Skip to content

privilege: add ColumnsPrivMap for accelerating column-privilege (#61677)#66532

Merged
ti-chi-bot[bot] merged 5 commits into
pingcap:release-8.5from
ti-chi-bot:cherry-pick-61677-to-release-8.5
Mar 3, 2026
Merged

privilege: add ColumnsPrivMap for accelerating column-privilege (#61677)#66532
ti-chi-bot[bot] merged 5 commits into
pingcap:release-8.5from
ti-chi-bot:cherry-pick-61677-to-release-8.5

Conversation

@ti-chi-bot

@ti-chi-bot ti-chi-bot commented Feb 26, 2026

Copy link
Copy Markdown
Member

This is an automated cherry-pick of #61677

What problem does this PR solve?

Issue Number: ref #61706

Problem Summary:

What changed and how does it work?

Adapt the MySQLPrivilege to support column privilege

This PR pick pkg/privilege/privileges/cache.go and pkg/privilege/privileges/cache_test.go in #61638.

Check List

Tests

  • Unit test (existent cases)
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No need to test
    • I checked and no code files have been changed.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Summary by CodeRabbit

  • New Features

    • Column-level privileges now support wildcard matching using "*" to match any column when SELECT access is present.
  • Improvements

    • Optimized column privilege lookup mechanism for enhanced performance in permission verification.
  • Tests

    • Added test coverage for column privilege matching, including wildcard matching scenarios.

@ti-chi-bot ti-chi-bot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. type/cherry-pick-for-release-8.5 This PR is cherry-picked to release-8.5 from a source PR. labels Feb 26, 2026
@codecov

codecov Bot commented Feb 26, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 73.17073% with 11 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-8.5@919579b). Learn more about missing BASE report.

Additional details and impacted files
@@               Coverage Diff                @@
##             release-8.5     #66532   +/-   ##
================================================
  Coverage               ?   54.9898%           
================================================
  Files                  ?       1818           
  Lines                  ?     652868           
  Branches               ?          0           
================================================
  Hits                   ?     359011           
  Misses                 ?     267225           
  Partials               ?      26632           
Flag Coverage Δ
integration 38.3310% <65.8536%> (?)
unit 64.9170% <73.1707%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
dumpling 52.9278% <0.0000%> (?)
parser ∅ <0.0000%> (?)
br 55.6929% <0.0000%> (?)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Comment thread pkg/privilege/privileges/cache.go Outdated
Comment thread pkg/privilege/privileges/cache.go Outdated
@ti-chi-bot ti-chi-bot Bot added approved needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Feb 28, 2026
@ti-chi-bot

ti-chi-bot Bot commented Feb 28, 2026

Copy link
Copy Markdown

@tiancaiamao: Your lgtm message is repeated, so it is ignored.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Mar 2, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

This PR introduces column-level privilege caching through a new ColumnsPrivMap field and MatchColumns() method. It adds wildcard column matching support, refactors RequestVerification to use the optimized lookup, simplifies host comparison logic, and provides test coverage.

Changes

Cohort / File(s) Summary
Privilege Cache Implementation
pkg/privilege/privileges/cache.go
Adds ColumnsPrivMap field for efficient column-privilege lookups; introduces public MatchColumns() method; adds buildColumnsPrivMap() helper; supports wildcard column matching via "*"; refactors RequestVerification to use new lookup path; simplifies compareHost logic; invokes map building during merge and load operations.
Test Coverage
pkg/privilege/privileges/cache_test.go
Introduces TestMatchColumns() to verify column-privilege matching with specific names and wildcards; enhances checkUserRecord with string-based comparisons; expands TestSortUserTable with additional test cases; adds "strings" import for assertion messages.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Columns whisper in maps so swift,
Wildcards dance—a privilege gift!
Fast lookups bloom through cached delight,
Your security shines ever bright! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding ColumnsPrivMap to accelerate column-privilege handling in the privilege system.
Description check ✅ Passed The description follows the required template with essential sections completed: issue reference, problem summary, changes explanation, checklist items marked, and release notes. One key section (what problem does this PR solve / problem summary) lacks detail but the overall structure is complete.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
pkg/privilege/privileges/cache.go (2)

1166-1173: Consider adding parentheses for clarity.

The logic is correct due to operator precedence (&& binds tighter than ||), but adding explicit parentheses would improve readability and make the intent clearer for future maintainers.

