privilege: execute admin command must have Super_priv.

plan/planbuilder.go

@@ -498,6 +498,9 @@ func (b *planBuilder) buildAdmin(as *ast.AdminStmt) (Plan, error) {
 	default:
 		return nil, ErrUnsupportedType.Gen("Unsupported ast.AdminStmt(%T) for buildAdmin", as)
 	}
+
+	// Admin command can only be executed by administrator.
+	b.visitInfo = appendVisitInfo(b.visitInfo, mysql.SuperPriv, "", "", "")
 	return ret, nil
 }
 

privilege/privileges/privileges_test.go

@@ -15,6 +15,7 @@ package privileges_test
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 
 	. "github.com/pingcap/check"
@@ -301,6 +302,24 @@ func (s *testPrivilegeSuite) TestInformationSchema(c *C) {
 	mustExec(c, se, `select * from information_schema.key_column_usage`)
 }
 
+func (s *testPrivilegeSuite) TestAdminCommand(c *C) {
+	se := newSession(c, s.store, s.dbName)
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
+	mustExec(c, se, `CREATE USER 'test_admin'@'localhost';`)
+	mustExec(c, se, `FLUSH PRIVILEGES;`)
+	mustExec(c, se, `CREATE TABLE t(a int)`)
+
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "test_admin", Hostname: "localhost"}, nil, nil), IsTrue)
+	_, err := se.Execute(context.Background(), "ADMIN SHOW DDL JOBS")
+	c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+	_, err = se.Execute(context.Background(), "ADMIN CHECK TABLE t")
+	c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "root", Hostname: "localhost"}, nil, nil), IsTrue)
+	_, err = se.Execute(context.Background(), "ADMIN SHOW DDL JOBS")
+	c.Assert(err, IsNil)
+}
+
 func mustExec(c *C, se session.Session, sql string) {
 	_, err := se.Execute(context.Background(), sql)
 	c.Assert(err, IsNil)