support privileges for routines and sequences

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/dolthub/dolt/go v0.40.5-0.20260305221540-0e4e7d5f6c45
 	github.com/dolthub/eventsapi_schema v0.0.0-20260205214132-a7a3c84c84a1
 	github.com/dolthub/flatbuffers/v23 v23.3.3-dh.2
-	github.com/dolthub/go-mysql-server v0.20.1-0.20260304235552-80791ce5e625
+	github.com/dolthub/go-mysql-server v0.20.1-0.20260305225810-9cb9f5aa73d4
 	github.com/dolthub/pg_query_go/v6 v6.0.0-20251215122834-fb20be4254d1
 	github.com/dolthub/sqllogictest/go v0.0.0-20240618184124-ca47f9354216
 	github.com/dolthub/vitess v0.0.0-20260304224106-95dd8eda10b0

go.sum

@@ -255,8 +255,8 @@ github.com/dolthub/fslock v0.0.3 h1:iLMpUIvJKMKm92+N1fmHVdxJP5NdyDK5bK7z7Ba2s2U=
 github.com/dolthub/fslock v0.0.3/go.mod h1:QWql+P17oAAMLnL4HGB5tiovtDuAjdDTPbuqx7bYfa0=
 github.com/dolthub/go-icu-regex v0.0.0-20250916051405-78a38d478790 h1:zxMsH7RLiG+dlZ/y0LgJHTV26XoiSJcuWq+em6t6VVc=
 github.com/dolthub/go-icu-regex v0.0.0-20250916051405-78a38d478790/go.mod h1:F3cnm+vMRK1HaU6+rNqQrOCyR03HHhR1GWG2gnPOqaE=
-github.com/dolthub/go-mysql-server v0.20.1-0.20260304235552-80791ce5e625 h1:pOKtS6gYJ5HiwdRb5KlRia0CRQjym6yyuvQE7auYOOw=
-github.com/dolthub/go-mysql-server v0.20.1-0.20260304235552-80791ce5e625/go.mod h1:8zqJ7NgJ7GEISN7VkYEmrrW3DodmHHMCEjIH72BkoEU=
+github.com/dolthub/go-mysql-server v0.20.1-0.20260305225810-9cb9f5aa73d4 h1:Se6FjR3iurLAJq6TRp8mEJsOIuaADY4n2dbSJOCSFHY=
+github.com/dolthub/go-mysql-server v0.20.1-0.20260305225810-9cb9f5aa73d4/go.mod h1:8zqJ7NgJ7GEISN7VkYEmrrW3DodmHHMCEjIH72BkoEU=
 github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63 h1:OAsXLAPL4du6tfbBgK0xXHZkOlos63RdKYS3Sgw/dfI=
 github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63/go.mod h1:lV7lUeuDhH5thVGDCKXbatwKy2KW80L4rMT46n+Y2/Q=
 github.com/dolthub/ishell v0.0.0-20240701202509-2b217167d718 h1:lT7hE5k+0nkBdj/1UOSFwjWpNxf+LCApbRHgnCA17XE=

server/ast/alter_sequence.go

@@ -21,6 +21,7 @@ import (
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
+	"github.com/dolthub/doltgresql/server/auth"
 	pgnodes "github.com/dolthub/doltgresql/server/node"
 )
 
@@ -92,5 +93,10 @@ func nodeAlterSequence(ctx *Context, node *tree.AlterSequence) (vitess.Statement
 			ownedBy,
 			warnings...),
 		Children: nil,
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_UPDATE,
+			TargetType:  auth.AuthTargetType_SequenceIdentifiers,
+			TargetNames: []string{name.SchemaQualifier.String(), name.Name.String()},
+		},
 	}, nil
 }

