From 375e166d6034838e47a4258b920bce47047988d6 Mon Sep 17 00:00:00 2001
From: Zijie Lu <wslzj40@gmail.com>
Date: Wed, 6 Oct 2021 23:16:50 +0800
Subject: [PATCH] privilege: add Create Temporary Tables  privilege on db level
 (#28547)

---
 go.mod                                  |  2 +-
 go.sum                                  |  4 ++--
 planner/core/logical_plan_test.go       |  2 ++
 privilege/privileges/cache.go           |  2 +-
 privilege/privileges/privileges_test.go | 24 ++++++++++++++++++++++++
 5 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 7787e47638e2a..af31eb026ff06 100644
--- a/go.mod
+++ b/go.mod
@@ -49,7 +49,7 @@ require (
 	github.com/pingcap/fn v0.0.0-20200306044125-d5540d389059
 	github.com/pingcap/kvproto v0.0.0-20210806074406-317f69fb54b4
 	github.com/pingcap/log v0.0.0-20210906054005-afc726e70354
-	github.com/pingcap/parser v0.0.0-20210917114242-ac711116bdff
+	github.com/pingcap/parser v0.0.0-20211004011848-db58bac78f2a
 	github.com/pingcap/sysutil v0.0.0-20210730114356-fcd8a63f68c5
 	github.com/pingcap/tidb-tools v5.0.3+incompatible
 	github.com/pingcap/tipb v0.0.0-20210802080519-94b831c6db55
diff --git a/go.sum b/go.sum
index 145d1d5ecbdf5..de9977a6177a3 100644
--- a/go.sum
+++ b/go.sum
@@ -603,8 +603,8 @@ github.com/pingcap/log v0.0.0-20210625125904-98ed8e2eb1c7/go.mod h1:8AanEdAHATuR
 github.com/pingcap/log v0.0.0-20210906054005-afc726e70354 h1:SvWCbCPh1YeHd9yQLksvJYAgft6wLTY1aNG81tpyscQ=
 github.com/pingcap/log v0.0.0-20210906054005-afc726e70354/go.mod h1:DWQW5jICDR7UJh4HtxXSM20Churx4CQL0fwL/SoOSA4=
 github.com/pingcap/parser v0.0.0-20210525032559-c37778aff307/go.mod h1:xZC8I7bug4GJ5KtHhgAikjTfU4kBv1Sbo3Pf1MZ6lVw=
-github.com/pingcap/parser v0.0.0-20210917114242-ac711116bdff h1:LiwvvutmyeSkFkdVM09mH6KK+OeDVJzX7WKy9Lf0ri0=
-github.com/pingcap/parser v0.0.0-20210917114242-ac711116bdff/go.mod h1:+xcMiiZzdIktT/Nqdfm81dkECJ2EPuoAYywd57py4Pk=
+github.com/pingcap/parser v0.0.0-20211004011848-db58bac78f2a h1:W3BnzcjP9j7EsRHEwRb0zMLSHTjFW14zB/GMk7tlIhg=
+github.com/pingcap/parser v0.0.0-20211004011848-db58bac78f2a/go.mod h1:+xcMiiZzdIktT/Nqdfm81dkECJ2EPuoAYywd57py4Pk=
 github.com/pingcap/sysutil v0.0.0-20200206130906-2bfa6dc40bcd/go.mod h1:EB/852NMQ+aRKioCpToQ94Wl7fktV+FNnxf3CX/TTXI=
 github.com/pingcap/sysutil v0.0.0-20210315073920-cc0985d983a3/go.mod h1:tckvA041UWP+NqYzrJ3fMgC/Hw9wnmQ/tUkp/JaHly8=
 github.com/pingcap/sysutil v0.0.0-20210730114356-fcd8a63f68c5 h1:7rvAtZe/ZUzOKzgriNPQoBNvleJXBk4z7L3Z47+tS98=
diff --git a/planner/core/logical_plan_test.go b/planner/core/logical_plan_test.go
index 2ee4991f28609..eaa731ba04fdd 100644
--- a/planner/core/logical_plan_test.go
+++ b/planner/core/logical_plan_test.go
@@ -1072,6 +1072,7 @@ func (s *testPlanSuite) TestVisitInfo(c *C) {
 				{mysql.GrantPriv, "test", "", "", nil, false, "", false},
 				{mysql.ReferencesPriv, "test", "", "", nil, false, "", false},
 				{mysql.LockTablesPriv, "test", "", "", nil, false, "", false},
+				{mysql.CreateTMPTablePriv, "test", "", "", nil, false, "", false},
 				{mysql.AlterPriv, "test", "", "", nil, false, "", false},
 				{mysql.ExecutePriv, "test", "", "", nil, false, "", false},
 				{mysql.IndexPriv, "test", "", "", nil, false, "", false},
