sql: implement DROP PROVISIONED ROLES execution#166958
Draft
souravcrl wants to merge 3 commits into cockroachdb:master from
Add the `DropProvisionedRoles` AST struct and `DropProvisionedRolesOptions`
to `pkg/sql/sem/tree/drop.go`, along with statement metadata methods in
`stmt.go`.

The new statement supports optional filter clauses:

    DROP PROVISIONED ROLES
      WITH SOURCE = 'ldap:ldap.example.com',
           LAST ACCESS TIME OLDER THAN '2025-01-01'
      LIMIT 10

`DropProvisionedRolesOptions` has its own `Format`, `CombineWith`, and
`IsDefault` methods, mirroring the pattern used by `ShowUsersOptions`.

Epic CRDB-52460
fixes CRDB-52797
Release note: None
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Extend the SQL parser grammar to support the DROP PROVISIONED ROLES
statement with optional WITH clauses and LIMIT:

    DROP PROVISIONED ROLES [WITH <options>] [LIMIT <n>]

Options (comma-separated):

    SOURCE = <string>
    LAST ACCESS TIME OLDER THAN <expr>

Add `PROVISIONED` as an unreserved keyword. Define dedicated grammar rules
(`opt_with_drop_provisioned_roles_options`,
`drop_provisioned_roles_options_list`, `drop_provisioned_roles_option`) and
wire the new `drop_provisioned_roles_stmt` production into `drop_stmt`.

Add parse roundtrip tests covering all option combinations.

Epic CRDB-52460
fixes: CRDB-52797
Release note: None
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add `DropProvisionedRolesNode` in a new `drop_provisioned_roles.go` file
that implements the plan node for the DROP PROVISIONED ROLES statement.

The execution logic:

1. Requires CREATEROLE privilege.
2. Builds a filtered SQL query against system.users joined with
   system.role_options to find users with PROVISIONSRC, optionally
   filtered by SOURCE value and LAST ACCESS TIME OLDER THAN timestamp.
3. For each matched user, checks dependencies (owned objects, grants,
   default privileges, scheduled jobs, system privileges). Users with
   dependencies are skipped with a client NOTICE rather than failing
   the entire operation.
4. Deletes the role from system.users, system.role_members,
   system.role_options, system.database_role_settings, and revokes
   web sessions.
5. Bumps role-related table versions and logs per-user DropRole audit
   events.

Note: This plan node is not yet wired into opaque.go dispatch; that
happens in a subsequent PR.

Epic CRDB-52460
fixes: CRDB-52797
Release note: None
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
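
The filter and skip-with-NOTICE steps of the execution logic above, as an added Go example that is not code from this PR or from CockroachDB. `Role`, `Filter`, `dropProvisioned`, `day` and the sample roles are hypothetical names and constructed data; the example models only steps 2 and 3 in memory, so LIMIT, the system-table deletes and the audit events do not appear.

```go
package main

import (
	"fmt"
	"time"
)

// Role is a constructed stand-in for a system.users row with a PROVISIONSRC option.
type Role struct {
	Name, Source string
	LastAccess   time.Time
	Deps         []string // owned objects, grants, scheduled jobs, ...
}

// Filter mirrors the WITH options; a zero value means the option is absent.
type Filter struct {
	Source    string
	OlderThan time.Time
}

// dropProvisioned returns the names that would be dropped and one notice per
// role skipped for dependencies; a skip never aborts the rest of the batch.
func dropProvisioned(roles []Role, f Filter) (dropped, notices []string) {
	for _, r := range roles {
		if (f.Source != "" && r.Source != f.Source) ||
			(!f.OlderThan.IsZero() && !r.LastAccess.Before(f.OlderThan)) {
			continue // filtered out by SOURCE or LAST ACCESS TIME OLDER THAN
		}
		if len(r.Deps) > 0 {
			notices = append(notices, fmt.Sprintf("NOTICE: skipping %s: %v", r.Name, r.Deps))
			continue
		}
		dropped = append(dropped, r.Name)
	}
	return dropped, notices
}

func day(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
// sample is constructed data, not output from a real cluster.
var sample = []Role{
	{"alice", "ldap:ldap.example.com", day("2024-03-01"), nil},
	{"bob", "ldap:ldap.example.com", day("2024-06-15"), []string{"owns table db.t"}},
	{"carol", "ldap:ldap.example.com", day("2025-02-10"), nil},
	{"dave", "ldap:other.example.com", day("2023-11-30"), nil},
}

func main() {
	fmt.Println(dropProvisioned(sample, Filter{"ldap:ldap.example.com", day("2025-01-01")}))
}
```

A role that appears in the notices still exists after the statement returns, so the notices are the list to review when the goal is removing stale provisioned accounts.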