Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

*: add context.Context to ensureActiveUser() #57351

Merged
merged 8 commits into from
Dec 2, 2024
Merged

*: add context.Context to ensureActiveUser() #57351

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
73bf9f1
*: add context.Context to ensureActiveUser()
tiancaiamao Nov 13, 2024
c1319e4
fix build
tiancaiamao Nov 13, 2024
e682c70
fix lint check
tiancaiamao Nov 13, 2024
521fda5
fix build ddl test
tiancaiamao Nov 14, 2024
37a85e8
fix build
tiancaiamao Nov 14, 2024
76694b9
Merge branch 'master' into add-ctx
tiancaiamao Dec 2, 2024
f4db089
fix CI
tiancaiamao Dec 2, 2024
2b13a79
fix CI
tiancaiamao Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions pkg/executor/coprocessor.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ func NewCoprocessorDAGHandler(sctx sessionctx.Context) *CoprocessorDAGHandler {
func (h *CoprocessorDAGHandler) HandleRequest(ctx context.Context, req *coprocessor.Request) *coprocessor.Response {
ctx = copHandlerCtx(ctx, req)

e, err := h.buildDAGExecutor(req)
e, err := h.buildDAGExecutor(ctx, req)
if err != nil {
return h.buildErrorResponse(err)
}
Expand Down Expand Up @@ -114,7 +114,7 @@ func (h *CoprocessorDAGHandler) HandleStreamRequest(ctx context.Context, req *co
ctx = copHandlerCtx(ctx, req)
logutil.Logger(ctx).Debug("handle coprocessor stream request")

e, err := h.buildDAGExecutor(req)
e, err := h.buildDAGExecutor(ctx, req)
if err != nil {
return stream.Send(h.buildErrorResponse(err))
}
Expand Down Expand Up @@ -155,7 +155,7 @@ func (h *CoprocessorDAGHandler) buildResponseAndSendToStream(chk *chunk.Chunk, t
return nil
}

func (h *CoprocessorDAGHandler) buildDAGExecutor(req *coprocessor.Request) (exec.Executor, error) {
func (h *CoprocessorDAGHandler) buildDAGExecutor(ctx context.Context, req *coprocessor.Request) (exec.Executor, error) {
if req.GetTp() != kv.ReqTypeDAG {
return nil, errors.Errorf("unsupported request type %d", req.GetTp())
}
Expand All @@ -172,11 +172,11 @@ func (h *CoprocessorDAGHandler) buildDAGExecutor(req *coprocessor.Request) (exec
Username: dagReq.User.UserName,
Hostname: dagReq.User.UserHost,
}
authName, authHost, success := pm.MatchIdentity(dagReq.User.UserName, dagReq.User.UserHost, false)
authName, authHost, success := pm.MatchIdentity(ctx, dagReq.User.UserName, dagReq.User.UserHost, false)
if success && pm.GetAuthWithoutVerification(authName, authHost) {
h.sctx.GetSessionVars().User.AuthUsername = authName
h.sctx.GetSessionVars().User.AuthHostname = authHost
h.sctx.GetSessionVars().ActiveRoles = pm.GetDefaultRoles(authName, authHost)
h.sctx.GetSessionVars().ActiveRoles = pm.GetDefaultRoles(ctx, authName, authHost)
}
}
}
Expand Down
10 changes: 5 additions & 5 deletions pkg/executor/show.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ func (e *ShowExec) fetchAll(ctx context.Context) error {
case ast.ShowEngines:
return e.fetchShowEngines(ctx)
case ast.ShowGrants:
return e.fetchShowGrants()
return e.fetchShowGrants(ctx)
case ast.ShowIndex:
return e.fetchShowIndex()
case ast.ShowProcedureStatus:
Expand Down Expand Up @@ -1845,7 +1845,7 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
require = privValue.RequireStr()
}

authData := checker.GetEncodedPassword(e.User.Username, e.User.Hostname)
authData := checker.GetEncodedPassword(ctx, e.User.Username, e.User.Hostname)
authStr := ""
if !(authPlugin == mysql.AuthSocket && authData == "") {
authStr = fmt.Sprintf(" AS '%s'", authData)
Expand All @@ -1858,7 +1858,7 @@ func (e *ShowExec) fetchShowCreateUser(ctx context.Context) error {
return nil
}

