sql,backupccl: allow owners to also control schedules

[adityamaru]

This change relaxes the admin only check that was enforced
when resuming, pasuing, dropping and altering a backup schedule
to also allow non-admin owners of the schedules to perform
these control operations.

Release note (sql change): Owners of a backup schedule can now
control their schedule using the supported pause, resume, drop
and alter queries.

Release justification: high impact change to introduce finer grained
permission control to disaster recovery operations

[cockroach-teamcity]

This change is 

[adityamaru]

First commit is from #87188.

[benbardin]

happy to support this, but why? :)

[adityamaru]

My understanding is that NodeUser is what we should be using for intra-cluster traffic -

cockroach/pkg/security/username/username.go

Line 67 in bf75f1d

const NodeUser = "node"

. It is the user used when a node is acting on its own behalf, rather than as an external user or an app running as root.

[benbardin]

Should it be running on its own behalf? Or should loadSchedule take a context and run as the user executing the query?

More concretely, I guess, can we imagine a world where we want a user to see/load some schedules but not others? (yes, I think?)

[adityamaru]

Or should loadSchedule take a context and run as the user executing the query?

This would be tricky because only admin is allowed to select against a system table. So a non-admin owner would get an error running loadSchedule. The scan of the system table is an internal implementation detail that expects other pieces of the logic to perform the appropriate privilege checks.

can we imagine a world where we want a user to see/load some schedules but not others

Yes, I think so, but "load" is an internal implementation detail so I think the filtering needs to be in the logic that uses the loaded schedule, which is what we're doing here. We are already allowing users to only alter a limited set of schedules if they are non-admin, i.e. the schedules they own. Similarly if we want to limit what schedules a user sees we should be adding this privilege check to SHOW SCHEDULES and other user facing queries that allow for introspection.

[benbardin]

expects other pieces of the logic to perform the appropriate privilege checks

Yeah, exactly this - I'd worry about a developer forgetting that. It's not obvious to me that somebody calling something called loadSchedule() will be executing node-level privileges under the hood. That said, if it's obvious to you (i.e. common practice :) ) then I'm fine with it.

[benbardin]

is n.command.String() helpful info here?

[adityamaru]

🤷 it makes for a more informative error message that you're not allowed to RESUME, DROP, PAUSE it, but I guess you already know that because you're running the command.

[adityamaru]

The race failures are all timeouts and are being investigated here https://cockroachlabs.slack.com/archives/C023S0V4YEB/p1662488784308579. I have high confidence that they are not caused by this diff so going ahead and borsing while we investigate.

bors r=benbardin

[craig]

Merge conflict.

[adityamaru]

Unrelated failures being investigated:

https://cockroachlabs.slack.com/archives/C023S0V4YEB/p1662580252355849
https://cockroachlabs.slack.com/archives/C023S0V4YEB/p1662488784308579

bors r=benbardin

[craig]

Build succeeded:

• Bazel Essential CI (Cockroach)

[adityamaru]

blathers backport release-22.2