sql: add VIEWEVENTLOG system privilege for event log visibility

souravcrl · claude · souravcrl · commit 3fa82118747f · 2026-05-27T15:23:51.000+05:30
Previously, viewing the event log required `admin` or `VIEWCLUSTERMETADATA`, both of which are overprivileged for users who only need to read cluster events (e.g. SREs and auditors correlating events during incidents). This change introduces a new `VIEWEVENTLOG` system privilege that grants read-only access to `system.eventlog`. The gRPC Events API now accepts either `VIEWEVENTLOG` or the existing `VIEWCLUSTERMETADATA` privilege, and the error message mentions both options. The privilege also grants implicit `SELECT` on `system.eventlog` so the DB Console SQL-based events page works correctly. Non-admin users can now be granted event log visibility via: ```sql GRANT SYSTEM VIEWEVENTLOG TO <user>; ``` Fixes: #169421 Epic: none Release note (sql change): Added a new `VIEWEVENTLOG` system privilege that grants read-only access to the event log. Non-admin users can be granted event log visibility via `GRANT SYSTEM VIEWEVENTLOG TO <user>` without needing `VIEWCLUSTERMETADATA` or the `admin` role. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/pkg/server/admin.go b/pkg/server/admin.go
@@ -1478,23 +1478,23 @@ func (s *adminServer) Events(
 ) (_ *serverpb.EventsResponse, retErr error) {
 	ctx = s.AnnotateCtx(ctx)
 
-	err := s.privilegeChecker.RequireViewClusterMetadataPermission(ctx)
-	if err != nil {
+	if err := s.privilegeChecker.RequireViewEventLogPermission(ctx); err != nil {
 		// NB: not using srverrors.ServerError() here since the priv checker
 		// already returns a proper gRPC error status.
 		return nil, err
 	}
 	redactEvents := !req.UnredactedEvents
 
+	userName, err := authserver.UserFromIncomingRPCContext(ctx)
+	if err != nil {
+		return nil, srverrors.ServerError(ctx, err)
+	}
+
 	limit := req.Limit
 	if limit == 0 {
 		limit = apiconstants.DefaultAPIEventLimit
 	}
 
-	userName, err := authserver.UserFromIncomingRPCContext(ctx)
-	if err != nil {
-		return nil, srverrors.ServerError(ctx, err)
-	}
 	r, err := s.eventsHelper(ctx, req, userName, int(limit), 0, redactEvents)
 	if err != nil {
 		return nil, srverrors.ServerError(ctx, err)
diff --git a/pkg/server/privchecker/api.go b/pkg/server/privchecker/api.go
@@ -44,6 +44,7 @@ type CheckerForRPCHandlers interface {
 	RequireViewClusterMetadataPermission(ctx context.Context) error
 	RequireRepairClusterPermission(ctx context.Context) error
 	RequireViewDebugPermission(ctx context.Context) error
+	RequireViewEventLogPermission(ctx context.Context) error
 }
 
 // SQLPrivilegeChecker is the part of the privilege checker that can
diff --git a/pkg/server/privchecker/privchecker.go b/pkg/server/privchecker/privchecker.go
@@ -190,6 +190,33 @@ func (c *adminPrivilegeChecker) RequireViewDebugPermission(ctx context.Context)
 		privilege.VIEWDEBUG.DisplayName())
 }
 
+// RequireViewEventLogPermission requires the user have admin or the
+// VIEWEVENTLOG or VIEWCLUSTERMETADATA system privilege and returns an
+// error if the user does not have any.
+func (c *adminPrivilegeChecker) RequireViewEventLogPermission(ctx context.Context) (err error) {
+	userName, isAdmin, err := c.GetUserAndRole(ctx)
+	if err != nil {
+		return srverrors.ServerError(ctx, err)
+	}
+	if isAdmin {
+		return nil
+	}
+	if hasViewEventLog, err := c.HasGlobalPrivilege(ctx, userName, privilege.VIEWEVENTLOG); err != nil {
+		return srverrors.ServerError(ctx, err)
+	} else if hasViewEventLog {
+		return nil
+	}
+	if hasViewClusterMetadata, err := c.HasGlobalPrivilege(ctx, userName, privilege.VIEWCLUSTERMETADATA); err != nil {
+		return srverrors.ServerError(ctx, err)
+	} else if hasViewClusterMetadata {
+		return nil
+	}
+	return grpcstatus.Errorf(
+		codes.PermissionDenied, "this operation requires the %s or %s system privilege",
+		privilege.VIEWEVENTLOG.DisplayName(),
+		privilege.VIEWCLUSTERMETADATA.DisplayName())
+}
+
 // GetUserAndRole is part of the CheckerForRPCHandlers interface.
 func (c *adminPrivilegeChecker) GetUserAndRole(
 	ctx context.Context,
diff --git a/pkg/server/privchecker/privchecker_test.go b/pkg/server/privchecker/privchecker_test.go
@@ -59,6 +59,8 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	sqlDB.Exec(t, "GRANT SYSTEM VIEWDEBUG TO withviewdebug")
 	sqlDB.Exec(t, "CREATE USER withviewjob")
 	sqlDB.Exec(t, "GRANT SYSTEM VIEWJOB TO withviewjob")
+	sqlDB.Exec(t, "CREATE USER withvieweventlog")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWEVENTLOG TO withvieweventlog")
 
