@@ -382,9 +382,9 @@ func overrideSessionTimeZone(session *Session) {
382382// or caveats to nil for the migrated session in that scenario, so that the
383383// deep equals check does not fail in this scenario either.
384384//
385- // Additionally, we sort the caveats of both the kv and sql sessions by
386- // their ID, so that they are always comparable in a deterministic way with deep
387- // equals.
385+ // Additionally, we sort the caveats & permissions of both the kv and sql
386+ // sessions by their ID, so that they are always comparable in a deterministic
387+ // way with deep equals.
388388func overrideMacaroonRecipe (kvSession * Session , migratedSession * Session ) {
389389 if kvSession .MacaroonRecipe != nil {
390390 kvPerms := kvSession .MacaroonRecipe .Permissions
@@ -402,6 +402,7 @@ func overrideMacaroonRecipe(kvSession *Session, migratedSession *Session) {
402402 }
403403
404404 sqlCaveats := migratedSession .MacaroonRecipe .Caveats
405+ sqlPerms := migratedSession .MacaroonRecipe .Permissions
405406
406407 // If there have been caveats set for the MacaroonRecipe,
407408 // the order of the postgres db caveats will in very rare cases
@@ -421,5 +422,28 @@ func overrideMacaroonRecipe(kvSession *Session, migratedSession *Session) {
421422 ) < 0
422423 })
423424 }
425+
426+ // Similarly, we sort the macaroon permissions for both the kv
427+ // and sql sessions, so that we can compare them in a
428+ // deterministic way.
429+ if kvPerms != nil {
430+ sort .Slice (kvPerms , func (i , j int ) bool {
431+ if kvPerms [i ].Entity == kvPerms [j ].Entity {
432+ return kvPerms [i ].Action <
433+ kvPerms [j ].Action
434+ }
435+
436+ return kvPerms [i ].Entity < kvPerms [j ].Entity
437+ })
438+
439+ sort .Slice (sqlPerms , func (i , j int ) bool {
440+ if sqlPerms [i ].Entity == sqlPerms [j ].Entity {
441+ return sqlPerms [i ].Action <
442+ sqlPerms [j ].Action
443+ }
444+
445+ return sqlPerms [i ].Entity < sqlPerms [j ].Entity
446+ })
447+ }
424448 }
425449}
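Review bot: The updated doc comment on overrideMacaroonRecipe says the caveats and permissions are sorted "by their ID", but the sort added at the end of the function orders permissions by `Entity` and then `Action`, with no ID involved. I would reword it along the lines of `// Additionally, we sort the caveats by their ID and the permissions by entity and then action, for both the kv and sql sessions,` so the comparison key is stated correctly. The two `sort.Slice` comparators are identical apart from the slice they index, so a single local helper that takes the slice would keep the kv and sql orderings from drifting apart. `sqlPerms` is sorted only inside `if kvPerms != nil`, which appears to be harmless for the deep-equals check but deserves a short why-comment. The function begins outside this hunk and the lines between the hunks are not visible here.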