sql: add VIEWSCHEDULE system privilege for SHOW SCHEDULES

Previously, `SHOW SCHEDULES` was implicitly gated by `SELECT` on
`system.scheduled_jobs` and `system.jobs`, which only `admin` has by
default. This made it impossible to grant schedule visibility to
non-admin users without granting broad access to system tables.

This change introduces a new `VIEWSCHEDULE` system privilege (following
the pattern of `VIEWJOB`, `VIEWACTIVITY`, etc.) that explicitly gates
`SHOW SCHEDULES`. Admin users satisfy this check implicitly through
`ALL` privileges. The privilege also grants implicit `SELECT` on
`system.scheduled_jobs` and `system.jobs` so the delegated query
executes successfully.

The delegator check is kept (rather than relying solely on the
authorization.go fallback) because without it the user would see a
confusing "does not have SELECT privilege on relation scheduled_jobs"
error instead of a clear message about the VIEWSCHEDULE privilege.

On the DB Console side, the schedules API now checks for SQL execution
errors before accessing results, preventing runtime crashes when the
user lacks the required privilege.

Fixes: #169420
Epic: none
Release note (sql change): Added a new `VIEWSCHEDULE` system privilege
that controls access to `SHOW SCHEDULES`. Non-admin users can be granted
schedule visibility via `GRANT SYSTEM VIEWSCHEDULE TO <user>` without
needing direct `SELECT` on system tables.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: souravcrl

pkg/server/privchecker/BUILD.bazel

@@ -39,6 +39,7 @@ go_test(
         "//pkg/server",
         "//pkg/sql",
         "//pkg/sql/isql",
+        "//pkg/sql/privilege",
         "//pkg/testutils/serverutils",
         "//pkg/testutils/sqlutils",
         "//pkg/testutils/testcluster",

pkg/server/privchecker/privchecker_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/server/privchecker"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/isql"
+	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
 	"github.com/cockroachdb/cockroach/pkg/testutils/sqlutils"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
@@ -56,6 +57,8 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	sqlDB.Exec(t, "GRANT SYSTEM VIEWCLUSTERMETADATA TO withviewclustermetadata")
 	sqlDB.Exec(t, "CREATE USER withviewdebug")
 	sqlDB.Exec(t, "GRANT SYSTEM VIEWDEBUG TO withviewdebug")
+	sqlDB.Exec(t, "CREATE USER withviewschedule")
+	sqlDB.Exec(t, "GRANT SYSTEM VIEWSCHEDULE TO withviewschedule")
 
 	execCfg := ts.ExecutorConfig().(sql.ExecutorConfig)
 	kvDB := ts.DB()
@@ -97,6 +100,25 @@ func TestAdminPrivilegeChecker(t *testing.T) {
 	withVaAndRedactedGlobalPrivilege := username.MakeSQLUsernameFromPreNormalizedString("withvaandredactedglobalprivilege")
 	withviewclustermetadata := username.MakeSQLUsernameFromPreNormalizedString("withviewclustermetadata")
 	withViewDebug := username.MakeSQLUsernameFromPreNormalizedString("withviewdebug")
+	withViewSchedule := username.MakeSQLUsernameFromPreNormalizedString("withviewschedule")
+
+	// Test HasGlobalPrivilege for VIEWSCHEDULE.
+	globalPrivTests := []struct {
+		name      string
+		privilege privilege.Kind
+		username  username.SQLUsername
+		wantHas   bool
+	}{
+		{"viewschedule-granted", privilege.VIEWSCHEDULE, withViewSchedule, true},
+		{"viewschedule-not-granted", privilege.VIEWSCHEDULE, withoutPrivs, false},
+	}
+	for _, tt := range globalPrivTests {
+		t.Run(tt.name, func(t *testing.T) {
+			has, err := underTest.HasGlobalPrivilege(ctx, tt.username, tt.privilege)
+			require.NoError(t, err)
+			require.Equal(t, tt.wantHas, has)
+		})
+	}
 