 	execCfg := ts.ExecutorConfig().(sql.ExecutorConfig)
 	kvDB := ts.DB()
@@ -101,8 +103,9 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	withviewclustermetadata := username.MakeSQLUsernameFromPreNormalizedString("withviewclustermetadata")
 	withViewDebug := username.MakeSQLUsernameFromPreNormalizedString("withviewdebug")
 	withViewJob := username.MakeSQLUsernameFromPreNormalizedString("withviewjob")
+	withViewEventLog := username.MakeSQLUsernameFromPreNormalizedString("withvieweventlog")
 
-	// Test HasGlobalPrivilege for VIEWJOB.
+	// Test HasGlobalPrivilege for VIEWJOB and VIEWEVENTLOG.
 	globalPrivTests := []struct {
 		name      string
 		privilege privilege.Kind
@@ -111,6 +114,8 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	}{
 		{"viewjob-granted", privilege.VIEWJOB, withViewJob, true},
 		{"viewjob-not-granted", privilege.VIEWJOB, withoutPrivs, false},
+		{"vieweventlog-granted", privilege.VIEWEVENTLOG, withViewEventLog, true},
+		{"vieweventlog-not-granted", privilege.VIEWEVENTLOG, withoutPrivs, false},
 	}
 	for _, tt := range globalPrivTests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -163,6 +168,13 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 				withAdmin: false, withoutPrivs: true, withViewDebug: false,
 			},
 		},
+		{
+			"requireViewEventLogPermission",
+			underTest.RequireViewEventLogPermission,
+			map[username.SQLUsername]bool{
+				withAdmin: false, withoutPrivs: true, withViewEventLog: false, withviewclustermetadata: false,
+			},
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go
@@ -286,6 +286,18 @@ func (p *planner) CheckPrivilegeForUser(
 					return nil
 				}
 			}
+			// VIEWEVENTLOG grants implicit SELECT on system.eventlog.
+			if tableID == keys.EventLogTableID {
+				hasViewEventLog, err := p.HasPrivilege(
+					ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWEVENTLOG, user,
+				)
+				if err != nil {
+					return err
+				}
+				if hasViewEventLog {
+					return nil
+				}
+			}
 		}
 	}
 	return insufficientPrivilegeError(user, privilegeKind, privilegeObject)
diff --git a/pkg/sql/logictest/testdata/logic_test/show_eventlog_privilege b/pkg/sql/logictest/testdata/logic_test/show_eventlog_privilege
@@ -0,0 +1,62 @@
+# LogicTest: local
+
+# Verify that the VIEWEVENTLOG privilege grants access to system.eventlog.
+
+# testuser should not be able to read system.eventlog.
+user testuser
+
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Grant VIEWEVENTLOG to testuser.
+statement ok
+GRANT SYSTEM VIEWEVENTLOG TO testuser
+
+user testuser
+
+# testuser should now be able to read system.eventlog.
+statement ok
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Revoke VIEWEVENTLOG from testuser.
+statement ok
+REVOKE SYSTEM VIEWEVENTLOG FROM testuser
+
+user testuser
+
+# testuser should no longer be able to read system.eventlog.
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Test that inheriting VIEWEVENTLOG through a role works.
+statement ok
+CREATE ROLE eventlogviewer
+
+statement ok
+GRANT SYSTEM VIEWEVENTLOG TO eventlogviewer
+
+statement ok
+GRANT eventlogviewer TO testuser
+
+user testuser
+
+# testuser should be able to read system.eventlog through role membership.
+statement ok
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+statement ok
+REVOKE eventlogviewer FROM testuser
+
+user testuser
+
+# testuser should no longer be able to read system.eventlog.
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
diff --git a/pkg/sql/logictest/tests/local/generated_test.go b/pkg/sql/logictest/tests/local/generated_test.go
diff --git a/pkg/sql/privilege/kind.go b/pkg/sql/privilege/kind.go
@@ -73,7 +73,8 @@ const (
 	BUILTIN_UNSAFE_ALLOWED Kind = 42
 	MAINTAIN               Kind = 43
 	TEMPORARY              Kind = 44
-	largestKind                 = TEMPORARY
+	VIEWEVENTLOG           Kind = 45
+	largestKind                 = VIEWEVENTLOG
 
