sql: add TEMPORARY database privilege and fix temp table privilege checking #165992

Merged
trunk-io[bot] merged 2 commits into cockroachdb:master from rafiss:fix-temp-table-create-privilege
Mar 18, 2026

@rafiss rafiss commented Mar 17, 2026

Summary

This PR fixes #165984: CREATE TEMP TABLE incorrectly required CREATE privilege on the public schema, and CockroachDB was missing PostgreSQL's TEMPORARY database privilege.

Commit 1: Add TEMPORARY privilege and fix temp table privilege checking

  • Adds a new TEMPORARY privilege kind (with TEMP as a parser alias), valid on database objects.
  • Grants TEMPORARY to PUBLIC by default on newly created databases, matching PostgreSQL.
  • Fixes the optbuilder to skip the CREATE-on-schema check for temp objects; the execution-time code checks TEMPORARY on the database instead.
  • Updates logic tests for the new privilege in SHOW GRANTS ON DATABASE output.

Commit 2: Migration to grant TEMPORARY to PUBLIC on existing databases

  • Adds cluster version V26_2_GrantTemporaryToPublic.
  • Migration iterates all databases and grants TEMPORARY to PUBLIC where missing.
  • Includes a test that simulates pre-upgrade state and verifies the migration.

Fixes: #165984
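
An added example, not part of the PR or of CockroachDB's own tests: how an operator could audit and tighten the TEMPORARY grant described above. The database `appdb` and the roles `etl_rw` and `reporting_ro` are hypothetical, and the statements assume an admin session on a cluster finalized on a version that contains this change.

```sql
-- Constructed names: appdb, etl_rw and reporting_ro are hypothetical.
CREATE DATABASE appdb;
CREATE ROLE etl_rw;
CREATE ROLE reporting_ro;

-- 1. Audit. Per the PR description, new databases grant TEMPORARY to
--    PUBLIC by default and the migration adds the same grant to existing
--    databases, so every role starts out able to create temp objects.
SHOW GRANTS ON DATABASE appdb;

-- 2. Least privilege. Drop the blanket grant and allow only the role that
--    needs scratch tables. TEMP is the parser alias for TEMPORARY.
REVOKE TEMPORARY ON DATABASE appdb FROM public;
GRANT TEMP ON DATABASE appdb TO etl_rw;

-- 3. Schema-level CREATE is a separate control. With the fix it no longer
--    gates temp tables, so revoking it does not restrict them and
--    granting it does not enable them.
USE appdb;
REVOKE CREATE ON SCHEMA public FROM public;

-- 4. Exercise the check as each role. Temp tables sit behind a session
--    setting in CockroachDB.
SET experimental_enable_temp_tables = 'on';

-- etl_rw holds TEMPORARY on appdb and no CREATE on the public schema.
SET ROLE etl_rw;
CREATE TEMP TABLE scratch (id INT PRIMARY KEY);
RESET ROLE;

-- reporting_ro has no TEMPORARY grant, directly or through PUBLIC.
SET ROLE reporting_ro;
CREATE TEMP TABLE scratch_ro (id INT PRIMARY KEY);
RESET ROLE;

-- 5. Re-audit after the change to confirm PUBLIC no longer lists TEMPORARY.
SHOW GRANTS ON DATABASE appdb;
```

Deployments that relied on withholding CREATE on the public schema to block temp tables should run the audit in step 1 on every database after upgrading, since the control point moves to the database-level grant.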

trunk-io bot commented Mar 17, 2026

😎 Merged successfully - details.

@rafiss rafiss force-pushed the fix-temp-table-create-privilege branch 4 times, most recently from 960370f to bcaee6f Compare March 18, 2026 03:49
@cockroach-teamcity

⚪ Sysbench [SQL, 3node, oltp_read_write]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 10.23m ±3% | 10.38m ±5% | ~ | p=0.126 n=15 |
| allocs/op | 8.085k ±1% | 8.118k ±1% | ~ | p=0.395 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/bcaee6f/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/bcaee6f7f340b008a60cc1ba39c47cd417bfd477/bin/pkg_sql_tests benchdiff/bcaee6f/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/bcaee6f/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

# NB: for best (most stable) results, also add a suitable `--benchtime` that
# results in ~1s to ~5s of benchmark runs. For example, if ops average ~3ms, a
# benchtime of `1000x` is appropriate.
#
# Some benchmarks (in particular BenchmarkSysbench) output additional memory
# profiles covering only the execution (excluding the setup/teardown) - those
# should be preferred for analysis since they more closely correspond to what's
# reported as B/op and alloc/op.
benchdiff --run=^BenchmarkSysbench/SQL/3node/oltp_read_write$ --old=3adb876 --new=bcaee6f --memprofile ./pkg/sql/tests
⚪ Sysbench [KV, 3node, oltp_read_only]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 3.086m ±1% | 3.110m ±2% | ~ | p=0.389 n=15 |
| allocs/op | 2.106k ±0% | 2.106k ±0% | ~ | p=0.655 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/bcaee6f/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/bcaee6f7f340b008a60cc1ba39c47cd417bfd477/bin/pkg_sql_tests benchdiff/bcaee6f/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/bcaee6f/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/KV/3node/oltp_read_only$ --old=3adb876 --new=bcaee6f --memprofile ./pkg/sql/tests
🔴 Sysbench [KV, 3node, oltp_write_only]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| 🔴 sec/op | 2.923m ±1% | 2.957m ±1% | +1.18% | p=0.004 n=15 |
| allocs/op | 4.209k ±0% | 4.209k ±0% | ~ | p=0.428 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/bcaee6f/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/bcaee6f7f340b008a60cc1ba39c47cd417bfd477/bin/pkg_sql_tests benchdiff/bcaee6f/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/bcaee6f/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/KV/3node/oltp_write_only$ --old=3adb876 --new=bcaee6f --memprofile ./pkg/sql/tests
Artifacts

download:

mkdir -p new
gcloud storage cp gs://cockroach-microbench-ci/artifacts/bcaee6f7f340b008a60cc1ba39c47cd417bfd477/23228184745-1/\* new/
mkdir -p old
gcloud storage cp gs://cockroach-microbench-ci/artifacts/3adb876f73cd66afdc7713bae1eb14a228d325ef/23228184745-1/\* old/

built with commit: bcaee6f7f340b008a60cc1ba39c47cd417bfd477

@cockroach-teamcity cockroach-teamcity added the X-perf-check Microbenchmarks CI: Added to a PR if a performance regression is detected and should be checked label Mar 18, 2026
@rafiss rafiss force-pushed the fix-temp-table-create-privilege branch from bcaee6f to 276440d Compare March 18, 2026 04:51
@cockroach-teamcity

⚪ Sysbench [SQL, 3node, oltp_read_write]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 9.946m ±1% | 9.911m ±1% | ~ | p=0.624 n=15 |
| allocs/op | 8.072k ±0% | 8.089k ±0% | ~ | p=0.113 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/276440d/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/276440dbba809506bab505712755bc8d0bac449d/bin/pkg_sql_tests benchdiff/276440d/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/276440d/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/SQL/3node/oltp_read_write$ --old=3adb876 --new=276440d --memprofile ./pkg/sql/tests
⚪ Sysbench [KV, 3node, oltp_read_only]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 3.063m ±1% | 3.061m ±1% | ~ | p=1.000 n=15 |
| allocs/op | 2.106k ±0% | 2.106k ±0% | ~ | p=0.422 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/276440d/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/276440dbba809506bab505712755bc8d0bac449d/bin/pkg_sql_tests benchdiff/276440d/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/276440d/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/KV/3node/oltp_read_only$ --old=3adb876 --new=276440d --memprofile ./pkg/sql/tests
⚪ Sysbench [KV, 3node, oltp_write_only]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 2.875m ±0% | 2.882m ±1% | ~ | p=0.512 n=15 |
| allocs/op | 4.203k ±0% | 4.202k ±0% | ~ | p=0.137 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/276440d/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/276440dbba809506bab505712755bc8d0bac449d/bin/pkg_sql_tests benchdiff/276440d/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/276440d/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/KV/3node/oltp_write_only$ --old=3adb876 --new=276440d --memprofile ./pkg/sql/tests
Artifacts

download:

mkdir -p new
gcloud storage cp gs://cockroach-microbench-ci/artifacts/276440dbba809506bab505712755bc8d0bac449d/23229657213-1/\* new/
mkdir -p old
gcloud storage cp gs://cockroach-microbench-ci/artifacts/3adb876f73cd66afdc7713bae1eb14a228d325ef/23229657213-1/\* old/

built with commit: 276440dbba809506bab505712755bc8d0bac449d

rafiss and others added 2 commits March 18, 2026 01:49
…ecking

This commit adds a new TEMPORARY database privilege that controls
whether a user can create temporary tables and views. This aligns
CockroachDB with PostgreSQL's privilege model where TEMPORARY is
a database-level privilege granted to PUBLIC by default.

The privilege check is version-gated on V26_2 so that during
mixed-version clusters the old behavior (checking CREATE on the
schema) is preserved.

Key changes:
- Add TEMPORARY to the privilege kind enum and wire it through the
  privilege system.
- In the optbuilder's resolveSchemaForCreate, check TEMPORARY on
  the database instead of CREATE on the schema for temp objects
  after V26_2.
- Handle TEMPORARY privilege specially in optCatalog.CheckPrivilege
  to resolve against the database descriptor.
- Add logic tests for the new privilege behavior with skipif/onlyif
  for mixed-version configs.

Release note (sql change): Added TEMPORARY database privilege that
controls whether users can create temporary tables and views. This
privilege is granted to the public role by default on new databases,
matching PostgreSQL behavior.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>

Add a cluster version migration (V26_2_GrantTemporaryToPublic) that
grants the TEMPORARY privilege to the public role on all existing
databases. This ensures that existing databases match the behavior of
newly created databases where PUBLIC has TEMPORARY by default.

The migration iterates over all database descriptors and adds the
TEMPORARY privilege to the public role if it is not already present.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
@rafiss rafiss force-pushed the fix-temp-table-create-privilege branch from 276440d to d256406 Compare March 18, 2026 05:51
@cockroach-teamcity

⚪ Sysbench [SQL, 3node, oltp_read_write]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 9.775m ±0% | 9.822m ±1% | ~ | p=0.029 n=15 |
| allocs/op | 8.076k ±0% | 8.102k ±0% | ~ | p=0.054 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/d256406/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/d256406140a7ce6a0aeabf1cb62e74ef7691217a/bin/pkg_sql_tests benchdiff/d256406/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/d256406/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/SQL/3node/oltp_read_write$ --old=3adb876 --new=d256406 --memprofile ./pkg/sql/tests
⚪ Sysbench [KV, 3node, oltp_read_only]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 3.079m ±2% | 3.097m ±2% | +0.58% | p=0.023 n=15 |
| allocs/op | 2.106k ±0% | 2.106k ±0% | ~ | p=0.220 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/d256406/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/d256406140a7ce6a0aeabf1cb62e74ef7691217a/bin/pkg_sql_tests benchdiff/d256406/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/d256406/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/KV/3node/oltp_read_only$ --old=3adb876 --new=d256406 --memprofile ./pkg/sql/tests
⚪ Sysbench [KV, 3node, oltp_write_only]

| Metric | Old Commit | New Commit | Delta | Note |
| --- | --- | --- | --- | --- |
| sec/op | 2.929m ±2% | 2.937m ±1% | ~ | p=0.967 n=15 |
| allocs/op | 4.207k ±0% | 4.207k ±0% | ~ | p=0.674 n=15 |

Reproduce

benchdiff binaries:

mkdir -p benchdiff/d256406/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/d256406140a7ce6a0aeabf1cb62e74ef7691217a/bin/pkg_sql_tests benchdiff/d256406/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/d256406/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
mkdir -p benchdiff/3adb876/bin/1058449141
gcloud storage cp gs://cockroach-microbench-ci/builds/3adb876f73cd66afdc7713bae1eb14a228d325ef/bin/pkg_sql_tests benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests
chmod +x benchdiff/3adb876/bin/1058449141/cockroachdb_cockroach_pkg_sql_tests

benchdiff command:

benchdiff --run=^BenchmarkSysbench/KV/3node/oltp_write_only$ --old=3adb876 --new=d256406 --memprofile ./pkg/sql/tests
Artifacts

download:

mkdir -p new
gcloud storage cp gs://cockroach-microbench-ci/artifacts/d256406140a7ce6a0aeabf1cb62e74ef7691217a/23231140061-1/\* new/
mkdir -p old
gcloud storage cp gs://cockroach-microbench-ci/artifacts/3adb876f73cd66afdc7713bae1eb14a228d325ef/23231140061-1/\* old/

built with commit: d256406140a7ce6a0aeabf1cb62e74ef7691217a

@rafiss rafiss marked this pull request as ready for review March 18, 2026 14:09
@rafiss rafiss requested review from a team as code owners March 18, 2026 14:09
@rafiss rafiss requested review from andrew-r-thomas, dhartunian and yuzefovich and removed request for a team March 18, 2026 14:09
@rafiss rafiss requested review from a team, fqazi, jasonlmfong, michae2, msbutler and shghasemi and removed request for a team, andrew-r-thomas, dhartunian, jasonlmfong, michae2, msbutler and yuzefovich March 18, 2026 14:09
@fqazi fqazi left a comment

:lgtm:

@fqazi partially reviewed 45 files and made 1 comment.
Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on shghasemi).

rafiss commented Mar 18, 2026

TFTR!

/trunk merge

@trunk-io trunk-io bot merged commit 1f44e24 into cockroachdb:master Mar 18, 2026
30 checks passed
@rafiss rafiss deleted the fix-temp-table-create-privilege branch March 19, 2026 22:15
Labels

target-release-26.2.0 X-perf-check Microbenchmarks CI: Added to a PR if a performance regression is detected and should be checked

Development

Successfully merging this pull request may close these issues.

sql: CREATE TEMP TABLE incorrectly requires CREATE privilege on public schema