sql/sem/tree: break dependencies on catalog, sessiondata, security

pkg/BUILD.bazel

@@ -21,7 +21,6 @@ ALL_TESTS = [
     "//pkg/ccl/changefeedccl:changefeedccl_test",
     "//pkg/ccl/cliccl:cliccl_test",
     "//pkg/ccl/importerccl:importerccl_test",
-    "//pkg/ccl/jobsccl/jobsprotectedtsccl:jobsccl_test",
     "//pkg/ccl/jobsccl/jobsprotectedtsccl:jobsprotectedtsccl_test",
     "//pkg/ccl/kvccl/kvfollowerreadsccl:kvfollowerreadsccl_test",
     "//pkg/ccl/kvccl/kvtenantccl:kvtenantccl_test",
@@ -192,6 +191,8 @@ ALL_TESTS = [
     "//pkg/security/certmgr:certmgr_test",
     "//pkg/security/password:password_test",
     "//pkg/security/sessionrevival:sessionrevival_test",
+    "//pkg/security/username:username_disallowed_imports_test",
+    "//pkg/security/username:username_test",
     "//pkg/security:security_test",
     "//pkg/server/debug/goroutineui:goroutineui_test",
     "//pkg/server/debug/pprofui:pprofui_test",
@@ -286,6 +287,7 @@ ALL_TESTS = [
     "//pkg/sql/contention:contention_test",
     "//pkg/sql/contentionpb:contentionpb_test",
     "//pkg/sql/covering:covering_test",
+    "//pkg/sql/decodeusername:decodeusername_test",
     "//pkg/sql/delegate:delegate_test",
     "//pkg/sql/descmetadata:descmetadata_test",
     "//pkg/sql/distsql:distsql_test",
@@ -379,10 +381,12 @@ ALL_TESTS = [
     "//pkg/sql/schemachanger:schemachanger_test",
     "//pkg/sql/sem/builtins:builtins_test",
     "//pkg/sql/sem/cast:cast_test",
+    "//pkg/sql/sem/catconstants:catconstants_disallowed_imports_test",
     "//pkg/sql/sem/eval/cast_test:cast_test_test",
     "//pkg/sql/sem/eval/eval_test:eval_test_test",
     "//pkg/sql/sem/eval:eval_test",
     "//pkg/sql/sem/normalize:normalize_test",
+    "//pkg/sql/sem/tree:tree_disallowed_imports_test",
     "//pkg/sql/sem/tree:tree_test",
     "//pkg/sql/sessiondata:sessiondata_test",
     "//pkg/sql/sessioninit:sessioninit_test",

pkg/acceptance/BUILD.bazel

@@ -14,8 +14,8 @@ go_library(
         "//pkg/acceptance/cluster",
         "//pkg/base",
         "//pkg/build/bazel",
-        "//pkg/security",
         "//pkg/security/securitytest",  #keep
+        "//pkg/security/username",
         "//pkg/server",  # keep
         "//pkg/testutils",
         "//pkg/testutils/serverutils",  # keep
@@ -52,7 +52,8 @@ go_test(
     deps = [
         "//pkg/acceptance/cluster",
         "//pkg/build/bazel",
-        "//pkg/security",
+        "//pkg/security",  # keep
+        "//pkg/security/username",
         "//pkg/testutils/skip",
         "//pkg/util/log",
     ],

pkg/acceptance/cli_test.go

@@ -19,7 +19,7 @@ import (
 
 	"github.com/cockroachdb/cockroach/pkg/acceptance/cluster"
 	"github.com/cockroachdb/cockroach/pkg/build/bazel"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/testutils/skip"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 )
@@ -38,7 +38,7 @@ func TestDockerCLI(t *testing.T) {
 
 	containerConfig := defaultContainerConfig()
 	containerConfig.Cmd = []string{"stat", cluster.CockroachBinaryInContainer}
-	containerConfig.Env = []string{fmt.Sprintf("PGUSER=%s", security.RootUser)}
+	containerConfig.Env = []string{fmt.Sprintf("PGUSER=%s", username.RootUser)}
 	ctx := context.Background()
 	if err := testDockerOneShot(ctx, t, "cli_test", containerConfig); err != nil {
 		skip.IgnoreLintf(t, `TODO(dt): No binary in one-shot container, see #6086: %s`, err)
@@ -111,7 +111,7 @@ func TestDockerUnixSocket(t *testing.T) {
 		skip.IgnoreLintf(t, `TODO(dt): No binary in one-shot container, see #6086: %s`, err)
 	}
 
