cockroachdb · craig · Jan 27, 2022 · Jan 25, 2022
@@ -446,16 +446,16 @@ func restoreV201ZoneconfigPrivilegeTest(exportDir string) func(t *testing.T) {
 		sqlDB.CheckQueryResults(t, `show grants on database test`, testDBGrants)
 
 		testTableGrants := [][]string{
-			{"test", "public", "test_table", "admin", "ALL"},
-			{"test", "public", "test_table", "root", "ALL"},
-			{"test", "public", "test_table", "testuser", "ZONECONFIG"},
+			{"test", "public", "test_table", "admin", "ALL", "true"},
+			{"test", "public", "test_table", "root", "ALL", "true"},
+			{"test", "public", "test_table", "testuser", "ZONECONFIG", "false"},
 		}
 		sqlDB.CheckQueryResults(t, `show grants on test.test_table`, testTableGrants)
 
 		testTable2Grants := [][]string{
-			{"test", "public", "test_table2", "admin", "ALL"},
-			{"test", "public", "test_table2", "root", "ALL"},
-			{"test", "public", "test_table2", "testuser", "ALL"},
+			{"test", "public", "test_table2", "admin", "ALL", "true"},
+			{"test", "public", "test_table2", "root", "ALL", "true"},
+			{"test", "public", "test_table2", "testuser", "ALL", "true"},
 		}
 		sqlDB.CheckQueryResults(t, `show grants on test.test_table2`, testTable2Grants)
 	}

@@ -617,7 +617,7 @@ func showPrivileges(descriptor *descpb.Descriptor) string {
 			if j != 0 {
 				privStringBuilder.WriteString(", ")
 			}
-			privStringBuilder.WriteString(priv)
+			privStringBuilder.WriteString(priv.Kind.String())
 		}
 		privStringBuilder.WriteString(" ON ")
 		privStringBuilder.WriteString(descpb.GetDescriptorName(descriptor))

@@ -66,7 +66,7 @@ testdb sc user1 USAGE
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR user1;
 ----
-testdb sc othertable user1 SELECT
+testdb sc othertable user1 SELECT false
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_simple FOR user1;
@@ -90,12 +90,12 @@ SHOW GRANTS ON SCHEMA sc FOR testuser;
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_usage FOR testuser;
 ----
-testdb public testtable_greeting_usage testuser UPDATE
+testdb public testtable_greeting_usage testuser UPDATE false
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_owner FOR testuser;
 ----
-testdb public testtable_greeting_owner testuser ALL
+testdb public testtable_greeting_owner testuser ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR testuser;
@@ -108,25 +108,25 @@ SHOW GRANTS ON TABLE testdb.testtable_simple FOR testuser;
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_simple FOR admin;
 ----
-testdb public testtable_simple admin ALL
+testdb public testtable_simple admin ALL true
 
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_owner FOR admin;
 ----
-testdb public testtable_greeting_owner admin ALL
+testdb public testtable_greeting_owner admin ALL true
 
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_usage FOR admin;
 ----
-testdb public testtable_greeting_usage admin ALL
+testdb public testtable_greeting_usage admin ALL true
 
 
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR admin;
 ----
-testdb sc othertable admin ALL
+testdb sc othertable admin ALL true
 
 
 exec-sql
@@ -180,16 +180,16 @@ testdb sc user1 USAGE
 query-sql
 SHOW GRANTS ON testuser_db.sc.othertable
 ----
-testuser_db sc othertable admin ALL
-testuser_db sc othertable root ALL
-testuser_db sc othertable testuser ALL
+testuser_db sc othertable admin ALL true
+testuser_db sc othertable root ALL true
+testuser_db sc othertable testuser ALL false
 
 query-sql
 SHOW GRANTS ON testuser_db.testtable_greeting_usage
 ----
-testuser_db public testtable_greeting_usage admin ALL
-testuser_db public testtable_greeting_usage root ALL
-testuser_db public testtable_greeting_usage testuser ALL
+testuser_db public testtable_greeting_usage admin ALL true
+testuser_db public testtable_greeting_usage root ALL true
+testuser_db public testtable_greeting_usage testuser ALL false
 
 # testuser should be owner, and therefore have SELECT privs too.
 exec-sql user=testuser
@@ -211,7 +211,7 @@ RESTORE testdb.sc.othertable, testdb.testtable_greeting_usage, testdb.testtable_
 query-sql
 SHOW GRANTS ON restoredb.sc.othertable FOR user1;
 ----
-restoredb sc othertable user1 CREATE
+restoredb sc othertable user1 CREATE false
 
 query-sql
 SHOW GRANTS ON restoredb.sc.othertable FOR testuser;
@@ -220,12 +220,12 @@ SHOW GRANTS ON restoredb.sc.othertable FOR testuser;
 query-sql
 SHOW GRANTS ON restoredb.sc.othertable FOR admin;
 ----
-restoredb sc othertable admin ALL
+restoredb sc othertable admin ALL true
 
 query-sql
 SHOW GRANTS ON restoredb.testtable_greeting_usage FOR user1;
 ----
-restoredb public testtable_greeting_usage user1 CREATE
+restoredb public testtable_greeting_usage user1 CREATE false
 
