Merge #74920 #75088 #75116 #75145 #75149

74920: server: create new endpoint that return the roles of the sql user r=maryliag a=maryliag

The commit creates a new endpoint `/sqlroles` that returns
a list of roles of the SQL user logged in.

Partially addresses #74817

Release note (api change): Creation of new endpoint `/sqlroles` that
returns a list of the SQL roles for the SQL user logged in.

75088: sql: migrate has_sequence_privilege from evalPrivilegeCheck to ctx.Pl… r=otan a=ecwall

…anner.HasPrivilege

refs #66173

Migrate has_sequence_privilege from evalPrivilegeCheck to ctx.Planner.HasPrivilege.

Release note: None

75116: bazel: update comments in `BUILD.bazel`, include reference to `dev -h` r=irfansharif a=rickystewart

Most of this stuff is out-of-date at this point.

Release note: None

75145: sql: deflake TestTelemetry r=rytaft a=rytaft

This commit deflakes `TestTelemetry` by adding a more precise
`feature-allowlist`.

Fixes #75138

Release note: None

75149: cloud: close Reader before resetting in ResumingReader r=knz a=adityamaru

This change `Close()`s the Reader before resetting it when we
encounter a resumable error in the ResumingReader. This is particularly
important for the http external storage provide, since forgetting to
call Close() results in goroutine leaks from go1.17.6 onwards.

See: golang/go#50652

Fixes: #75143

Release note: None

Co-authored-by: Marylia Gutierrez <marylia@cockroachlabs.com>
Co-authored-by: Evan Wall <wall@cockroachlabs.com>
Co-authored-by: Ricky Stewart <ricky@cockroachlabs.com>
Co-authored-by: Rebecca Taft <becca@cockroachlabs.com>
Co-authored-by: Aditya Maru <adityamaru@gmail.com>

BUILD.bazel

@@ -2,6 +2,10 @@ load("@bazel_gazelle//:def.bzl", "gazelle")
 load("@io_bazel_rules_go//go:def.bzl", "go_path", "nogo")
 load("//build/bazelutil/staticcheckanalyzers:def.bzl", "STATICCHECK_CHECKS")
 
+# Consider using `dev` to easily perform Bazel builds. Run `dev doctor` to see
+# if your machine is up to snuff, and `dev -h` for a list of everything `dev`
+# can do.
+
 exports_files([
     "DEPS.bzl",
     "TEAMS.yaml",
@@ -142,54 +146,6 @@ exports_files([
 #   https://docs.bazel.build/versions/master/user-manual.html
 #   https://docs.bazel.build/versions/master/guide.html
 
-# TODO(irfansharif): Document a few usage patterns for bazel and how to
-# understand all the autogen stuff. Probably as a tech note. Here are a few
-# short hands I've used so far:
-#
-#   bazel test //pkg/kv/kvserver/concurrency/...
-#   bazel test //pkg/kv/kvserver:all --test_cache_results=no --test_output=all
-#   bazel test --features race //pkg/kv/kvserver/concurrency/... --test_output=all \
-#     --test_arg='-test.v' --test_arg='-show-logs' --test_filter='TestBTreeClone.*' \
-#     --run_under='stress -maxtime=120s' --cache_test_results=no
-#   bazel build //pkg/sql/opt
-#   bazel build //pkg/sql/opt:all
-#   bazel build //pkg/sql/colexec:gen-exec
-#   bazel build //pkg/cmd/cockroach-short
-#   bazel build //:libjemalloc
-#   bazel query //pkg/sql/colexec:all
-#   bazel run //:gazelle
-#   bazel run //pkg/cmd/cockroach-short -- demo
-#   bazel run //pkg/sql/opt/optgen/cmd/langgen -- -h
-#
-# The //<stuff> names can also be fully qualified using @cockroach, and that
-# appears in certain parts of the codebase/elsewhere. Specifically it'll look
-# like:
-#
-#   bazel build @cockroach//pkg/cmd/cockroach-short
-#
-# TODO(irfansharif): We should define shorthands for all of the above. See
-# https://docs.bazel.build/versions/master/skylark/tutorial-custom-verbs.html
-
-# TODO(irfansharif): The way we currently generate code through bazel, that
-# code is only available within the bazel sandbox. Bazel ignores all
-# the pre-generated code that is already checked into the codebase (through
-# `make generate`/etc.) through the exclude directives above. It's generating
-# everything on the fly.
-#
-# As we move towards bazel, we'll want to introduce a mechanism that implants
-# the generated code within the sandbox placing them "back into" the
-# appropriate packages. This is to ensure we don't break existing IDEs and code
-# editors which rely on files existing in the same package itself (as opposed
-# to the sandbox). This way we could continue checking in auto-generated code.
-# We should provide a bazel alternative for `make generate` that does this very
-# same thing. See [1], this is a long standing issue for folks using using Go,
-# bazel, and autogenerated code.
-#
-# [1]: https://github.com/bazelbuild/rules_go/issues/512.
-
-# TODO(irfansharif): We'll need to pin toolchains somewhere to make sure
-# everything below works as expected.
-
 gazelle(
     name = "gazelle",
     prefix = "github.com/cockroachdb/cockroach",

docs/generated/http/full.md

@@ -4121,6 +4121,46 @@ Response object returned by TableIndexStatsResponse.
 
