*: address @D3Hunter review (parser PR)

Fixes for D3Hunter's review on #68028:

[Blocker] Dual-password clauses are parsed but ignored by execution
  - Add executor stubs that reject RETAIN CURRENT PASSWORD / DISCARD
    OLD PASSWORD with ER_NOT_SUPPORTED_YET in executeAlterUser and
    executeSetPwd. Full execution / privilege / storage logic lives in
    the follow-up PR #68393.
  - Expose exeerrors.ErrNotSupportedYet for callers (was previously
    only available via dbterror.ClassExecutor.NewStd inline).
  - New TestDualPasswordParserOnlyStub in passwordtest to pin the
    stub's behavior.

[Major #2] CREATE USER accepted dual-password clauses outside MySQL grammar
  - Drop the CreateUserSpec/CreateUserSpecList non-terminals and route
    CREATE USER back through the original UserSpec/UserSpecList chain.
    CREATE USER + RETAIN/DISCARD is now a parser-level syntax error,
    matching MySQL.

[Major #3] ALTER USER over-accepted invalid RETAIN combinations
  - Introduce AuthOptionWithPassword (the BY-form subset of AuthOption)
    and restructure AlterUserSpec to bind RETAIN only to that subset.
    Reject at parse time:
      ALTER USER u IDENTIFIED WITH plugin AS '<hash>' RETAIN ...
      ALTER USER u IDENTIFIED WITH plugin RETAIN ...
      ALTER USER u RETAIN CURRENT PASSWORD (no auth)
      ALTER USER u IDENTIFIED BY '...' DISCARD OLD PASSWORD
  - DISCARD becomes its own AlterUserSpec variant (no auth-option
    coexists with it).

[Major #4] Grammar label/documentation contradiction
  - Drop the misleading 'unsupported dual password option' label on the
    deleted CreateUserSpec; rewrite UserSpec/AlterUserSpec labels to
    state the contract accurately.

[Major #5] Generic *PasswordOrLockOption type was overloaded
  - Introduce dedicated ast.DualPasswordOption and
    ast.DualPasswordOptionType (with DualPasswordRetainCurrent /
    DualPasswordDiscardOld). UserSpec.DualPasswordOption now uses the
    dedicated type. Remove the RetainCurrentPassword and
    DiscardOldPassword iota entries from PasswordOrLockOption.

[Minor #6] ALTER USER USER() branch
  - USER() still does not route through AlterUserSpecList; dual-password
    on USER() is now a parse-time syntax error (covered by negative test).

[Minor #7] Parser tests had no negative coverage
  - Add explicit ok=false rows for CREATE USER + RETAIN, the AS-hash +
    RETAIN form, bare RETAIN with no auth, plain BY + DISCARD,
    bare-plugin + RETAIN, and ALTER USER USER() + RETAIN.

[Minor #8] CREATE/ALTER user-spec grammar duplication
  - Now naturally eliminated because CREATE USER reuses UserSpec.

Behavior PR (#68393) needs to:
  - Remove the executor stubs added here.
  - Adopt the new ast.DualPasswordOption / DualPasswordOptionType
    symbols (the iota entries it currently consumes are gone).

Ref #60587

Author: takaidohigasi

pkg/executor/simple.go

@@ -1649,6 +1649,16 @@ func checkPasswordReusePolicy(ctx context.Context, sqlExecutor sqlexec.SQLExecut
 }
 
 func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt) error {
+	// MySQL 8.0 dual-password clauses (RETAIN CURRENT PASSWORD /
+	// DISCARD OLD PASSWORD) are accepted by the parser in this PR but the
+	// matching executor / privilege / storage logic lands in a follow-up
+	// (pingcap/tidb#68393). Reject explicitly with a stable error so users
+	// see "not supported yet" instead of silent success.
+	for _, spec := range s.Specs {
+		if spec.DualPasswordOption != nil {
+			return exeerrors.ErrNotSupportedYet.GenWithStackByArgs("dual password (RETAIN CURRENT PASSWORD / DISCARD OLD PASSWORD)")
+		}
+	}
 	disableSandBoxMode := false
 	var err error
 	if e.Ctx().InSandBoxMode() {
@@ -2493,6 +2503,11 @@ func userExistsInternal(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, na
 }
 
 func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error {
+	// See executeAlterUser: RETAIN CURRENT PASSWORD parsing lands in this PR;
+	// execution lands in pingcap/tidb#68393. Until then, fail closed.
+	if s.RetainCurrentPassword {
+		return exeerrors.ErrNotSupportedYet.GenWithStackByArgs("SET PASSWORD ... RETAIN CURRENT PASSWORD")
+	}
 	ctx = kv.WithInternalSourceType(ctx, kv.InternalTxnPrivilege)
 	sysSession, err := e.GetSysSession()
 	if err != nil {

pkg/executor/test/passwordtest/BUILD.bazel

@@ -8,7 +8,7 @@ go_test(
         "password_management_test.go",
     ],
     flaky = True,
-    shard_count = 9,
+    shard_count = 10,
     deps = [
         "//pkg/domain",
         "//pkg/errno",

pkg/executor/test/passwordtest/password_management_test.go

@@ -989,6 +989,35 @@ func checkAuthUser(t *testing.T, tk *testkit.TestKit, user string, failedLoginCo
 	require.Equal(t, autoAccountLocked, ua[0].PasswordLocking.AutoAccountLocked)
 }
 
