Skip to content

privileges,planner: implement checks for RESTRICTED_USER_ADMIN for granting privileges and roles#64297

Merged
ti-chi-bot[bot] merged 1 commit intopingcap:masterfrom
YangKeao:impl-64295
Nov 17, 2025
Merged

privileges,planner: implement checks for RESTRICTED_USER_ADMIN for granting privileges and roles#64297
ti-chi-bot[bot] merged 1 commit intopingcap:masterfrom
YangKeao:impl-64295

Conversation

@YangKeao
Copy link
Copy Markdown
Member

@YangKeao YangKeao commented Nov 5, 2025

What problem does this PR solve?

Issue Number: close #64295

Problem Summary:

The current implementation of SEM is not good enough (for both v1 and v2). We'll need to restrict the granting and revoking of roles which have RESTRICTED_USER_ADMIN, or the user with ROLE ADMIN permission can easy take the higher privilege.

What changed and how does it work?

  1. Users with RESTRICTED_USER_ADMIN are not allowed to be deleted
  2. Users with RESTRICTED_USER_ADMIN are not allowed to have their names modified
  3. Users with the RESTRICTED_USER_ADMIN permission are not allowed to change permissions.
  4. An user with the RESTRICTED_USER_ADMIN attribute is not allowed to be used as a role.

Users with RESTRICTED_USER_ADMIN are not limited by these four rules.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No need to test
    • I checked and no code files have been changed.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

None

@YangKeao
implement checks for RESTRICTED_USER_ADMIN for granting privileges an…
6106556 
…d roles

Signed-off-by: Yang Keao <yangkeao@chunibyo.icu>
@ti-chi-bot ti-chi-bot Bot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/planner SIG: Planner labels Nov 5, 2025
@YangKeao YangKeao requested review from hawkingrei and xhebox November 5, 2025 11:17
@codecov
Copy link
Copy Markdown

codecov Bot commented Nov 5, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.8328%. Comparing base (16e461a) to head (6106556).
⚠️ Report is 575 commits behind head on master.

Additional details and impacted files 
@@               Coverage Diff                @@
##             master     #64297        +/-   ##
================================================
+ Coverage   72.7524%   74.8328%   +2.0804%     
================================================
  Files          1859       1867         +8     
  Lines        504107     522478     +18371     
================================================
+ Hits         366750     390985     +24235     
+ Misses       115098     109718      -5380     
+ Partials      22259      21775       -484
Flag Coverage Δ
integration 43.2433% <100.0000%> (?)
unit 74.0782% <100.0000%> (+1.7514%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
dumpling 52.8700% <ø> (ø)
parser ∅ <ø> (∅)
br 47.7263% <ø> (+1.3652%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ti-chi-bot ti-chi-bot Bot added the needs-1-more-lgtm Indicates a PR needs 1 more LGTM. label Nov 6, 2025
@xhebox
Copy link
Copy Markdown
Contributor

xhebox commented Nov 6, 2025

/retest

@ti-chi-bot
Copy link
Copy Markdown

ti-chi-bot Bot commented Nov 12, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hawkingrei, xhebox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot Bot added approved lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Nov 12, 2025
@ti-chi-bot
Copy link
Copy Markdown

ti-chi-bot Bot commented Nov 12, 2025

[LGTM Timeline notifier]

Timeline:

  • 2025-11-06 03:18:48.784328446 +0000 UTC m=+326578.227358324: ☑️ agreed by xhebox.
  • 2025-11-12 07:54:58.790528123 +0000 UTC m=+861548.233558002: ☑️ agreed by hawkingrei.

