new-cluster name=s1
----

exec-sql
CREATE DATABASE d;
CREATE SCHEMA d.ds;
CREATE TYPE d.ds.typ AS ENUM ('hello', 'hi');
CREATE TABLE d.ds.t (x INT PRIMARY KEY, y d.ds.typ);
INSERT INTO d.ds.t VALUES (1, 'hi'), (2, 'hello'), (3, 'hi');
----

# Take a cluster backup that can be used to test cluster, database and tables
# restores.
exec-sql
BACKUP INTO 'nodelocal://1/foo';
----

subtest database-restore

# Root can run every restore.
exec-sql
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/foo' WITH new_db_name = ddup;
----

query-sql
SELECT * FROM ddup.ds.t;
----
1 hi
2 hello
3 hi

# Non-root admin can run every restore.
exec-sql
CREATE USER testuser;
GRANT ADMIN TO testuser;
----

exec-sql user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/foo' WITH new_db_name = ddup_nonroot;
----

query-sql user=testuser
SELECT * FROM ddup_nonroot.ds.t;
----
1 hi
2 hello
3 hi

exec-sql
REVOKE ADMIN FROM testuser;
----

# Non-admin cannot run database restore unless they have CREATEDB today but we recommend the system
# RESTORE privilege.
exec-sql user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/foo' WITH new_db_name = ddup_nonroot_fail;
----
pq: only users with the CREATEDB privilege can restore databases
HINT: The existing privileges are being deprecated in favour of a fine-grained privilege model explained here https://www.cockroachlabs.com/docs/stable/restore.html#required-privileges. In a future release, to run RESTORE DATABASE, user testuser will exclusively require the RESTORE system privilege.

exec-sql
GRANT SYSTEM RESTORE TO testuser;
----

# This won't be sufficient since we are restoring from nodelocal, we also need
# `EXTERNALIOIMPLICITACCESS` as a non-admin.
exec-sql user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/foo' WITH new_db_name = ddup_nonroot_fail;
----
pq: only users with the admin role or the EXTERNALIOIMPLICITACCESS system privilege are allowed to access the specified nodelocal URI

exec-sql
GRANT SYSTEM EXTERNALIOIMPLICITACCESS TO testuser;
----

exec-sql user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/foo' WITH new_db_name = ddup_nonroot_fail;
----

query-sql
SELECT * FROM ddup_nonroot_fail.ds.t;
----
1 hi
2 hello
3 hi

exec-sql
REVOKE SYSTEM RESTORE, EXTERNALIOIMPLICITACCESS FROM testuser;
----

subtest end

subtest table-restore

exec-sql
CREATE DATABASE root;
----

# Root can run every restore.
exec-sql
RESTORE TABLE d.ds.t FROM LATEST IN 'nodelocal://1/foo' WITH into_db = root;
----

query-sql
SELECT * FROM root.ds.t;
----
1 hi
2 hello
3 hi

# Non-root admin can run every restore.
exec-sql
GRANT ADMIN TO testuser;
----

exec-sql user=testuser
CREATE DATABASE nonroot_admin;
----

exec-sql user=testuser
RESTORE TABLE d.ds.t FROM LATEST IN 'nodelocal://1/foo' WITH into_db = nonroot_admin;
----

query-sql user=testuser
SELECT * FROM nonroot_admin.ds.t;
----
1 hi
2 hello
3 hi

exec-sql
REVOKE ADMIN FROM testuser;
----

exec-sql
CREATE DATABASE nonadmin;
----

# Need to allow testuser to use `nodelocal`.
exec-sql
GRANT SYSTEM EXTERNALIOIMPLICITACCESS TO testuser;
----

# Non-admin cannot run table restore unless they have CREATE on the database
# today but we recommend the database RESTORE privilege.
exec-sql user=testuser
RESTORE TABLE d.ds.t FROM LATEST IN 'nodelocal://1/foo' WITH into_db = nonadmin;
----
pq: user testuser does not have CREATE privilege on database nonadmin
HINT: The existing privileges are being deprecated in favour of a fine-grained privilege model explained here https://www.cockroachlabs.com/docs/stable/restore.html#required-privileges. In a future release, to run RESTORE TABLE, user testuser will exclusively require the RESTORE privilege on database nonadmin.

exec-sql
GRANT RESTORE ON DATABASE nonadmin TO testuser;
----

exec-sql user=testuser
RESTORE TABLE d.ds.t FROM LATEST IN 'nodelocal://1/foo' WITH into_db = nonadmin;
----

query-sql user=testuser
SELECT * FROM nonadmin.ds.t;
----
1 hi
2 hello
3 hi

query-sql user=testuser
USE nonadmin;
SHOW TYPES;
----
ds typ testuser

exec-sql
REVOKE RESTORE ON DATABASE nonadmin FROM testuser;
----

subtest end

subtest cluster-restore
new-cluster name=s2 allow-implicit-access share-io-dir=s1
----

exec-sql
CREATE USER testuser;
----

exec-sql user=testuser
RESTORE FROM LATEST IN 'nodelocal://1/foo';
----
pq: only users with the admin role or the RESTORE system privilege are allowed to perform a cluster restore: user testuser does not have RESTORE system privilege

exec-sql
GRANT SYSTEM RESTORE TO testuser;
----

exec-sql user=testuser
RESTORE FROM LATEST IN 'nodelocal://1/foo';
----

subtest end
