# Test permissions checks for non-admin users running RESTORE.
new-cluster name=s1
----

exec-sql
CREATE DATABASE d;
CREATE TABLE d.t (x INT);
INSERT INTO d.t VALUES (1), (2), (3);
----

exec-sql
BACKUP INTO 'nodelocal://1/test/'
----

# Restores should succeed as a non-root user with admin role.
exec-sql
CREATE USER testuser;
GRANT ADMIN TO testuser;
----

exec-sql user=testuser
DROP DATABASE d;
----

exec-sql user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/test/';
----

# Start a new cluster with the same IO dir.
new-cluster name=s2 share-io-dir=s1 allow-implicit-access
----

exec-sql cluster=s2
CREATE USER testuser
----

# Restore into the new cluster.
exec-sql cluster=s2 user=testuser
RESTORE FROM LATEST IN 'nodelocal://1/test/'
----
pq: only users with the admin role or the RESTORE system privilege are allowed to perform a cluster restore: user testuser does not have RESTORE system privilege

exec-sql cluster=s2 user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/test/'
----
pq: only users with the CREATEDB privilege can restore databases
HINT: The existing privileges are being deprecated in favour of a fine-grained privilege model explained here https://www.cockroachlabs.com/docs/stable/restore.html#required-privileges. In a future release, to run RESTORE DATABASE, user testuser will exclusively require the RESTORE system privilege.

exec-sql cluster=s2
CREATE DATABASE d
----

exec-sql cluster=s2 user=testuser
RESTORE TABLE d.t FROM LATEST IN 'nodelocal://1/test/'
----
pq: user testuser does not have CREATE privilege on database d
HINT: The existing privileges are being deprecated in favour of a fine-grained privilege model explained here https://www.cockroachlabs.com/docs/stable/restore.html#required-privileges. In a future release, to run RESTORE TABLE, user testuser will exclusively require the RESTORE privilege on database d.

exec-sql cluster=s2
GRANT CREATE ON DATABASE d TO testuser
----

exec-sql cluster=s2 user=testuser
RESTORE TABLE d.t FROM LATEST IN 'nodelocal://1/test/'
----
NOTICE: The existing privileges are being deprecated in favour of a fine-grained privilege model explained here https://www.cockroachlabs.com/docs/stable/restore.html#required-privileges. In a future release, to run RESTORE TABLE, user testuser will exclusively require the RESTORE privilege on databases d

query-sql cluster=s2
SELECT x FROM d.t ORDER BY x
----
1
2
3

exec-sql cluster=s2
DROP DATABASE d
----

exec-sql cluster=s2
ALTER USER testuser CREATEDB
----

exec-sql cluster=s2 user=testuser
RESTORE DATABASE d FROM LATEST IN 'nodelocal://1/test/'
----
NOTICE: The existing privileges are being deprecated in favour of a fine-grained privilege model explained here https://www.cockroachlabs.com/docs/stable/restore.html#required-privileges. In a future release, to run RESTORE DATABASE, user testuser will exclusively require the RESTORE system privilege.

query-sql cluster=s2
SELECT x FROM d.t ORDER BY x
----
1
2
3

# Test that implicit access is disallowed when the testing knob isn't set.
new-cluster name=s3 share-io-dir=s1
----

exec-sql cluster=s3
CREATE USER testuser
----

exec-sql cluster=s3 user=testuser
RESTORE TABLE d.t FROM LATEST IN 'nodelocal://1/test/'
----
pq: only users with the admin role or the EXTERNALIOIMPLICITACCESS system privilege are allowed to access the specified nodelocal URI
