sql: support the USAGE privilege on schemas

[rohany]

Fixes #53342.

This commit adds the USAGE privilege to schemas. The USAGE privilege
allows a user to resolve objects under a schema.

Release note (sql change): Support the USAGE privelege on schemas.

[cockroach-teamcity]

This change is 

[rohany]

First commit is #53344

[solongordon]

Reviewed 16 of 16 files at r1.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @ajwerner, @lucy-zhang, @rohany, and @solongordon)

---

pkg/sql/logictest/testdata/logic_test/schema, line 293 at r2 (raw file):

statement ok
CREATE TABLE privs.usage_tbl (x INT);
CREATE TYPE privs.usage_typ AS ENUM ('usage');

Would it make this test stronger if you also granted SELECT on the table and USAGE on the type?

[rohany]

Would it make this test stronger if you also granted SELECT on the table and USAGE on the type?

I don't think so, as Postgres(and we now) check the schema permissions first before the object permissions. I'm asserting that I get a schema permission error as well, so we know that we're getting the right error

[ajwerner]

Reviewed 3 of 4 files at r2.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @lucy-zhang, @rohany, and @solongordon)

[ajwerner]

speaking of @solongordon's question, do we properly deal with the USAGE privilege on enums?

Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @lucy-zhang, @rohany, and @solongordon)

[thoszhang]

Reviewed 14 of 16 files at r1, 4 of 4 files at r2.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @rohany)

---

pkg/sql/grant_revoke.go, line 231 at r2 (raw file):

			}
		case *schemadesc.Mutable:
			if err := p.writeSchemaDescChange(

Don't have to change anything right now, but I think eventually we should be doing all these writes in the same batch.

[rohany]

speaking of @solongordon's question, do we properly deal with the USAGE privilege on enums?

No, the usage privilege on enums is a bit different. USAGE on enums doesn't disallow just using the type in a SELECT 'x'::mytype. It only disallows you from using the type in a table or something that would cause a back reference.

[ajwerner]

speaking of @solongordon's question, do we properly deal with the USAGE privilege on enums?

No, the usage privilege on enums is a bit different. USAGE on enums doesn't disallow just using the type in a SELECT 'x'::mytype. It only disallows you from using the type in a table or something that would cause a back reference.

Just so we're clear, what you mean is if you have USAGE then you can create tables, right? Not having it disallows using it in tables. Nothing prevents selecting it IIUC so long as you can resolve it. That was my reading of

For types and domains, allows use of the type or domain in the creation of tables, functions, and other schema objects. (Note that this privilege does not control all “usage” of the type, such as values of the type appearing in queries. It only prevents objects from being created that depend on the type. The main purpose of this privilege is controlling which users can create dependencies on a type, which could prevent the owner from changing the type later.)

https://www.postgresql.org/docs/12/ddl-priv.html

[rohany]

Yes, thats what I meant. I was trying to say that having usage or not doesn't affect this particular test case.

[rohany]

bors r+

[otan]

bors r-

looks like this is broken on CI

[craig]

Canceled.

[rohany]

hmmmm

[otan]

:D

[rohany]

bors r+

[craig]

Build succeeded:

• GitHub CI (Cockroach)