 
 
+## UserSQLRoles
+
+`GET /_status/sqlroles`
+
+
+
+Support status: [reserved](#support-status)
+
+#### Request Parameters
+
+
+
+
+UserSQLRolesRequest requests a list of roles of the logged in SQL user.
+
+
+
+
+
+
+
+
+#### Response Parameters
+
+
+
+
+UserSQLRolesResponse returns a list of roles for the logged SQL user.
+
+
+| Field | Type | Label | Description | Support status |
+| ----- | ---- | ----- | ----------- | -------------- |
+| roles | [string](#cockroach.server.serverpb.UserSQLRolesResponse-string) | repeated | roles is a list of roles for the SQL user. | [reserved](#support-status) |
+
+
+
+
+
+
+
 ## RequestCA
 
 `GET /_join/v1/ca`

pkg/cloud/cloud_io.go

@@ -231,6 +231,9 @@ func (r *ResumingReader) Read(p []byte) (int, error) {
 			}
 			log.Errorf(r.Ctx, "Retry IO: error %s", lastErr)
 			lastErr = nil
+			if r.Reader != nil {
+				r.Reader.Close()
+			}
 			r.Reader = nil
 		}
 	}

pkg/server/BUILD.bazel

@@ -48,6 +48,7 @@ go_library(
         "tenant_status.go",
         "testing_knobs.go",
         "testserver.go",
+        "user.go",
     ],
     cgo = True,
     importpath = "github.com/cockroachdb/cockroach/pkg/server",
@@ -307,6 +308,7 @@ go_test(
         "status_test.go",
         "sticky_engine_test.go",
         "testserver_test.go",
+        "user_test.go",
         "version_cluster_test.go",
     ],
     data = glob(["testdata/**"]),

pkg/server/serverpb/status.go

@@ -34,6 +34,7 @@ type SQLStatusServer interface {
 	IndexUsageStatistics(context.Context, *IndexUsageStatisticsRequest) (*IndexUsageStatisticsResponse, error)
 	ResetIndexUsageStats(context.Context, *ResetIndexUsageStatsRequest) (*ResetIndexUsageStatsResponse, error)
 	TableIndexStats(context.Context, *TableIndexStatsRequest) (*TableIndexStatsResponse, error)
+	UserSQLRoles(ctx context.Context, request *UserSQLRolesRequest) (*UserSQLRolesResponse, error)
 }
 
 // OptionalNodesStatusServer is a StatusServer that is only optionally present

pkg/server/serverpb/status.proto

@@ -1401,6 +1401,16 @@ message ResetIndexUsageStatsRequest {
 message ResetIndexUsageStatsResponse {
 }
 
+// UserSQLRolesRequest requests a list of roles of the logged in SQL user.
+message UserSQLRolesRequest {
+}
+
+// UserSQLRolesResponse returns a list of roles for the logged SQL user.
+message UserSQLRolesResponse {
+  // roles is a list of roles for the SQL user.
+  repeated string roles = 1;
+}
+
 service Status {
   // Certificates retrieves a copy of the TLS certificates.
   rpc Certificates(CertificatesRequest) returns (CertificatesResponse) {
@@ -1779,4 +1789,10 @@ service Status {
       get: "/_status/databases/{database}/tables/{table}/indexstats"
     };
   }
+
+  rpc UserSQLRoles(UserSQLRolesRequest) returns (UserSQLRolesResponse) {
+    option (google.api.http) = {
+      get: "/_status/sqlroles"
+    };
+  }
 }

pkg/server/user.go

@@ -0,0 +1,69 @@
+// Copyright 2022 The Cockroach Authors.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package server
+
+import (
+	"context"
+
+	"github.com/cockroachdb/cockroach/pkg/server/serverpb"
+	"github.com/cockroachdb/cockroach/pkg/sql/sessiondata"
+	"github.com/cockroachdb/errors"
+)
+
+// UserSQLRoles return a list of the logged in SQL user roles.
+func (s *baseStatusServer) UserSQLRoles(
+	ctx context.Context, req *serverpb.UserSQLRolesRequest,
+) (_ *serverpb.UserSQLRolesResponse, retErr error) {
+	ctx = propagateGatewayMetadata(ctx)
+	ctx = s.AnnotateCtx(ctx)
+	username, err := userFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	it, err := s.sqlServer.internalExecutor.QueryIteratorEx(
+		ctx, "sqlroles", nil, /* txn */
+		sessiondata.InternalExecutorOverride{User: username},
+		"SELECT option FROM system.role_options WHERE username=$1", username,
+	)
+	if err != nil {
+		return nil, err
+	}
+	// We have to make sure to close the iterator since we might return from the
+	// for loop early (before Next() returns false).
+	defer func() { retErr = errors.CombineErrors(retErr, it.Close()) }()
+
+	ok, err := it.Next(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var resp serverpb.UserSQLRolesResponse
+	if !ok {
+		// The query returned 0 rows.
+		return &resp, nil
+	}
+	scanner := makeResultScanner(it.Types())
+	for ; ok; ok, err = it.Next(ctx) {
+		row := it.Cur()
+		var role string
+		err = scanner.ScanIndex(row, 0, &role)
+		if err != nil {
+			return nil, err
+		}
+		resp.Roles = append(resp.Roles, role)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}