sql: refactor pg_builtin to use actual grant options

The builtins has_table_privilege, has_column_privilege,
has_any_column_privilege now use privileges.Priv.GrantOption instead
of privileges.Kind.GRANT.

Release note: None

pkg/sql/resolver.go

@@ -317,12 +317,22 @@ func (p *planner) HasPrivilege(
 	// hasPrivilegeFunc checks whether any role has the given privilege.
 	hasPrivilegeFunc := func(priv privilege.Privilege) (bool, error) {
 		err := p.CheckPrivilegeForUser(ctx, desc, priv.Kind, user)
+		if err == nil {
+			if priv.GrantOption {
+				if !p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption) {
+					err = p.CheckPrivilegeForUser(ctx, desc, privilege.GRANT, user)
+				} else {
+					err = p.CheckGrantOptionsForUser(ctx, desc, []privilege.Kind{priv.Kind}, true /* isGrant */)
+				}
+			}
+		}
 		if err != nil {
 			if pgerror.GetPGCode(err) == pgcode.InsufficientPrivilege {
 				return false, nil
 			}
 			return false, err
 		}
+
 		return true, nil
 	}
 

pkg/sql/sem/builtins/pg_builtins.go

@@ -553,6 +553,8 @@ func runSinglePrivilegeCheck(
 	switch d {
 	case tree.DBoolFalse, tree.DNull:
 	case tree.DBoolTrue:
+		// todo remove this check after migrating from evalPrivilegeCheck to hasPrivilege
+		// https://github.com/cockroachdb/cockroach/issues/66173
 		if priv.GrantOption {
 			// GrantOption is set, so AND the result with check(GRANT).
 			d, err = check(privilege.Privilege{Kind: privilege.GRANT})
@@ -2267,7 +2269,7 @@ SELECT description
 					if typmod != -1 {
 						// This logics matches the postgres implementation
 						// of how to calculate the precision based on the typmod
-						//https://github.com/postgres/postgres/blob/d84ffffe582b8e036a14c6bc2378df29167f3a00/src/backend/catalog/information_schema.sql#L109
+						// https://github.com/postgres/postgres/blob/d84ffffe582b8e036a14c6bc2378df29167f3a00/src/backend/catalog/information_schema.sql#L109
 						return tree.NewDInt(((typmod - 4) >> 16) & 65535), nil
 					}
 					return tree.DNull, nil