externalconn: grant ALL on CREATE EXTERNAL CONNECTION

[adityamaru]

Previously, the user that created the external connection
was not granted any privileges as the creator/owner of the
object. This diff changes this by granting the user ALL
privileges.

When synthetic privileges have a concept of owners, we should
also set the owner of the External Connection object to the
creator. This can happen once #86181
is addressed.

There was also a small bug in the grant/revoke code where
external connection names that required to be wrapped in
"" egs: "foo-kms" were being incorrectly stringified when
creating the synthetic privilege path. This resulted in:

CREATE EXTERNAL CONNECTION "foo-kms" AS ...
GRANT USAGE ON EXTERNAL CONNECTION "foo-kms" TO baz

To fail with a "foo-kms" cannot be found, even though it was
infact created before attempting the grant. Tests have been added to
test this case.

Fixes: #86261

Release note (bug fix): Users that create an external connection
are now granted ALL privileges on the object.

Release justification: bug fix for new functionality

[cockroach-teamcity]

This change is 

[RichardJCai]

This should be Normalized and not SQLIdentifier

// Normalized returns the normalized username, suitable for equality
// comparison and lookups. The username is unquoted.
func (s SQLUsername) Normalized() string { return s.u }

// SQLIdentifier returns the normalized username in a form
// suitable for parsing as a SQL identifier.
// The identifier is quoted if it contains special characters
// or it is a reserved keyword.
func (s SQLUsername) SQLIdentifier() string {
	var buf bytes.Buffer
	lexbase.EncodeRestrictedSQLIdent(&buf, s.u, lexbase.EncNoFlags)
	return buf.String()
}

I think if you add a test by creating a username with "SELECT" it'll error out here

[adityamaru]

@RichardJCai if we use Normalized usernames with special identifiers aren't quoted. So for example:

CREATE USER "bar-foo";
GRANT SYSTEM EXTERNALCONNECTION TO "bar-foo";

# Login as "bar-foo"
CREATE EXTERNAL CONNECTION foo AS 'nodelocal://foo';

--- FAILS cause the GRANT statement is `GRANT ALL ON EXTERNAL CONNECTION "foo" TO bar-foo` and the `-` is unquoted.

Is the correct pattern to use Normalized but to quote the username in the grant statement itself? fwiw I couldn't reproduce the "SELECT" example you mentioned above but maybe I'm missing a step.

[RichardJCai]

@RichardJCai if we use Normalized usernames with special identifiers aren't quoted. So for example:

CREATE USER "bar-foo";
GRANT SYSTEM EXTERNALCONNECTION TO "bar-foo";

# Login as "bar-foo"
CREATE EXTERNAL CONNECTION foo AS 'nodelocal://foo';

--- FAILS cause the GRANT statement is `GRANT ALL ON EXTERNAL CONNECTION "foo" TO bar-foo` and the `-` is unquoted.

Is the correct pattern to use Normalized but to quote the username in the grant statement itself? fwiw I couldn't reproduce the "SELECT" example you mentioned above but maybe I'm missing a step.

Oops you're right, I was thinking of it in the context of actually writing it to the system.privileges table, you're right for using this in the GRANT statement.

[adityamaru]

Failures are unrelated and being tracked in #86376.

TFTRs!

bors r+

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build succeeded:

• Bazel Essential CI (Cockroach)