release-25.4.10-rc: server: resolve role membership for CONNECT privilege checks in DB Console APIs#168493

Merged
angles-n-daemons merged 3 commits into cockroachdb:release-25.4.10-rc from angles-n-daemons:blathers/backport-release-25.4.10-rc-167430 on Apr 20, 2026

Conversation

@angles-n-daemons (Contributor)

Backport 3/3 commits from #156854 and #167430 on behalf of @kyle-a-wong.

Fixes ENGREQ-409

Summary

  • The DB Console Databases page API endpoints (/api/v2/database_metadata/,
    /api/v2/table_metadata/, /api/v2/table_metadata/updatejob/) only checked
    direct username and public as grantees when verifying CONNECT privileges.
    Users who inherited CONNECT through a role hierarchy (e.g.,
    user -> role_a -> role_b where role_b has CONNECT) saw an empty Databases
    page and got 404s, even though SHOW DATABASES in SQL correctly resolves
    inherited grants.
  • Fix all three query functions (getDatabaseMetadataBaseQuery,
    getTableMetadataBaseQuery, updateTableMetadataJobAuthorized) to use a
    recursive CTE that traverses system.role_members to resolve the full role
    membership chain.
  • Add tests for each affected endpoint verifying that inherited CONNECT grants
    are properly resolved and that breaking the role chain revokes access.

Resolves: #165991

Epic: none
Release note (bug fix): Fixed a bug where DB Console Databases page
privilege checks did not resolve role membership chains for CONNECT
grants. Users who inherited CONNECT through role hierarchies now
correctly see their authorized databases and tables.

Release justification: bug fix for customer-impacting issue (ENGREQ-409). Active production incident affecting operator visibility into cluster databases when CONNECT is inherited through role chains.

jasonlmfong and others added 3 commits April 16, 2026 11:33
pull the left join condition on role_members out into the where clause

Epic: None
Release: None
The admin user currently has no view into any of the databases/tables because it does not appear in the role_members table; this change adds a third condition to the where clause to allow the view.

Epic: None
Release: None
…nsole APIs

The API endpoints backing the DB Console Databases page
(/api/v2/database_metadata/, /api/v2/table_metadata/, and
/api/v2/table_metadata/updatejob/) only checked direct username and
'public' as grantees when verifying CONNECT privileges. This meant users
who inherited CONNECT through a role hierarchy (e.g., user -> role_a ->
role_b where role_b has CONNECT) saw an empty Databases page and got
404s, even though SQL correctly resolves inherited grants.

This is most visible in environments that have revoked CONNECT from
'public' as a security hardening measure.

Fix all three query functions to use a recursive CTE that traverses
system.role_members to resolve the full role membership chain.

Resolves: cockroachdb#165991

Release note (bug fix): Fixed a bug where DB Console Databases page
privilege checks did not resolve role membership chains for CONNECT
grants. Users who inherited CONNECT through role hierarchies now
correctly see their authorized databases and tables.

Epic: none

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
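The PR summary and the commit message above both describe the same change: replacing a grantee check that only matched the username and 'public' with a recursive CTE over system.role_members. The following is an added illustration, not code from the PR or from CockroachDB; it runs the pre-fix and fixed forms of the query against a constructed in-memory SQLite catalog whose role_members table mirrors the (role, member) shape of system.role_members, and whose database_privileges table is a simplified stand-in rather than the real catalog layout.

```python
import sqlite3

# Constructed stand-in for the catalog the check reads: role_members mirrors the
# (role, member) shape of CockroachDB's system.role_members; the privilege table
# is a simplified stand-in, not the real catalog layout.
SCHEMA = """
CREATE TABLE role_members (role TEXT NOT NULL, member TEXT NOT NULL);
CREATE TABLE database_privileges (database_name TEXT, grantee TEXT, privilege_type TEXT);
"""

# Pre-fix check: only the username itself and 'public' count as grantees.
DIRECT_ONLY = """
SELECT DISTINCT database_name FROM database_privileges
WHERE privilege_type = 'CONNECT' AND grantee IN (:user, 'public') ORDER BY database_name;
"""

# Fixed check: a recursive CTE follows member -> role edges until the whole
# membership chain is collected; UNION de-duplicates, so it also terminates on a cycle.
WITH_INHERITANCE = """
WITH RECURSIVE grantees(name) AS (
    SELECT :user UNION SELECT 'public'
    UNION
    SELECT rm.role FROM role_members rm JOIN grantees g ON rm.member = g.name
)
SELECT DISTINCT dp.database_name FROM database_privileges dp
JOIN grantees g ON dp.grantee = g.name
WHERE dp.privilege_type = 'CONNECT' ORDER BY dp.database_name;
"""

def databases_for(conn, user, resolve_roles=True):
    """Databases `user` may CONNECT to, with (fixed) or without (pre-fix) role resolution."""
    query = WITH_INHERITANCE if resolve_roles else DIRECT_ONLY
    return [row[0] for row in conn.execute(query, {"user": user})]

def revoke_membership(conn, role, member):
    """Break one link of the chain, as REVOKE role FROM member would."""
    conn.execute("DELETE FROM role_members WHERE role = ? AND member = ?", (role, member))

def build_demo():
    """Constructed sample data: alice -> role_a -> role_b, with CONNECT held only by role_b."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role_members VALUES (?, ?)",
                     [("role_a", "alice"), ("role_b", "role_a")])
    conn.executemany("INSERT INTO database_privileges VALUES (?, ?, ?)",
                     [("orders", "role_b", "CONNECT"),   # reachable only through the chain
                      ("scratch", "public", "CONNECT"),  # granted to everyone
                      ("hr", "bob", "CONNECT")])         # direct grant to bob
    return conn
```

With the sample data, the pre-fix query shows alice only the 'public' database, the fixed query also shows the one granted to role_b, and deleting the role_b -> role_a edge takes it away again. The separate admin condition mentioned in the second commit is not modelled here.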
@angles-n-daemons angles-n-daemons requested review from a team as code owners April 16, 2026 15:34
@angles-n-daemons angles-n-daemons requested review from dhartunian and removed request for a team April 16, 2026 15:34
blathers-crl Bot commented Apr 16, 2026

Thanks for opening a backport.

Before merging, please confirm that it falls into one of the following categories (select one):

  • Non-production code changes OR fixes for serious issues. Non-production includes test-only changes, build system changes, etc. Serious issues are defined in the policy as correctness, stability, or security issues, data corruption/loss, significant performance regressions, breaking working and widely used functionality, or an inability to detect and debug production issues.
  • Other approved changes. These changes must be gated behind a disabled-by-default feature flag unless there is a strong justification not to. Reference the approved ENGREQ ticket in the PR body (e.g., "Fixes ENGREQ-123").

Add a brief release justification to the PR description explaining your selection.

Also, confirm that the change does not break backward compatibility and complies with all aspects of the backport policy.

All backports must be reviewed by the TL and EM for the owning area.

@blathers-crl blathers-crl Bot added backport Label PR's that are backports to older release branches T-observability labels Apr 16, 2026
@cockroach-teamcity (Member)

This change is Reviewable

@angles-n-daemons angles-n-daemons merged commit 387ffa9 into cockroachdb:release-25.4.10-rc Apr 20, 2026
18 checks passed

Labels: backport (PRs that are backports to older release branches), T-observability, target-release-25.4.10
