From 4a15d4d04bada0faa4080b26f8f9bf53247d6245 Mon Sep 17 00:00:00 2001 From: shonge Date: Tue, 6 Aug 2019 19:29:42 +0800 Subject: [PATCH 01/10] add grant permit host option. --- .../templates/scripts/_initialize_tidb_users.py.tpl | 9 +++++++-- charts/tidb-cluster/values.yaml | 3 +++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index 19fa043669..a445f7373c 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl @@ -1,5 +1,10 @@ import os, MySQLdb host = '{{ template "cluster.name" . }}-tidb' +{{- if .Values.tidb.permitHost }} +permit_host = '{{ .Values.tidb.permitHost }}' +{{- else }} +permit_host = '%%' +{{- end }} port = 4000 password_dir = '/etc/tidb/password' conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5) @@ -10,9 +15,9 @@ for file in os.listdir(password_dir): with open(os.path.join(password_dir, file), 'r') as f: password = f.read() if user == 'root': - conn.cursor().execute("set password for 'root'@'%%' = %s;", (password,)) + conn.cursor().execute("set password for 'root'@%s = %s;", (permit_host, password,)) else: - conn.cursor().execute("create user %s@'%%' identified by %s;", (user, password,)) + conn.cursor().execute("create user %s@%s identified by %s;", (user, permit_host, password,)) conn.cursor().execute("flush privileges;") conn.commit() {{- if .Values.tidb.initSql }} diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml index dcb94bf0e4..f00a526307 100644 --- a/charts/tidb-cluster/values.yaml +++ b/charts/tidb-cluster/values.yaml 
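Review bot: In the first hunk of `_initialize_tidb_users.py.tpl` (PATCH 01), `permit_host = '{{ .Values.tidb.permitHost }}'` pastes the chart value unescaped between single quotes in the generated Python, so a value containing `'` or a backslash changes the rendered script instead of being treated as data. Let the template do the quoting, for example `permit_host = {{ .Values.tidb.permitHost | quote }}`. The SQL side is not affected, because the value is bound as a query parameter in the second hunk.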
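Review bot: In the second hunk of the same file (PATCH 01), the default `permit_host = '%%'` now reaches the server as the two-character host `%%`. It is bound as a parameter, and bound values do not get the `%%` to `%` collapsing that applied while the literal sat inside the query string. With permitHost unset, `set password for 'root'@%s` therefore names `'root'@'%%'`, which presumably is not the account that exists. The `else` branch in the first hunk should assign `permit_host = '%'`. The loop these statements belong to starts outside the hunk.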
@@ -264,6 +264,9 @@ tidb: # kubectl create secret generic tidb-secret --from-literal=root= --namespace= # If unset, the root password will be empty and you can set it after connecting # passwordSecretName: tidb-secret + # permitHost is the host which will only be allowed to connect to the TiDB. + # If unset, defaults to '%'. + # permitHost: 127.0.0.1 # initSql is the SQL statements executed after the TiDB cluster is bootstrapped. # initSql: |- # create database app; From 681c3ec3320b6be1cda1604438f6e8f67b6126cd Mon Sep 17 00:00:00 2001 From: shonge Date: Fri, 16 Aug 2019 10:10:54 +0800 Subject: [PATCH 02/10] fixed "Can't find any matching in user table" --- .../templates/scripts/_initialize_tidb_users.py.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index a445f7373c..149bb6c0a0 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl @@ -14,6 +14,10 @@ for file in os.listdir(password_dir): user = file with open(os.path.join(password_dir, file), 'r') as f: password = f.read() + if permit_host != '%%': + conn.cursor().execute("update mysql.user set Host=%s where User='root';", (permit_host,)) + conn.cursor().execute("flush privileges;") + conn.commit() if user == 'root': conn.cursor().execute("set password for 'root'@%s = %s;", (permit_host, password,)) else: From da1f8b77981b8a8bf1ef7e2fd4a1b30f9cce4e76 Mon Sep 17 00:00:00 2001 From: shonge Date: Fri, 16 Aug 2019 14:28:34 +0800 Subject: [PATCH 03/10] add permitHost trigger to job.yaml --- charts/tidb-cluster/templates/tidb-initializer-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tidb-cluster/templates/tidb-initializer-job.yaml b/charts/tidb-cluster/templates/tidb-initializer-job.yaml index 4760f748f2..c708d4e6fa 100644 
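Review bot: The comment added in the `values.yaml` hunk of PATCH 01 describes permitHost as the only host allowed to connect to TiDB, which is broader than what the initializer script in this patch does. The script only uses the value as the host part of the accounts it handles from the password secret. Accounts created through `initSql` or afterwards keep whatever host they are given, and nothing visible here restricts connections at the network level. Suggested wording: `# permitHost is the host (or host pattern) used for root and for the users created from passwordSecretName; it is not a network-level restriction.`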
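Review bot: The `update mysql.user set Host=%s where User='root'` block added in PATCH 02 sits between `password = f.read()` and `if user == 'root':`, so it appears to be inside the `for file in os.listdir(password_dir)` loop (indentation is not recoverable on this page). It would then run, flush and commit once per secret file, and not at all when the directory holds no files. It should run once, outside the loop. It also rewrites the Host of every `root` row by editing the grant table directly, which deserves a comment such as `# narrow every root account to permit_host`. The guard `permit_host != '%%'` compares against the two-character string, so it only recognises the default assigned in the previous patch.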
--- a/charts/tidb-cluster/templates/tidb-initializer-job.yaml +++ b/charts/tidb-cluster/templates/tidb-initializer-job.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.tidb.passwordSecretName .Values.tidb.initSql }} +{{- if or .Values.tidb.permitHost .Values.tidb.passwordSecretName .Values.tidb.initSql }} apiVersion: batch/v1 kind: Job metadata: From f62d06fb428e1cd4f35ab2e8b6bcbf5aff61b8d7 Mon Sep 17 00:00:00 2001 From: Song Date: Fri, 16 Aug 2019 16:12:47 +0800 Subject: [PATCH 04/10] Update charts/tidb-cluster/values.yaml Co-Authored-By: Tennix --- charts/tidb-cluster/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tidb-cluster/values.yaml b/charts/tidb-cluster/values.yaml index 871ca183aa..ba94e52deb 100644 --- a/charts/tidb-cluster/values.yaml +++ b/charts/tidb-cluster/values.yaml @@ -265,7 +265,7 @@ tidb: # If unset, the root password will be empty and you can set it after connecting # passwordSecretName: tidb-secret # permitHost is the host which will only be allowed to connect to the TiDB. - # If unset, defaults to '%'. + # If unset, defaults to '%' which means allow any host to connect to the TiDB. # permitHost: 127.0.0.1 # initSql is the SQL statements executed after the TiDB cluster is bootstrapped. # initSql: |- From 0a791423640ad8e2290e2a207654315664cc96ff Mon Sep 17 00:00:00 2001 From: Song Date: Fri, 16 Aug 2019 16:17:46 +0800 Subject: [PATCH 05/10] Update tidb-initializer-job.yaml move permitHost after passwordSecretName --- charts/tidb-cluster/templates/tidb-initializer-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tidb-cluster/templates/tidb-initializer-job.yaml b/charts/tidb-cluster/templates/tidb-initializer-job.yaml index c708d4e6fa..84d4487b50 100644 --- a/charts/tidb-cluster/templates/tidb-initializer-job.yaml +++ b/charts/tidb-cluster/templates/tidb-initializer-job.yaml 
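Review bot: With `.Values.tidb.permitHost` added to the `or` in PATCH 03, the job is also created when only permitHost is set, but the script it runs calls `os.listdir(password_dir)` on `/etc/tidb/password` with no visible guard in the earlier hunks. Whether that directory is mounted without passwordSecretName cannot be seen here, since the Job manifest continues outside the hunk. If the mount is conditional, the job would fail before reaching the host update. In this configuration root also keeps the empty password that values.yaml describes and is limited by host only, which is worth stating next to the permitHost option.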
@@ -1,4 +1,4 @@ -{{- if or .Values.tidb.permitHost .Values.tidb.passwordSecretName .Values.tidb.initSql }} +{{- if or .Values.tidb.passwordSecretName .Values.tidb.permitHost .Values.tidb.initSql }} apiVersion: batch/v1 kind: Job metadata: From 38482d515790e8850f617972da2d80f62db13e19 Mon Sep 17 00:00:00 2001 From: Song Date: Fri, 16 Aug 2019 16:18:25 +0800 Subject: [PATCH 06/10] Update charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl Co-Authored-By: Tennix --- .../templates/scripts/_initialize_tidb_users.py.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index 149bb6c0a0..51c729b042 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl @@ -1,7 +1,7 @@ import os, MySQLdb host = '{{ template "cluster.name" . }}-tidb' {{- if .Values.tidb.permitHost }} -permit_host = '{{ .Values.tidb.permitHost }}' +permit_host = {{ .Values.tidb.permitHost | default %% | quote }} {{- else }} permit_host = '%%' {{- end }} From 8104cfde4263740ccc92b146db9cb2336978fff9 Mon Sep 17 00:00:00 2001 From: Song Date: Fri, 16 Aug 2019 16:22:28 +0800 Subject: [PATCH 07/10] Update _initialize_tidb_users.py.tpl --- .../templates/scripts/_initialize_tidb_users.py.tpl | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index 51c729b042..d61ff5d853 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl 
@@ -1,10 +1,6 @@ import os, MySQLdb host = '{{ template "cluster.name" . }}-tidb' -{{- if .Values.tidb.permitHost }} permit_host = {{ .Values.tidb.permitHost | default %% | quote }} -{{- else }} -permit_host = '%%' -{{- end }} port = 4000 password_dir = '/etc/tidb/password' conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5) From 9cc3b2c542e34c2ef61019a957113beec0e915c6 Mon Sep 17 00:00:00 2001 From: Song Date: Fri, 16 Aug 2019 17:36:17 +0800 Subject: [PATCH 08/10] Update _initialize_tidb_users.py.tpl fix default permit host quote --- .../templates/scripts/_initialize_tidb_users.py.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index d61ff5d853..26e4d00b95 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl @@ -1,6 +1,6 @@ import os, MySQLdb host = '{{ template "cluster.name" . }}-tidb' -permit_host = {{ .Values.tidb.permitHost | default %% | quote }} +permit_host = {{ .Values.tidb.permitHost | default "%%" | quote }} port = 4000 password_dir = '/etc/tidb/password' conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5) From 383ec54b7da4127c42342074f362a67b3543c9f3 Mon Sep 17 00:00:00 2001 From: Song Date: Mon, 26 Aug 2019 16:30:44 +0800 Subject: [PATCH 09/10] fix access denied for root when executing initsql. --- .../scripts/_initialize_tidb_users.py.tpl | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index 26e4d00b95..c68a772933 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl 
@@ -1,6 +1,6 @@ import os, MySQLdb host = '{{ template "cluster.name" . }}-tidb' -permit_host = {{ .Values.tidb.permitHost | default "%%" | quote }} +permit_host = {{ .Values.tidb.permitHost | default "%" | quote }} port = 4000 password_dir = '/etc/tidb/password' conn = MySQLdb.connect(host=host, port=port, user='root', connect_timeout=5) @@ -10,19 +10,19 @@ for file in os.listdir(password_dir): user = file with open(os.path.join(password_dir, file), 'r') as f: password = f.read() - if permit_host != '%%': - conn.cursor().execute("update mysql.user set Host=%s where User='root';", (permit_host,)) - conn.cursor().execute("flush privileges;") - conn.commit() if user == 'root': - conn.cursor().execute("set password for 'root'@%s = %s;", (permit_host, password,)) + conn.cursor().execute("set password for 'root'@'%%' = %s;", (password,)) else: conn.cursor().execute("create user %s@%s identified by %s;", (user, permit_host, password,)) -conn.cursor().execute("flush privileges;") -conn.commit() {{- if .Values.tidb.initSql }} with open('/data/init.sql', 'r') as sql: for line in sql.readlines(): conn.cursor().execute(line) conn.commit() {{- end }} +if permit_host != '%%': + conn.cursor().execute("update mysql.user set Host=%s where User='root';", (permit_host,)) + conn.cursor().execute("flush privileges;") + conn.commit() +conn.cursor().execute("flush privileges;") +conn.commit() From fc415df415db8a2c4859157ab224182e4e71c4e3 Mon Sep 17 00:00:00 2001 From: Song Date: Wed, 4 Sep 2019 15:36:09 +0800 Subject: [PATCH 10/10] delete two duplicate commit lines --- .../templates/scripts/_initialize_tidb_users.py.tpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl index c68a772933..487d8a4951 100755 --- a/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl +++ b/charts/tidb-cluster/templates/scripts/_initialize_tidb_users.py.tpl 
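Review bot: In the second hunk of PATCH 09, `if permit_host != '%%':` still compares against the two-character string, while the first hunk changes the default to `"%"`. The condition is therefore true even when permitHost is unset, and the `update mysql.user` statement runs on every install. It should read `if permit_host != '%':`; the following patch's hunk carries the same line unchanged. Because the update is now deliberately the last step, a comment such as `# restrict root's host last, after initSql has run` would record why the order matters.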
@@ -22,7 +22,5 @@ with open('/data/init.sql', 'r') as sql: {{- end }} if permit_host != '%%': conn.cursor().execute("update mysql.user set Host=%s where User='root';", (permit_host,)) - conn.cursor().execute("flush privileges;") - conn.commit() conn.cursor().execute("flush privileges;") conn.commit()