cockroachdb · craig · Feb 21, 2025 · Feb 14, 2025
@@ -62,6 +62,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/kv/kvserver/protectedts"
 	"github.com/cockroachdb/cockroach/pkg/kv/kvserver/protectedts/ptutil"
 	"github.com/cockroachdb/cockroach/pkg/multitenant/mtinfopb"
+	"github.com/cockroachdb/cockroach/pkg/multitenant/tenantcapabilities"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/security/securitytest"
 	"github.com/cockroachdb/cockroach/pkg/security/username"
@@ -589,9 +590,10 @@ func TestBackupRestoreAppend(t *testing.T) {
 	tc, sqlDB, tmpDir, cleanupFn := backupRestoreTestSetupWithParams(t, multiNode, numAccounts, InitManualReplication, params)
 	defer cleanupFn()
 
-	if !tc.ApplicationLayer(0).Codec().ForSystemTenant() {
-		systemRunner := sqlutils.MakeSQLRunner(tc.SystemLayer(0).SQLConn(t))
-		systemRunner.Exec(t, `ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
+		tc.GrantTenantCapabilities(
+			ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
 	}
 
 	// Ensure that each node has at least one leaseholder. (These splits were

@@ -261,6 +261,7 @@ go_test(
         "//pkg/kv/kvserver/kvserverbase",
         "//pkg/kv/kvserver/protectedts",
         "//pkg/kv/kvserver/protectedts/ptpb",
+        "//pkg/multitenant/tenantcapabilities",
         "//pkg/roachpb",
         "//pkg/scheduledjobs",
         "//pkg/scheduledjobs/schedulebase",

@@ -19,6 +19,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/jobs"
 	"github.com/cockroachdb/cockroach/pkg/keys"
 	"github.com/cockroachdb/cockroach/pkg/kv/kvclient/kvcoord"
+	"github.com/cockroachdb/cockroach/pkg/multitenant/tenantcapabilities"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog"
@@ -400,8 +401,13 @@ func newRangeDistributionTester(
 
 	systemDB := sqlutils.MakeSQLRunner(tc.SystemLayer(len(tc.Servers) - 1).SQLConn(t))
 	systemDB.Exec(t, "SET CLUSTER SETTING kv.rangefeed.enabled = true")
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
+		tc.GrantTenantCapabilities(
+			ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
+	}
+
 	if tc.StartedDefaultTestTenant() {
-		systemDB.Exec(t, `ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
 		// Give 1,000,000 upfront tokens to the tenant, and keep the tokens per
 		// second rate to the default value of 10,000. This helps avoid throttling
 		// in the tests.

diff --git a/pkg/server/authserver/authentication_test.go b/pkg/server/authserver/authentication_test.go
@@ -94,15 +94,11 @@ func TestSSLEnforcement(t *testing.T) {
 	})
 	defer srv.Stopper().Stop(ctx)
 
-	if srv.TenantController().StartedDefaultTestTenant() {
+	if srv.DeploymentMode().IsExternal() {
 		// Enable access to the nodes endpoint for the test tenant.
-		_, err := srv.SystemLayer().SQLConn(t).Exec(
-			`ALTER TENANT [$1] GRANT CAPABILITY can_view_node_info=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-
-		serverutils.WaitForTenantCapabilities(t, srv, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanViewNodeInfo: "true",
-		}, "")
+		require.NoError(t, srv.GrantTenantCapabilities(
+			ctx, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanViewNodeInfo: "true"}))
 	}
 
 	s := srv.ApplicationLayer()

diff --git a/pkg/server/storage_api/health_test.go b/pkg/server/storage_api/health_test.go
@@ -23,7 +23,6 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/errors"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
 func TestHealthAPI(t *testing.T) {
@@ -123,16 +122,14 @@ func TestLivenessAPI(t *testing.T) {
 	tc := testcluster.StartTestCluster(t, 3, base.TestClusterArgs{})
 	defer tc.Stopper().Stop(context.Background())
 
