sql: add VIEWEVENTLOG system privilege for event log visibility

Previously, viewing the event log required `admin` or
`VIEWCLUSTERMETADATA`, both of which are overprivileged for users who
only need to read cluster events (e.g. SREs and auditors correlating
events during incidents).

This change introduces a new `VIEWEVENTLOG` system privilege that
grants read-only access to `system.eventlog`. The gRPC Events API now
accepts either `VIEWEVENTLOG` or the existing `VIEWCLUSTERMETADATA`
privilege, and the error message mentions both options. The privilege
also grants implicit `SELECT` on `system.eventlog` so the DB Console
SQL-based events page works correctly.

Non-admin users can now be granted event log visibility via:
```sql
GRANT SYSTEM VIEWEVENTLOG TO <user>;
```

Fixes: #169421
Epic: none
Release note (sql change): Added a new `VIEWEVENTLOG` system privilege
that grants read-only access to the event log. Non-admin users can be
granted event log visibility via `GRANT SYSTEM VIEWEVENTLOG TO <user>`
without needing `VIEWCLUSTERMETADATA` or the `admin` role.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: souravcrl

pkg/server/admin.go

@@ -1478,11 +1478,29 @@ func (s *adminServer) Events(
 ) (_ *serverpb.EventsResponse, retErr error) {
 	ctx = s.AnnotateCtx(ctx)
 
-	err := s.privilegeChecker.RequireViewClusterMetadataPermission(ctx)
+	// Accept either VIEWEVENTLOG or VIEWCLUSTERMETADATA.
+	userName, isAdmin, err := s.privilegeChecker.GetUserAndRole(ctx)
 	if err != nil {
-		// NB: not using srverrors.ServerError() here since the priv checker
-		// already returns a proper gRPC error status.
-		return nil, err
+		return nil, srverrors.ServerError(ctx, err)
+	}
+	if !isAdmin {
+		hasEventLog, err := s.privilegeChecker.HasGlobalPrivilege(ctx, userName, privilege.VIEWEVENTLOG)
+		if err != nil {
+			return nil, srverrors.ServerError(ctx, err)
+		}
+		if !hasEventLog {
+			hasClusterMeta, err := s.privilegeChecker.HasGlobalPrivilege(ctx, userName, privilege.VIEWCLUSTERMETADATA)
+			if err != nil {
+				return nil, srverrors.ServerError(ctx, err)
+			}
+			if !hasClusterMeta {
+				return nil, grpcstatus.Errorf(
+					codes.PermissionDenied,
+					"this operation requires the %s or %s system privilege",
+					privilege.VIEWEVENTLOG.DisplayName(),
+					privilege.VIEWCLUSTERMETADATA.DisplayName())
+			}
+		}
 	}
 	redactEvents := !req.UnredactedEvents
 
@@ -1491,10 +1509,6 @@ func (s *adminServer) Events(
 		limit = apiconstants.DefaultAPIEventLimit
 	}
 
-	userName, err := authserver.UserFromIncomingRPCContext(ctx)
-	if err != nil {
-		return nil, srverrors.ServerError(ctx, err)
-	}
 	r, err := s.eventsHelper(ctx, req, userName, int(limit), 0, redactEvents)
 	if err != nil {
 		return nil, srverrors.ServerError(ctx, err)

pkg/sql/authorization.go

@@ -286,6 +286,18 @@ func (p *planner) CheckPrivilegeForUser(
 					return nil
 				}
 			}
+			// VIEWEVENTLOG grants implicit SELECT on system.eventlog.
+			if tableID == keys.EventLogTableID {
+				hasViewEventLog, err := p.HasPrivilege(
+					ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWEVENTLOG, user,
+				)
+				if err != nil {
+					return err
+				}
+				if hasViewEventLog {
+					return nil
+				}
+			}
 		}
 	}
 	return insufficientPrivilegeError(user, privilegeKind, privilegeObject)

