This is an automated cherry-pick of pingcap#54525

Signed-off-by: ti-chi-bot <[email protected]>
ti-chi-bot · Jul 15, 2024 · bb65c01 · bb65c01
1 parent 223032b
commit bb65c01
Show file tree

Hide file tree

Showing 7 changed files with 1,063 additions and 0 deletions.
diff --git a/errno/errcode.go b/errno/errcode.go
@@ -1119,11 +1119,23 @@ const (
 	ErrPausedDDLJob       = 8262
 
 	// Resource group errors.
+<<<<<<< HEAD:errno/errcode.go
 	ErrResourceGroupExists            = 8248
 	ErrResourceGroupNotExists         = 8249
 	ErrResourceGroupSupportDisabled   = 8250
 	ErrResourceGroupConfigUnavailable = 8251
 	ErrResourceGroupThrottled         = 8252
+=======
+	ErrResourceGroupExists                    = 8248
+	ErrResourceGroupNotExists                 = 8249
+	ErrResourceGroupSupportDisabled           = 8250
+	ErrResourceGroupConfigUnavailable         = 8251
+	ErrResourceGroupThrottled                 = 8252
+	ErrResourceGroupQueryRunawayInterrupted   = 8253
+	ErrResourceGroupQueryRunawayQuarantine    = 8254
+	ErrResourceGroupInvalidBackgroundTaskName = 8255
+	ErrResourceGroupInvalidForRole            = 8257
+>>>>>>> cbf34c51e99 (executor/simple: prohibit setting a resource group to a role (#54525)):pkg/errno/errcode.go
 
 	// TiKV/PD/TiFlash errors.
 	ErrPDServerTimeout           = 9001

diff --git a/errno/errname.go b/errno/errname.go
@@ -1119,6 +1119,7 @@ var MySQLErrName = map[uint16]*mysql.ErrMessage{
 	ErrOptOnCacheTable:                 mysql.Message("'%s' is unsupported on cache tables.", nil),
 	ErrResourceGroupExists:             mysql.Message("Resource group '%-.192s' already exists", nil),
 	ErrResourceGroupNotExists:          mysql.Message("Unknown resource group '%-.192s'", nil),
+	ErrResourceGroupInvalidForRole:     mysql.Message("Cannot set resource group for a role", nil),
 
 	ErrColumnInChange:                 mysql.Message("column %s id %d does not exist, this column may have been updated by other DDL ran in parallel", nil),
 	ErrResourceGroupSupportDisabled:   mysql.Message("Resource control feature is disabled. Run `SET GLOBAL tidb_enable_resource_control='on'` to enable the feature", nil),

diff --git a/errors.toml b/errors.toml
@@ -2696,6 +2696,74 @@ error = '''
 Resource control feature is disabled. Run `SET GLOBAL tidb_enable_resource_control='on'` to enable the feature
 '''
 
+<<<<<<< HEAD
+=======
+["schema:8257"]
+error = '''
+Cannot set resource group for a role
+'''
+
+["server:1040"]
+error = '''
+Too many connections
+'''
+
+["server:1045"]
+error = '''
+Access denied for user '%-.48s'@'%-.255s' (using password: %s)
+'''
+
+["server:1148"]
+error = '''
+The used command is not allowed with this MySQL version
+'''
+
+["server:1153"]
+error = '''
+Got a packet bigger than 'max_allowed_packet' bytes
+'''
+
+["server:1184"]
+error = '''
+Aborted connection %d to db: '%-.192s' user: '%-.48s' host: '%-.255s' (%-.64s)
+'''
+
+["server:1251"]
+error = '''
+Client does not support authentication protocol requested by server; consider upgrading MySQL client
+'''
+
+["server:1698"]
+error = '''
+Access denied for user '%-.48s'@'%-.255s'
+'''
+
+["server:1820"]
+error = '''
+You must reset your password using ALTER USER statement before executing this statement
+'''
+
+["server:3159"]
+error = '''
+Connections using insecure transport are prohibited while --require_secure_transport=ON.
+'''
+
+["server:8052"]
+error = '''
+invalid sequence
+'''
+
+["server:8057"]
+error = '''
+invalid type
+'''
+
+["server:8130"]
+error = '''
+client has multi-statement capability disabled. Run SET GLOBAL tidb_multi_statement_mode='ON' after you understand the security risk
+'''
+
+>>>>>>> cbf34c51e99 (executor/simple: prohibit setting a resource group to a role (#54525))
 ["session:8002"]
 error = '''
 [%d] can not retry select for update statement