+	ctx := context.Background()
+
 	// The liveness endpoint needs a special tenant capability.
-	if tc.Server(0).TenantController().StartedDefaultTestTenant() {
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
 		// Enable access to the nodes endpoint for the test tenant.
-		_, err := tc.SystemLayer(0).SQLConn(t).Exec(
-			`ALTER TENANT [$1] GRANT CAPABILITY can_view_node_info=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-
-		tc.WaitForTenantCapabilities(t, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanViewNodeInfo: "true",
-		})
+		tc.GrantTenantCapabilities(
+			ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanViewNodeInfo: "true"})
 	}
 
 	ts := tc.Server(0).ApplicationLayer()

diff --git a/pkg/server/storage_api/network_test.go b/pkg/server/storage_api/network_test.go
@@ -7,7 +7,6 @@ package storage_api_test
 
 import (
 	"context"
-	"fmt"
 	"testing"
 
 	"github.com/cockroachdb/cockroach/pkg/base"
@@ -34,16 +33,10 @@ func TestNetworkConnectivity(t *testing.T) {
 
 	s0 := testCluster.Server(0)
 
-	if s0.TenantController().StartedDefaultTestTenant() {
-		_, err := s0.SystemLayer().SQLConn(t).Exec(
-			`ALTER TENANT [$1] GRANT CAPABILITY can_debug_process=true`,
-			serverutils.TestTenantID().ToUint64(),
-		)
-		require.NoError(t, err)
-
-		serverutils.WaitForTenantCapabilities(t, s0, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanDebugProcess: "true",
-		}, "")
+	if s0.DeploymentMode().IsExternal() {
+		testCluster.GrantTenantCapabilities(
+			ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanDebugProcess: "true"})
 	}
 
 	ts := s0.ApplicationLayer()
@@ -71,7 +64,7 @@ func TestNetworkConnectivity(t *testing.T) {
 			return err
 		}
 		require.Equal(t, len(resp.Connections), numNodes-1)
-		fmt.Printf("got status: %s", resp.Connections[s0.StorageLayer().NodeID()].Peers[stoppedNodeID].Status.String())
+		t.Logf("got status: %s\n", resp.Connections[s0.StorageLayer().NodeID()].Peers[stoppedNodeID].Status.String())
 		if resp.Connections[s0.StorageLayer().NodeID()].Peers[stoppedNodeID].Status != serverpb.NetworkConnectivityResponse_ERROR {
 			return errors.New("waiting for connection state to be changed.")
 		}

diff --git a/pkg/server/storage_api/nodes_test.go b/pkg/server/storage_api/nodes_test.go
@@ -221,15 +221,11 @@ func TestNodesGRPCResponse(t *testing.T) {
 	})
 	defer srv.Stopper().Stop(ctx)
 
-	if srv.TenantController().StartedDefaultTestTenant() {
+	if srv.DeploymentMode().IsExternal() {
 		// Enable access to the nodes endpoint for the test tenant.
-		_, err := srv.SystemLayer().SQLConn(t).Exec(
-			`ALTER TENANT [$1] GRANT CAPABILITY can_view_node_info=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-
-		serverutils.WaitForTenantCapabilities(t, srv, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanViewNodeInfo: "true",
-		}, "")
+		require.NoError(t, srv.GrantTenantCapabilities(
+			ctx, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanViewNodeInfo: "true"}))
 	}
 
 	var request serverpb.NodesRequest

@@ -1265,6 +1265,30 @@ func (t *testTenant) DeploymentMode() serverutils.DeploymentMode {
 	return t.deploymentMode
 }
 
+// GrantTenantCapabilities is part of the serverutils.TenantControlInterface.
+func (ts *testServer) GrantTenantCapabilities(
+	ctx context.Context, tenID roachpb.TenantID, targetCaps map[tenantcapabilities.ID]string,
+) error {
+	conn, err := ts.SQLConnE()
+	if err != nil {
+		return err
+	}
+
+	var parts []string
+	for k, v := range targetCaps {
+		parts = append(parts, k.String()+"="+v)
+	}
+	capabilities := strings.Join(parts, ",")
+
+	if _, err = conn.Exec(fmt.Sprintf(`ALTER TENANT [$1] GRANT CAPABILITY %s`, capabilities),
+		tenID.ToUint64(),
+	); err != nil {
+		return err
+	}
+
+	return ts.WaitForTenantCapabilities(ctx, tenID, targetCaps, "")
+}
+
 // WaitForTenantCapabilities is part of the serverutils.TenantControlInterface.
 func (ts *testServer) WaitForTenantCapabilities(
 	ctx context.Context,

@@ -54,13 +54,10 @@ func TestDrainingAfterRemoteError(t *testing.T) {
 	tc := testcluster.StartTestCluster(t, 2 /* nodes */, args)
 	defer tc.Stopper().Stop(ctx)
 
-	if srv := tc.Server(0); srv.TenantController().StartedDefaultTestTenant() {
-		systemSqlDB := srv.SystemLayer().SQLConn(t, serverutils.DBName("system"))
-		_, err := systemSqlDB.Exec(`ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-		serverutils.WaitForTenantCapabilities(t, srv, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanAdminRelocateRange: "true",
-		}, "")
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
+		tc.GrantTenantCapabilities(
+			ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
 	}
 
 	// Create two tables, one with small values, and another with large rows.

