sql,ui: enable non-admin users to see their own jobs

Release note (ui change): Non-admin users can now use the "Jobs detail" page and see their own jobs. Release note (sql change): Non-admin users can now query `SHOW JOBS` and `crdb_internal.jobs` and see their own jobs.
cockroachdb · Jan 24, 2020 · 995bfdc · 995bfdc
1 parent c8c56af
commit 995bfdc
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/pkg/sql/crdb_internal.go b/pkg/sql/crdb_internal.go
@@ -453,10 +453,18 @@ CREATE TABLE crdb_internal.jobs (
 	coordinator_id     		INT
 )`,
 	populate: func(ctx context.Context, p *planner, _ *DatabaseDescriptor, addRow func(...tree.Datum) error) error {
+		currentUser := p.SessionData().User
+		isAdmin, err := p.HasAdminRole(ctx)
+		if err != nil {
+			return err
+		}
+
+		// Beware: we're querying system.jobs as root; we need to be careful to filter
+		// out results that the current user is not able to see.
 		query := `SELECT id, status, created, payload, progress FROM system.jobs`
 		rows, err := p.ExtendedEvalContext().ExecCfg.InternalExecutor.QueryEx(
 			ctx, "crdb-internal-jobs-table", p.txn,
-			sqlbase.InternalExecutorSessionDataOverride{User: p.SessionData().User},
+			sqlbase.InternalExecutorSessionDataOverride{User: security.RootUser},
 			query)
 		if err != nil {
 			return err
@@ -472,6 +480,15 @@ CREATE TABLE crdb_internal.jobs (
 
 			// Extract data from the payload.
 			payload, err := jobs.UnmarshalPayload(payloadBytes)
+
+			// We filter out masked rows before we allocate all the
+			// datums. Needless allocate when not necessary.
+			if !(isAdmin || (payload != nil && payload.Username == currentUser)) {
+				// This user is neither an admin nor the user who created the
+				// job. They cannot see this row.
+				continue
+			}
+
 			if err != nil {
 				errorStr = tree.NewDString(fmt.Sprintf("error decoding payload: %v", err))
 			} else {