sql: add VIEWEVENTLOG system privilege for event log visibility

souravcrl · claude · souravcrl · commit 8b57f1a7eae9 · 2026-05-06T15:03:43.000+05:30
Previously, viewing the event log required `admin` or `VIEWCLUSTERMETADATA`, both of which are overprivileged for users who only need to read cluster events (e.g. SREs and auditors correlating events during incidents). This change introduces a new `VIEWEVENTLOG` system privilege that grants read-only access to `system.eventlog`. The gRPC Events API now accepts either `VIEWEVENTLOG` or the existing `VIEWCLUSTERMETADATA` privilege, and the error message mentions both options. The privilege also grants implicit `SELECT` on `system.eventlog` so the DB Console SQL-based events page works correctly. Non-admin users can now be granted event log visibility via: ```sql GRANT SYSTEM VIEWEVENTLOG TO <user>; ``` Fixes: #169421 Epic: none Release note (sql change): Added a new `VIEWEVENTLOG` system privilege that grants read-only access to the event log. Non-admin users can be granted event log visibility via `GRANT SYSTEM VIEWEVENTLOG TO <user>` without needing `VIEWCLUSTERMETADATA` or the `admin` role. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/pkg/server/admin.go b/pkg/server/admin.go
@@ -1478,11 +1478,29 @@ func (s *adminServer) Events(
 ) (_ *serverpb.EventsResponse, retErr error) {
 	ctx = s.AnnotateCtx(ctx)
 
-	err := s.privilegeChecker.RequireViewClusterMetadataPermission(ctx)
+	// Accept either VIEWEVENTLOG or VIEWCLUSTERMETADATA.
+	userName, isAdmin, err := s.privilegeChecker.GetUserAndRole(ctx)
 	if err != nil {
-		// NB: not using srverrors.ServerError() here since the priv checker
-		// already returns a proper gRPC error status.
-		return nil, err
+		return nil, srverrors.ServerError(ctx, err)
+	}
+	if !isAdmin {
+		hasEventLog, err := s.privilegeChecker.HasGlobalPrivilege(ctx, userName, privilege.VIEWEVENTLOG)
+		if err != nil {
+			return nil, srverrors.ServerError(ctx, err)
+		}
+		if !hasEventLog {
+			hasClusterMeta, err := s.privilegeChecker.HasGlobalPrivilege(ctx, userName, privilege.VIEWCLUSTERMETADATA)
+			if err != nil {
+				return nil, srverrors.ServerError(ctx, err)
+			}
+			if !hasClusterMeta {
+				return nil, grpcstatus.Errorf(
+					codes.PermissionDenied,
+					"this operation requires the %s or %s system privilege",
+					privilege.VIEWEVENTLOG.DisplayName(),
+					privilege.VIEWCLUSTERMETADATA.DisplayName())
+			}
+		}
 	}
 	redactEvents := !req.UnredactedEvents
 
@@ -1491,10 +1509,6 @@ func (s *adminServer) Events(
 		limit = apiconstants.DefaultAPIEventLimit
 	}
 
-	userName, err := authserver.UserFromIncomingRPCContext(ctx)
-	if err != nil {
-		return nil, srverrors.ServerError(ctx, err)
-	}
 	r, err := s.eventsHelper(ctx, req, userName, int(limit), 0, redactEvents)
 	if err != nil {
 		return nil, srverrors.ServerError(ctx, err)
diff --git a/pkg/sql/authorization.go b/pkg/sql/authorization.go
@@ -286,6 +286,18 @@ func (p *planner) CheckPrivilegeForUser(
 					return nil
 				}
 			}
+			// VIEWEVENTLOG grants implicit SELECT on system.eventlog.
+			if tableID == keys.EventLogTableID {
+				hasViewEventLog, err := p.HasPrivilege(
+					ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWEVENTLOG, user,
+				)
+				if err != nil {
+					return err
+				}
+				if hasViewEventLog {
+					return nil
+				}
+			}
 		}
 	}
 	return insufficientPrivilegeError(user, privilegeKind, privilegeObject)
diff --git a/pkg/sql/logictest/testdata/logic_test/show_eventlog_privilege b/pkg/sql/logictest/testdata/logic_test/show_eventlog_privilege
@@ -0,0 +1,62 @@
+# LogicTest: local
+
+# Verify that the VIEWEVENTLOG privilege grants access to system.eventlog.
+
+# testuser should not be able to read system.eventlog.
+user testuser
+
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Grant VIEWEVENTLOG to testuser.
+statement ok
+GRANT SYSTEM VIEWEVENTLOG TO testuser
+
+user testuser
+
+# testuser should now be able to read system.eventlog.
+statement ok
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Revoke VIEWEVENTLOG from testuser.
+statement ok
+REVOKE SYSTEM VIEWEVENTLOG FROM testuser
+
+user testuser
+
+# testuser should no longer be able to read system.eventlog.
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+# Test that inheriting VIEWEVENTLOG through a role works.
+statement ok
+CREATE ROLE eventlogviewer
+
+statement ok
+GRANT SYSTEM VIEWEVENTLOG TO eventlogviewer
+
+statement ok
+GRANT eventlogviewer TO testuser
+
+user testuser
+
+# testuser should be able to read system.eventlog through role membership.
+statement ok
+SELECT * FROM system.eventlog LIMIT 0
+
+user root
+
+statement ok
+REVOKE eventlogviewer FROM testuser
+
+user testuser
+
+# testuser should no longer be able to read system.eventlog.
+statement error user testuser does not have SELECT privilege on relation eventlog
+SELECT * FROM system.eventlog LIMIT 0
diff --git a/pkg/sql/privilege/kind.go b/pkg/sql/privilege/kind.go
@@ -74,7 +74,8 @@ const (
 	MAINTAIN               Kind = 43
 	TEMPORARY              Kind = 44
 	VIEWSCHEDULE           Kind = 45
-	largestKind                 = VIEWSCHEDULE
+	VIEWEVENTLOG           Kind = 46
+	largestKind                 = VIEWEVENTLOG
 