@@ -23,6 +23,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/kv"
 	"github.com/cockroachdb/cockroach/pkg/kv/kvclient/kvcoord"
 	"github.com/cockroachdb/cockroach/pkg/kv/kvclient/rangecache"
+	"github.com/cockroachdb/cockroach/pkg/multitenant/tenantcapabilities"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/rpc"
 	"github.com/cockroachdb/cockroach/pkg/server/serverpb"
@@ -449,10 +450,9 @@ func TestDistSQLUnavailableHosts(t *testing.T) {
 			}
 
 			// Grant capability to run RELOCATE to secondary (test) tenant.
-			systemDB := sqlutils.MakeSQLRunner(tc.SystemLayer(0).SQLConn(t))
-			systemDB.Exec(t,
-				`ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`,
-				serverutils.TestTenantID().ToUint64())
+			tc.GrantTenantCapabilities(
+				ctx, t, serverutils.TestTenantID(),
+				map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
 		}
 
 		// Connect to node 1 (gateway node)

@@ -78,13 +78,10 @@ func TestTraceAnalyzer(t *testing.T) {
 
 	const gatewayNode = 0
 	srv, s := tc.Server(gatewayNode), tc.ApplicationLayer(gatewayNode)
-	if srv.TenantController().StartedDefaultTestTenant() {
-		systemSqlDB := srv.SystemLayer().SQLConn(t, serverutils.DBName("system"))
-		_, err := systemSqlDB.Exec(`ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-		serverutils.WaitForTenantCapabilities(t, srv, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanAdminRelocateRange: "true",
-		}, "")
+	if srv.DeploymentMode().IsExternal() {
+		require.NoError(t, srv.GrantTenantCapabilities(
+			ctx, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"}))
 	}
 	db := s.SQLConn(t)
 	sqlDB := sqlutils.MakeSQLRunner(db)

@@ -594,13 +594,10 @@ func TestEvalCtxTxnOnRemoteNodes(t *testing.T) {
 		})
 	defer tc.Stopper().Stop(ctx)
 
-	if srv := tc.Server(0); srv.TenantController().StartedDefaultTestTenant() {
-		systemSqlDB := srv.SystemLayer().SQLConn(t, serverutils.DBName("system"))
-		_, err := systemSqlDB.Exec(`ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-		serverutils.WaitForTenantCapabilities(t, srv, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanAdminRelocateRange: "true",
-		}, "")
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
+		tc.GrantTenantCapabilities(
+			ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
 	}
 
 	db := tc.ServerConn(0)

@@ -663,14 +663,11 @@ func TestProcessorEncountersUncertaintyError(t *testing.T) {
 	ctx := context.Background()
 	defer tc.Stopper().Stop(ctx)
 
-	if tc.StartedDefaultTestTenant() {
-		systemSqlDB := tc.Server(0).SystemLayer().SQLConn(t, serverutils.DBName("system"))
-		_, err := systemSqlDB.Exec(`ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-		serverutils.WaitForTenantCapabilities(t, tc.Server(0), serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanAdminRelocateRange: "true",
-		}, "")
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
+		tc.GrantTenantCapabilities(ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
 	}
+
 	origDB0 := tc.ServerConn(0)
 
 	sqlutils.CreateTable(t, origDB0, "t",

diff --git a/pkg/sql/logictest/logic.go b/pkg/sql/logictest/logic.go
@@ -1728,12 +1728,6 @@ func (t *logicTest) newCluster(
 
 		capabilities := toa.capabilities
 		if len(capabilities) > 0 {
-			for name, value := range capabilities {
-				query := fmt.Sprintf("ALTER TENANT [$1] GRANT CAPABILITY %s = $2", name)
-				if _, err := conn.Exec(query, tenantID.ToUint64(), value); err != nil {
-					t.Fatal(err)
-				}
-			}
 			capabilityMap := make(map[tenantcapabilities.ID]string, len(capabilities))
 			for k, v := range capabilities {
 				capability, ok := tenantcapabilities.FromName(k)
@@ -1742,7 +1736,7 @@ func (t *logicTest) newCluster(
 				}
 				capabilityMap[capability.ID()] = v
 			}
-			t.cluster.WaitForTenantCapabilities(t.t(), tenantID, capabilityMap)
+			t.cluster.GrantTenantCapabilities(context.Background(), t.t(), tenantID, capabilityMap)
 		}
 	}
 

