sql, server: observability replace role options with system privileges

This patch introduces system privileges that exist currently as
role options. For observability they are the following: VIEWACTIVITY,
VIEWACTIVTYREDACTED and VIEWCLUSTERSETTING. Brand new system
privileges for observability will be introduced in a subsequent PR.
Any additional gating with these system privileges beyond the basic
ones made in this PR will be done in a subsequent PR.

Resolves #83843

Release note: None

Author: Santamaura

pkg/server/BUILD.bazel

@@ -181,6 +181,7 @@ go_library(
         "//pkg/sql/pgwire/pgerror",
         "//pkg/sql/pgwire/pgwirecancel",
         "//pkg/sql/physicalplan",
+        "//pkg/sql/privilege",
         "//pkg/sql/querycache",
         "//pkg/sql/rangeprober",
         "//pkg/sql/roleoption",

pkg/server/admin.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/cockroachdb/apd/v3"
 	"github.com/cockroachdb/cockroach/pkg/base"
+	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
@@ -46,6 +47,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/colinfo"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/descpb"
 	"github.com/cockroachdb/cockroach/pkg/sql/parser"
+	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/roleoption"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/sql/sessiondata"
@@ -1839,9 +1841,27 @@ func (s *adminServer) Settings(
 		}
 
 		if !hasModify && !hasView {
-			return nil, status.Errorf(
-				codes.PermissionDenied, "this operation requires either %s or %s role options",
-				roleoption.VIEWCLUSTERSETTING, roleoption.MODIFYCLUSTERSETTING)
+			if s.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
+				hasViewSystemPrivilege, err := s.checkHasSystemPrivilege(ctx, user, "VIEWCLUSTERSETTING")
+				if err != nil {
+					return nil, err
+				}
+
+				hasModifystemPrivilege, err := s.checkHasSystemPrivilege(ctx, user, "MODIFYCLUSTERSETTING")
+				if err != nil {
+					return nil, err
+				}
+
+				if !hasViewSystemPrivilege && !hasModifystemPrivilege {
+					return nil, status.Errorf(
+						codes.PermissionDenied, "this operation requires either %s or %s system privileges",
+						privilege.VIEWCLUSTERSETTING, privilege.MODIFYCLUSTERSETTING)
+				}
+			} else {
+				return nil, status.Errorf(
+					codes.PermissionDenied, "this operation requires either %s or %s role options",
+					roleoption.VIEWCLUSTERSETTING, roleoption.MODIFYCLUSTERSETTING)
+			}
 		}
 	}
 
@@ -3411,6 +3431,7 @@ func (s *adminServer) dialNode(
 // have admin privileges.
 type adminPrivilegeChecker struct {
 	ie *sql.InternalExecutor
+	st *cluster.Settings
 }
 
 // requireAdminUser's error return is a gRPC error.
@@ -3440,9 +3461,21 @@ func (c *adminPrivilegeChecker) requireViewActivityPermission(ctx context.Contex
 		}
 
 		if !hasViewActivity {
-			return status.Errorf(
-				codes.PermissionDenied, "this operation requires the %s role option",
-				roleoption.VIEWACTIVITY)
+			hasSystemPrivilege, err := c.checkHasSystemPrivilege(ctx, userName, "VIEWACTIVITY")
+			if err != nil {
+				return err
+			}
+			if c.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
+				if !hasSystemPrivilege {
+					return status.Errorf(
+						codes.PermissionDenied, "this operation requires the %s system privilege",
+						privilege.VIEWACTIVITY)
+				}
+			} else {
+				return status.Errorf(
+					codes.PermissionDenied, "this operation requires the %s role option",
+					roleoption.VIEWACTIVITY)
+			}
 		}
 	}
 	return nil
@@ -3462,13 +3495,29 @@ func (c *adminPrivilegeChecker) requireViewActivityOrViewActivityRedactedPermiss
 			return serverError(ctx, err)
 		}
 
-		if !hasViewActivity {
-			hasViewActivityRedacted, err := c.hasRoleOption(ctx, userName, roleoption.VIEWACTIVITYREDACTED)
-			if err != nil {
-				return serverError(ctx, err)
-			}
+		hasViewActivityRedacted, err := c.hasRoleOption(ctx, userName, roleoption.VIEWACTIVITYREDACTED)
+		if err != nil {
+			return serverError(ctx, err)
+		}
+
+		if !hasViewActivity && !hasViewActivityRedacted {
+			if c.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
+				hasVASystemPrivilege, err := c.checkHasSystemPrivilege(ctx, userName, "VIEWACTIVITY")
+				if err != nil {
+					return err
+				}
+
+				hasVARSystemPrivilege, err := c.checkHasSystemPrivilege(ctx, userName, "VIEWACTIVITYREDACTED")
+				if err != nil {
+					return err
+				}
 