-	containerConfig.Env = []string{fmt.Sprintf("PGUSER=%s", security.RootUser)}
+	containerConfig.Env = []string{fmt.Sprintf("PGUSER=%s", username.RootUser)}
 	containerConfig.Cmd = append(cmdBase,
 		"/mnt/data/psql/test-psql-unix.sh "+cluster.CockroachBinaryInContainer)
 	if err := testDockerOneShot(ctx, t, "unix_socket_test", containerConfig); err != nil {
@@ -135,7 +135,7 @@ func TestSQLWithoutTLS(t *testing.T) {
 		skip.IgnoreLintf(t, `TODO(dt): No binary in one-shot container, see #6086: %s`, err)
 	}
 
-	containerConfig.Env = []string{fmt.Sprintf("PGUSER=%s", security.RootUser)}
+	containerConfig.Env = []string{fmt.Sprintf("PGUSER=%s", username.RootUser)}
 	containerConfig.Cmd = append(cmdBase,
 		"/mnt/data/psql/test-psql-notls.sh "+cluster.CockroachBinaryInContainer)
 	if err := testDockerOneShot(ctx, t, "notls_secure_test", containerConfig); err != nil {

pkg/acceptance/cluster/BUILD.bazel

@@ -18,6 +18,7 @@ go_library(
         "//pkg/base",
         "//pkg/config/zonepb",
         "//pkg/security",
+        "//pkg/security/username",
         "//pkg/util/contextutil",
         "//pkg/util/log",
         "//pkg/util/log/logflags",

pkg/acceptance/cluster/certs.go

@@ -19,6 +19,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 )
 
 const certsDir = ".localcluster.certs"
@@ -53,12 +54,12 @@ func GenerateCerts(ctx context.Context) func() {
 	// Root user.
 	maybePanic(security.CreateClientPair(
 		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
-		2048, 48*time.Hour, false, security.RootUserName(), true /* generate pk8 key */))
+		2048, 48*time.Hour, false, username.RootUserName(), true /* generate pk8 key */))
 
 	// Test user.
 	maybePanic(security.CreateClientPair(
 		certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
-		1024, 48*time.Hour, false, security.TestUserName(), true /* generate pk8 key */))
+		1024, 48*time.Hour, false, username.TestUserName(), true /* generate pk8 key */))
 
 	// Certs for starting a cockroach server. Key size is from cli/cert.go:defaultKeySize.
 	maybePanic(security.CreateNodePair(

pkg/acceptance/cluster/dockercluster.go

@@ -31,6 +31,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/cockroach/pkg/util/log/logflags"
 	"github.com/cockroachdb/cockroach/pkg/util/stop"
@@ -768,7 +769,7 @@ func (l *DockerCluster) InternalIP(ctx context.Context, i int) net.IP {
 
 // PGUrl returns a URL string for the given node postgres server.
 func (l *DockerCluster) PGUrl(ctx context.Context, i int) string {
-	certUser := security.RootUser
+	certUser := username.RootUser
 	options := url.Values{}
 	options.Add("sslmode", "verify-full")
 	options.Add("sslcert", filepath.Join(certsDir, security.EmbeddedRootCert))

pkg/acceptance/localcluster/BUILD.bazel

@@ -14,7 +14,7 @@ go_library(
         "//pkg/config/zonepb",
         "//pkg/roachpb",
         "//pkg/rpc",
-        "//pkg/security",
+        "//pkg/security/username",
         "//pkg/server/serverpb",
         "//pkg/settings/cluster",
         "//pkg/testutils",

