roleccl: enable GRANT/REVOKE for roles without a license

Release note (security update): Non-licensed users are now able to add more principals to the special superuser role/group `admin`. (Creation of additional roles is still a licensed feature). Release note (sql change): It is now possible to use `GRANT` and `REVOKE` to add users to the `admin` role without a valid license. This change aims to enable use of the admin UI and other privileged features without a license.
cockroachdb · Feb 24, 2020 · 35d6eb3 · 35d6eb3
1 parent c3f5aae
commit 35d6eb3
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/pkg/ccl/roleccl/role.go b/pkg/ccl/roleccl/role.go
@@ -78,11 +78,11 @@ func grantRolePlanHook(
 		ctx, span := tracing.ChildSpan(ctx, stmt.StatementTag())
 		defer tracing.FinishSpan(span)
 
-		if err := utilccl.CheckEnterpriseEnabled(
-			p.ExecCfg().Settings, p.ExecCfg().ClusterID(), p.ExecCfg().Organization(), "GRANT <role>",
-		); err != nil {
-			return err
-		}
+		// Note: we do not check the license for GRANT <role>, only for
+		// CREATE/DROP <role>. This is because we want to allow
+		// non-licensed users to add/remove users from the admin role, so
+		// they can grant administrative privileges to user accounts that
+		// are not superusers like "root".
 
 		hasAdminRole, err := p.HasAdminRole(ctx)
 		if err != nil {