sql: gate SHOW SCHEDULES behind VIEWJOB system privilege

souravcrl · claude · souravcrl · commit 4198d370cbde · 2026-05-08T16:05:39.000+05:30
Previously, `SHOW SCHEDULES` was implicitly gated by `SELECT` on `system.scheduled_jobs` and `system.jobs`, which only `admin` has by default. This made it impossible to grant schedule visibility to non-admin users without granting broad access to system tables. This change gates `SHOW SCHEDULES` behind the existing `VIEWJOB` system privilege (which already controls job visibility and is a natural fit for schedule visibility). Admin users satisfy this check implicitly through `ALL` privileges. The privilege also grants implicit `SELECT` on `system.scheduled_jobs` and `system.jobs` so the delegated query executes successfully. The delegator performs an upfront privilege check (rather than relying solely on the authorization.go fallback) because without it the user would see a confusing "does not have SELECT privilege on relation scheduled_jobs" error instead of a clear message about the VIEWJOB privilege. The check properly distinguishes InsufficientPrivilege from transient errors to avoid swallowing operational failures. On the DB Console side, the schedules API now checks for SQL execution errors before accessing results, preventing runtime crashes when the user lacks the required privilege. Fixes: #169420 Epic: none Release note (sql change): `SHOW SCHEDULES` now requires the `VIEWJOB` system privilege. Non-admin users can be granted schedule visibility via `GRANT SYSTEM VIEWJOB TO <user>` without needing direct `SELECT` on system tables. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/pkg/server/privchecker/BUILD.bazel b/pkg/server/privchecker/BUILD.bazel
@@ -39,6 +39,7 @@ go_test(
         "//pkg/server",
         "//pkg/sql",
         "//pkg/sql/isql",
+        "//pkg/sql/privilege",
         "//pkg/testutils/serverutils",
         "//pkg/testutils/sqlutils",
         "//pkg/testutils/testcluster",
diff --git a/pkg/server/privchecker/privchecker_test.go b/pkg/server/privchecker/privchecker_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/server/privchecker"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/isql"
+	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
 	"github.com/cockroachdb/cockroach/pkg/testutils/sqlutils"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
@@ -56,6 +57,8 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	sqlDB.Exec(t, "GRANT SYSTEM VIEWCLUSTERMETADATA TO withviewclustermetadata")
 	sqlDB.Exec(t, "CREATE USER withviewdebug")
 	sqlDB.Exec(t, "GRANT SYSTEM VIEWDEBUG TO withviewdebug")
+	sqlDB.Exec(t, "CREATE USER withviewjob")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWJOB TO withviewjob")
 
 	execCfg := ts.ExecutorConfig().(sql.ExecutorConfig)
 	kvDB := ts.DB()
@@ -97,6 +100,25 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	withVaAndRedactedGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaandredactedglobalprivilege")
 	withviewclustermetadata := username.MakeSQLUsernameFromPreNormalizedString("withviewclustermetadata")
 	withViewDebug := username.MakeSQLUsernameFromPreNormalizedString("withviewdebug")
+	withViewJob := username.MakeSQLUsernameFromPreNormalizedString("withviewjob")
+
+	// Test HasGlobalPrivilege for VIEWJOB.
+	globalPrivTests := []struct {
+		name      string
+		privilege privilege.Kind
+		username  username.SQLUsername
+		wantHas   bool
+	}{
+		{"viewjob-granted", privilege.VIEWJOB, withViewJob, true},
+		{"viewjob-not-granted", privilege.VIEWJOB, withoutPrivs, false},
+	}
+	for _, tt := range globalPrivTests {
+		t.Run(tt.name, func(t *testing.T) {
+			has, err := underTest.HasGlobalPrivilege(ctx, tt.username, tt.privilege)
+			require.NoError(t, err)
+			require.Equal(t, tt.wantHas, has)
+		})
+	}
 
 	tests := []struct {
 		name            string
diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go
@@ -272,6 +272,20 @@ func (p *planner) CheckPrivilegeForUser(
 			if hasViewSystemTablePriv {
 				return nil
 			}
+			// VIEWJOB grants implicit SELECT on system.scheduled_jobs and
+			// system.jobs, the two tables underlying SHOW SCHEDULES.
+			tableID := d.GetID()
+			if tableID == keys.ScheduledJobsTableID || tableID == keys.JobsTableID {
+				hasViewJob, err := p.HasPrivilege(
+					ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWJOB, user,
+				)
+				if err != nil {
+					return err
+				}
+				if hasViewJob {
+					return nil
+				}
+			}
 		}
 	}
 	return insufficientPrivilegeError(user, privilegeKind, privilegeObject)
diff --git a/pkg/sql/delegate/show_schedules.go b/pkg/sql/delegate/show_schedules.go
@@ -10,14 +10,45 @@ import (
 	"strings"
 
 	"github.com/cockroachdb/cockroach/pkg/jobs"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
+	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/sql/sqltelemetry"
+	"github.com/cockroachdb/cockroach/pkg/sql/syntheticprivilege"
 )
 