-			if !hasViewActivityRedacted {
+				if !hasVASystemPrivilege && !hasVARSystemPrivilege {
+					return status.Errorf(
+						codes.PermissionDenied, "this operation requires the %s or %s system privilege",
+						privilege.VIEWACTIVITY, privilege.VIEWACTIVITYREDACTED)
+				}
+			} else {
 				return status.Errorf(
 					codes.PermissionDenied, "this operation requires the %s or %s role options",
 					roleoption.VIEWACTIVITY, roleoption.VIEWACTIVITYREDACTED)
@@ -3499,6 +3548,17 @@ func (c *adminPrivilegeChecker) requireViewActivityAndNoViewActivityRedactedPerm
 				codes.PermissionDenied, "this operation requires %s role option and is not allowed for %s role option",
 				roleoption.VIEWACTIVITY, roleoption.VIEWACTIVITYREDACTED)
 		}
+		if c.st.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
+			hasVARSystemPrivilege, err := c.checkHasSystemPrivilege(ctx, userName, "VIEWACTIVITYREDACTED")
+			if err != nil {
+				return err
+			}
+			if hasVARSystemPrivilege {
+				return status.Errorf(
+					codes.PermissionDenied, "this operation requires %s system privilege and is not allowed for %s system privilege",
+					privilege.VIEWACTIVITY, privilege.VIEWACTIVITYREDACTED)
+			}
+		}
 		return c.requireViewActivityPermission(ctx)
 	}
 	return nil
@@ -3575,6 +3635,26 @@ func (c *adminPrivilegeChecker) hasRoleOption(
 	return bool(dbDatum), nil
 }
 
+// checkHasSystemPrivilege is a helper function which executes
+// a query to see if rows return non-nil based on the
+// privilege provided.
+func (c *adminPrivilegeChecker) checkHasSystemPrivilege(
+	ctx context.Context, user username.SQLUsername, privilege string,
+) (bool, error) {
+	row, err := c.ie.QueryRowEx(
+		ctx, "check-has-system-privilege", nil, /* txn */
+		sessiondata.InternalExecutorOverride{User: username.RootUserName()},
+		`SELECT * FROM system.privileges WHERE username = $1 AND privileges @> ARRAY[$2]`,
+		user, privilege)
+	if err != nil {
+		return false, err
+	}
+	if row == nil {
+		return false, nil
+	}
+	return true, nil
+}
+
 var errRequiresAdmin = status.Error(codes.PermissionDenied, "this operation requires admin privilege")
 
 func errRequiresRoleOption(option roleoption.Option) error {

pkg/server/admin_test.go

@@ -28,6 +28,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/base"
+	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
@@ -2769,6 +2770,7 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 
 	underTest := &adminPrivilegeChecker{
 		ie: s.InternalExecutor().(*sql.InternalExecutor),
+		st: s.ClusterSettings(),
 	}
 
 	withAdmin, err := username.MakeSQLUsernameFromPreNormalizedStringChecked("withadmin")
@@ -2809,6 +2811,34 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 			},
 		},
 	}
+	// test system privileges if valid version
+	if s.ClusterSettings().Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
+		sqlDB.Exec(t, "CREATE USER withvasystemprivilege")
+		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvasystemprivilege")
+		sqlDB.Exec(t, "CREATE USER withvaredactedsystemprivilege")
+		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaredactedsystemprivilege")
+		sqlDB.Exec(t, "CREATE USER withvaandredactedsystemprivilege")
+		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITY TO withvaandredactedsystemprivilege")
+		sqlDB.Exec(t, "GRANT SYSTEM VIEWACTIVITYREDACTED TO withvaandredactedsystemprivilege")
+
+		withVaSystemPrivilege, err := username.MakeSQLUsernameFromPreNormalizedStringChecked("withvasystemprivilege")
+		require.NoError(t, err)
+		withVaRedactedSystemPrivilege, err := username.MakeSQLUsernameFromPreNormalizedStringChecked("withvaredactedsystemprivilege")
+		require.NoError(t, err)
+		withVaAndRedactedSystemPrivilege, err := username.MakeSQLUsernameFromPreNormalizedStringChecked("withvaandredactedsystemprivilege")
+		require.NoError(t, err)
+
+		tests[0].usernameWantErr[withVaSystemPrivilege] = false
+		tests[1].usernameWantErr[withVaSystemPrivilege] = false
+		tests[2].usernameWantErr[withVaSystemPrivilege] = false
+		tests[0].usernameWantErr[withVaRedactedSystemPrivilege] = true
+		tests[1].usernameWantErr[withVaRedactedSystemPrivilege] = false
+		tests[2].usernameWantErr[withVaRedactedSystemPrivilege] = true
+		tests[0].usernameWantErr[withVaAndRedactedSystemPrivilege] = false
+		tests[1].usernameWantErr[withVaRedactedSystemPrivilege] = false
+		tests[2].usernameWantErr[withVaRedactedSystemPrivilege] = true
+
+	}
 	for _, tt := range tests {
 		for userName, wantErr := range tt.usernameWantErr {
 			t.Run(fmt.Sprintf("%s-%s", tt.name, userName), func(t *testing.T) {