 # testuser should not be the owner in this case, so won't have SELECT privs.
 query-sql user=testuser
@@ -241,7 +241,7 @@ SHOW GRANTS ON restoredb.testtable_greeting_usage FOR testuser;
 query-sql
 SHOW GRANTS ON restoredb.testtable_greeting_usage FOR admin;
 ----
-restoredb public testtable_greeting_usage admin ALL
+restoredb public testtable_greeting_usage admin ALL true
 
 # Testuser is no longer the owner of restoredb.greeting_owner.
 exec-sql user=testuser
@@ -311,25 +311,25 @@ testdb sc admin ALL
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_simple FOR admin;
 ----
-testdb public testtable_simple admin ALL
+testdb public testtable_simple admin ALL true
 
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_owner FOR admin;
 ----
-testdb public testtable_greeting_owner admin ALL
+testdb public testtable_greeting_owner admin ALL true
 
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_usage FOR admin;
 ----
-testdb public testtable_greeting_usage admin ALL
+testdb public testtable_greeting_usage admin ALL true
 
 
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR admin;
 ----
-testdb sc othertable admin ALL
+testdb sc othertable admin ALL true
 
 
 # First drop the existing database as admin.
@@ -402,22 +402,22 @@ testdb sc admin ALL
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_simple FOR admin;
 ----
-testdb public testtable_simple admin ALL
+testdb public testtable_simple admin ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_usage FOR admin;
 ----
-testdb public testtable_greeting_usage admin ALL
+testdb public testtable_greeting_usage admin ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_owner FOR admin;
 ----
-testdb public testtable_greeting_owner admin ALL
+testdb public testtable_greeting_owner admin ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR admin;
 ----
-testdb sc othertable admin ALL
+testdb sc othertable admin ALL true
 
 
 # Now let's try a cluster restore and expect all of the same privileges tha
@@ -448,7 +448,7 @@ testdb sc user1 USAGE
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR user1;
 ----
-testdb sc othertable user1 SELECT
+testdb sc othertable user1 SELECT false
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_simple FOR user1;
@@ -472,12 +472,12 @@ SHOW GRANTS ON SCHEMA testdb.sc FOR testuser;
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_usage FOR testuser;
 ----
-testdb public testtable_greeting_usage testuser UPDATE
+testdb public testtable_greeting_usage testuser UPDATE false
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_owner FOR testuser;
 ----
-testdb public testtable_greeting_owner testuser ALL
+testdb public testtable_greeting_owner testuser ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR testuser;
@@ -511,19 +511,19 @@ testdb sc admin ALL
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_simple FOR admin;
 ----
-testdb public testtable_simple admin ALL
+testdb public testtable_simple admin ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_owner FOR admin;
 ----
-testdb public testtable_greeting_owner admin ALL
+testdb public testtable_greeting_owner admin ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.testtable_greeting_usage FOR admin;
 ----
-testdb public testtable_greeting_usage admin ALL
+testdb public testtable_greeting_usage admin ALL true
 
 query-sql
 SHOW GRANTS ON TABLE testdb.sc.othertable FOR admin;
 ----
-testdb sc othertable admin ALL
+testdb sc othertable admin ALL true
@@ -436,26 +436,24 @@ func (p PrivilegeDescriptor) IsValidPrivilegesForObjectType(
 	return true, UserPrivileges{}, 0
 }
 
-// UserPrivilegeString is a pair of strings describing the
-// privileges for a given user.
-type UserPrivilegeString struct {
+// UserPrivilege represents a User and its Privileges
+type UserPrivilege struct {
 	User       security.SQLUsername
-	Privileges []string
-}
-
-// PrivilegeString returns a string of comma-separted privilege names.
-func (u UserPrivilegeString) PrivilegeString() string {
-	return strings.Join(u.Privileges, ",")
+	Privileges []privilege.Privilege
 }
 
 // Show returns the list of {username, privileges} sorted by username.
 // 'privileges' is a string of comma-separated sorted privilege names.
-func (p PrivilegeDescriptor) Show(objectType privilege.ObjectType) []UserPrivilegeString {
-	ret := make([]UserPrivilegeString, 0, len(p.Users))
+func (p PrivilegeDescriptor) Show(objectType privilege.ObjectType) []UserPrivilege {
+	ret := make([]UserPrivilege, 0, len(p.Users))
 	for _, userPriv := range p.Users {
-		ret = append(ret, UserPrivilegeString{
+		privileges := privilege.PrivilegesFromBitFields(userPriv.Privileges, userPriv.WithGrantOption, objectType)
+		sort.Slice(privileges, func(i, j int) bool {
+			return strings.Compare(privileges[i].Kind.String(), privileges[j].Kind.String()) < 0
+		})
+		ret = append(ret, UserPrivilege{
 			User:       userPriv.User(),
-			Privileges: privilege.ListFromBitField(userPriv.Privileges, objectType).SortedNames(),
+			Privileges: privileges,
 		})
 	}
 	return ret