diff --git a/pkg/infoschema/test/clustertablestest/cluster_tables_test.go b/pkg/infoschema/test/clustertablestest/cluster_tables_test.go
index b571f805fd6c2..ba1f140fed718 100644
--- a/pkg/infoschema/test/clustertablestest/cluster_tables_test.go
+++ b/pkg/infoschema/test/clustertablestest/cluster_tables_test.go
@@ -908,6 +908,24 @@ func TestMDLView(t *testing.T) {
 }
 }

+func TestMDLViewPrivilege(t *testing.T) {
+ store := testkit.CreateMockStore(t)
+ tk := testkit.NewTestKit(t, store)
+ require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "%"}, nil, nil, nil))
+ tk.MustQuery("select * from mysql.tidb_mdl_view;").Check(testkit.Rows())
+ tk.MustExec("create user 'test'@'%' identified by '';")
+ require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "test", Hostname: "%"}, nil, nil, nil))
+ _, err := tk.Exec("select * from mysql.tidb_mdl_view;")
+ require.ErrorContains(t, err, "view lack rights")
+
+ // grant all privileges to test user.
+ require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "%"}, nil, nil, nil))
+ tk.MustExec("grant all privileges on *.* to 'test'@'%';")
+ tk.MustExec("flush privileges;")
+ require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "test", Hostname: "%"}, nil, nil, nil))
+ tk.MustQuery("select * from mysql.tidb_mdl_view;").Check(testkit.Rows())
+}
+
 func TestQuickBinding(t *testing.T) {
 s := new(clusterTablesSuite)
 s.store, s.dom = testkit.CreateMockStoreAndDomain(t)
diff --git a/pkg/session/bootstrap.go b/pkg/session/bootstrap.go
index 6b0a90be4722f..f6943bee7115d 100644
--- a/pkg/session/bootstrap.go
+++ b/pkg/session/bootstrap.go
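Review bot: TestMDLViewPrivilege in cluster_tables_test.go asserts only the two extremes, a user with no grants and a user with `all privileges on *.*`, so it does not pin the case that separates invoker from definer security. A user who holds SELECT on the view alone, without rights on the tables it reads, should presumably still be refused; as root, `tk.MustExec("grant select on mysql.tidb_mdl_view to 'test'@'%';")` followed by a second `require.ErrorContains(t, err, "view lack rights")` as the test user would cover that. The negative assertion also matches on message text, so a check against the error's code rather than its wording would survive a reworded message.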
@@ -460,7 +460,7 @@ const (
 lock_name VARCHAR(64) NOT NULL PRIMARY KEY
 );`
 // CreateMDLView is a view about metadata locks.
- CreateMDLView = `CREATE OR REPLACE VIEW mysql.tidb_mdl_view as (
+ CreateMDLView = `CREATE OR REPLACE SQL SECURITY INVOKER VIEW mysql.tidb_mdl_view as (
 SELECT tidb_mdl_info.job_id,
 JSON_UNQUOTE(JSON_EXTRACT(cast(cast(job_meta as char) as json), "$.schema_name")) as db_name,
 JSON_UNQUOTE(JSON_EXTRACT(cast(cast(job_meta as char) as json), "$.table_name")) as table_name,
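Review bot: Editing the `CreateMDLView` constant changes only the statement text, and nothing visible in this hunk re-creates the view on clusters that were bootstrapped with the old definition. Unless an upgrade step outside this diff runs `CreateMDLView` again, those clusters may keep the view without the `SQL SECURITY INVOKER` clause, so that path is worth confirming. The doc comment could also record the reason for the clause, e.g. `// CreateMDLView is a view about metadata locks. It is SQL SECURITY INVOKER so the underlying tables are read with the querying user's privileges.` The const block starts and ends outside the hunk.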