiresRestoreSystemPrivilege && !hasRestoreSystemPrivilege {
-			return pgerror.Newf(pgcode.InsufficientPrivilege,
-				"only users with the admin role or the RESTORE system privilege are allowed to perform"+
-					" a cluster restore")
 		}
 	}
 
-	var hasRestoreSystemPrivilege bool
 	// If running a database restore, check that the user has the `RESTORE` system
 	// privilege.
 	//
 	// TODO(adityamaru): In 23.1 a missing `RESTORE` privilege should return an
 	// error. In 22.2 we continue to check for old style privileges and role
 	// options.
-	if len(restoreStmt.Targets.Databases) > 0 {
-		if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			err := p.CheckPrivilegeForUser(ctx, syntheticprivilege.GlobalPrivilegeObject,
-				privilege.RESTORE, p.User())
-			hasRestoreSystemPrivilege = err == nil
-		}
-	}
-
-	if hasRestoreSystemPrivilege {
+	if len(restoreStmt.Targets.Databases) > 0 &&
+		p.CheckPrivilegeForUser(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.RESTORE, p.User()) == nil {
 		return checkRestoreDestinationPrivileges(ctx, p, from)
 	}
 

diff --git a/pkg/server/admin.go b/pkg/server/admin.go
@@ -24,7 +24,6 @@ import (
 
 	apd "github.com/cockroachdb/apd/v3"
 	"github.com/cockroachdb/cockroach/pkg/base"
-	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
@@ -1989,12 +1988,8 @@ func (s *adminServer) Settings(
 		// Non-root access cannot see the values in any case.
 		lookupPurpose = settings.LookupForReporting
 
-		hasView := false
-		hasModify := false
-		if s.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			hasView = s.checkHasGlobalPrivilege(ctx, user, privilege.VIEWCLUSTERSETTING)
-			hasModify = s.checkHasGlobalPrivilege(ctx, user, privilege.MODIFYCLUSTERSETTING)
-		}
+		hasView := s.checkHasGlobalPrivilege(ctx, user, privilege.VIEWCLUSTERSETTING)
+		hasModify := s.checkHasGlobalPrivilege(ctx, user, privilege.MODIFYCLUSTERSETTING)
 		if !hasModify && !hasView {
 			hasView, err := s.hasRoleOption(ctx, user, roleoption.VIEWCLUSTERSETTING)
 			if err != nil {
@@ -3679,10 +3674,7 @@ func (c *adminPrivilegeChecker) requireViewActivityPermission(ctx context.Contex
 		return serverError(ctx, err)
 	}
 	if !isAdmin {
-		hasView := false
-		if c.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			hasView = c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITY)
-		}
+		hasView := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITY)
 		if !hasView {
 			hasView, err := c.hasRoleOption(ctx, userName, roleoption.VIEWACTIVITY)
 			if err != nil {
@@ -3707,12 +3699,8 @@ func (c *adminPrivilegeChecker) requireViewActivityOrViewActivityRedactedPermiss
 		return serverError(ctx, err)
 	}
 	if !isAdmin {
-		hasView := false
-		hasViewRedacted := false
-		if c.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			hasView = c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITY)
-			hasViewRedacted = c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITYREDACTED)
-		}
+		hasView := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITY)
+		hasViewRedacted := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITYREDACTED)
 		if !hasView && !hasViewRedacted {
 			hasView, err := c.hasRoleOption(ctx, userName, roleoption.VIEWACTIVITY)
 			if err != nil {
@@ -3744,10 +3732,7 @@ func (c *adminPrivilegeChecker) requireViewActivityAndNoViewActivityRedactedPerm
 	}
 
