sql: refactor pg_has_role to remove privilege.GRANT usage

pkg/ccl/importccl/import_table_creation.go

@@ -329,14 +329,14 @@ func (so *importSequenceOperators) IsTypeVisible(
 	return false, false, errors.WithStack(errSequenceOperators)
 }
 
-// HasPrivilege is part of the tree.EvalDatabase interface.
-func (so *importSequenceOperators) HasPrivilege(
+// HasAnyPrivilege is part of the tree.EvalDatabase interface.
+func (so *importSequenceOperators) HasAnyPrivilege(
 	ctx context.Context,
 	specifier tree.HasPrivilegeSpecifier,
 	user security.SQLUsername,
-	priv privilege.Privilege,
-) (bool, error) {
-	return false, errors.WithStack(errSequenceOperators)
+	privs []privilege.Privilege,
+) (tree.HasAnyPrivilegeResult, error) {
+	return tree.HasNoPrivilege, errors.WithStack(errSequenceOperators)
 }
 
 // IncrementSequenceByID implements the tree.SequenceOperators interface.

pkg/sql/faketreeeval/evalctx.go

@@ -80,14 +80,14 @@ func (so *DummySequenceOperators) IsTypeVisible(
 	return false, false, errors.WithStack(errEvalPlanner)
 }
 
-// HasPrivilege is part of the tree.EvalDatabase interface.
-func (so *DummySequenceOperators) HasPrivilege(
+// HasAnyPrivilege is part of the tree.EvalDatabase interface.
+func (so *DummySequenceOperators) HasAnyPrivilege(
 	ctx context.Context,
 	specifier tree.HasPrivilegeSpecifier,
 	user security.SQLUsername,
-	priv privilege.Privilege,
-) (bool, error) {
-	return false, errors.WithStack(errEvalPlanner)
+	privs []privilege.Privilege,
+) (tree.HasAnyPrivilegeResult, error) {
+	return tree.HasNoPrivilege, errors.WithStack(errEvalPlanner)
 }
 
 // IncrementSequenceByID is part of the tree.SequenceOperators interface.
@@ -317,14 +317,14 @@ func (ep *DummyEvalPlanner) IsTypeVisible(
 	return false, false, errors.WithStack(errEvalPlanner)
 }
 
-// HasPrivilege is part of the tree.EvalDatabase interface.
-func (ep *DummyEvalPlanner) HasPrivilege(
+// HasAnyPrivilege is part of the tree.EvalDatabase interface.
+func (ep *DummyEvalPlanner) HasAnyPrivilege(
 	ctx context.Context,
 	specifier tree.HasPrivilegeSpecifier,
 	user security.SQLUsername,
-	priv privilege.Privilege,
-) (bool, error) {
-	return false, errors.WithStack(errEvalPlanner)
+	privs []privilege.Privilege,
+) (tree.HasAnyPrivilegeResult, error) {
+	return tree.HasNoPrivilege, errors.WithStack(errEvalPlanner)
 }
 
 // ResolveTableName is part of the tree.EvalDatabase interface.

pkg/sql/resolver.go

@@ -299,69 +299,61 @@ func (p *planner) IsTypeVisible(
 	return false, true, nil
 }
 
-// HasPrivilege is part of the tree.EvalDatabase interface.
-func (p *planner) HasPrivilege(
+// HasAnyPrivilege is part of the tree.EvalDatabase interface.
+func (p *planner) HasAnyPrivilege(
 	ctx context.Context,
 	specifier tree.HasPrivilegeSpecifier,
 	user security.SQLUsername,
-	priv privilege.Privilege,
-) (bool, error) {
+	privs []privilege.Privilege,
+) (tree.HasAnyPrivilegeResult, error) {
 	desc, err := p.ResolveDescriptorForPrivilegeSpecifier(
 		ctx,
 		specifier,
 	)
 	if err != nil {
-		return false, err
+		return tree.HasNoPrivilege, err
+	}
+	if desc == nil {
+		return tree.ObjectNotFound, nil
 	}
 