 	tests := []struct {
 		name            string

pkg/sql/authorization.go

@@ -272,6 +272,20 @@ func (p *planner) CheckPrivilegeForUser(
 			if hasViewSystemTablePriv {
 				return nil
 			}
+			// VIEWSCHEDULE grants implicit SELECT on system.scheduled_jobs and
+			// system.jobs, the two tables underlying SHOW SCHEDULES.
+			tableID := d.GetID()
+			if tableID == keys.ScheduledJobsTableID || tableID == keys.JobsTableID {
+				hasViewSchedule, err := p.HasPrivilege(
+					ctx, syntheticprivilege.GlobalPrivilegeObject, privilege.VIEWSCHEDULE, user,
+				)
+				if err != nil {
+					return err
+				}
+				if hasViewSchedule {
+					return nil
+				}
+			}
 		}
 	}
 	return insufficientPrivilegeError(user, privilegeKind, privilegeObject)

pkg/sql/delegate/show_schedules.go

@@ -10,14 +10,35 @@ import (
 	"strings"
 
 	"github.com/cockroachdb/cockroach/pkg/jobs"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
+	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/cockroach/pkg/sql/sem/tree"
 	"github.com/cockroachdb/cockroach/pkg/sql/sqltelemetry"
+	"github.com/cockroachdb/cockroach/pkg/sql/syntheticprivilege"
 )
 
 // commandColumn converts executor execution arguments into jsonb representation.
 const commandColumn = `crdb_internal.pb_to_json('cockroach.jobs.jobspb.ExecutionArguments', execution_args, false, true)->'args'`
 
 func (d *delegator) delegateShowSchedules(n *tree.ShowSchedules) (tree.Statement, error) {
+	// Provide a clear privilege error upfront. Without this check, the
+	// delegated query would fail with "does not have SELECT privilege on
+	// relation scheduled_jobs", which doesn't tell the user what privilege
+	// they actually need. The authorization.go layer grants implicit SELECT
+	// on the underlying system tables when VIEWSCHEDULE is held.
+	if err := d.catalog.CheckPrivilege(
+		d.ctx, syntheticprivilege.GlobalPrivilegeObject,
+		d.catalog.GetCurrentUser(), privilege.VIEWSCHEDULE,
+	); err != nil {
+		if pgerror.GetPGCode(err) == pgcode.InsufficientPrivilege {
+			return nil, pgerror.Newf(pgcode.InsufficientPrivilege,
+				"user %s does not have %s system privilege",
+				d.catalog.GetCurrentUser(), privilege.VIEWSCHEDULE)
+		}
+		return nil, err
+	}
+
 	sqltelemetry.IncrementShowCounter(sqltelemetry.Schedules)
 
 	columnExprs := []string{

pkg/sql/logictest/testdata/logic_test/show_schedules_privilege

@@ -0,0 +1,62 @@
+# LogicTest: local
+
+# Verify that SHOW SCHEDULES requires the VIEWSCHEDULE privilege.
+
+# testuser should not be able to SHOW SCHEDULES.
+user testuser
+
+statement error user testuser does not have VIEWSCHEDULE system privilege
+SHOW SCHEDULES
+
+user root
+
+# Grant VIEWSCHEDULE to testuser.
+statement ok
+GRANT SYSTEM VIEWSCHEDULE TO testuser
+
+user testuser
+
+# testuser should now be able to SHOW SCHEDULES.
+statement ok
+SHOW SCHEDULES
+
+user root
+
+# Revoke VIEWSCHEDULE from testuser.
+statement ok
+REVOKE SYSTEM VIEWSCHEDULE FROM testuser
+
+user testuser
+
+# testuser should no longer be able to SHOW SCHEDULES.
+statement error user testuser does not have VIEWSCHEDULE system privilege
+SHOW SCHEDULES
+
+user root
+
+# Test that inheriting VIEWSCHEDULE through a role works.
+statement ok
+CREATE ROLE scheduleviewer
+
+statement ok
+GRANT SYSTEM VIEWSCHEDULE TO scheduleviewer
+
+statement ok
+GRANT scheduleviewer TO testuser
+
+user testuser
+
+# testuser should be able to SHOW SCHEDULES through role membership.
+statement ok
+SHOW SCHEDULES
+
+user root
+
+statement ok
+REVOKE scheduleviewer FROM testuser
+
+user testuser
+
+# testuser should no longer be able to SHOW SCHEDULES.
+statement error user testuser does not have VIEWSCHEDULE system privilege
+SHOW SCHEDULES