func (e *ShowExec) fetchShowGrants() error {
func (e *ShowExec) fetchShowGrants(ctx context.Context) error {
vars := e.Ctx().GetSessionVars()
checker := privilege.GetPrivilegeManager(e.Ctx())
if checker == nil {
Expand Down Expand Up @@ -1887,11 +1887,11 @@ func (e *ShowExec) fetchShowGrants() error {
if r.Hostname == "" {
r.Hostname = "%"
}
if !checker.FindEdge(e.Ctx(), r, e.User) {
if !checker.FindEdge(ctx, r, e.User) {
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(r.String(), e.User.String())
}
}
gs, err := checker.ShowGrants(e.Ctx(), e.User, e.Roles)
gs, err := checker.ShowGrants(ctx, e.Ctx(), e.User, e.Roles)
if err != nil {
return errors.Trace(err)
}
Expand Down
62 changes: 31 additions & 31 deletions pkg/executor/simple.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,7 @@ func (e *SimpleExec) Next(ctx context.Context, _ *chunk.Chunk) (err error) {
case *ast.DropStatsStmt:
err = e.executeDropStats(ctx, x)
case *ast.SetRoleStmt:
err = e.executeSetRole(x)
err = e.executeSetRole(ctx, x)
case *ast.RevokeRoleStmt:
err = e.executeRevokeRole(ctx, x)
case *ast.SetDefaultRoleStmt:
Expand Down Expand Up @@ -274,7 +274,7 @@ func (e *SimpleExec) setDefaultRoleRegular(ctx context.Context, s *ast.SetDefaul
}
for _, role := range s.RoleList {
checker := privilege.GetPrivilegeManager(e.Ctx())
ok := checker.FindEdge(e.Ctx(), role, user)
ok := checker.FindEdge(ctx, role, user)
if !ok {
if _, rollbackErr := sqlExecutor.ExecuteInternal(internalCtx, "rollback"); rollbackErr != nil {
return rollbackErr
Expand Down Expand Up @@ -348,7 +348,7 @@ func (e *SimpleExec) setDefaultRoleAll(ctx context.Context, s *ast.SetDefaultRol
return nil
}

func (e *SimpleExec) setDefaultRoleForCurrentUser(s *ast.SetDefaultRoleStmt) (err error) {
func (e *SimpleExec) setDefaultRoleForCurrentUser(ctx context.Context, s *ast.SetDefaultRoleStmt) (err error) {
checker := privilege.GetPrivilegeManager(e.Ctx())
user := s.UserList[0]
if user.Hostname == "" {
Expand All @@ -358,7 +358,7 @@ func (e *SimpleExec) setDefaultRoleForCurrentUser(s *ast.SetDefaultRoleStmt) (er
if err != nil {
return err
}
ctx := kv.WithInternalSourceType(context.Background(), kv.InternalTxnPrivilege)
ctx = kv.WithInternalSourceType(ctx, kv.InternalTxnPrivilege)
defer e.ReleaseSysSession(ctx, restrictedCtx)
sqlExecutor := restrictedCtx.GetSQLExecutor()

Expand Down Expand Up @@ -388,7 +388,7 @@ func (e *SimpleExec) setDefaultRoleForCurrentUser(s *ast.SetDefaultRoleStmt) (er
if i > 0 {
sqlescape.MustFormatSQL(sql, ",")
}
ok := checker.FindEdge(e.Ctx(), role, user)
ok := checker.FindEdge(ctx, role, user)
if !ok {
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(role.String(), user.String())
}
Expand Down Expand Up @@ -427,7 +427,7 @@ func (e *SimpleExec) executeSetDefaultRole(ctx context.Context, s *ast.SetDefaul
if len(s.UserList) == 1 && sessionVars.User != nil {
u, h := s.UserList[0].Username, s.UserList[0].Hostname
if u == sessionVars.User.Username && h == sessionVars.User.AuthHostname {
err = e.setDefaultRoleForCurrentUser(s)
err = e.setDefaultRoleForCurrentUser(ctx, s)
if err != nil {
return err
}
Expand Down Expand Up @@ -458,7 +458,7 @@ func (e *SimpleExec) executeSetDefaultRole(ctx context.Context, s *ast.SetDefaul
return domain.GetDomain(e.Ctx()).NotifyUpdatePrivilege(users)
}

func (e *SimpleExec) setRoleRegular(s *ast.SetRoleStmt) error {
func (e *SimpleExec) setRoleRegular(ctx context.Context, s *ast.SetRoleStmt) error {
// Deal with SQL like `SET ROLE role1, role2;`
checkDup := make(map[string]*auth.RoleIdentity, len(s.RoleList))
// Check whether RoleNameList contain duplicate role name.
Expand All @@ -472,28 +472,28 @@ func (e *SimpleExec) setRoleRegular(s *ast.SetRoleStmt) error {
}