 	if !isAdmin {
-		hasViewRedacted := false
-		if c.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			hasViewRedacted = c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITYREDACTED)
-		}
+		hasViewRedacted := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWACTIVITYREDACTED)
 		if !hasViewRedacted {
 			hasViewRedacted, err := c.hasRoleOption(ctx, userName, roleoption.VIEWACTIVITYREDACTED)
 			if err != nil {
@@ -3778,14 +3763,10 @@ func (c *adminPrivilegeChecker) requireViewClusterMetadataPermission(
 		return serverError(ctx, err)
 	}
 	if !isAdmin {
-		if c.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			if hasViewClusterMetadata := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWCLUSTERMETADATA); !hasViewClusterMetadata {
-				return grpcstatus.Errorf(
-					codes.PermissionDenied, "this operation requires the %s system privilege",
-					privilege.VIEWCLUSTERMETADATA)
-			}
-		} else {
-			return grpcstatus.Error(codes.PermissionDenied, "this operation requires admin privilege")
+		if hasViewClusterMetadata := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWCLUSTERMETADATA); !hasViewClusterMetadata {
+			return grpcstatus.Errorf(
+				codes.PermissionDenied, "this operation requires the %s system privilege",
+				privilege.VIEWCLUSTERMETADATA)
 		}
 	}
 	return nil
@@ -3799,14 +3780,10 @@ func (c *adminPrivilegeChecker) requireViewDebugPermission(ctx context.Context)
 		return serverError(ctx, err)
 	}
 	if !isAdmin {
-		if c.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			if hasViewDebug := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWDEBUG); !hasViewDebug {
-				return grpcstatus.Errorf(
-					codes.PermissionDenied, "this operation requires the %s system privilege",
-					privilege.VIEWDEBUG)
-			}
-		} else {
-			return grpcstatus.Error(codes.PermissionDenied, "this operation requires admin privilege")
+		if hasViewDebug := c.checkHasGlobalPrivilege(ctx, userName, privilege.VIEWDEBUG); !hasViewDebug {
+			return grpcstatus.Errorf(
+				codes.PermissionDenied, "this operation requires the %s system privilege",
+				privilege.VIEWDEBUG)
 		}
 	}
 	return nil

diff --git a/pkg/server/admin_test.go b/pkg/server/admin_test.go
@@ -28,7 +28,6 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/base"
-	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
@@ -2779,6 +2778,17 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	sqlDB.Exec(t, "ALTER ROLE withvaandredacted WITH VIEWACTIVITY")
 	sqlDB.Exec(t, "ALTER ROLE withvaandredacted WITH VIEWACTIVITYREDACTED")
 	sqlDB.Exec(t, "CREATE USER withoutprivs")
+	sqlDB.Exec(t, "CREATE USER withvaglobalprivilege")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvaglobalprivilege")
+	sqlDB.Exec(t, "CREATE USER withvaredactedglobalprivilege")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaredactedglobalprivilege")
+	sqlDB.Exec(t, "CREATE USER withvaandredactedglobalprivilege")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvaandredactedglobalprivilege")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaandredactedglobalprivilege")
+	sqlDB.Exec(t, "CREATE USER withviewclustermetadata")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWCLUSTERMETADATA TO withviewclustermetadata")
+	sqlDB.Exec(t, "CREATE USER withviewdebug")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWDEBUG TO withviewdebug")
 
 	execCfg := s.ExecutorConfig().(sql.ExecutorConfig)
 
@@ -2812,6 +2822,11 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	require.NoError(t, err)
 	withoutPrivs, err := username.MakeSQLUsernameFromPreNormalizedStringChecked("withoutprivs")
 	require.NoError(t, err)
+	withVaGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaglobalprivilege")
+	withVaRedactedGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaredactedglobalprivilege")
+	withVaAndRedactedGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaandredactedglobalprivilege")
+	withviewclustermetadata := username.MakeSQLUsernameFromPreNormalizedString("withviewclustermetadata")
+	withViewDebug := username.MakeSQLUsernameFromPreNormalizedString("withviewdebug")
 