@@ -1142,6 +1143,7 @@ func (s *testPlanSuite) TestVisitInfo(c *C) {
 				{mysql.GrantPriv, "test", "", "", nil, false, "", false},
 				{mysql.ReferencesPriv, "test", "", "", nil, false, "", false},
 				{mysql.LockTablesPriv, "test", "", "", nil, false, "", false},
+				{mysql.CreateTMPTablePriv, "test", "", "", nil, false, "", false},
 				{mysql.AlterPriv, "test", "", "", nil, false, "", false},
 				{mysql.ExecutePriv, "test", "", "", nil, false, "", false},
 				{mysql.IndexPriv, "test", "", "", nil, false, "", false},
diff --git a/privilege/privileges/cache.go b/privilege/privileges/cache.go
index be55f4afade08..c8682684b2489 100644
--- a/privilege/privileges/cache.go
+++ b/privilege/privileges/cache.go
@@ -53,7 +53,7 @@ const globalDBVisible = mysql.CreatePriv | mysql.SelectPriv | mysql.InsertPriv |
 const (
 	sqlLoadRoleGraph        = "SELECT HIGH_PRIORITY FROM_USER, FROM_HOST, TO_USER, TO_HOST FROM mysql.role_edges"
 	sqlLoadGlobalPrivTable  = "SELECT HIGH_PRIORITY Host,User,Priv FROM mysql.global_priv"
-	sqlLoadDBTable          = "SELECT HIGH_PRIORITY Host,DB,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,Index_priv,References_priv,Lock_tables_priv,Alter_priv,Execute_priv,Create_view_priv,Show_view_priv FROM mysql.db ORDER BY host, db, user"
+	sqlLoadDBTable          = "SELECT HIGH_PRIORITY Host,DB,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,Index_priv,References_priv,Lock_tables_priv,Create_tmp_table_priv,Alter_priv,Execute_priv,Create_view_priv,Show_view_priv FROM mysql.db ORDER BY host, db, user"
 	sqlLoadTablePrivTable   = "SELECT HIGH_PRIORITY Host,DB,User,Table_name,Grantor,Timestamp,Table_priv,Column_priv FROM mysql.tables_priv"
 	sqlLoadColumnsPrivTable = "SELECT HIGH_PRIORITY Host,DB,User,Table_name,Column_name,Timestamp,Column_priv FROM mysql.columns_priv"
 	sqlLoadDefaultRoles     = "SELECT HIGH_PRIORITY HOST, USER, DEFAULT_ROLE_HOST, DEFAULT_ROLE_USER FROM mysql.default_roles"
diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
index cf42d0fdbf5e6..1f66a2cf25217 100644
--- a/privilege/privileges/privileges_test.go
+++ b/privilege/privileges/privileges_test.go
@@ -2492,3 +2492,27 @@ func TestDBNameCaseSensitivityInTableLevel(t *testing.T) {
 	mustExec(t, se, "CREATE USER test_user")
 	mustExec(t, se, "grant select on metrics_schema.up to test_user;")
 }
+
+func TestGrantCreateTmpTables(t *testing.T) {
+	t.Parallel()
+	store, clean := newStore(t)
+	defer clean()
+
+	tk := testkit.NewTestKit(t, store)
+	tk.MustExec("CREATE DATABASE create_tmp_table_db")
+	tk.MustExec("USE create_tmp_table_db")
+	tk.MustExec("CREATE USER u1")
+	tk.MustExec("CREATE TABLE create_tmp_table_table (a int)")
+	tk.MustExec("GRANT CREATE TEMPORARY TABLES on create_tmp_table_db.* to u1")
+	tk.MustExec("GRANT CREATE TEMPORARY TABLES on *.* to u1")
+	// Must set a session user to avoid null pointer dereferencing
+	tk.Session().Auth(&auth.UserIdentity{
+		Username: "root",
+		Hostname: "localhost",
+	}, nil, nil)
+	tk.MustQuery("SHOW GRANTS FOR u1").Check(testkit.Rows(
+		`GRANT CREATE TEMPORARY TABLES ON *.* TO 'u1'@'%'`,
+		`GRANT CREATE TEMPORARY TABLES ON create_tmp_table_db.* TO 'u1'@'%'`))
+	tk.MustExec("DROP USER u1")
+	tk.MustExec("DROP DATABASE create_tmp_table_db")
+}