Merge #155464 #155608

craig[bot] · shghasemi · ajstorm · craig[bot] · commit 0cda953f8b7e · 2025-10-17T15:31:54.000Z
155464: sql: set rolreplication in pg_authid and pg_roles r=shghasemi a=shghasemi Previously, rolreplication column from pg_authid and pg_roles was always set to false, therefore, it did not show whether or not the role has replication privilege. This change sets rolreplication to true if the user has at least one of REPLICATION, REPLICATIONSOURCE, or REPLICATIONDEST privileges. This change will improve the users ability to do introspection. Epic: None Fixes: #147507 Release note (bug fix): Populate rolreplication in pg_catalog.pg_roles and pg_catalog.pg_authid to indicate if the role has at least one of REPLICATION, REPLICATIONSOURCE, or REPLICATIONDEST privileges. 155608: dev-inf: Fix YAML syntax error in GH action r=rickystewart a=ajstorm Changed Stage 3 output format from using colon to dash to avoid YAML parsing error. The colon in 'STAGE3_RESULT: POTENTIAL_BUG_CONFIRMED' was causing YAML to interpret it as a mapping instead of a string. Changed to: 'STAGE3_RESULT - POTENTIAL_BUG_CONFIRMED' This syntax error was preventing the entire workflow from running. Epic: none Release note: none Co-authored-by: Shadi Ghasemitaheri <shadi.ghasemitaheri@cockroachlabs.com> Co-authored-by: Adam Storm <storm@cockroachlabs.com>
diff --git a/.github/workflows/pr-analyzer-threestage.yml b/.github/workflows/pr-analyzer-threestage.yml
@@ -174,8 +174,8 @@ jobs:
             3. A suggested fix
 
             **OUTPUT REQUIREMENT**: End your response with a single line containing only:
-            - `STAGE3_RESULT: POTENTIAL_BUG_CONFIRMED` or
-            - `STAGE3_RESULT: NO_BUG_FOUND`
+            - `STAGE3_RESULT - POTENTIAL_BUG_CONFIRMED` or
+            - `STAGE3_RESULT - NO_BUG_FOUND`
 
       - name: Extract Stage 3 Result
         id: stage3_result
@@ -226,7 +226,7 @@ jobs:
             **If all three stages detected bugs**, this indicates a potential issue that warrants investigation.
 
       - name: Comment on PR if bugs confirmed
-        if: contains(steps.stage3_result.outputs.result, 'STAGE3_RESULT: POTENTIAL_BUG_CONFIRMED')
+        if: contains(steps.stage3_result.outputs.result, 'STAGE3_RESULT - POTENTIAL_BUG_CONFIRMED')
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
diff --git a/pkg/cli/clisqlshell/testdata/describe b/pkg/cli/clisqlshell/testdata/describe
@@ -1966,10 +1966,10 @@ SELECT rolname AS "Role name",
        memberof AS "Member of"
   FROM roles
 Role name,Attributes,Member of
-myuser,"Superuser, Create role, Create DB, Bypass RLS",{admin}
-root,"Superuser, Create role, Create DB, Bypass RLS",{admin}
-admin,"Superuser, Create role, Create DB, Bypass RLS",{}
-node,"Superuser, Create role, Create DB, Cannot login, Bypass RLS",{}
+myuser,"Superuser, Create role, Create DB, Replication, Bypass RLS",{admin}
+root,"Superuser, Create role, Create DB, Replication, Bypass RLS",{admin}
+admin,"Superuser, Create role, Create DB, Replication, Bypass RLS",{}
+node,"Superuser, Create role, Create DB, Cannot login, Replication, Bypass RLS",{}
 
 cli
 \du myuser
@@ -2008,7 +2008,7 @@ SELECT rolname AS "Role name",
        memberof AS "Member of"
   FROM roles
 Role name,Attributes,Member of
-myuser,"Superuser, Create role, Create DB, Bypass RLS",{admin}
+myuser,"Superuser, Create role, Create DB, Replication, Bypass RLS",{admin}
 
 subtest end
 
diff --git a/pkg/sql/logictest/testdata/logic_test/pg_catalog b/pkg/sql/logictest/testdata/logic_test/pg_catalog
@@ -2800,9 +2800,9 @@ FROM pg_catalog.pg_roles
 ORDER BY rolname
 ----
 oid         rolname   rolsuper  rolinherit  rolcreaterole  rolcreatedb  rolcatupdate  rolcanlogin  rolreplication
-2310524507  admin     true      true        true           true         false         true         false
-3233629770  node      true      true        true           true         false         false        false
-1546506610  root      true      true        true           true         false         true         false
+2310524507  admin     true      true        true           true         false         true         true
+3233629770  node      true      true        true           true         false         false        true
+1546506610  root      true      true        true           true         false         true         true
 2264919399  testuser  false     true        false          false        false         true         false
 
 query OTITTBT colnames
@@ -2836,6 +2836,53 @@ testuser
 statement ok
 DELETE FROM system.users WHERE username = 'non_cached_user'
 