 	// RULE, SET, and ALTERSYSTEM are PostgreSQL ACL-only pseudo-privileges.
 	// They exist solely for ACL character mapping used by acldefault, aclexplode,
@@ -190,6 +191,8 @@ func (k Kind) InternalKey() KindInternalKey {
 		return "TEMPORARY"
 	case VIEWSCHEDULE:
 		return "VIEWSCHEDULE"
+	case VIEWEVENTLOG:
+		return "VIEWEVENTLOG"
 	case SET:
 		return "SET"
 	case ALTERSYSTEM:
diff --git a/pkg/sql/privilege/privilege.go b/pkg/sql/privilege/privilege.go
@@ -101,7 +101,7 @@ var (
 		ALL, BACKUP, RESTORE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED,
 		VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG, EXTERNALIOIMPLICITACCESS, VIEWJOB,
 		MODIFYSQLCLUSTERSETTING, REPLICATION, MANAGEVIRTUALCLUSTER, VIEWSYSTEMTABLE, CREATEROLE, CREATELOGIN, CREATEDB, CONTROLJOB,
-		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE,
+		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE, VIEWEVENTLOG,
 	}
 	VirtualTablePrivileges       = List{ALL, SELECT}
 	ExternalConnectionPrivileges = List{ALL, USAGE, DROP, UPDATE}

Original file line number	Diff line number	Diff line change
`@@ -286,6 +286,18 @@ func (p *planner) CheckPrivilegeForUser(`
`286`	`286`	`return nil`
`287`	`287`	`}`
`288`	`288`	`}`
	`289`	`+ // VIEWEVENTLOG grants implicit SELECT on system.eventlog.`
	`290`	`+ if tableID == keys.EventLogTableID {`
	`291`	`+ hasViewEventLog, err := p.HasPrivilege(`
	`292`	`+ ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWEVENTLOG, user,`
	`293`	`+ )`
	`294`	`+ if err != nil {`
	`295`	`+ return err`
	`296`	`+ }`
	`297`	`+ if hasViewEventLog {`
	`298`	`+ return nil`
	`299`	`+ }`
	`300`	`+ }`
`289`	`301`	`}`
`290`	`302`	`}`
`291`	`303`	`return insufficientPrivilegeError(user, privilegeKind, privilegeObject)`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ var (`
`101`	`101`	`ALL, BACKUP, RESTORE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED,`
`102`	`102`	`VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG, EXTERNALIOIMPLICITACCESS, VIEWJOB,`
`103`	`103`	`MODIFYSQLCLUSTERSETTING, REPLICATION, MANAGEVIRTUALCLUSTER, VIEWSYSTEMTABLE, CREATEROLE, CREATELOGIN, CREATEDB, CONTROLJOB,`
`104`		`- REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE,`
	`104`	`+ REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE, VIEWEVENTLOG,`
`105`	`105`	`}`
`106`	`106`	`VirtualTablePrivileges = List{ALL, SELECT}`
`107`	`107`	`ExternalConnectionPrivileges = List{ALL, USAGE, DROP, UPDATE}`