statement ok
CREATE DATABASE a

query TTTB colnames,rowsort
SHOW GRANTS ON DATABASE a
----
database_name  grantee  privilege_type  is_grantable
a              admin    ALL             true
a              public   CONNECT         false
a              root     ALL             true

statement error user root must have exactly \[ALL\] privileges on database "a"
REVOKE CONNECT ON DATABASE a FROM root

statement error user admin must have exactly \[ALL\] privileges on database "a"
REVOKE CONNECT ON DATABASE a FROM admin

statement ok
CREATE USER readwrite

statement error pq: role/user "test-user" does not exist
GRANT ALL ON DATABASE a TO readwrite, "test-user"

statement ok
INSERT INTO system.users VALUES('test-user','',false,3);

statement ok
GRANT ALL PRIVILEGES ON DATABASE a TO readwrite, "test-user" WITH GRANT OPTION

statement error syntax error
GRANT SELECT,ALL ON DATABASE a TO readwrite

statement error syntax error
REVOKE SELECT,ALL ON DATABASE a FROM readwrite

query TTTB rowsort
SHOW GRANTS ON DATABASE a
----
a  admin      ALL      true
a  public     CONNECT  false
a  readwrite  ALL      true
a  root       ALL      true
a  test-user  ALL      true

query TTTB rowsort
SHOW GRANTS ON DATABASE a FOR readwrite, "test-user"
----
a  public     CONNECT  false
a  readwrite  ALL      true
a  test-user  ALL      true

statement ok
REVOKE CONNECT ON DATABASE a FROM "test-user",readwrite

query TTTB rowsort
SHOW GRANTS ON DATABASE a
----
a  admin      ALL         true
a  public     CONNECT     false
a  readwrite  BACKUP      true
a  readwrite  CREATE      true
a  readwrite  DROP        true
a  readwrite  RESTORE     true
a  readwrite  ZONECONFIG  true
a  root       ALL         true
a  test-user  BACKUP      true
a  test-user  CREATE      true
a  test-user  DROP        true
a  test-user  RESTORE     true
a  test-user  ZONECONFIG  true

query TTTB rowsort
SHOW GRANTS ON DATABASE a FOR readwrite, "test-user"
----
a  public     CONNECT     false
a  readwrite  BACKUP      true
a  readwrite  CREATE      true
a  readwrite  DROP        true
a  readwrite  RESTORE     true
a  readwrite  ZONECONFIG  true
a  test-user  BACKUP      true
a  test-user  CREATE      true
a  test-user  DROP        true
a  test-user  RESTORE     true
a  test-user  ZONECONFIG  true

statement ok
REVOKE CREATE ON DATABASE a FROM "test-user"

query TTTB rowsort
SHOW GRANTS ON DATABASE a
----
a  admin      ALL         true
a  public     CONNECT     false
a  readwrite  BACKUP      true
a  readwrite  CREATE      true
a  readwrite  DROP        true
a  readwrite  RESTORE     true
a  readwrite  ZONECONFIG  true
a  root       ALL         true
a  test-user  BACKUP      true
a  test-user  DROP        true
a  test-user  RESTORE     true
a  test-user  ZONECONFIG  true

statement ok
REVOKE ALL PRIVILEGES ON DATABASE a FROM "test-user"

query TTTB rowsort
SHOW GRANTS ON DATABASE a FOR readwrite, "test-user"
----
a  public     CONNECT     false
a  readwrite  BACKUP      true
a  readwrite  CREATE      true
a  readwrite  DROP        true
a  readwrite  RESTORE     true
a  readwrite  ZONECONFIG  true

statement ok
REVOKE ALL ON DATABASE a FROM readwrite,"test-user"

query TTTB rowsort
SHOW GRANTS ON DATABASE a
----
a  admin   ALL      true
a  public  CONNECT  false
a  root    ALL      true

query TTTB
SHOW GRANTS ON DATABASE a FOR readwrite, "test-user"
----
a  public  CONNECT  false

# Usage privilege should not be grantable on databases.

statement error pq: invalid privilege type USAGE for database
GRANT USAGE ON DATABASE a TO testuser

statement ok
CREATE DATABASE b

statement ok
GRANT CREATE, CONNECT ON DATABASE b TO testuser

user testuser

statement ok
CREATE TABLE b.t()

# CONNECT privilege should not be inherited from DB when creating a table.

query TTTTTB colnames,rowsort
SHOW GRANTS ON b.t
----
database_name  schema_name  table_name  grantee   privilege_type  is_grantable
b              public       t           admin     ALL             true
b              public       t           root      ALL             true
b              public       t           testuser  ALL             true

# Calling SHOW GRANTS on an invalid user should error out.

statement error role/user "invaliduser" does not exist
SHOW GRANTS FOR invaliduser

# Verify that owner and child of owner have is_grantable implicitly.

user root

statement ok
CREATE USER owner_grant_option_child

statement ok
GRANT testuser to owner_grant_option_child

statement ok
ALTER USER testuser WITH createdb

user testuser

statement ok
CREATE DATABASE owner_grant_option

statement ok
GRANT CONNECT ON DATABASE owner_grant_option TO owner_grant_option_child

query TTTB colnames,rowsort
SHOW GRANTS ON DATABASE owner_grant_option
----
database_name       grantee                   privilege_type  is_grantable
owner_grant_option  admin                     ALL             true
owner_grant_option  owner_grant_option_child  CONNECT         true
owner_grant_option  public                    CONNECT         false
owner_grant_option  root                      ALL             true
owner_grant_option  testuser                  ALL             true

# Verify that is_grantable moves to the new owner.

user root

statement ok
CREATE ROLE other_owner

statement ok
ALTER DATABASE owner_grant_option OWNER TO other_owner

query TTTB colnames,rowsort
SHOW GRANTS ON DATABASE owner_grant_option
----
database_name       grantee                   privilege_type  is_grantable
owner_grant_option  admin                     ALL             true
owner_grant_option  other_owner               ALL             true
owner_grant_option  owner_grant_option_child  CONNECT         false
owner_grant_option  public                    CONNECT         false
owner_grant_option  root                      ALL             true