server/ast/call.go

@@ -16,9 +16,10 @@ package ast
 
 import (
 	"github.com/cockroachdb/errors"
-
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
+	"github.com/dolthub/doltgresql/server/auth"
+
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
 	pgnodes "github.com/dolthub/doltgresql/server/node"
 )
@@ -43,6 +44,10 @@ func nodeCall(ctx *Context, node *tree.Call) (vitess.Statement, error) {
 	if len(node.Procedure.OrderBy) > 0 {
 		return nil, errors.Errorf("procedure ORDER BY is not yet supported")
 	}
+
+	ctx.Auth().PushAuthType(auth.AuthType_EXECUTE)
+	defer ctx.Auth().PopAuthType()
+
 	var qualifier vitess.TableIdent
 	var name vitess.ColIdent
 	switch funcRef := node.Procedure.Func.FunctionReference.(type) {
@@ -66,5 +71,12 @@ func nodeCall(ctx *Context, node *tree.Call) (vitess.Statement, error) {
 	return vitess.InjectedStatement{
 		Statement: pgnodes.NewCall(qualifier.String(), name.String(), exprs),
 		Children:  exprs,
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_EXECUTE,
+			TargetType:  auth.AuthTargetType_FunctionIdentifiers,
+			TargetNames: []string{qualifier.String(), name.String()},
+			// TODO: need to get argument types separated by comma ( check routineArgTypesKey function )
+			Extra: "",
+		},
 	}, nil
 }

server/ast/create_function.go

@@ -25,6 +25,7 @@ import (
 	"github.com/dolthub/doltgresql/core/id"
 	"github.com/dolthub/doltgresql/postgres/parser/parser"
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
+	"github.com/dolthub/doltgresql/server/auth"
 	"github.com/dolthub/doltgresql/server/functions/framework"
 	pgnodes "github.com/dolthub/doltgresql/server/node"
 	"github.com/dolthub/doltgresql/server/plpgsql"
@@ -138,6 +139,11 @@ func nodeCreateFunction(ctx *Context, node *tree.CreateFunction) (vitess.Stateme
 			sqlDefParsed,
 			node.ReturnsSetOf,
 		),
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_CREATE,
+			TargetType:  auth.AuthTargetType_SchemaIdentifiers,
+			TargetNames: []string{tableName.Catalog(), tableName.Schema()},
+		},
 	}, nil
 }
 

server/ast/create_procedure.go

@@ -23,6 +23,7 @@ import (
 	"github.com/dolthub/doltgresql/core/procedures"
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
 	"github.com/dolthub/doltgresql/postgres/parser/types"
+	"github.com/dolthub/doltgresql/server/auth"
 	pgnodes "github.com/dolthub/doltgresql/server/node"
 	"github.com/dolthub/doltgresql/server/plpgsql"
 	pgtypes "github.com/dolthub/doltgresql/server/types"
@@ -112,5 +113,10 @@ func nodeCreateProcedure(ctx *Context, node *tree.CreateProcedure) (vitess.State
 			sqlDef,
 			sqlDefParsed,
 		),
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_CREATE,
+			TargetType:  auth.AuthTargetType_SchemaIdentifiers,
+			TargetNames: []string{tableName.Catalog(), tableName.Schema()},
+		},
 	}, nil
 }

server/ast/create_sequence.go

@@ -23,6 +23,7 @@ import (
 	"github.com/dolthub/doltgresql/core/id"
 	"github.com/dolthub/doltgresql/core/sequences"
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
+	"github.com/dolthub/doltgresql/server/auth"
 	pgnodes "github.com/dolthub/doltgresql/server/node"
 	pgtypes "github.com/dolthub/doltgresql/server/types"
 )
@@ -200,5 +201,10 @@ func nodeCreateSequence(ctx *Context, node *tree.CreateSequence) (vitess.Stateme
 			OwnerColumn: ownerColumnName,
 		}),
 		Children: nil,
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_CREATE,
+			TargetType:  auth.AuthTargetType_SchemaIdentifiers,
+			TargetNames: []string{name.DbQualifier.String(), name.SchemaQualifier.String()},
+		},
 	}, nil
 }

server/ast/func_expr.go

@@ -21,6 +21,7 @@ import (
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
+	"github.com/dolthub/doltgresql/server/auth"
 	pgexprs "github.com/dolthub/doltgresql/server/expression"
 )
 