pkg/server/server.go

@@ -715,7 +715,7 @@ func NewServer(cfg Config, stopper *stop.Stopper) (*Server, error) {
 
 	lateBoundServer := &Server{}
 	// TODO(tbg): give adminServer only what it needs (and avoid circular deps).
-	adminAuthzCheck := &adminPrivilegeChecker{ie: internalExecutor}
+	adminAuthzCheck := &adminPrivilegeChecker{ie: internalExecutor, st: st}
 	sAdmin := newAdminServer(lateBoundServer, adminAuthzCheck, internalExecutor)
 
 	// These callbacks help us avoid a dependency on gossip in httpServer.

pkg/server/status_test.go

@@ -2297,7 +2297,7 @@ func TestListActivitySecurity(t *testing.T) {
 	ts := s.(*TestServer)
 	defer ts.Stopper().Stop(ctx)
 
-	expectedErrNoPermission := "this operation requires the VIEWACTIVITY or VIEWACTIVITYREDACTED role options"
+	expectedErrNoPermission := "this operation requires the VIEWACTIVITY or VIEWACTIVITYREDACTED system privilege"
 	contentionMsg := &serverpb.ListContentionEventsResponse{}
 	flowsMsg := &serverpb.ListDistSQLFlowsResponse{}
 	getErrors := func(msg protoutil.Message) []serverpb.ListActivityError {

pkg/sql/authorization.go

@@ -14,6 +14,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/cockroachdb/cockroach/pkg/clusterversion"
 	"github.com/cockroachdb/cockroach/pkg/keys"
 	"github.com/cockroachdb/cockroach/pkg/kv"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
@@ -35,6 +36,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/sql/sessiondata"
 	"github.com/cockroachdb/cockroach/pkg/sql/sessioninit"
 	"github.com/cockroachdb/cockroach/pkg/sql/sqlutil"
+	"github.com/cockroachdb/cockroach/pkg/sql/syntheticprivilege"
 	"github.com/cockroachdb/cockroach/pkg/util"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/mon"
@@ -856,12 +858,20 @@ func (p *planner) HasViewActivityOrViewActivityRedactedRole(ctx context.Context)
 		if err != nil {
 			return hasViewActivity, err
 		}
-		if !hasViewActivity {
-			hasViewActivityRedacted, err := p.HasRoleOption(ctx, roleoption.VIEWACTIVITYREDACTED)
-			if err != nil {
-				return hasViewActivityRedacted, err
-			}
-			if !hasViewActivityRedacted {
+		hasViewActivityRedacted, err := p.HasRoleOption(ctx, roleoption.VIEWACTIVITYREDACTED)
+		if err != nil {
+			return hasViewActivityRedacted, err
+		}
+		if !hasViewActivity && !hasViewActivityRedacted {
+			if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
+				noViewActivityErr := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWACTIVITY)
+				noViewActivityRedactedErr := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWACTIVITYREDACTED)
+				if noViewActivityErr != nil && noViewActivityRedactedErr != nil {
+					// a number of tests fail if an error is returned here.
+					// nolint:returnerrcheck
+					return false, nil
+				}
+			} else {
 				return false, nil
 			}
 		}

pkg/sql/crdb_internal.go

@@ -1570,11 +1570,15 @@ CREATE TABLE crdb_internal.cluster_settings (
 			if !hasModify && !hasView {
 				if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.SystemPrivilegesTable) {
 					// We check for EITHER the MODIFYCLUSTERSETTING or VIEWCLUSTERSETTING
-					// role option OR the MODIFYCLUSTERSETTING system cluster privilege.
+					// role option OR the MODIFYCLUSTERSETTING or VIEWCLUSTERSETTING system cluster privilege.
 					// We return the error for "system cluster privilege" due to
 					// the long term goal of moving away from coarse-grained role options.
-					if err := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING); err != nil {
-						return err
+					hasNoModifyErr := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.MODIFYCLUSTERSETTING)
+					hasNoViewErr := p.CheckPrivilege(ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWCLUSTERSETTING)
+					if hasNoModifyErr != nil && hasNoViewErr != nil {
+						return pgerror.Newf(pgcode.InsufficientPrivilege,
+							"only users with either %s or %s system privileges are allowed to read "+
+								"crdb_internal.cluster_settings", privilege.MODIFYCLUSTERSETTING, privilege.VIEWCLUSTERSETTING)
 					}
 				} else {
 					return pgerror.Newf(pgcode.InsufficientPrivilege,