♻️ Suggested clarification
 	return record.baseRecord.match(user, host) &&
 		strings.EqualFold(record.DB, db) &&
 		strings.EqualFold(record.TableName, table) &&
-		(strings.EqualFold(record.ColumnName, col) || col == "*" && (record.ColumnPriv&mysql.SelectPriv > 0))
+		(strings.EqualFold(record.ColumnName, col) || (col == "*" && (record.ColumnPriv&mysql.SelectPriv > 0)))
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/privilege/privileges/cache.go` around lines 1166 - 1173, The boolean
expression in columnsPrivRecord.match is correct but unclear; update the return
statement in function columnsPrivRecord.match to add explicit parentheses around
the final OR condition so the intent is obvious: keep the checks
record.baseRecord.match(user, host) && strings.EqualFold(record.DB, db) &&
strings.EqualFold(record.TableName, table) and wrap
(strings.EqualFold(record.ColumnName, col) || (col == "*" && (record.ColumnPriv
& mysql.SelectPriv) > 0)) to clarify grouping of ColumnName equality vs the
special "*" + ColumnPriv check.

1296-1298: Misleading comment: method is used in production code.

The comment states "exported only for test" but MatchColumns is also called in RequestVerification (line 1402). Consider updating the comment to reflect its actual usage.

📝 Suggested fix
-// MatchColumns is exported only for test
+// MatchColumns finds a column-level privilege record for the given user, host, db, table, and column.
+// The special column value "*" matches any column with SELECT privilege.
 func (p *MySQLPrivilege) MatchColumns(user, host, db, table, column string) *columnsPrivRecord {
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/privilege/privileges/cache.go` around lines 1296 - 1298, The comment for
MatchColumns is misleading—it's not only exported for tests but also invoked
from production code (see RequestVerification calling
MySQLPrivilege.MatchColumns); update the doc comment above func
MatchColumns(user, host, db, table, column string) *columnsPrivRecord to
accurately describe its purpose and usage (e.g., "MatchColumns returns the
columns privilege record for the given user/host/db/table/column; used by
RequestVerification and tests"), ensuring the comment references
MySQLPrivilege.MatchColumns and RequestVerification so future readers know it's
used in production.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/privilege/privileges/cache.go`:
- Around line 1166-1173: The boolean expression in columnsPrivRecord.match is
correct but unclear; update the return statement in function
columnsPrivRecord.match to add explicit parentheses around the final OR
condition so the intent is obvious: keep the checks
record.baseRecord.match(user, host) && strings.EqualFold(record.DB, db) &&
strings.EqualFold(record.TableName, table) and wrap
(strings.EqualFold(record.ColumnName, col) || (col == "*" && (record.ColumnPriv
& mysql.SelectPriv) > 0)) to clarify grouping of ColumnName equality vs the
special "*" + ColumnPriv check.
- Around line 1296-1298: The comment for MatchColumns is misleading—it's not
only exported for tests but also invoked from production code (see
RequestVerification calling MySQLPrivilege.MatchColumns); update the doc comment
above func MatchColumns(user, host, db, table, column string) *columnsPrivRecord
to accurately describe its purpose and usage (e.g., "MatchColumns returns the
columns privilege record for the given user/host/db/table/column; used by
RequestVerification and tests"), ensuring the comment references
MySQLPrivilege.MatchColumns and RequestVerification so future readers know it's
used in production.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 919579b and 9c3f4ba.

📒 Files selected for processing (2)
  • pkg/privilege/privileges/cache.go
  • pkg/privilege/privileges/cache_test.go

@ti-chi-bot ti-chi-bot Bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Mar 2, 2026
@ti-chi-bot

ti-chi-bot Bot commented Mar 2, 2026

Copy link
Copy Markdown

[LGTM Timeline notifier]

Timeline:

  • 2026-02-28 06:23:06.141709122 +0000 UTC m=+77210.060875209: ☑️ agreed by tiancaiamao.
  • 2026-03-02 02:42:09.903295094 +0000 UTC m=+153174.481374288: ☑️ agreed by fzzf678.

@ti-chi-bot

ti-chi-bot Bot commented Mar 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fzzf678, tiancaiamao, wjhuang2016

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [tiancaiamao,wjhuang2016]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot Bot added cherry-pick-approved Cherry pick PR approved by release team. and removed do-not-merge/cherry-pick-not-approved labels Mar 3, 2026
@fzzf678

fzzf678 commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

/retest

2 similar comments
@fzzf678

fzzf678 commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

/retest

@fzzf678

fzzf678 commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

/retest

@fzzf678

fzzf678 commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved cherry-pick-approved Cherry pick PR approved by release team. lgtm release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. type/cherry-pick-for-release-8.5 This PR is cherry-picked to release-8.5 from a source PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants