pingcap · ti-chi-bot · Oct 31, 2022 · Oct 21, 2022 · Oct 25, 2022 · Oct 25, 2022
diff --git a/executor/BUILD.bazel b/executor/BUILD.bazel
@@ -16,6 +16,7 @@ go_library(
         "analyze_idx.go",
         "analyze_incremental.go",
         "analyze_utils.go",
+        "analyze_worker.go",
         "apply_cache.go",
         "batch_checker.go",
         "batch_point_get.go",

diff --git a/executor/show.go b/executor/show.go
@@ -1504,7 +1504,7 @@ func (e *ShowExec) fetchShowCollation() error {
 	return nil
 }
 
-// fetchShowCreateUser composes show create create user result.
+// fetchShowCreateUser composes 'show create user' result.
 func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 	checker := privilege.GetPrivilegeManager(e.ctx)
 	if checker == nil {
@@ -1528,7 +1528,7 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 
 	exec := e.ctx.(sqlexec.RestrictedSQLExecutor)
 
-	rows, _, err := exec.ExecRestrictedSQL(ctx, nil, `SELECT plugin, Account_locked, JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata'))
+	rows, _, err := exec.ExecRestrictedSQL(ctx, nil, `SELECT plugin, Account_locked, JSON_UNQUOTE(JSON_EXTRACT(user_attributes, '$.metadata')), Token_issuer
 		FROM %n.%n WHERE User=%? AND Host=%?`,
 		mysql.SystemDB, mysql.UserTable, userName, strings.ToLower(hostName))
 	if err != nil {
@@ -1557,6 +1557,11 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 		userAttributes = " ATTRIBUTE " + userAttributes
 	}
 
+	tokenIssuer := rows[0].GetString(3)
+	if len(tokenIssuer) > 0 {
+		tokenIssuer = " TOKEN_REQUIRE token_issuer " + tokenIssuer
+	}
+
 	rows, _, err = exec.ExecRestrictedSQL(ctx, nil, `SELECT Priv FROM %n.%n WHERE User=%? AND Host=%?`, mysql.SystemDB, mysql.GlobalPrivTable, userName, hostName)
 	if err != nil {
 		return errors.Trace(err)
@@ -1580,8 +1585,8 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
 	}
 
 	// FIXME: the returned string is not escaped safely
-	showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s PASSWORD EXPIRE DEFAULT ACCOUNT %s%s",
-		e.User.Username, e.User.Hostname, authplugin, authStr, require, accountLocked, userAttributes)
+	showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH '%s'%s REQUIRE %s%s PASSWORD EXPIRE DEFAULT ACCOUNT %s%s",
+		e.User.Username, e.User.Hostname, authplugin, authStr, require, tokenIssuer, accountLocked, userAttributes)
 	e.appendRow([]interface{}{showStr})
 	return nil
 }

diff --git a/executor/showtest/show_test.go b/executor/showtest/show_test.go
@@ -1118,6 +1118,12 @@ func TestShowCreateUser(t *testing.T) {
 	tk.MustQuery("SHOW CREATE USER commentUser").Check(testkit.Rows(`CREATE USER 'commentUser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"comment": "1234"}`))
 	tk.MustExec(`CREATE USER attributeUser attribute '{"name": "Tom", "age": 19}'`)
 	tk.MustQuery("SHOW CREATE USER attributeUser").Check(testkit.Rows(`CREATE USER 'attributeUser'@'%' IDENTIFIED WITH 'mysql_native_password' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"age": 19, "name": "Tom"}`))
+
+	// Creating users with 'IDENTIFIED WITH 'tidb_auth_token''
+	tk.MustExec(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' ATTRIBUTE '{"email": "user@pingcap.com"}'`)
+	tk.MustQuery("SHOW CREATE USER token_user").Check(testkit.Rows(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"email": "user@pingcap.com"}`))
+	tk.MustExec(`ALTER USER 'token_user'@'%' TOKEN_REQUIRE token_issuer 'issuer-ABC'`)
+	tk.MustQuery("SHOW CREATE USER token_user").Check(testkit.Rows(`CREATE USER 'token_user'@'%' IDENTIFIED WITH 'tidb_auth_token' AS '' REQUIRE NONE TOKEN_REQUIRE token_issuer issuer-ABC PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK ATTRIBUTE {"email": "user@pingcap.com"}`))
 }
 
 func TestUnprivilegedShow(t *testing.T) {

diff --git a/executor/simple.go b/executor/simple.go
@@ -836,8 +836,16 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		}
 	}
 
