

sql: drop user/role did not detect usage by types
Previously, it was possible to drop a user / role in use by a type
because the detection logic only checked ownership. To address this,
this patch checks whether the user is referenced by any types before
allowing the drop to go through.

Note: An automated repair during upgrade exists to fix descriptors with
this issue, since they can break SHOW GRANTS. The same repair query can
also be invoked manually.

Fixes: cockroachdb#124441

Release note (bug fix): Drop role/user could leave references behind
inside types, which could prevent SHOW GRANTS from working
fqazi committed May 23, 2024
1 parent 076f6a1 commit fe68996
Showing 2 changed files with 39 additions and 0 deletions.
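--- a/pkg/sql/drop_role.go
+++ b/pkg/sql/drop_role.go
@@ -249,6 +249,19 @@ func (n *DropRoleNode) startExec(params runParams) error {
 ObjectName: tn.String(),
 })
 }
+for _, u := range typDesc.GetPrivileges().Users {
+if _, ok := userNames[u.User()]; ok {
+tn, err := getTypeNameFromTypeDescriptor(lCtx, typDesc)
+if err != nil {
+return err
+}
+if privilegeObjectFormatter.Len() > 0 {
+privilegeObjectFormatter.WriteString(", ")
+}
+privilegeObjectFormatter.FormatNode(&tn)
+break
+}
+}
 }
 for _, fnDesc := range lCtx.fnDescs {
 if _, ok := userNames[fnDesc.GetPrivileges().Owner()]; ok {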
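Review bot: The new `for _, u := range typDesc.GetPrivileges().Users` loop has no comment saying why a role appearing in a type's privilege list must block the drop, even though the commit message gives the reason; add above it `// A dropped role must not survive in any type's privileges: the dangling reference breaks SHOW GRANTS (#124441).`. The `break` is also worth a one-liner, since its visible effect is that a type is reported once even when several of the roles being dropped hold grants on it, e.g. `// report each type once`. The loop sits after what is presumably the ownership branch for the same typDesc and mirrors the fnDesc handling on the following lines, which reads consistently. startExec begins and ends outside the hunk.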
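--- a/pkg/sql/logictest/testdata/logic_test/role
+++ b/pkg/sql/logictest/testdata/logic_test/role
@@ -1881,3 +1881,29 @@ statement error SUBJECT role option is only supported after v24.1 upgrade is fin
 ALTER ROLE testuser SUBJECT 'foo'
 
 subtest end
+
+# Validates that drop role will be prevented if the role is in use by
+# any schema objects. This is validates and prevents the regression found
+# in #124441
+subtest drop_role_block_validation
+
+statement ok
+CREATE DATABASE block_db;
+USE block_db;
+CREATE TABLE t(n int);
+CREATE TYPE typ AS ENUM ('open', 'closed', 'inactive');
+CREATE FUNCTION f() RETURNS INT LANGUAGE SQL AS $$ SELECT 1 $$;
+CREATE ROLE block_user;
+GRANT ALL ON DATABASE block_db to block_user;
+GRANT ALL ON SCHEMA public to block_user;
+GRANT ALL ON TABLE t to block_user;
+GRANT ALL ON TYPE typ to block_user;
+GRANT ALL ON FUNCTION f to block_user;
+
+statement error pgcode 2BP01 cannot drop role/user block_user: grants still exist on block_db, block_db.public.t, block_db.public, block_db.public.typ, block_db.public.f
+DROP ROLE block_user
+
+statement ok
+USE defaultdb;
+
+subtest end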
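Review bot: The comment introducing subtest drop_role_block_validation reads `# This is validates and prevents the regression found`; change it to `# This validates and prevents the regression found`. The subtest also leaves block_db and block_user in place after the expected failure, since only `USE defaultdb;` follows, so later subtests in this file presumably run with that role and database still present; if that matters, a closing `statement ok` that revokes the grants and drops both would keep the subtest self-contained.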