-	// hasPrivilegeFunc checks whether any role has the given privilege.
-	hasPrivilegeFunc := func(priv privilege.Privilege) (bool, error) {
-		err := p.CheckPrivilegeForUser(ctx, desc, priv.Kind, user)
-		if err != nil {
+	for _, priv := range privs {
+		// RULE was only added for compatibility with Postgres, and Postgres
+		// never allows RULE to be granted, even if the user has ALL privileges.
+		// See https://www.postgresql.org/docs/8.1/sql-grant.html
+		// and https://www.postgresql.org/docs/release/8.2.0/.
+		if priv.Kind == privilege.RULE {
+			continue
+		}
+
+		if err := p.CheckPrivilegeForUser(ctx, desc, priv.Kind, user); err != nil {
 			if pgerror.GetPGCode(err) == pgcode.InsufficientPrivilege {
-				return false, nil
+				continue
 			}
-			return false, err
+			return tree.HasNoPrivilege, err
 		}
 
 		if priv.GrantOption {
 			if !p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption) {
-				err := p.CheckPrivilegeForUser(ctx, desc, privilege.GRANT, user)
-				if err != nil {
+				if err := p.CheckPrivilegeForUser(ctx, desc, privilege.GRANT, user); err != nil {
 					if pgerror.GetPGCode(err) == pgcode.InsufficientPrivilege {
-						return false, nil
+						continue
 					}
-					return false, err
+					return tree.HasNoPrivilege, err
 				}
 			} else {
-				err := p.CheckGrantOptionsForUser(ctx, desc, []privilege.Kind{priv.Kind}, user, true /* isGrant */)
-				if err != nil {
+				if err := p.CheckGrantOptionsForUser(ctx, desc, []privilege.Kind{priv.Kind}, user, true /* isGrant */); err != nil {
 					if pgerror.GetPGCode(err) == pgcode.WarningPrivilegeNotGranted {
-						return false, nil
+						continue
 					}
-					return false, err
+					return tree.HasNoPrivilege, err
 				}
 			}
 		}
-
-		return true, nil
+		return tree.HasPrivilege, nil
 	}
 
-	if priv.Kind == privilege.RULE {
-		// RULE was only added for compatibility with Postgres, and Postgres
-		// never allows RULE to be granted, even if the user has ALL privileges.
-		// See https://www.postgresql.org/docs/8.1/sql-grant.html
-		// and https://www.postgresql.org/docs/release/8.2.0/.
-		return false, nil
-	}
-	hasPrivilege, err := hasPrivilegeFunc(privilege.Privilege{Kind: privilege.ALL})
-	if err != nil {
-		return false, err
-	}
-	if hasPrivilege {
-		return true, nil
-	}
-	return hasPrivilegeFunc(priv)
+	return tree.HasNoPrivilege, nil
 }
 
 // ResolveDescriptorForPrivilegeSpecifier resolves a tree.HasPrivilegeSpecifier
@@ -375,7 +367,7 @@ func (p *planner) ResolveDescriptorForPrivilegeSpecifier(
 		)
 	} else if specifier.DatabaseOID != nil {
 		_, database, err := p.Descriptors().GetImmutableDatabaseByID(
-			ctx, p.txn, descpb.ID(*specifier.DatabaseOID), tree.DatabaseLookupFlags{Required: true},
+			ctx, p.txn, descpb.ID(*specifier.DatabaseOID), tree.DatabaseLookupFlags{},
 		)
 		return database, err
 	} else if specifier.SchemaName != nil {
@@ -386,7 +378,7 @@ func (p *planner) ResolveDescriptorForPrivilegeSpecifier(
 			return nil, err
 		}
 		return p.Descriptors().GetImmutableSchemaByName(
-			ctx, p.txn, database, *specifier.SchemaName, tree.SchemaLookupFlags{Required: true},
+			ctx, p.txn, database, *specifier.SchemaName, tree.SchemaLookupFlags{Required: *specifier.SchemaIsRequired},
 		)
 	} else if specifier.TableName != nil || specifier.TableOID != nil {
 		var table catalog.TableDescriptor
@@ -408,21 +400,17 @@ func (p *planner) ResolveDescriptorForPrivilegeSpecifier(
 					"cross-database references are not implemented: %s", tn)
 			}
 			_, table, err = p.Descriptors().GetImmutableTableByName(
-				ctx, p.txn, tn, tree.ObjectLookupFlags{
-					CommonLookupFlags: tree.CommonLookupFlags{
-						Required: true,
-					},
-				},
+				ctx, p.txn, tn, tree.ObjectLookupFlags{},
 			)
 		} else {
 			table, err = p.Descriptors().GetImmutableTableByID(
-				ctx, p.txn, descpb.ID(*specifier.TableOID),
-				tree.ObjectLookupFlags{
-					CommonLookupFlags: tree.CommonLookupFlags{
-						Required: true,
-					},
-				},
+				ctx, p.txn, descpb.ID(*specifier.TableOID), tree.ObjectLookupFlags{},
 			)
+			// When a TableOID is specified and the relation is not found, we return NULL.
+			if err != nil && sqlerrors.IsUndefinedRelationError(err) {
+				// nolint:returnerrcheck
+				return nil, nil
+			}
 		}
 		if err != nil {
 			return nil, err