 // commandColumn converts executor execution arguments into jsonb representation.
 const commandColumn = `crdb_internal.pb_to_json('cockroach.jobs.jobspb.ExecutionArguments', execution_args, false, true)->'args'`
 
 func (d *delegator) delegateShowSchedules(n *tree.ShowSchedules) (tree.Statement, error) {
+	// Provide a clear privilege error upfront. Without this check, the
+	// delegated query would fail with "does not have SELECT privilege on
+	// relation scheduled_jobs", which doesn't tell the user what privilege
+	// they actually need. The authorization.go layer grants implicit SELECT
+	// on the underlying system tables when VIEWJOB or VIEWSYSTEMTABLE
+	// is held, so we let those users through.
+	cat := d.catalog
+	user := cat.GetCurrentUser()
+	globalPrivObj := syntheticprivilege.GlobalPrivilegeObject
+	hasViewJob := false
+	if err := cat.CheckPrivilege(d.ctx, globalPrivObj, user, privilege.VIEWJOB); err == nil {
+		hasViewJob = true
+	} else if pgerror.GetPGCode(err) != pgcode.InsufficientPrivilege {
+		return nil, err
+	}
+	if !hasViewJob {
+		if err := cat.CheckPrivilege(d.ctx, globalPrivObj, user, privilege.VIEWSYSTEMTABLE); err == nil {
+			// VIEWSYSTEMTABLE grants access too.
+		} else if pgerror.GetPGCode(err) != pgcode.InsufficientPrivilege {
+			return nil, err
+		} else {
+			return nil, pgerror.Newf(pgcode.InsufficientPrivilege,
+				"user %s does not have %s system privilege",
+				user, privilege.VIEWJOB)
+		}
+	}
+
 	sqltelemetry.IncrementShowCounter(sqltelemetry.Schedules)
 
 	columnExprs := []string{
diff --git a/pkg/sql/logictest/testdata/logic_test/show_schedules_privilege b/pkg/sql/logictest/testdata/logic_test/show_schedules_privilege
@@ -0,0 +1,84 @@
+# LogicTest: local
+
+# Verify that SHOW SCHEDULES requires the VIEWJOB privilege.
+
+# testuser should not be able to SHOW SCHEDULES.
+user testuser
+
+statement error user testuser does not have VIEWJOB system privilege
+SHOW SCHEDULES
+
+user root
+
+# Grant VIEWJOB to testuser.
+statement ok
+GRANT SYSTEM VIEWJOB TO testuser
+
+user testuser
+
+# testuser should now be able to SHOW SCHEDULES.
+statement ok
+SHOW SCHEDULES
+
+user root
+
+# Revoke VIEWJOB from testuser.
+statement ok
+REVOKE SYSTEM VIEWJOB FROM testuser
+
+user testuser
+
+# testuser should no longer be able to SHOW SCHEDULES.
+statement error user testuser does not have VIEWJOB system privilege
+SHOW SCHEDULES
+
+user root
+
+# Test that inheriting VIEWJOB through a role works.
+statement ok
+CREATE ROLE scheduleviewer
+
+statement ok
+GRANT SYSTEM VIEWJOB TO scheduleviewer
+
+statement ok
+GRANT scheduleviewer TO testuser
+
+user testuser
+
+# testuser should be able to SHOW SCHEDULES through role membership.
+statement ok
+SHOW SCHEDULES
+
+user root
+
+statement ok
+REVOKE scheduleviewer FROM testuser
+
+user testuser
+
+# testuser should no longer be able to SHOW SCHEDULES.
+statement error user testuser does not have VIEWJOB system privilege
+SHOW SCHEDULES
+
+user root
+
+# Test that VIEWSYSTEMTABLE also grants access to SHOW SCHEDULES (no
+# regression for users who previously relied on this broader privilege).
+statement ok
+GRANT SYSTEM VIEWSYSTEMTABLE TO testuser
+
+user testuser
+
+statement ok
+SHOW SCHEDULES
+
+user root
+
+statement ok
+REVOKE SYSTEM VIEWSYSTEMTABLE FROM testuser
+
+user testuser
+
+statement error user testuser does not have VIEWJOB system privilege
+SHOW SCHEDULES
diff --git a/pkg/sql/logictest/tests/local/generated_test.go b/pkg/sql/logictest/tests/local/generated_test.go
diff --git a/pkg/ui/workspaces/cluster-ui/src/api/schedulesApi.ts b/pkg/ui/workspaces/cluster-ui/src/api/schedulesApi.ts
@@ -12,6 +12,7 @@ import {
   executeInternalSql,
   LARGE_RESULT_SIZE,
   SqlExecutionRequest,
+  sqlApiErrorMessage,
   sqlResultsAreEmpty,
 } from "./sqlApi";
 
@@ -78,6 +79,9 @@ export function getSchedules(req: {
     execute: true,
   };
   return executeInternalSql<ScheduleColumns>(request).then(result => {
+    if (result.error) {
+      throw new Error(sqlApiErrorMessage(result.error.message));
+    }
     const txnResults = result.execution.txn_results;
     if (sqlResultsAreEmpty(result)) {
       // No data.
@@ -122,6 +126,9 @@ export function getSchedule(id: Long): Promise<Schedule> {
     execute: true,
   };
   return executeInternalSql<ScheduleColumns>(request).then(result => {
+    if (result.error) {
+      throw new Error(sqlApiErrorMessage(result.error.message));
+    }
     const txnResults = result.execution.txn_results;
     if (txnResults.length === 0 || !txnResults[0].rows) {
       // No data.