@@ -132,5 +133,10 @@ func nodeFuncExpr(ctx *Context, node *tree.FuncExpr) (vitess.Expr, error) {
 		Distinct:  distinct,
 		Exprs:     exprs,
 		Over:      (*vitess.Over)(windowDef),
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_EXECUTE,
+			TargetType:  auth.AuthTargetType_FunctionIdentifiers,
+			TargetNames: []string{qualifier.String(), name.String()},
+		},
 	}, nil
 }

server/ast/grant.go

@@ -15,8 +15,9 @@
 package ast
 
 import (
-	"github.com/cockroachdb/errors"
+	"strings"
 
+	"github.com/cockroachdb/errors"
 	"github.com/dolthub/dolt/go/libraries/doltcore/doltdb"
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
@@ -34,6 +35,8 @@ func nodeGrant(ctx *Context, node *tree.Grant) (vitess.Statement, error) {
 	var grantTable *pgnodes.GrantTable
 	var grantSchema *pgnodes.GrantSchema
 	var grantDatabase *pgnodes.GrantDatabase
+	var grantSequence *pgnodes.GrantSequence
+	var grantRoutine *pgnodes.GrantRoutine
 	switch node.Targets.TargetType {
 	case privilege.Table:
 		tables := make([]doltdb.TableName, 0, len(node.Targets.Tables)+len(node.Targets.InSchema))
@@ -92,6 +95,53 @@ func nodeGrant(ctx *Context, node *tree.Grant) (vitess.Statement, error) {
 			Privileges: privileges,
 			Databases:  node.Targets.Databases.ToStrings(),
 		}
+	case privilege.Sequence:
+		sequences := make([]auth.SequencePrivilegeKey, 0, len(node.Targets.Sequences)+len(node.Targets.InSchema))
+		for _, seq := range node.Targets.Sequences {
+			sequences = append(sequences, auth.SequencePrivilegeKey{
+				Schema: sequenceSchema(seq),
+				Name:   seq.Parts[0],
+			})
+		}
+		for _, schema := range node.Targets.InSchema {
+			sequences = append(sequences, auth.SequencePrivilegeKey{
+				Schema: schema,
+				Name:   "",
+			})
+		}
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_SEQUENCE, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		grantSequence = &pgnodes.GrantSequence{
+			Privileges: privileges,
+			Sequences:  sequences,
+		}
+	case privilege.Function, privilege.Procedure, privilege.Routine:
+		routines := make([]auth.RoutinePrivilegeKey, 0, len(node.Targets.Routines)+len(node.Targets.InSchema))
+		for _, r := range node.Targets.Routines {
+			routines = append(routines, auth.RoutinePrivilegeKey{
+				Schema: routineSchema(r.Name),
+				Name:   r.Name.Parts[0],
+				// TODO: there can be 2 routines with the same name but different argument types
+				//  need a fix for getting argument types from parsing CALL statement
+				//ArgTypes: routineArgTypesKey(r.Args),
+			})
+		}
+		for _, schema := range node.Targets.InSchema {
+			routines = append(routines, auth.RoutinePrivilegeKey{
+				Schema: schema,
+				Name:   "",
+			})
+		}
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_FUNCTION, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		grantRoutine = &pgnodes.GrantRoutine{
+			Privileges: privileges,
+			Routines:   routines,
+		}
 	default:
 		return nil, errors.Errorf("this form of GRANT is not yet supported")
 	}
@@ -100,6 +150,8 @@ func nodeGrant(ctx *Context, node *tree.Grant) (vitess.Statement, error) {
 			GrantTable:      grantTable,
 			GrantSchema:     grantSchema,
 			GrantDatabase:   grantDatabase,
+			GrantSequence:   grantSequence,
+			GrantRoutine:    grantRoutine,
 			GrantRole:       nil,
 			ToRoles:         node.Grantees,
 			WithGrantOption: node.WithGrantOption,
@@ -109,6 +161,31 @@ func nodeGrant(ctx *Context, node *tree.Grant) (vitess.Statement, error) {
 	}, nil
 }
 
+// sequenceSchema returns the schema portion of an UnresolvedObjectName for a sequence.
+func sequenceSchema(name *tree.UnresolvedObjectName) string {
+	if name.NumParts >= 2 {
+		return name.Parts[1]
+	}
+	return ""
+}
+
+// routineSchema returns the schema portion of an UnresolvedObjectName for a routine.
+func routineSchema(name *tree.UnresolvedObjectName) string {
+	if name.NumParts >= 2 {
+		return name.Parts[1]
+	}
+	return ""
+}
+
+// routineArgTypesKey builds a canonical string key from a RoutineArgs list using only the argument types.
+func routineArgTypesKey(args tree.RoutineArgs) string {
+	parts := make([]string, len(args))
+	for i, arg := range args {
+		parts[i] = arg.Type.SQLString()
+	}
+	return strings.Join(parts, ",")
+}
+
 // convertPrivilegeKind converts a privilege from its parser representation to the server representation.
 func convertPrivilegeKinds(object auth.PrivilegeObject, kinds []privilege.Kind) ([]auth.Privilege, error) {
 	privileges := make([]auth.Privilege, len(kinds))

server/ast/revoke.go

@@ -34,6 +34,8 @@ func nodeRevoke(ctx *Context, node *tree.Revoke) (vitess.Statement, error) {
 	var revokeTable *pgnodes.RevokeTable
 	var revokeSchema *pgnodes.RevokeSchema
 	var revokeDatabase *pgnodes.RevokeDatabase
+	var revokeSequence *pgnodes.RevokeSequence
+	var revokeRoutine *pgnodes.RevokeRoutine
 	switch node.Targets.TargetType {
 	case privilege.Table:
 		tables := make([]doltdb.TableName, len(node.Targets.Tables)+len(node.Targets.InSchema))
@@ -92,6 +94,53 @@ func nodeRevoke(ctx *Context, node *tree.Revoke) (vitess.Statement, error) {
 			Privileges: privileges,
 			Databases:  node.Targets.Databases.ToStrings(),
 		}
+	case privilege.Sequence:
+		sequences := make([]auth.SequencePrivilegeKey, 0, len(node.Targets.Sequences)+len(node.Targets.InSchema))
+		for _, seq := range node.Targets.Sequences {
+			sequences = append(sequences, auth.SequencePrivilegeKey{
+				Schema: sequenceSchema(seq),
+				Name:   seq.Parts[0],
+			})
+		}
+		for _, schema := range node.Targets.InSchema {
+			sequences = append(sequences, auth.SequencePrivilegeKey{
+				Schema: schema,
+				Name:   "",
+			})
+		}
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_SEQUENCE, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		revokeSequence = &pgnodes.RevokeSequence{
+			Privileges: privileges,
+			Sequences:  sequences,
+		}
+	case privilege.Function, privilege.Procedure, privilege.Routine:
+		routines := make([]auth.RoutinePrivilegeKey, 0, len(node.Targets.Routines)+len(node.Targets.InSchema))
+		for _, r := range node.Targets.Routines {
+			routines = append(routines, auth.RoutinePrivilegeKey{
+				Schema: routineSchema(r.Name),
+				Name:   r.Name.Parts[0],
+				// TODO: there can be 2 routines with the same name but different argument types
+				//  need a fix for getting argument types from parsing CALL statement
+				//ArgTypes: routineArgTypesKey(r.Args),
+			})
+		}
+		for _, schema := range node.Targets.InSchema {
+			routines = append(routines, auth.RoutinePrivilegeKey{
+				Schema: schema,
+				Name:   "",
+			})
+		}
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_FUNCTION, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		revokeRoutine = &pgnodes.RevokeRoutine{
+			Privileges: privileges,
+			Routines:   routines,
+		}
 	default:
 		return nil, errors.Errorf("this form of REVOKE is not yet supported")
 	}
@@ -100,6 +149,8 @@ func nodeRevoke(ctx *Context, node *tree.Revoke) (vitess.Statement, error) {
 			RevokeTable:    revokeTable,
 			RevokeSchema:   revokeSchema,
 			RevokeDatabase: revokeDatabase,
+			RevokeSequence: revokeSequence,
+			RevokeRoutine:  revokeRoutine,
 			RevokeRole:     nil,
 			FromRoles:      node.Grantees,
 			GrantedBy:      node.GrantedBy,