diff --git a/executor/simple.go b/executor/simple.go
@@ -1094,6 +1094,9 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		if !variable.EnableResourceControl.Load() {
 			return infoschema.ErrResourceGroupSupportDisabled
 		}
+		if s.IsCreateRole {
+			return infoschema.ErrResourceGroupInvalidForRole
+		}
 
 		resourceGroupName := strings.ToLower(s.ResourceGroupNameOption.Value)
 
@@ -1284,6 +1287,26 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 	return domain.GetDomain(e.ctx).NotifyUpdatePrivilege()
 }
 
+func isRole(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name, host string) (bool, error) {
+	sql := new(strings.Builder)
+	sqlescape.MustFormatSQL(sql, `SELECT 1 FROM %n.%n WHERE User=%? AND Host=%? AND Account_locked="Y" AND Password_expired="Y";`,
+		mysql.SystemDB, mysql.UserTable, name, strings.ToLower(host))
+	recordSet, err := sqlExecutor.ExecuteInternal(ctx, sql.String())
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		if closeErr := recordSet.Close(); closeErr != nil {
+			err = closeErr
+		}
+	}()
+	rows, err := sqlexec.DrainRecordSet(ctx, recordSet, 1)
+	if err != nil {
+		return false, err
+	}
+	return len(rows) > 0, nil
+}
+
 func getUserPasswordLimit(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name string, host string, plOptions *passwordOrLockOptionsInfo) (pRI *passwordReuseInfo, err error) {
 	res := &passwordReuseInfo{notSpecified, notSpecified}
 	sql := new(strings.Builder)
@@ -1906,6 +1929,13 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			if !variable.EnableResourceControl.Load() {
 				return infoschema.ErrResourceGroupSupportDisabled
 			}
+			is, err := isRole(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname)
+			if err != nil {
+				return err
+			}
+			if is {
+				return infoschema.ErrResourceGroupInvalidForRole
+			}
 
 			// check if specified resource group exists
 			resourceGroupName := strings.ToLower(s.ResourceGroupNameOption.Value)

diff --git a/infoschema/error.go b/infoschema/error.go
@@ -36,6 +36,13 @@ var (
 	ErrResourceGroupExists = dbterror.ClassSchema.NewStd(mysql.ErrResourceGroupExists)
 	// ErrResourceGroupNotExists return for resource group not exists.
 	ErrResourceGroupNotExists = dbterror.ClassSchema.NewStd(mysql.ErrResourceGroupNotExists)
+<<<<<<< HEAD:infoschema/error.go
+=======
+	// ErrResourceGroupInvalidBackgroundTaskName return for unknown resource group background task name.
+	ErrResourceGroupInvalidBackgroundTaskName = dbterror.ClassExecutor.NewStd(mysql.ErrResourceGroupInvalidBackgroundTaskName)
+	// ErrResourceGroupInvalidForRole return for invalid resource group for role.
+	ErrResourceGroupInvalidForRole = dbterror.ClassSchema.NewStd(mysql.ErrResourceGroupInvalidForRole)
+>>>>>>> cbf34c51e99 (executor/simple: prohibit setting a resource group to a role (#54525)):pkg/infoschema/error.go
 	// ErrReservedSyntax for internal syntax.
 	ErrReservedSyntax = dbterror.ClassSchema.NewStd(mysql.ErrReservedSyntax)
 	// ErrTableExists returns for table already exists.