pkg/acceptance/localcluster/cluster.go

@@ -34,7 +34,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/config/zonepb"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
 	"github.com/cockroachdb/cockroach/pkg/rpc"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/server/serverpb"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/testutils"
@@ -268,7 +268,7 @@ func (c *Cluster) RPCPort(nodeIdx int) string {
 
 func (c *Cluster) makeNode(ctx context.Context, nodeIdx int, cfg NodeConfig) (*Node, <-chan error) {
 	baseCtx := &base.Config{
-		User:     security.NodeUserName(),
+		User:     username.NodeUserName(),
 		Insecure: true,
 	}
 	rpcCtx := rpc.NewContext(ctx, rpc.ContextOptions{

pkg/acceptance/util_docker.go

@@ -22,7 +22,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/acceptance/cluster"
 	"github.com/cockroachdb/cockroach/pkg/base"
 	"github.com/cockroachdb/cockroach/pkg/build/bazel"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -32,7 +32,7 @@ func defaultContainerConfig() container.Config {
 	return container.Config{
 		Image: acceptanceImage,
 		Env: []string{
-			fmt.Sprintf("PGUSER=%s", security.RootUser),
+			fmt.Sprintf("PGUSER=%s", username.RootUser),
 			fmt.Sprintf("PGPORT=%s", base.DefaultPort),
 			"PGSSLCERT=/certs/client.root.crt",
 			"PGSSLKEY=/certs/client.root.key",

pkg/base/BUILD.bazel

@@ -21,7 +21,7 @@ go_library(
     deps = [
         "//pkg/cli/cliflags",
         "//pkg/roachpb",
-        "//pkg/security",
+        "//pkg/security/username",
         "//pkg/settings/cluster",
         "//pkg/util",
         "//pkg/util/envutil",

pkg/base/config.go

@@ -16,7 +16,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/util/envutil"
 	"github.com/cockroachdb/cockroach/pkg/util/mon"
@@ -27,7 +27,7 @@ import (
 // Base config defaults.
 const (
 	defaultInsecure = false
-	defaultUser     = security.RootUser
+	defaultUser     = username.RootUser
 	httpScheme      = "http"
 	httpsScheme     = "https"
 
@@ -170,7 +170,7 @@ type Config struct {
 
 	// User running this process. It could be the user under which
 	// the server is running or the user passed in client calls.
-	User security.SQLUsername
+	User username.SQLUsername
 
 	// Addr is the address the server is listening on.
 	Addr string
@@ -256,7 +256,7 @@ func (*Config) HistogramWindowInterval() time.Duration {
 // This is also used in tests to reset global objects.
 func (cfg *Config) InitDefaults() {
 	cfg.Insecure = defaultInsecure
-	cfg.User = security.MakeSQLUsernameFromPreNormalizedString(defaultUser)
+	cfg.User = username.MakeSQLUsernameFromPreNormalizedString(defaultUser)
 	cfg.Addr = defaultAddr
 	cfg.AdvertiseAddr = cfg.Addr
 	cfg.HTTPAddr = defaultHTTPAddr

pkg/bench/BUILD.bazel

@@ -33,6 +33,7 @@ go_test(
         "//pkg/base",
         "//pkg/security",
         "//pkg/security/securitytest",
+        "//pkg/security/username",
         "//pkg/server",
         "//pkg/testutils/serverutils",
         "//pkg/testutils/skip",

pkg/bench/pgbench_test.go

@@ -21,7 +21,7 @@ import (
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/base"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/testutils/serverutils"
 	"github.com/cockroachdb/cockroach/pkg/testutils/skip"
 	"github.com/cockroachdb/cockroach/pkg/testutils/sqlutils"
@@ -113,7 +113,7 @@ func BenchmarkPgbenchExec(b *testing.B) {
 		defer s.Stopper().Stop(context.Background())
 
 		pgURL, cleanupFn := sqlutils.PGUrl(
-			b, s.ServingSQLAddr(), "benchmarkCockroach", url.User(security.RootUser))
+			b, s.ServingSQLAddr(), "benchmarkCockroach", url.User(username.RootUser))
 		pgURL.RawQuery = "sslmode=disable"
 		defer cleanupFn()
 