@@ -163,13 +163,9 @@ func TestCPUTimeEndToEnd(t *testing.T) {
 	ctx := context.Background()
 	defer tc.Stopper().Stop(ctx)
 
-	if srv := tc.Server(0); srv.TenantController().StartedDefaultTestTenant() {
-		systemSqlDB := srv.SystemLayer().SQLConn(t, serverutils.DBName("system"))
-		_, err := systemSqlDB.Exec(`ALTER TENANT [$1] GRANT CAPABILITY can_admin_relocate_range=true`, serverutils.TestTenantID().ToUint64())
-		require.NoError(t, err)
-		serverutils.WaitForTenantCapabilities(t, srv, serverutils.TestTenantID(), map[tenantcapabilities.ID]string{
-			tenantcapabilities.CanAdminRelocateRange: "true",
-		}, "")
+	if tc.DefaultTenantDeploymentMode().IsExternal() {
+		tc.GrantTenantCapabilities(ctx, t, serverutils.TestTenantID(),
+			map[tenantcapabilities.ID]string{tenantcapabilities.CanAdminRelocateRange: "true"})
 	}
 
 	db := sqlutils.MakeSQLRunner(tc.Conns[0])

diff --git a/pkg/testutils/serverutils/api.go b/pkg/testutils/serverutils/api.go
@@ -141,6 +141,10 @@ const (
 	ExternalProcess
 )
 
+func (d DeploymentMode) IsExternal() bool {
+	return d == ExternalProcess
+}
+
 // ApplicationLayerInterface defines accessors to the application
 // layer of a test server. Tests written against this interface are
 // effectively agnostic to whether they use a virtual cluster or not.
@@ -506,6 +510,16 @@ type TenantControlInterface interface {
 	// if the tenant record exists in KV.
 	WaitForTenantReadiness(ctx context.Context, tenantID roachpb.TenantID) error
 
+	// GrantTenantCapabilities grants a capability to a tenant and waits until the
+	// in-memory cache reflects the change.
+	//
+	// Note: There is no need to call WaitForTenantCapabilities separately.
+	GrantTenantCapabilities(
+		context.Context,
+		roachpb.TenantID,
+		map[tenantcapabilities.ID]string,
+	) error
+
 	// WaitForTenantCapabilities waits until the in-RAM cache of
 	// tenant capabilities has been populated for the given tenant ID
 	// with the expected target capability values.

diff --git a/pkg/testutils/serverutils/test_cluster_shim.go b/pkg/testutils/serverutils/test_cluster_shim.go
@@ -250,6 +250,11 @@ type TestClusterInterface interface {
 	// cluster.
 	StorageLayer(idx int) StorageLayerInterface
 
+	// DefaultTenantDeploymentMode returns the deployment mode of the default
+	// server or tenant, which can be single-tenant (system-only),
+	// shared-process, or external-process.
+	DefaultTenantDeploymentMode() DeploymentMode
+
 	// SplitTable splits a range in the table, creates a replica for the right
 	// side of the split on TargetNodeIdx, and moves the lease for the right
 	// side of the split to TargetNodeIdx for each SplitPoint. This forces the
@@ -259,6 +264,17 @@ type TestClusterInterface interface {
 	// are indeed distributed as intended.
 	SplitTable(t TestFataler, desc catalog.TableDescriptor, sps []SplitPoint)
 
+	// GrantTenantCapabilities grants a capability to a tenant and waits until all
+	// servers have the in-memory cache reflects the change.
+	//
+	// Note: There is no need to call WaitForTenantCapabilities separately.
+	GrantTenantCapabilities(
+		context.Context,
+		TestFataler,
+		roachpb.TenantID,
+		map[tenantcapabilities.ID]string,
+	)
+
 	// WaitForTenantCapabilities waits until all servers have the specified
 	// tenant capabilities for the specified tenant ID.
 	// Only boolean capabilities are currently supported as we wait for the