executor: canonicalize db/table names for table-scope GRANT and REVOKE using infoschema metadata

expxiaoli · expxiaoli · commit e697fe6727f5 · 2026-04-01T14:26:05.000+08:00
close #67175
diff --git a/pkg/executor/grant.go b/pkg/executor/grant.go
@@ -119,6 +119,14 @@ func (e *GrantExec) Next(ctx context.Context, _ *chunk.Chunk) error {
 		if tbl != nil && tbl.Meta().Name.L != strings.ToLower(e.Level.TableName) {
 			return infoschema.ErrTableNotExists.GenWithStackByArgs(dbName, e.Level.TableName)
 		}
+		if tbl != nil {
+			// Use the real table name from schema metadata.
+			// This makes `t` and `T` write to the same privilege row.
+			e.Level.TableName = tbl.Meta().Name.O
+		}
+		if db, succ := schema.SchemaByName(dbNameStr); succ {
+			dbName = db.Name.O
+		}
 		if len(e.Level.DBName) > 0 {
 			// The database name should also match.
 			db, succ := schema.SchemaByName(dbNameStr)
diff --git a/pkg/executor/grant_test.go b/pkg/executor/grant_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/pingcap/tidb/pkg/parser/mysql"
 	"github.com/pingcap/tidb/pkg/parser/terror"
 	"github.com/pingcap/tidb/pkg/testkit"
+	"github.com/pingcap/tidb/pkg/util/collate"
 	"github.com/pingcap/tidb/pkg/util/dbterror/exeerrors"
 	"github.com/stretchr/testify/require"
 )
@@ -103,6 +104,23 @@ func TestGrantDBScope(t *testing.T) {
 	require.True(t, terror.ErrorEqual(err, exeerrors.ErrWrongUsage.GenWithStackByArgs("DB GRANT", "NON-DB PRIVILEGES")))
 }
 
+func TestGrantDBScopeCaseInsensitiveWithNewCollationDisabled(t *testing.T) {
+	oldNewCollationEnabled := collate.NewCollationEnabled()
+	collate.SetNewCollationEnabledForTest(false)
+	defer collate.SetNewCollationEnabledForTest(oldNewCollationEnabled)
+
+	store := testkit.CreateMockStore(t)
+	tk := testkit.NewTestKit(t, store)
+
+	tk.MustExec(`DROP USER IF EXISTS 'testDBCase'@'%'`)
+	tk.MustExec(`CREATE USER 'testDBCase'@'%' IDENTIFIED BY '123'`)
+
+	tk.MustExec(`GRANT SELECT ON test.* TO 'testDBCase'@'%'`)
+	tk.MustExec(`GRANT SELECT ON TEST.* TO 'testDBCase'@'%'`)
+	tk.MustQuery(`SELECT DB, Select_priv FROM mysql.db WHERE User='testDBCase' AND Host='%' ORDER BY DB`).
+		Check(testkit.Rows("test Y"))
+}
+
 func TestGrantTableScope(t *testing.T) {
 	store := testkit.CreateMockStore(t)
 
@@ -146,6 +164,25 @@ func TestGrantTableScope(t *testing.T) {
 		"[executor:1144]Illegal GRANT/REVOKE command; please consult the manual to see which privileges can be used")
 }
 
+func TestGrantTableScopeCaseInsensitiveWithNewCollationDisabled(t *testing.T) {
+	oldNewCollationEnabled := collate.NewCollationEnabled()
+	collate.SetNewCollationEnabledForTest(false)
+	defer collate.SetNewCollationEnabledForTest(oldNewCollationEnabled)
+
+	store := testkit.CreateMockStore(t)
+	tk := testkit.NewTestKit(t, store)
+
+	tk.MustExec(`DROP USER IF EXISTS 'testTblCase'@'%'`)
+	tk.MustExec(`CREATE USER 'testTblCase'@'%' IDENTIFIED BY '123'`)
+	tk.MustExec(`DROP TABLE IF EXISTS test.issue66867_grant`)
+	tk.MustExec(`CREATE TABLE test.issue66867_grant(c1 int)`)
+
+	tk.MustExec(`GRANT SELECT ON test.issue66867_grant TO 'testTblCase'@'%'`)
+	tk.MustExec(`GRANT SELECT ON test.ISSUE66867_GRANT TO 'testTblCase'@'%'`)
+	tk.MustQuery(`SELECT Table_name, Table_priv FROM mysql.tables_priv WHERE User='testTblCase' AND Host='%' AND DB='test' ORDER BY Table_name`).
+		Check(testkit.Rows("issue66867_grant Select"))
+}
+
 func TestGrantColumnScope(t *testing.T) {
 	store := testkit.CreateMockStore(t)
 