pkg/ccl/backupccl/BUILD.bazel

@@ -63,14 +63,13 @@ go_library(
         "//pkg/kv/kvserver/protectedts/ptpb",
         "//pkg/roachpb",
         "//pkg/scheduledjobs",
-        "//pkg/security",
+        "//pkg/security/username",
         "//pkg/server/telemetry",
         "//pkg/settings",
         "//pkg/settings/cluster",
         "//pkg/sql",
         "//pkg/sql/catalog",
         "//pkg/sql/catalog/catalogkeys",
-        "//pkg/sql/catalog/catconstants",
         "//pkg/sql/catalog/catpb",
         "//pkg/sql/catalog/colinfo",
         "//pkg/sql/catalog/dbdesc",
@@ -101,6 +100,7 @@ go_library(
         "//pkg/sql/rowexec",
         "//pkg/sql/schemachanger/scbackup",
         "//pkg/sql/sem/builtins",
+        "//pkg/sql/sem/catconstants",
         "//pkg/sql/sem/eval",
         "//pkg/sql/sem/tree",
         "//pkg/sql/sessiondata",
@@ -212,6 +212,7 @@ go_test(
         "//pkg/scheduledjobs",
         "//pkg/security",
         "//pkg/security/securitytest",
+        "//pkg/security/username",
         "//pkg/server",
         "//pkg/settings/cluster",
         "//pkg/spanconfig",

pkg/ccl/backupccl/alter_backup_test.go

@@ -13,7 +13,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/util/leaktest"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
@@ -51,7 +51,7 @@ func TestAlterBackupStatement(t *testing.T) {
 	sqlDB.Exec(t, query)
 
 	ctx := context.Background()
-	store, err := execCfg.DistSQLSrv.ExternalStorageFromURI(ctx, "userfile:///a", security.RootUserName())
+	store, err := execCfg.DistSQLSrv.ExternalStorageFromURI(ctx, "userfile:///a", username.RootUserName())
 	require.NoError(t, err)
 
 	files, err := getEncryptionInfoFiles(ctx, store)

pkg/ccl/backupccl/backup_destination.go

@@ -20,7 +20,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/featureflag"
 	"github.com/cockroachdb/cockroach/pkg/jobs/jobspb"
 	"github.com/cockroachdb/cockroach/pkg/roachpb"
-	"github.com/cockroachdb/cockroach/pkg/security"
+	"github.com/cockroachdb/cockroach/pkg/security/username"
 	"github.com/cockroachdb/cockroach/pkg/settings/cluster"
 	"github.com/cockroachdb/cockroach/pkg/sql"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
@@ -41,7 +41,7 @@ import (
 func fetchPreviousBackups(
 	ctx context.Context,
 	mem *mon.BoundAccount,
-	user security.SQLUsername,
+	user username.SQLUsername,
 	makeCloudStorage cloud.ExternalStorageFromURIFactory,
 	prevBackupURIs []string,
 	encryptionParams jobspb.BackupEncryptionOptions,
@@ -77,7 +77,7 @@ func fetchPreviousBackups(
 // backup manifests in the backup chain.
 func resolveDest(
 	ctx context.Context,
-	user security.SQLUsername,
+	user username.SQLUsername,
 	dest jobspb.BackupDetails_Destination,
 	endTime hlc.Timestamp,
 	incrementalFrom []string,
@@ -232,7 +232,7 @@ func resolveDest(
 func getBackupManifests(
 	ctx context.Context,
 	mem *mon.BoundAccount,
-	user security.SQLUsername,
+	user username.SQLUsername,
 	makeCloudStorage cloud.ExternalStorageFromURIFactory,
 	backupURIs []string,
 	encryption *jobspb.BackupEncryptionOptions,
@@ -299,7 +299,7 @@ func readLatestFile(
 	ctx context.Context,
 	collectionURI string,
 	makeCloudStorage cloud.ExternalStorageFromURIFactory,
-	user security.SQLUsername,
+	user username.SQLUsername,
 ) (string, error) {
 	collection, err := makeCloudStorage(ctx, collectionURI, user)
 	if err != nil {