+	tokenIssuer := ""
+	for _, authTokenOption := range s.AuthTokenOptions {
+		switch authTokenOption.Type {
+		case ast.TokenIssuer:
+			tokenIssuer = authTokenOption.Value
+		}
+	}
+
 	sql := new(strings.Builder)
-	sqlexec.MustFormatSQL(sql, `INSERT INTO %n.%n (Host, User, authentication_string, plugin, user_attributes, Account_locked) VALUES `, mysql.SystemDB, mysql.UserTable)
+	sqlexec.MustFormatSQL(sql, `INSERT INTO %n.%n (Host, User, authentication_string, plugin, user_attributes, Account_locked, Token_issuer) VALUES `, mysql.SystemDB, mysql.UserTable)
 
 	users := make([]*auth.UserIdentity, 0, len(s.Specs))
 	for _, spec := range s.Specs {
@@ -877,13 +885,13 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		}
 
 		switch authPlugin {
-		case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthTiDBSM3Password, mysql.AuthSocket:
+		case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthTiDBSM3Password, mysql.AuthSocket, mysql.AuthTiDBAuthToken:
 		default:
 			return ErrPluginIsNotLoaded.GenWithStackByArgs(spec.AuthOpt.AuthPlugin)
 		}
 
 		hostName := strings.ToLower(spec.User.Hostname)
-		sqlexec.MustFormatSQL(sql, `(%?, %?, %?, %?, %?, %?)`, hostName, spec.User.Username, pwd, authPlugin, userAttributes, lockAccount)
+		sqlexec.MustFormatSQL(sql, `(%?, %?, %?, %?, %?, %?, %?)`, hostName, spec.User.Username, pwd, authPlugin, userAttributes, lockAccount, tokenIssuer)
 		users = append(users, spec.User)
 	}
 	if len(users) == 0 {
@@ -1036,7 +1044,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 				spec.AuthOpt.AuthPlugin = authplugin
 			}
 			switch spec.AuthOpt.AuthPlugin {
-			case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthTiDBSM3Password, mysql.AuthSocket, "":
+			case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthTiDBSM3Password, mysql.AuthSocket, mysql.AuthTiDBAuthToken, "":
 			default:
 				return ErrPluginIsNotLoaded.GenWithStackByArgs(spec.AuthOpt.AuthPlugin)
 			}
@@ -1064,6 +1072,12 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			fields = append(fields, alterField{"user_attributes=json_merge_patch(user_attributes, %?)", newAttributesStr})
 		}
 
+		if len(s.AuthTokenOptions) > 0 {
+			for _, authTokenOption := range s.AuthTokenOptions {
+				fields = append(fields, alterField{authTokenOption.Type.String() + "=%?", authTokenOption.Value})
+			}
+		}
+
 		if len(fields) > 0 {
 			sql := new(strings.Builder)
 			sqlexec.MustFormatSQL(sql, "UPDATE %n.%n SET ", mysql.SystemDB, mysql.UserTable)

diff --git a/executor/simpletest/simple_test.go b/executor/simpletest/simple_test.go
@@ -711,6 +711,10 @@ func TestUser(t *testing.T) {
 	result.Check(testkit.Rows(auth.EncodePassword("")))
 	dropUserSQL = `DROP USER IF EXISTS 'test1'@'localhost' ;`
 	tk.MustExec(dropUserSQL)
+	tk.MustExec(`CREATE USER token_user IDENTIFIED WITH 'tidb_auth_token' TOKEN_REQUIRE token_issuer 'issuer-abc'`)
+	tk.MustQuery(`SELECT plugin, token_issuer FROM mysql.user WHERE user = 'token_user'`).Check(testkit.Rows("tidb_auth_token issuer-abc"))
+	tk.MustExec(`ALTER USER token_user TOKEN_REQUIRE token_issuer 'issuer-123'`)
+	tk.MustQuery(`SELECT plugin, token_issuer FROM mysql.user WHERE user = 'token_user'`).Check(testkit.Rows("tidb_auth_token issuer-123"))
 
 	// Test alter user.
 	createUserSQL = `CREATE USER 'test1'@'localhost' IDENTIFIED BY '123', 'test2'@'localhost' IDENTIFIED BY '123', 'test3'@'localhost' IDENTIFIED BY '123', 'test4'@'localhost' IDENTIFIED BY '123';`

diff --git a/parser/ast/misc.go b/parser/ast/misc.go
@@ -1430,6 +1430,37 @@ func (t *TLSOption) Restore(ctx *format.RestoreCtx) error {
 	return nil
 }
 
