*: support username prefix for starter mode

Author: ChangRui-Ryan

errors.toml

@@ -976,6 +976,11 @@ error = '''
 Cannot add or update a child row: a foreign key constraint fails (%.192s)
 '''
 
+["ddl:1468"]
+error = '''
+User name must start with `%s.` (use `%s.%s` instead)
+'''
+
 ["ddl:1470"]
 error = '''
 String '%-.70s' is too long for %s (should be no longer than %d)
@@ -3101,6 +3106,11 @@ error = '''
 You must reset your password using ALTER USER statement before executing this statement
 '''
 
+["server:20003"]
+error = '''
+User name prefix does not match the assigned keyspace.
+'''
+
 ["server:3159"]
 error = '''
 Connections using insecure transport are prohibited while --require_secure_transport=ON.

pkg/errno/errcode.go

@@ -861,6 +861,7 @@ const (
 	ErrBadUser                                               = 3162
 	ErrUserAlreadyExists                                     = 3163
 	ErrInvalidJSONPathArrayCell                              = 3165
+	ErrUserPrefixMismatch                                    = 20003
 	ErrInvalidEncryptionOption                               = 3184
 	ErrTooLongValueForType                                   = 3505
 	ErrPKIndexCantBeInvisible                                = 3522

pkg/errno/errname.go

@@ -864,6 +864,7 @@ var MySQLErrName = map[uint16]*mysql.ErrMessage{
 	ErrBadUser:                                               mysql.Message("User %s does not exist.", nil),
 	ErrUserAlreadyExists:                                     mysql.Message("User %s already exists.", nil),
 	ErrInvalidJSONPathArrayCell:                              mysql.Message("A path expression is not a path to a cell in an array.", nil),
+	ErrUserPrefixMismatch:                                    mysql.Message("User name prefix does not match the assigned keyspace.", nil),
 	ErrInvalidEncryptionOption:                               mysql.Message("Invalid encryption option.", nil),
 	ErrTooLongValueForType:                                   mysql.Message("Too long enumeration/set value for column %s.", nil),
 	ErrPKIndexCantBeInvisible:                                mysql.Message("A primary key index cannot be invisible", nil),

pkg/executor/grant.go

@@ -174,7 +174,7 @@ func (e *GrantExec) Next(ctx context.Context, _ *chunk.Chunk) error {
 			user.User.Username = e.Ctx().GetSessionVars().User.AuthUsername
 			user.User.Hostname = e.Ctx().GetSessionVars().User.AuthHostname
 		}
-		exists, err := userExists(ctx, e.Ctx(), user.User.Username, user.User.Hostname)
+		exists, err := userExistsWithRetryVariants(ctx, e.Ctx(), &user.User.Username, user.User.Hostname)
 		if err != nil {
 			return err
 		}

pkg/executor/revoke.go

@@ -103,7 +103,7 @@ func (e *RevokeExec) Next(ctx context.Context, _ *chunk.Chunk) error {
 		}
 
 		// Check if user exists.
-		exists, err := userExists(ctx, e.Ctx(), user.User.Username, user.User.Hostname)
+		exists, err := userExistsWithRetryVariants(ctx, e.Ctx(), &user.User.Username, user.User.Hostname)
 		if err != nil {
 			return err
 		}

pkg/executor/simple.go

@@ -40,6 +40,7 @@ import (
 	"github.com/pingcap/tidb/pkg/expression"
 	"github.com/pingcap/tidb/pkg/extension"
 	"github.com/pingcap/tidb/pkg/infoschema"
+	"github.com/pingcap/tidb/pkg/keyspace"
 	"github.com/pingcap/tidb/pkg/kv"
 	"github.com/pingcap/tidb/pkg/meta"
 	"github.com/pingcap/tidb/pkg/meta/model"
@@ -692,7 +693,7 @@ func (e *SimpleExec) executeRevokeRole(ctx context.Context, s *ast.RevokeRoleStm
 	e.setCurrentUser(s.Users)
 
 	for _, role := range s.Roles {
-		exists, err := userExists(ctx, e.Ctx(), role.Username, role.Hostname)
+		exists, err := userExistsWithRetryVariants(ctx, e.Ctx(), &role.Username, role.Hostname)
 		if err != nil {
 			return errors.Trace(err)
 		}
@@ -1157,6 +1158,9 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 
 	users := make([]*auth.UserIdentity, 0, len(s.Specs))
 	for _, spec := range s.Specs {
+		if err := keyspace.GetUsernamePolicy().ValidateUsername(spec.User.Username); err != nil {
+			return err
+		}
 		if len(spec.User.Username) > auth.UserNameMaxLength {
 			return exeerrors.ErrWrongStringLength.GenWithStackByArgs(spec.User.Username, "user name", auth.UserNameMaxLength)
 		}
@@ -1785,7 +1789,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 			}
 		}
 
-		exists, currentAuthPlugin, err := userExistsInternal(ctx, sqlExecutor, spec.User.Username, spec.User.Hostname)
+		exists, currentAuthPlugin, err := userExistsInternalWithRetryVariants(ctx, sqlExecutor, &spec.User.Username, spec.User.Hostname)
 		if err != nil {
 			return err
 		}
@@ -2075,7 +2079,7 @@ func (e *SimpleExec) executeGrantRole(ctx context.Context, s *ast.GrantRoleStmt)
 	e.setCurrentUser(s.Users)
 
 	for _, role := range s.Roles {
-		exists, err := userExists(ctx, e.Ctx(), role.Username, role.Hostname)
+		exists, err := userExistsWithRetryVariants(ctx, e.Ctx(), &role.Username, role.Hostname)
 		if err != nil {
 			return err
 		}
@@ -2084,7 +2088,7 @@ func (e *SimpleExec) executeGrantRole(ctx context.Context, s *ast.GrantRoleStmt)
 		}
 	}
 	for _, user := range s.Users {
-		exists, err := userExists(ctx, e.Ctx(), user.Username, user.Hostname)
+		exists, err := userExistsWithRetryVariants(ctx, e.Ctx(), &user.Username, user.Hostname)
 		if err != nil {
 			return err
 		}
@@ -2142,6 +2146,9 @@ func (e *SimpleExec) executeRenameUser(s *ast.RenameUserStmt) error {
 	}
 	for _, userToUser := range s.UserToUsers {
 		oldUser, newUser := userToUser.OldUser, userToUser.NewUser
+		if err := keyspace.GetUsernamePolicy().ValidateUsername(newUser.Username); err != nil {
+			return err
+		}
 		if len(newUser.Username) > auth.UserNameMaxLength {
 			return exeerrors.ErrWrongStringLength.GenWithStackByArgs(newUser.Username, "user name", auth.UserNameMaxLength)
 		}
@@ -2455,6 +2462,42 @@ func userExists(ctx context.Context, sctx sessionctx.Context, name string, host
 	return len(rows) > 0, nil
 }
 
+func userExistsWithRetryVariants(ctx context.Context, sctx sessionctx.Context, name *string, host string) (bool, error) {
+	exists, err := userExists(ctx, sctx, *name, host)
+	if err != nil || exists {
+		return exists, err
+	}
+	for _, variant := range keyspace.GetUsernamePolicy().GetUsernameVariants(*name) {
+		exists, err = userExists(ctx, sctx, variant, host)
+		if err != nil {
+			return false, err
+		}
+		if exists {
+			*name = variant
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func userExistsInternalWithRetryVariants(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name *string, host string) (bool, string, error) {
+	exists, authPlugin, err := userExistsInternal(ctx, sqlExecutor, *name, host)
+	if err != nil || exists {
+		return exists, authPlugin, err
+	}
+	for _, variant := range keyspace.GetUsernamePolicy().GetUsernameVariants(*name) {
+		exists, authPlugin, err = userExistsInternal(ctx, sqlExecutor, variant, host)
+		if err != nil {
+			return false, "", err
+		}
+		if exists {
+			*name = variant
+			return true, authPlugin, nil
+		}
+	}
+	return false, "", nil
+}
+
 // use the same internal executor to read within the same transaction, otherwise same as userExists
 func userExistsInternal(ctx context.Context, sqlExecutor sqlexec.SQLExecutor, name string, host string) (bool, string, error) {
 	sql := new(strings.Builder)

pkg/executor/test/simpletest/BUILD.bazel

@@ -9,9 +9,11 @@ go_test(
     ],
     flaky = True,
     race = "on",
-    shard_count = 12,
+    shard_count = 13,
     deps = [
         "//pkg/config",
+        "//pkg/config/deploymode",
+        "//pkg/config/kerneltype",
         "//pkg/parser/ast",
         "//pkg/parser/auth",
         "//pkg/parser/mysql",

pkg/executor/test/simpletest/simple_test.go

@@ -22,6 +22,8 @@ import (
 
 	"github.com/pingcap/errors"
 	"github.com/pingcap/tidb/pkg/config"
+	"github.com/pingcap/tidb/pkg/config/deploymode"
+	"github.com/pingcap/tidb/pkg/config/kerneltype"
 	"github.com/pingcap/tidb/pkg/parser/ast"
 	"github.com/pingcap/tidb/pkg/parser/auth"
 	"github.com/pingcap/tidb/pkg/parser/mysql"
@@ -38,6 +40,44 @@ import (
 	"go.opencensus.io/stats/view"
 )
 
+func TestStarterUsernamePolicyInSimpleExec(t *testing.T) {
+	if !kerneltype.IsNextGen() {
+		t.Skip("starter deploy mode is nextgen-only")
+	}
+
+	restoreConfig := config.RestoreFunc()
+	originalMode := deploymode.Get()
+	t.Cleanup(func() {
+		restoreConfig()
+		require.NoError(t, deploymode.Set(originalMode))
+	})
+
+	config.UpdateGlobal(func(conf *config.Config) {
+		conf.KeyspaceName = "SYSTEM"
+	})
+	require.NoError(t, deploymode.Set(deploymode.Starter))
+
+	store := testkit.CreateMockStore(t)
+	tk := testkit.NewTestKit(t, store)
+	tk.MustExec("create user if not exists `SYSTEM.r1`@`%`")
+	tk.MustExec("create user if not exists `SYSTEM.u1`@`%`")
+
+	tk.MustContainErrMsg("create user u2@'%' identified by 'pwd'", "User name must start with `SYSTEM.`")
+	tk.MustContainErrMsg("create role r2", "User name must start with `SYSTEM.`")
+	tk.MustExec("create role `SYSTEM.r2`")
+	tk.MustQuery("select User from mysql.user where User='SYSTEM.r2' and Host='%'").Check(testkit.Rows("SYSTEM.r2"))
+	tk.MustContainErrMsg("rename user `SYSTEM.u1`@`%` to u2@'%'", "User name must start with `SYSTEM.`")
+
+	tk.MustExec("grant r1 to u1")
+	tk.MustQuery("select TO_USER from mysql.role_edges where FROM_USER='SYSTEM.r1' and TO_USER='SYSTEM.u1' and TO_HOST='%'").Check(testkit.Rows("SYSTEM.u1"))
+
+	tk.MustExec("revoke `SYSTEM.r1` from `SYSTEM.u1`")
+	tk.MustQuery("select TO_USER from mysql.role_edges where FROM_USER='SYSTEM.r1' and TO_USER='SYSTEM.u1' and TO_HOST='%'").Check(testkit.Rows())
+
+	tk.MustExec("alter user u1 identified by 'pwd2'")
+	tk.MustQuery("select authentication_string from mysql.user where user='SYSTEM.u1' and host='%'").Check(testkit.Rows(auth.EncodePassword("pwd2")))
+}
+
 func TestUserWithSetNames(t *testing.T) {
 	store := testkit.CreateMockStore(t)
 	tk := testkit.NewTestKit(t, store)