 	// RULE, SET, and ALTERSYSTEM are PostgreSQL ACL-only pseudo-privileges.
 	// They exist solely for ACL character mapping used by acldefault, aclexplode,
@@ -187,6 +188,8 @@ func (k Kind) InternalKey() KindInternalKey {
 		return "MAINTAIN"
 	case TEMPORARY:
 		return "TEMPORARY"
+	case VIEWEVENTLOG:
+		return "VIEWEVENTLOG"
 	case SET:
 		return "SET"
 	case ALTERSYSTEM:
diff --git a/pkg/sql/privilege/privilege.go b/pkg/sql/privilege/privilege.go
@@ -101,7 +101,7 @@ var (
 		ALL, BACKUP, RESTORE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED,
 		VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG, EXTERNALIOIMPLICITACCESS, VIEWJOB,
 		MODIFYSQLCLUSTERSETTING, REPLICATION, MANAGEVIRTUALCLUSTER, VIEWSYSTEMTABLE, CREATEROLE, CREATELOGIN, CREATEDB, CONTROLJOB,
-		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT,
+		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWEVENTLOG,
 	}
 	VirtualTablePrivileges       = List{ALL, SELECT}
 	ExternalConnectionPrivileges = List{ALL, USAGE, DROP, UPDATE}

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ type CheckerForRPCHandlers interface {`
`44`	`44`	`RequireViewClusterMetadataPermission(ctx context.Context) error`
`45`	`45`	`RequireRepairClusterPermission(ctx context.Context) error`
`46`	`46`	`RequireViewDebugPermission(ctx context.Context) error`
	`47`	`+ RequireViewEventLogPermission(ctx context.Context) error`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`// SQLPrivilegeChecker is the part of the privilege checker that can`
Original file line number	Diff line number	Diff line change
`@@ -286,6 +286,18 @@ func (p *planner) CheckPrivilegeForUser(`
`286`	`286`	`return nil`
`287`	`287`	`}`
`288`	`288`	`}`
	`289`	`+ // VIEWEVENTLOG grants implicit SELECT on system.eventlog.`
	`290`	`+ if tableID == keys.EventLogTableID {`
	`291`	`+ hasViewEventLog, err := p.HasPrivilege(`
	`292`	`+ ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWEVENTLOG, user,`
	`293`	`+ )`
	`294`	`+ if err != nil {`
	`295`	`+ return err`
	`296`	`+ }`
	`297`	`+ if hasViewEventLog {`
	`298`	`+ return nil`
	`299`	`+ }`
	`300`	`+ }`
`289`	`301`	`}`
`290`	`302`	`}`
`291`	`303`	`return insufficientPrivilegeError(user, privilegeKind, privilegeObject)`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ var (`
`101`	`101`	`ALL, BACKUP, RESTORE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED,`
`102`	`102`	`VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG, EXTERNALIOIMPLICITACCESS, VIEWJOB,`
`103`	`103`	`MODIFYSQLCLUSTERSETTING, REPLICATION, MANAGEVIRTUALCLUSTER, VIEWSYSTEMTABLE, CREATEROLE, CREATELOGIN, CREATEDB, CONTROLJOB,`
`104`		`- REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT,`
	`104`	`+ REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWEVENTLOG,`
`105`	`105`	`}`
`106`	`106`	`VirtualTablePrivileges = List{ALL, SELECT}`
`107`	`107`	`ExternalConnectionPrivileges = List{ALL, USAGE, DROP, UPDATE}`