pkg/sql/logictest/tests/local/generated_test.go

@@ -73,7 +73,8 @@ const (
 	BUILTIN_UNSAFE_ALLOWED Kind = 42
 	MAINTAIN               Kind = 43
 	TEMPORARY              Kind = 44
-	largestKind                 = TEMPORARY
+	VIEWSCHEDULE           Kind = 45
+	largestKind                 = VIEWSCHEDULE
 
 	// RULE, SET, and ALTERSYSTEM are PostgreSQL ACL-only pseudo-privileges.
 	// They exist solely for ACL character mapping used by acldefault, aclexplode,
@@ -187,6 +188,8 @@ func (k Kind) InternalKey() KindInternalKey {
 		return "MAINTAIN"
 	case TEMPORARY:
 		return "TEMPORARY"
+	case VIEWSCHEDULE:
+		return "VIEWSCHEDULE"
 	case SET:
 		return "SET"
 	case ALTERSYSTEM:

pkg/sql/privilege/kind.go

@@ -101,7 +101,7 @@ var (
 		ALL, BACKUP, RESTORE, MODIFYCLUSTERSETTING, EXTERNALCONNECTION, VIEWACTIVITY, VIEWACTIVITYREDACTED,
 		VIEWCLUSTERSETTING, CANCELQUERY, NOSQLLOGIN, VIEWCLUSTERMETADATA, VIEWDEBUG, EXTERNALIOIMPLICITACCESS, VIEWJOB,
 		MODIFYSQLCLUSTERSETTING, REPLICATION, MANAGEVIRTUALCLUSTER, VIEWSYSTEMTABLE, CREATEROLE, CREATELOGIN, CREATEDB, CONTROLJOB,
-		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT,
+		REPAIRCLUSTER, BYPASSRLS, REPLICATIONDEST, REPLICATIONSOURCE, INSPECT, VIEWSCHEDULE,
 	}
 	VirtualTablePrivileges       = List{ALL, SELECT}
 	ExternalConnectionPrivileges = List{ALL, USAGE, DROP, UPDATE}

pkg/sql/privilege/privilege.go

@@ -12,6 +12,7 @@ import {
   executeInternalSql,
   LARGE_RESULT_SIZE,
   SqlExecutionRequest,
+  sqlApiErrorMessage,
   sqlResultsAreEmpty,
 } from "./sqlApi";
 
@@ -78,6 +79,9 @@ export function getSchedules(req: {
     execute: true,
   };
   return executeInternalSql<ScheduleColumns>(request).then(result => {
+    if (result.error) {
+      throw new Error(sqlApiErrorMessage(result.error.message));
+    }
     const txnResults = result.execution.txn_results;
     if (sqlResultsAreEmpty(result)) {
       // No data.
@@ -122,6 +126,9 @@ export function getSchedule(id: Long): Promise<Schedule> {
     execute: true,
   };
   return executeInternalSql<ScheduleColumns>(request).then(result => {
+    if (result.error) {
+      throw new Error(sqlApiErrorMessage(result.error.message));
+    }
     const txnResults = result.execution.txn_results;
     if (txnResults.length === 0 || !txnResults[0].rows) {
       // No data.