diff --git a/pkg/sql/BUILD.bazel b/pkg/sql/BUILD.bazel index a94383d57414..8c0ce78cb2cd 100644 --- a/pkg/sql/BUILD.bazel +++ b/pkg/sql/BUILD.bazel @@ -467,6 +467,7 @@ go_test( "alter_column_type_test.go", "ambiguous_commit_test.go", "as_of_test.go", + "authorization_test.go", "backfill_num_ranges_in_span_test.go", "backfill_test.go", "builtin_mem_usage_test.go", diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go index cee62f3d1d75..bc21b61a059c 100644 --- a/pkg/sql/authorization.go +++ b/pkg/sql/authorization.go @@ -279,6 +279,12 @@ func (p *planner) CheckAnyPrivilege(ctx context.Context, descriptor catalog.Desc } user := p.SessionData().User() + + if user.IsNodeUser() { + // User "node" has all privileges. + return nil + } + privs := descriptor.GetPrivileges() // Check if 'user' itself has privileges. diff --git a/pkg/sql/authorization_test.go b/pkg/sql/authorization_test.go new file mode 100644 index 000000000000..ce8c4351d758 --- /dev/null +++ b/pkg/sql/authorization_test.go @@ -0,0 +1,82 @@ +// Copyright 2022 The Cockroach Authors. +// +// Use of this software is governed by the Business Source License +// included in the file licenses/BSL.txt. +// +// As of the Change Date specified in that file, in accordance with +// the Business Source License, use of this software will be governed +// by the Apache License, Version 2.0, included in the file +// licenses/APL.txt. + +package sql_test + +import ( + "context" + "testing" + + "github.com/cockroachdb/cockroach/pkg/base" + "github.com/cockroachdb/cockroach/pkg/security" + "github.com/cockroachdb/cockroach/pkg/server" + "github.com/cockroachdb/cockroach/pkg/sql/sessiondata" + "github.com/cockroachdb/cockroach/pkg/sql/sqlutil" + "github.com/cockroachdb/cockroach/pkg/testutils/serverutils" + "github.com/cockroachdb/cockroach/pkg/util/leaktest" + "github.com/cockroachdb/cockroach/pkg/util/log" + "github.com/stretchr/testify/require" +) + +func TestCheckAnyPrivilegeForNodeUser(t *testing.T) { + defer leaktest.AfterTest(t)() + defer log.Scope(t).Close(t) + + ctx := context.Background() + s, _, kv := serverutils.StartServer(t, base.TestServerArgs{}) + + defer s.Stopper().Stop(ctx) + + ts := s.(*server.TestServer) + + require.NotNil(t, ts.InternalExecutor()) + + ie := ts.InternalExecutor().(sqlutil.InternalExecutor) + + txn := kv.NewTxn(ctx, "get-all-databases") + row, err := ie.QueryRowEx( + ctx, "get-all-databases", txn, sessiondata.NodeUserSessionDataOverride, + "SELECT count(1) FROM crdb_internal.databases", + ) + require.NoError(t, err) + // 3 databases (system, defaultdb, postgres). + require.Equal(t, row.String(), "(3)") + + _, err = ie.ExecEx(ctx, "create-database1", txn, sessiondata.InternalExecutorOverride{User: security.RootUserName()}, + "CREATE DATABASE test1") + require.NoError(t, err) + + _, err = ie.ExecEx(ctx, "create-database2", txn, sessiondata.InternalExecutorOverride{User: security.RootUserName()}, + "CREATE DATABASE test2") + require.NoError(t, err) + + // Revoke CONNECT on all non-system databases and ensure that when querying + // with node, we can still see all the databases. + _, err = ie.ExecEx(ctx, "revoke-privileges", txn, sessiondata.InternalExecutorOverride{User: security.RootUserName()}, + "REVOKE CONNECT ON DATABASE test1 FROM public") + require.NoError(t, err) + _, err = ie.ExecEx(ctx, "revoke-privileges", txn, sessiondata.InternalExecutorOverride{User: security.RootUserName()}, + "REVOKE CONNECT ON DATABASE test2 FROM public") + require.NoError(t, err) + _, err = ie.ExecEx(ctx, "revoke-privileges", txn, sessiondata.InternalExecutorOverride{User: security.RootUserName()}, + "REVOKE CONNECT ON DATABASE defaultdb FROM public") + require.NoError(t, err) + _, err = ie.ExecEx(ctx, "revoke-privileges", txn, sessiondata.InternalExecutorOverride{User: security.RootUserName()}, + "REVOKE CONNECT ON DATABASE postgres FROM public") + require.NoError(t, err) + + row, err = ie.QueryRowEx( + ctx, "get-all-databases", txn, sessiondata.NodeUserSessionDataOverride, + "SELECT count(1) FROM crdb_internal.databases", + ) + require.NoError(t, err) + // 3 databases (system, defaultdb, postgres, test1, test2). + require.Equal(t, row.String(), "(5)") +}