 	tests := []struct {
 		name            string
@@ -2823,70 +2838,41 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 			underTest.requireViewActivityPermission,
 			map[username.SQLUsername]bool{
 				withAdmin: false, withVa: false, withVaRedacted: true, withVaAndRedacted: false, withoutPrivs: true,
+				withVaGlobalPrivilege: false, withVaRedactedGlobalPrivilege: true, withVaAndRedactedGlobalPrivilege: false,
 			},
 		},
 		{
 			"requireViewActivityOrViewActivityRedactedPermission",
 			underTest.requireViewActivityOrViewActivityRedactedPermission,
 			map[username.SQLUsername]bool{
 				withAdmin: false, withVa: false, withVaRedacted: false, withVaAndRedacted: false, withoutPrivs: true,
+				withVaGlobalPrivilege: false, withVaRedactedGlobalPrivilege: false, withVaAndRedactedGlobalPrivilege: false,
 			},
 		},
 		{
 			"requireViewActivityAndNoViewActivityRedactedPermission",
 			underTest.requireViewActivityAndNoViewActivityRedactedPermission,
 			map[username.SQLUsername]bool{
 				withAdmin: false, withVa: false, withVaRedacted: true, withVaAndRedacted: true, withoutPrivs: true,
+				withVaGlobalPrivilege: false, withVaRedactedGlobalPrivilege: true, withVaAndRedactedGlobalPrivilege: true,
 			},
 		},
 		{
 			"requireViewClusterMetadataPermission",
 			underTest.requireViewClusterMetadataPermission,
 			map[username.SQLUsername]bool{
-				withAdmin: false, withoutPrivs: true,
+				withAdmin: false, withoutPrivs: true, withviewclustermetadata: false,
 			},
 		},
 		{
 			"requireViewDebugPermission",
 			underTest.requireViewDebugPermission,
 			map[username.SQLUsername]bool{
-				withAdmin: false, withoutPrivs: true,
+				withAdmin: false, withoutPrivs: true, withViewDebug: false,
 			},
 		},
 	}
-	// test system privileges if valid version
-	if s.ClusterSettings().Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-		sqlDB.Exec(t, "CREATE USER withvaglobalprivilege")
-		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvaglobalprivilege")
-		sqlDB.Exec(t, "CREATE USER withvaredactedglobalprivilege")
-		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaredactedglobalprivilege")
-		sqlDB.Exec(t, "CREATE USER withvaandredactedglobalprivilege")
-		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvaandredactedglobalprivilege")
-		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaandredactedglobalprivilege")
-		sqlDB.Exec(t, "CREATE USER withviewclustermetadata")
-		sqlDB.Exec(t, "GRANT SYSTEM VIEWCLUSTERMETADATA TO withviewclustermetadata")
-		sqlDB.Exec(t, "CREATE USER withviewdebug")
-		sqlDB.Exec(t, "GRANT SYSTEM VIEWDEBUG TO withviewdebug")
-
-		withVaGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaglobalprivilege")
-		withVaRedactedGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaredactedglobalprivilege")
-		withVaAndRedactedGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaandredactedglobalprivilege")
-		withviewclustermetadata := username.MakeSQLUsernameFromPreNormalizedString("withviewclustermetadata")
-		withViewDebug := username.MakeSQLUsernameFromPreNormalizedString("withviewdebug")
-
-		tests[0].usernameWantErr[withVaGlobalPrivilege] = false
-		tests[1].usernameWantErr[withVaGlobalPrivilege] = false
-		tests[2].usernameWantErr[withVaGlobalPrivilege] = false
-		tests[0].usernameWantErr[withVaRedactedGlobalPrivilege] = true
-		tests[1].usernameWantErr[withVaRedactedGlobalPrivilege] = false
-		tests[2].usernameWantErr[withVaRedactedGlobalPrivilege] = true
-		tests[0].usernameWantErr[withVaAndRedactedGlobalPrivilege] = false
-		tests[1].usernameWantErr[withVaAndRedactedGlobalPrivilege] = false
-		tests[2].usernameWantErr[withVaAndRedactedGlobalPrivilege] = true
-		tests[3].usernameWantErr[withviewclustermetadata] = false
-		tests[4].usernameWantErr[withViewDebug] = false
 
-	}
 	for _, tt := range tests {
 		for userName, wantErr := range tt.usernameWantErr {
 			t.Run(fmt.Sprintf("%s-%s", tt.name, userName), func(t *testing.T) {

diff --git a/pkg/server/status.go b/pkg/server/status.go
@@ -32,7 +32,6 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/build"
-	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/gossip"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
@@ -339,10 +338,7 @@ func (b *baseStatusServer) checkCancelPrivilege(
 		if sessionUser != reqUser {
 			// Must have CANCELQUERY privilege to cancel other users'
 			// sessions/queries.
-			hasCancelQuery := false
-			if b.privilegeChecker.st.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-				hasCancelQuery = b.privilegeChecker.checkHasGlobalPrivilege(ctx, reqUser, privilege.CANCELQUERY)
-			}
+			hasCancelQuery := b.privilegeChecker.checkHasGlobalPrivilege(ctx, reqUser, privilege.CANCELQUERY)
 			if !hasCancelQuery {
 				ok, err := b.privilegeChecker.hasRoleOption(ctx, reqUser, roleoption.CANCELQUERY)
 				if err != nil {

diff --git a/pkg/sql/alter_table.go b/pkg/sql/alter_table.go
@@ -863,10 +863,7 @@ func (p *planner) setAuditMode(
 	}
 	if !hasAdmin {
 		// Check for system privilege first, otherwise fall back to role options.
-		hasModify := false
-		if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			hasModify = p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING) == nil
-		}
+		hasModify := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING) == nil
 		if !hasModify {
 			hasModify, err = p.HasRoleOption(ctx, roleoption.MODIFYCLUSTERSETTING)
 			if err != nil {

diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go
@@ -14,7 +14,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/keys"
 	"github.com/cockroachdb/cockroach/pkg/kv"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
@@ -894,12 +893,8 @@ func (p *planner) HasViewActivityOrViewActivityRedactedRole(ctx context.Context)
 		return hasAdmin, err
 	}
 	if !hasAdmin {
-		hasView := false
-		hasViewRedacted := false
-		if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-			hasView = p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWACTIVITY) == nil
-			hasViewRedacted = p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWACTIVITYREDACTED) == nil
-		}
+		hasView := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWACTIVITY) == nil
+		hasViewRedacted := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWACTIVITYREDACTED) == nil
 		if !hasView && !hasViewRedacted {
 			hasView, err := p.HasRoleOption(ctx, roleoption.VIEWACTIVITY)
 			if err != nil {

diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go
@@ -24,7 +24,6 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/build"
-	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/gossip"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
@@ -1687,12 +1686,8 @@ CREATE TABLE crdb_internal.cluster_settings (
 			return err
 		}
 		if !hasAdmin {
-			hasModify := false
-			hasView := false
-			if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.V22_2SystemPrivilegesTable) {
-				hasModify = p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING) == nil
-				hasView = p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWCLUSTERSETTING) == nil
-			}
+			hasModify := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING) == nil
+			hasView := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWCLUSTERSETTING) == nil
 
 			if !hasModify && !hasView {
 				hasModify, err := p.HasRoleOption(ctx, roleoption.MODIFYCLUSTERSETTING)

diff --git a/pkg/sql/delegate/BUILD.bazel b/pkg/sql/delegate/BUILD.bazel
@@ -40,7 +40,6 @@ go_library(
     importpath = "github.com/cockroachdb/cockroach/pkg/sql/delegate",
     visibility = ["//visibility:public"],
     deps = [
-        "//pkg/clusterversion",
         "//pkg/jobs",
         "//pkg/jobs/jobspb",
         "//pkg/security/username",