@hawkingrei
Copy link
Copy Markdown
Member

hawkingrei commented Nov 17, 2025

/retest

@ti-chi-bot ti-chi-bot Bot merged commit 3328284 into pingcap:master Nov 17, 2025
29 checks passed
@YangKeao YangKeao added needs-cherry-pick-release-7.1 Should cherry pick this PR to release-7.1 branch. needs-cherry-pick-release-7.5 Should cherry pick this PR to release-7.5 branch. needs-cherry-pick-release-8.1 Should cherry pick this PR to release-8.1 branch. needs-cherry-pick-release-8.5 Should cherry pick this PR to release-8.5 branch. labels Mar 3, 2026
ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Mar 3, 2026
@YangKeao @ti-chi-bot
This is an automated cherry-pick of pingcap#64297
84c133f 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot
Copy link
Copy Markdown
Member

ti-chi-bot commented Mar 3, 2026

In response to a cherrypick label: new pull request created to branch release-7.1: #66646.
But this PR has conflicts, please resolve them!

@ti-chi-bot ti-chi-bot mentioned this pull request Mar 3, 2026
Open
13 tasks
ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Mar 3, 2026
@YangKeao @ti-chi-bot
This is an automated cherry-pick of pingcap#64297
8f16f4f 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot
Copy link
Copy Markdown
Member

ti-chi-bot commented Mar 3, 2026

In response to a cherrypick label: new pull request created to branch release-8.1: #66647.
But this PR has conflicts, please resolve them!

@ti-chi-bot ti-chi-bot mentioned this pull request Mar 3, 2026
Open
13 tasks
@ti-chi-bot
Copy link
Copy Markdown
Member

ti-chi-bot commented Mar 3, 2026

In response to a cherrypick label: new pull request created to branch release-7.5: #66648.
But this PR has conflicts, please resolve them!

ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Mar 3, 2026
@YangKeao @ti-chi-bot
This is an automated cherry-pick of pingcap#64297
9ad56a2 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot ti-chi-bot mentioned this pull request Mar 3, 2026
Open
13 tasks
ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Mar 3, 2026
@YangKeao @ti-chi-bot
This is an automated cherry-pick of pingcap#64297
dc852d7 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot
Copy link
Copy Markdown
Member

ti-chi-bot commented Mar 3, 2026

In response to a cherrypick label: new pull request created to branch release-8.5: #66649.
But this PR has conflicts, please resolve them!

@ti-chi-bot ti-chi-bot mentioned this pull request Mar 3, 2026
Merged
13 tasks
@YangKeao YangKeao added the needs-cherry-pick-release-6.5 Should cherry pick this PR to release-6.5 branch. label Mar 5, 2026
ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Mar 5, 2026
@YangKeao @ti-chi-bot
This is an automated cherry-pick of pingcap#64297
bc81e8f 
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot
Copy link
Copy Markdown
Member

ti-chi-bot commented Mar 5, 2026

In response to a cherrypick label: new pull request created to branch release-6.5: #66712.
But this PR has conflicts, please resolve them!

@ti-chi-bot ti-chi-bot mentioned this pull request Mar 5, 2026
Open
13 tasks
ti-chi-bot Bot pushed a commit that referenced this pull request Mar 18, 2026
@ti-chi-bot
privileges,planner: implement checks for RESTRICTED_USER_ADMIN for …
ee2d993 
…granting privileges and roles (#64297) (#66649)

close #64295
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hawkingrei hawkingrei hawkingrei approved these changes

@xhebox xhebox xhebox approved these changes

Assignees

No one assigned

Labels

approved lgtm needs-cherry-pick-release-6.5 Should cherry pick this PR to release-6.5 branch. needs-cherry-pick-release-7.1 Should cherry pick this PR to release-7.1 branch. needs-cherry-pick-release-7.5 Should cherry pick this PR to release-7.5 branch. needs-cherry-pick-release-8.1 Should cherry pick this PR to release-8.1 branch. needs-cherry-pick-release-8.5 Should cherry pick this PR to release-8.5 branch. release-note-none Denotes a PR that doesn't merit a release note. sig/planner SIG: Planner size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Also need to check RESTRICTED_USER_ADMIN when granting/revoking role which is RESTRICTED_USER_ADMIN

4 participants

@YangKeao @xhebox @hawkingrei @ti-chi-bot