+const (
+	TokenIssuer AuthTokenOptionType = iota
+)
+
+type AuthTokenOptionType int
+
+type AuthTokenOption struct {
+	Type  AuthTokenOptionType
+	Value string
+}
+
+func (t *AuthTokenOption) Restore(ctx *format.RestoreCtx) error {
+	switch t.Type {
+	case TokenIssuer:
+		ctx.WriteKeyWord("TOKEN_ISSUER ")
+		ctx.WriteString(t.Value)
+	default:
+		return errors.Errorf("Unsupported AuthTokenOption.Type %d", t.Type)
+	}
+	return nil
+}
+
+func (t AuthTokenOptionType) String() string {
+	switch t {
+	case TokenIssuer:
+		return "TOKEN_ISSUER"
+	default:
+		return "UNKNOWN"
+	}
+}
+
 const (
 	MaxQueriesPerHour = iota + 1
 	MaxUpdatesPerHour
@@ -1523,6 +1554,7 @@ type CreateUserStmt struct {
 	IfNotExists              bool
 	Specs                    []*UserSpec
 	TLSOptions               []*TLSOption
+	AuthTokenOptions         []*AuthTokenOption
 	ResourceOptions          []*ResourceOption
 	PasswordOrLockOptions    []*PasswordOrLockOption
 	CommentOrAttributeOption *CommentOrAttributeOption
@@ -1560,6 +1592,18 @@ func (n *CreateUserStmt) Restore(ctx *format.RestoreCtx) error {
 		}
 	}
 
+	if len(n.AuthTokenOptions) != 0 {
+		ctx.WriteKeyWord(" TOKEN_REQUIRE ")
+	}
+	for i, option := range n.AuthTokenOptions {
+		if i != 0 {
+			ctx.WriteKeyWord(" AND ")
+		}
+		if err := option.Restore(ctx); err != nil {
+			return errors.Annotatef(err, "An error occurred while restore CreateUserStmt.AuthTokenOptions[%d]", i)
+		}
+	}
+
 	if len(n.ResourceOptions) != 0 {
 		ctx.WriteKeyWord(" WITH")
 	}
@@ -1617,6 +1661,7 @@ type AlterUserStmt struct {
 	CurrentAuth              *AuthOption
 	Specs                    []*UserSpec
 	TLSOptions               []*TLSOption
+	AuthTokenOptions         []*AuthTokenOption
 	ResourceOptions          []*ResourceOption
 	PasswordOrLockOptions    []*PasswordOrLockOption
 	CommentOrAttributeOption *CommentOrAttributeOption
@@ -1657,6 +1702,19 @@ func (n *AlterUserStmt) Restore(ctx *format.RestoreCtx) error {
 		}
 	}
 
+	if len(n.AuthTokenOptions) != 0 {
+		ctx.WriteKeyWord(" TOKEN_REQUIRE ")
+	}
+
+	for i, option := range n.AuthTokenOptions {
+		if i != 0 {
+			ctx.WriteKeyWord(" AND ")
+		}
+		if err := option.Restore(ctx); err != nil {
+			return errors.Annotatef(err, "An error occurred while restore AlterUserStmt.AuthTokenOptions[%d]", i)
+		}
+	}
+
 	if len(n.ResourceOptions) != 0 {
 		ctx.WriteKeyWord(" WITH")
 	}

diff --git a/parser/misc.go b/parser/misc.go
@@ -736,6 +736,8 @@ var tokenMap = map[string]int{
 	"TINYTEXT":                 tinytextType,
 	"TLS":                      tls,
 	"TO":                       to,
+	"TOKEN_REQUIRE":            tokenRequire,
+	"TOKEN_ISSUER":             tokenIssuer,
 	"TOKUDB_DEFAULT":           tokudbDefault,
 	"TOKUDB_FAST":              tokudbFast,
 	"TOKUDB_LZMA":              tokudbLzma,

diff --git a/parser/mysql/const.go b/parser/mysql/const.go
@@ -177,8 +177,10 @@ const (
 	AuthNativePassword      = "mysql_native_password" // #nosec G101
 	AuthCachingSha2Password = "caching_sha2_password" // #nosec G101
 	AuthTiDBSM3Password     = "tidb_sm3_password"     // #nosec G101
+	AuthMySQLClearPassword  = "mysql_clear_password"
 	AuthSocket              = "auth_socket"
 	AuthTiDBSessionToken    = "tidb_session_token"
+	AuthTiDBAuthToken       = "tidb_auth_token"
 )
 
 // MySQL database and tables.