+// TestDualPasswordParserOnlyStub guards the executor stub added in the
+// parser-only PR (#68028). The grammar now accepts MySQL 8.0 dual-password
+// clauses (RETAIN CURRENT PASSWORD / DISCARD OLD PASSWORD), but the matching
+// executor / privilege / storage logic lands in the follow-up PR (#68393).
+// Until then the executor must fail fast with ER_NOT_SUPPORTED_YET so users
+// don't see silent success.
+//
+// When #68393 lands and removes the stubs, this test should be replaced by
+// the real dual-password coverage that lives there.
+func TestDualPasswordParserOnlyStub(t *testing.T) {
+	store := testkit.CreateMockStore(t)
+	tk := testkit.NewTestKit(t, store)
+	require.NoError(t, tk.Session().Auth(&auth.UserIdentity{Username: "root", Hostname: "%"}, nil, nil, nil))
+
+	tk.MustExec("DROP USER IF EXISTS dpstub")
+	tk.MustExec("CREATE USER dpstub IDENTIFIED BY 'old'")
+
+	// ALTER USER ... RETAIN CURRENT PASSWORD must fail with ER_NOT_SUPPORTED_YET.
+	tk.MustGetErrCode("ALTER USER dpstub IDENTIFIED BY 'new' RETAIN CURRENT PASSWORD", errno.ErrNotSupportedYet)
+	// ALTER USER ... DISCARD OLD PASSWORD must fail with ER_NOT_SUPPORTED_YET.
+	tk.MustGetErrCode("ALTER USER dpstub DISCARD OLD PASSWORD", errno.ErrNotSupportedYet)
+	// SET PASSWORD ... RETAIN CURRENT PASSWORD must fail with ER_NOT_SUPPORTED_YET.
+	tk.MustGetErrCode("SET PASSWORD FOR dpstub = 'new' RETAIN CURRENT PASSWORD", errno.ErrNotSupportedYet)
+
+	// A regular ALTER USER (no dual-password clause) must still succeed —
+	// the stub guard only triggers when DualPasswordOption is set.
+	tk.MustExec("ALTER USER dpstub IDENTIFIED BY 'plain'")
+}
+
 func selectSQL(user string) string {
 	userAttributesSQL := new(strings.Builder)
 	sqlescape.MustFormatSQL(userAttributesSQL, "SELECT user_attributes from mysql.user WHERE USER = %? AND HOST = 'localhost' for update", user)

pkg/parser/ast/misc.go

@@ -1554,7 +1554,7 @@ func (n *SetDefaultRoleStmt) Accept(v Visitor) (Node, bool) {
 type UserSpec struct {
 	User               *auth.UserIdentity
 	AuthOpt            *AuthOption
-	DualPasswordOption *PasswordOrLockOption
+	DualPasswordOption *DualPasswordOption
 	IsRole             bool
 }
 
@@ -1592,9 +1592,9 @@ func (n *UserSpec) SecurityString() string {
 	dualClause := ""
 	if n.DualPasswordOption != nil {
 		switch n.DualPasswordOption.Type {
-		case RetainCurrentPassword:
+		case DualPasswordRetainCurrent:
 			dualClause = " RETAIN CURRENT PASSWORD"
-		case DiscardOldPassword:
+		case DualPasswordDiscardOld:
 			dualClause = " DISCARD OLD PASSWORD"
 		}
 	}
@@ -1725,11 +1725,42 @@ const (
 	PasswordRequireCurrentDefault
 
 	UserResourceGroupName
+)
+
+// DualPasswordOptionType identifies the dual-password action attached to a
+// UserSpec by the parser. Dedicated to dual-password semantics so the AST
+// does not conflate it with PasswordOrLockOption (account lock, expiration,
+// failed-login policy, etc.) which has different per-statement scoping rules.
+type DualPasswordOptionType int
 
-	RetainCurrentPassword
-	DiscardOldPassword
+const (
+	// DualPasswordRetainCurrent corresponds to RETAIN CURRENT PASSWORD.
+	DualPasswordRetainCurrent DualPasswordOptionType = iota + 1
+	// DualPasswordDiscardOld corresponds to DISCARD OLD PASSWORD.
+	DualPasswordDiscardOld
 )
 
+// DualPasswordOption represents a per-UserSpec MySQL 8.0 dual-password clause
+// (RETAIN CURRENT PASSWORD or DISCARD OLD PASSWORD). The grammar attaches it
+// to the UserSpec rather than to AlterUserStmt because MySQL allows different
+// dual-password actions per spec inside a multi-user ALTER USER statement.
+type DualPasswordOption struct {
+	Type DualPasswordOptionType
+}
+
+// Restore implements Node interface.
+func (d *DualPasswordOption) Restore(ctx *format.RestoreCtx) error {
+	switch d.Type {
+	case DualPasswordRetainCurrent:
+		ctx.WriteKeyWord("RETAIN CURRENT PASSWORD")
+	case DualPasswordDiscardOld:
+		ctx.WriteKeyWord("DISCARD OLD PASSWORD")
+	default:
+		return errors.Errorf("Unsupported DualPasswordOption.Type %d", d.Type)
+	}
+	return nil
+}
+
 type PasswordOrLockOption struct {
 	Type  int
 	Count int64
@@ -1770,10 +1801,6 @@ func (p *PasswordOrLockOption) Restore(ctx *format.RestoreCtx) error {
 		ctx.WriteKeyWord(" DAY")
 	case PasswordReuseDefault:
 		ctx.WriteKeyWord("PASSWORD REUSE INTERVAL DEFAULT")
-	case RetainCurrentPassword:
-		ctx.WriteKeyWord("RETAIN CURRENT PASSWORD")
-	case DiscardOldPassword:
-		ctx.WriteKeyWord("DISCARD OLD PASSWORD")
 	default:
 		return errors.Errorf("Unsupported PasswordOrLockOption.Type %d", p.Type)
 	}