+## rolreplication from pg_catalog.pg_authid and pg_catalog.pg_roles
+statement ok
+CREATE ROLE test_no_replication;
+CREATE ROLE test_replication;
+GRANT SYSTEM REPLICATION to test_replication;
+CREATE ROLE test_src_replication;
+GRANT SYSTEM REPLICATIONSOURCE to test_src_replication;
+CREATE ROLE test_dst_replication;
+GRANT SYSTEM REPLICATIONDEST to test_dst_replication;
+
+query TB colnames
+SELECT rolname, rolreplication FROM pg_catalog.pg_roles
+ORDER BY rolname
+----
+rolname               rolreplication
+admin                 true
+node                  true
+root                  true
+test_dst_replication  true
+test_no_replication   false
+test_replication      true
+test_src_replication  true
+testuser              false
+
+query TB colnames
+SELECT rolname, rolreplication FROM pg_catalog.pg_authid
+ORDER BY rolname
+----
+rolname               rolreplication
+admin                 true
+node                  true
+root                  true
+test_dst_replication  true
+test_no_replication   false
+test_replication      true
+test_src_replication  true
+testuser              false
+
+statement ok
+DROP ROLE test_no_replication;
+REVOKE SYSTEM REPLICATION FROM test_replication;
+REVOKE SYSTEM REPLICATIONSOURCE FROM test_src_replication;
+REVOKE SYSTEM REPLICATIONDEST FROM test_dst_replication;
+DROP ROLE test_replication;
+DROP ROLE test_src_replication;
+DROP ROLE test_dst_replication;
+
 ## pg_catalog.pg_auth_members
 
 query OOOB colnames
diff --git a/pkg/sql/pg_catalog.go b/pkg/sql/pg_catalog.go
@@ -607,6 +607,26 @@ func userIsSuper(
 	return tree.DBool(isSuper), err
 }
 
+func userHasReplicationPrivilegeOrRoleOption(
+	ctx context.Context, p *planner, userName username.SQLUsername,
+) (tree.DBool, error) {
+	replication, err := p.UserHasGlobalPrivilegeOrRoleOption(ctx, privilege.REPLICATION, userName)
+	if err != nil {
+		return *tree.DBoolFalse, err
+	}
+
+	replicationDest, err := p.UserHasGlobalPrivilegeOrRoleOption(ctx, privilege.REPLICATIONDEST, userName)
+	if err != nil {
+		return *tree.DBoolFalse, err
+	}
+
+	replicationSrc, err := p.UserHasGlobalPrivilegeOrRoleOption(ctx, privilege.REPLICATIONSOURCE, userName)
+	if err != nil {
+		return *tree.DBoolFalse, err
+	}
+	return tree.DBool(replication || replicationDest || replicationSrc), nil
+}
+
 var pgCatalogAuthIDTable = virtualSchemaTable{
 	comment: `authorization identifiers - differs from postgres as we do not display passwords, 
 and thus do not require admin privileges for access. 
@@ -649,6 +669,11 @@ https://www.postgresql.org/docs/9.5/catalog-pg-authid.html`,
 				return err
 			}
 
+			replication, err := userHasReplicationPrivilegeOrRoleOption(ctx, p, userName)
+			if err != nil {
+				return err
+			}
+
 			return addRow(
 				h.UserOid(userName),                              // oid
 				tree.NewDName(userName.Normalized()),             // rolname
@@ -657,7 +682,7 @@ https://www.postgresql.org/docs/9.5/catalog-pg-authid.html`,
 				tree.MakeDBool(isRoot || tree.DBool(createRole)), // rolcreaterole
 				tree.MakeDBool(isRoot || tree.DBool(createDB)),   // rolcreatedb
 				tree.MakeDBool(roleCanLogin),                     // rolcanlogin.
-				tree.DBoolFalse,                                  // rolreplication
+				tree.MakeDBool(replication),                      // rolreplication
 				tree.MakeDBool(tree.DBool(bypassRLS)),            // rolbypassrls
 				negOneVal,                                        // rolconnlimit
 				passwdStarString,                                 // rolpassword
@@ -3022,6 +3047,11 @@ https://www.postgresql.org/docs/9.5/view-pg-roles.html`,
 					return err
 				}
 
+				replication, err := userHasReplicationPrivilegeOrRoleOption(ctx, p, userName)
+				if err != nil {
+					return err
+				}
+
 				return addRow(
 					h.UserOid(userName),                               // oid
 					tree.NewDName(userName.Normalized()),              // rolname
@@ -3031,7 +3061,7 @@ https://www.postgresql.org/docs/9.5/view-pg-roles.html`,
 					tree.MakeDBool(isSuper || tree.DBool(createDB)),   // rolcreatedb
 					tree.DBoolFalse,                                   // rolcatupdate
 					tree.MakeDBool(roleCanLogin),                      // rolcanlogin.
-					tree.DBoolFalse,                                   // rolreplication
+					tree.MakeDBool(replication),                       // rolreplication
 					negOneVal,                                         // rolconnlimit
 					passwdStarString,                                  // rolpassword
 					rolValidUntil,                                     // rolvaliduntil