pkg/keyspace/BUILD.bazel

@@ -5,12 +5,15 @@ go_library(
     srcs = [
         "doc.go",
         "keyspace.go",
+        "username_policy.go",
     ],
     importpath = "github.com/pingcap/tidb/pkg/keyspace",
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/config",
+        "//pkg/config/deploymode",
         "//pkg/config/kerneltype",
+        "//pkg/util/dbterror/exeerrors",
         "@com_github_pingcap_kvproto//pkg/kvrpcpb",
         "@com_github_tikv_client_go_v2//tikv",
         "@org_uber_go_zap//:zap",
@@ -24,10 +27,13 @@ go_test(
     srcs = ["keyspace_test.go"],
     embed = [":keyspace"],
     flaky = True,
-    shard_count = 2,
+    shard_count = 3,
     deps = [
         "//pkg/config",
+        "//pkg/config/deploymode",
         "//pkg/config/kerneltype",
+        "//pkg/parser/terror",
+        "//pkg/util/dbterror/exeerrors",
         "@com_github_stretchr_testify//require",
     ],
 )

pkg/keyspace/keyspace_test.go

@@ -19,7 +19,10 @@ import (
 	"testing"
 
 	"github.com/pingcap/tidb/pkg/config"
+	"github.com/pingcap/tidb/pkg/config/deploymode"
 	"github.com/pingcap/tidb/pkg/config/kerneltype"
+	"github.com/pingcap/tidb/pkg/parser/terror"
+	"github.com/pingcap/tidb/pkg/util/dbterror/exeerrors"
 	"github.com/stretchr/testify/require"
 )
 
@@ -71,6 +74,42 @@ func TestNoKeyspaceNameSet(t *testing.T) {
 	}
 }
 
+func TestUsernamePolicy(t *testing.T) {
+	restoreConfig := config.RestoreFunc()
+	originalMode := deploymode.Get()
+	t.Cleanup(func() {
+		restoreConfig()
+		if kerneltype.IsNextGen() {
+			require.NoError(t, deploymode.Set(originalMode))
+		}
+	})
+
+	config.UpdateGlobal(func(conf *config.Config) {
+		conf.KeyspaceName = "ks"
+	})
+
+	policy := GetUsernamePolicy()
+	require.NoError(t, policy.ValidateUsername("user"))
+	require.Empty(t, policy.GetUsernameVariants("user"))
+	require.Empty(t, policy.GetOriginalUsername("ks.user"))
+
+	if !kerneltype.IsNextGen() {
+		return
+	}
+
+	require.NoError(t, deploymode.Set(deploymode.Starter))
+	policy = GetUsernamePolicy()
+	require.NoError(t, policy.ValidateUsername("ks.user"))
+	require.True(t, policy.ValidateUsernameFormat("other.user"))
+	require.True(t, policy.ValidateUsernameFormat("other.user.extra"))
+	require.True(t, terror.ErrorEqual(policy.ValidateUsername("user"), exeerrors.ErrUserNameNeedPrefix))
+	require.Equal(t, []string{"ks.user"}, policy.GetUsernameVariants("user"))
+	require.Empty(t, policy.GetUsernameVariants("ks.user"))
+	require.Empty(t, policy.GetUsernameVariants("other.user"))
+	require.Empty(t, policy.GetUsernameVariants("other.user.extra"))
+	require.Equal(t, "user", policy.GetOriginalUsername("ks.user"))
+}
+
 func BenchmarkGetKeyspaceNameBytesBySettings(b *testing.B) {
 	if !kerneltype.IsNextGen() {
 		b.Skip("NextGen is not enabled, skipping benchmark")