diff --git a/pkg/executor/revoke.go b/pkg/executor/revoke.go
@@ -172,7 +172,24 @@ func (e *RevokeExec) revokeOneUser(ctx context.Context, internalSession sessionc
 			return errors.Errorf("There is no such grant defined for user '%s' on host '%s' on database %s", user, host, dbName)
 		}
 	case ast.GrantLevelTable:
-		ok, err := tableUserExists(internalSession, user, host, dbName, e.Level.TableName)
+		tblName := e.Level.TableName
+		if len(dbName) > 0 {
+			// Normalize db/table names before checking mysql.tables_priv.
+			// Different input case should still map to the same object.
+			dbNameCI := ast.NewCIStr(dbName)
+			if db, succ := e.is.SchemaByName(dbNameCI); succ {
+				dbName = db.Name.O
+			}
+			tbl, err := e.is.TableByName(ctx, dbNameCI, ast.NewCIStr(e.Level.TableName))
+			if err != nil && !terror.ErrorEqual(err, infoschema.ErrTableNotExists) {
+				return err
+			}
+			if err == nil {
+				// Use the real table name from schema metadata.
+				tblName = tbl.Meta().Name.O
+			}
+		}
+		ok, err := tableUserExists(internalSession, user, host, dbName, tblName)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/executor/revoke_test.go b/pkg/executor/revoke_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/pingcap/tidb/pkg/executor"
 	"github.com/pingcap/tidb/pkg/parser/mysql"
 	"github.com/pingcap/tidb/pkg/testkit"
+	"github.com/pingcap/tidb/pkg/util/collate"
 	"github.com/stretchr/testify/require"
 )
 
@@ -82,6 +83,23 @@ func TestRevokeDBScope(t *testing.T) {
 	}
 }
 
+func TestRevokeDBScopeCaseInsensitiveWithNewCollationDisabled(t *testing.T) {
+	oldNewCollationEnabled := collate.NewCollationEnabled()
+	collate.SetNewCollationEnabledForTest(false)
+	defer collate.SetNewCollationEnabledForTest(oldNewCollationEnabled)
+
+	store := testkit.CreateMockStore(t)
+	tk := testkit.NewTestKit(t, store)
+
+	tk.MustExec(`DROP USER IF EXISTS 'testDBCaseRevoke'@'%'`)
+	tk.MustExec(`CREATE USER 'testDBCaseRevoke'@'%' IDENTIFIED BY '123'`)
+
+	tk.MustExec(`GRANT SELECT ON test.* TO 'testDBCaseRevoke'@'%'`)
+	tk.MustExec(`REVOKE SELECT ON TEST.* FROM 'testDBCaseRevoke'@'%'`)
+	tk.MustQuery(`SELECT DB FROM mysql.db WHERE User='testDBCaseRevoke' AND Host='%'`).
+		Check(testkit.Rows())
+}
+
 func TestRevokeTableScope(t *testing.T) {
 	store := testkit.CreateMockStore(t)
 	tk := testkit.NewTestKit(t, store)
@@ -123,6 +141,25 @@ func TestRevokeTableScope(t *testing.T) {
 	require.Len(t, rows, 0)
 }
 
+func TestRevokeTableScopeCaseInsensitiveWithNewCollationDisabled(t *testing.T) {
+	oldNewCollationEnabled := collate.NewCollationEnabled()
+	collate.SetNewCollationEnabledForTest(false)
+	defer collate.SetNewCollationEnabledForTest(oldNewCollationEnabled)
+
+	store := testkit.CreateMockStore(t)
+	tk := testkit.NewTestKit(t, store)
+
+	tk.MustExec(`DROP USER IF EXISTS 'testTblCaseRevoke'@'%'`)
+	tk.MustExec(`CREATE USER 'testTblCaseRevoke'@'%' IDENTIFIED BY '123'`)
+	tk.MustExec(`DROP TABLE IF EXISTS test.issue66867_revoke`)
+	tk.MustExec(`CREATE TABLE test.issue66867_revoke(c1 int)`)
+
+	tk.MustExec(`GRANT SELECT ON test.issue66867_revoke TO 'testTblCaseRevoke'@'%'`)
+	tk.MustExec(`REVOKE SELECT ON test.ISSUE66867_REVOKE FROM 'testTblCaseRevoke'@'%'`)
+	tk.MustQuery(`SELECT Table_name FROM mysql.tables_priv WHERE User='testTblCaseRevoke' AND Host='%' AND DB='test'`).
+		Check(testkit.Rows())
+}
+
 func TestRevokeColumnScope(t *testing.T) {
 	store := testkit.CreateMockStore(t)
 	tk := testkit.NewTestKit(t, store)
