sql: with grant option/grant option for

Release note (sql change): If the WITH GRANT OPTION flag is present when granting privileges to a user, then that user is able to grant those same privileges to subsequent users; otherwise, they cannot. If the GRANT OPTION FOR flag is present when revoking privileges from a user, then only the ability the grant those privileges is revoked from that user, not the privileges themselves

docs/generated/settings/settings-for-tenants.txt

@@ -167,4 +167,4 @@ trace.debug.enable	boolean	false	if set, traces for recent requests can be seen
 trace.jaeger.agent	string		the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.
 trace.opentelemetry.collector	string		address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.
 trace.zipkin.collector	string		the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.
-version	version	21.2-12	set the active cluster version in the format '<major>.<minor>'
+version	version	21.2-14	set the active cluster version in the format '<major>.<minor>'

docs/generated/settings/settings.html

@@ -172,6 +172,6 @@
 <tr><td><code>trace.jaeger.agent</code></td><td>string</td><td><code></code></td><td>the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.</td></tr>
 <tr><td><code>trace.opentelemetry.collector</code></td><td>string</td><td><code></code></td><td>address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.</td></tr>
 <tr><td><code>trace.zipkin.collector</code></td><td>string</td><td><code></code></td><td>the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.</td></tr>
-<tr><td><code>version</code></td><td>version</td><td><code>21.2-12</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
+<tr><td><code>version</code></td><td>version</td><td><code>21.2-14</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
 </tbody>
 </table>

docs/generated/sql/bnf/grant_stmt.bnf

@@ -1,6 +1,6 @@
 grant_stmt ::=
-	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list
+	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'

docs/generated/sql/bnf/revoke_stmt.bnf

@@ -2,5 +2,8 @@ revoke_stmt ::=
 	'REVOKE' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list

docs/generated/sql/bnf/stmt_block.bnf

@@ -74,23 +74,27 @@ discard_stmt ::=
 	'DISCARD' 'ALL'
 
 grant_stmt ::=
-	'GRANT' privileges 'ON' targets 'TO' role_spec_list
+	'GRANT' privileges 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
-	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
+	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
 
 prepare_stmt ::=
 	'PREPARE' table_alias_name prep_type_clause 'AS' preparable_stmt
 
 revoke_stmt ::=
 	'REVOKE' privileges 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 
 savepoint_stmt ::=
 	'SAVEPOINT' name
@@ -321,6 +325,10 @@ targets ::=
 role_spec_list ::=
 	( role_spec ) ( ( ',' role_spec ) )*
 
+opt_with_grant_option ::=
+	'WITH' 'GRANT' 'OPTION'
+	| 
+
 privilege_list ::=
 	( privilege ) ( ( ',' privilege ) )*
 
@@ -2313,10 +2321,6 @@ alter_default_privileges_target_object ::=
 	| 'TYPES'
 	| 'SCHEMAS'
 
-opt_with_grant_option ::=
-	'WITH' 'GRANT' 'OPTION'
-	| 
-
 role_option ::=
 	'CREATEROLE'
 	| 'NOCREATEROLE'

pkg/ccl/importccl/import_table_creation.go

@@ -79,6 +79,7 @@ func MakeTestingSimpleTableDescriptor(
 			Privileges: descpb.NewPrivilegeDescriptor(
 				security.PublicRoleName(),
 				privilege.SchemaPrivileges,
+				privilege.List{},
 				security.RootUserName(),
 			),
 		}).BuildCreatedMutableSchema()