pkg/sql/delegate/show_schedules.go

@@ -26,17 +26,22 @@ func (d *delegator) delegateShowSchedules(n *tree.ShowSchedules) (tree.Statement
 	// delegated query would fail with "does not have SELECT privilege on
 	// relation scheduled_jobs", which doesn't tell the user what privilege
 	// they actually need. The authorization.go layer grants implicit SELECT
-	// on the underlying system tables when VIEWSCHEDULE is held.
-	if err := d.catalog.CheckPrivilege(
-		d.ctx, syntheticprivilege.GlobalPrivilegeObject,
-		d.catalog.GetCurrentUser(), privilege.VIEWSCHEDULE,
-	); err != nil {
-		if pgerror.GetPGCode(err) == pgcode.InsufficientPrivilege {
+	// on the underlying system tables when VIEWSCHEDULE or VIEWSYSTEMTABLE
+	// is held, so we let those users through.
+	cat := d.catalog
+	user := cat.GetCurrentUser()
+	hasViewSchedule := cat.CheckPrivilege(
+		d.ctx, syntheticprivilege.GlobalPrivilegeObject, user, privilege.VIEWSCHEDULE,
+	) == nil
+	if !hasViewSchedule {
+		hasViewSystemTable := cat.CheckPrivilege(
+			d.ctx, syntheticprivilege.GlobalPrivilegeObject, user, privilege.VIEWSYSTEMTABLE,
+		) == nil
+		if !hasViewSystemTable {
 			return nil, pgerror.Newf(pgcode.InsufficientPrivilege,
 				"user %s does not have %s system privilege",
-				d.catalog.GetCurrentUser(), privilege.VIEWSCHEDULE)
+				user, privilege.VIEWSCHEDULE)
 		}
-		return nil, err
 	}
 
 	sqltelemetry.IncrementShowCounter(sqltelemetry.Schedules)

pkg/sql/logictest/testdata/logic_test/show_eventlog_privilege

@@ -0,0 +1,62 @@
+# LogicTest: local
+
+# Verify that the VIEWEVENTLOG privilege grants access to system.eventlog.
+
+# testuser should not be able to read system.eventlog.
+user testuser
+
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Grant VIEWEVENTLOG to testuser.
+statement ok
+GRANT SYSTEM VIEWEVENTLOG TO testuser
+
+user testuser
+
+# testuser should now be able to read system.eventlog.
+statement ok
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Revoke VIEWEVENTLOG from testuser.
+statement ok
+REVOKE SYSTEM VIEWEVENTLOG FROM testuser
+
+user testuser
+
+# testuser should no longer be able to read system.eventlog.
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Test that inheriting VIEWEVENTLOG through a role works.
+statement ok
+CREATE ROLE eventlogviewer
+
+statement ok
+GRANT SYSTEM VIEWEVENTLOG TO eventlogviewer
+
+statement ok
+GRANT eventlogviewer TO testuser
+
+user testuser
+
+# testuser should be able to read system.eventlog through role membership.
+statement ok
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+statement ok
+REVOKE eventlogviewer FROM testuser
+
+user testuser
+
+# testuser should no longer be able to read system.eventlog.
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0

pkg/sql/logictest/testdata/logic_test/show_schedules_privilege

@@ -60,3 +60,25 @@ user testuser
 # testuser should no longer be able to SHOW SCHEDULES.
 statement error user testuser does not have VIEWSCHEDULE system privilege
 SHOW SCHEDULES
+
+user root
+
+# Test that VIEWSYSTEMTABLE also grants access to SHOW SCHEDULES (no
+# regression for users who previously relied on this broader privilege).
+statement ok
+GRANT SYSTEM VIEWSYSTEMTABLE TO testuser
+
+user testuser
+
+statement ok
+SHOW SCHEDULES
+
+user root
+
+statement ok
+REVOKE SYSTEM VIEWSYSTEMTABLE FROM testuser
+
+user testuser
+
+statement error user testuser does not have VIEWSCHEDULE system privilege
+SHOW SCHEDULES

pkg/sql/privilege/kind.go

@@ -74,7 +74,8 @@ const (
 	MAINTAIN               Kind = 43
 	TEMPORARY              Kind = 44
 	VIEWSCHEDULE           Kind = 45
-	largestKind                 = VIEWSCHEDULE
+	VIEWEVENTLOG           Kind = 46
+	largestKind                 = VIEWEVENTLOG
 
 	// RULE, SET, and ALTERSYSTEM are PostgreSQL ACL-only pseudo-privileges.
 	// They exist solely for ACL character mapping used by acldefault, aclexplode,
@@ -190,6 +191,8 @@ func (k Kind) InternalKey() KindInternalKey {
 		return "TEMPORARY"
 	case VIEWSCHEDULE:
 		return "VIEWSCHEDULE"
+	case VIEWEVENTLOG:
+		return "VIEWEVENTLOG"
 	case SET:
 		return "SET"
 	case ALTERSYSTEM:

pkg/sql/privilege/privilege.go

@@ -101,7 +101,7 @@ var (
 		ALL, BACKUP, RESTORE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED,
 		VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG, EXTERNALIOIMPLICITACCESS, VIEWJOB,
 		MODIFYSQLCLUSTERSETTING, REPLICATION, MANAGEVIRTUALCLUSTER, VIEWSYSTEMTABLE, CREATEROLE, CREATELOGIN, CREATEDB, CONTROLJOB,
-		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE,
+		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE, VIEWEVENTLOG,
 	}
 	VirtualTablePrivileges       = List{ALL, SELECT}
 	ExternalConnectionPrivileges = List{ALL, USAGE, DROP, UPDATE}