checker := privilege.GetPrivilegeManager(e.Ctx())
ok, roleName := checker.ActiveRoles(e.Ctx(), roleList)
ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), roleList)
if !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
return nil
}

func (e *SimpleExec) setRoleAll() error {
func (e *SimpleExec) setRoleAll(ctx context.Context) error {
// Deal with SQL like `SET ROLE ALL;`
checker := privilege.GetPrivilegeManager(e.Ctx())
user, host := e.Ctx().GetSessionVars().User.AuthUsername, e.Ctx().GetSessionVars().User.AuthHostname
roles := checker.GetAllRoles(user, host)
ok, roleName := checker.ActiveRoles(e.Ctx(), roles)
ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), roles)
if !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
return nil
}

func (e *SimpleExec) setRoleAllExcept(s *ast.SetRoleStmt) error {
func (e *SimpleExec) setRoleAllExcept(ctx context.Context, s *ast.SetRoleStmt) error {
// Deal with SQL like `SET ROLE ALL EXCEPT role1, role2;`
for _, r := range s.RoleList {
if r.Hostname == "" {
Expand Down Expand Up @@ -524,51 +524,51 @@ func (e *SimpleExec) setRoleAllExcept(s *ast.SetRoleStmt) error {
}

afterExcept := filter(roles, banned)
ok, roleName := checker.ActiveRoles(e.Ctx(), afterExcept)
ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), afterExcept)
if !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
return nil
}

func (e *SimpleExec) setRoleDefault() error {
func (e *SimpleExec) setRoleDefault(ctx context.Context) error {
// Deal with SQL like `SET ROLE DEFAULT;`
checker := privilege.GetPrivilegeManager(e.Ctx())
user, host := e.Ctx().GetSessionVars().User.AuthUsername, e.Ctx().GetSessionVars().User.AuthHostname
roles := checker.GetDefaultRoles(user, host)
ok, roleName := checker.ActiveRoles(e.Ctx(), roles)
roles := checker.GetDefaultRoles(ctx, user, host)
ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), roles)
if !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
return nil
}

func (e *SimpleExec) setRoleNone() error {
func (e *SimpleExec) setRoleNone(ctx context.Context) error {
// Deal with SQL like `SET ROLE NONE;`
checker := privilege.GetPrivilegeManager(e.Ctx())
roles := make([]*auth.RoleIdentity, 0)
ok, roleName := checker.ActiveRoles(e.Ctx(), roles)
ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), roles)
if !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
return nil
}

func (e *SimpleExec) executeSetRole(s *ast.SetRoleStmt) error {
func (e *SimpleExec) executeSetRole(ctx context.Context, s *ast.SetRoleStmt) error {
switch s.SetRoleOpt {
case ast.SetRoleRegular:
return e.setRoleRegular(s)
return e.setRoleRegular(ctx, s)
case ast.SetRoleAll:
return e.setRoleAll()
return e.setRoleAll(ctx)
case ast.SetRoleAllExcept:
return e.setRoleAllExcept(s)
return e.setRoleAllExcept(ctx, s)
case ast.SetRoleNone:
return e.setRoleNone()
return e.setRoleNone(ctx)
case ast.SetRoleDefault:
return e.setRoleDefault()
return e.setRoleDefault(ctx)
}
return nil
}
Expand Down Expand Up @@ -764,7 +764,7 @@ func (e *SimpleExec) executeRevokeRole(ctx context.Context, s *ast.RevokeRoleStm
if checker == nil {
return errors.New("miss privilege checker")
}
if ok, roleName := checker.ActiveRoles(e.Ctx(), activeRoles); !ok {
if ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), activeRoles); !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
Expand Down Expand Up @@ -1778,10 +1778,10 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
if !(hasCreateUserPriv || hasSystemSchemaPriv) {
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("CREATE USER")
}
if checker.RequestDynamicVerificationWithUser("SYSTEM_USER", false, spec.User) && !(hasSystemUserPriv || hasRestrictedUserPriv) {
if !(hasSystemUserPriv || hasRestrictedUserPriv) && checker.RequestDynamicVerificationWithUser(ctx, "SYSTEM_USER", false, spec.User) {
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("SYSTEM_USER or SUPER")
}
if sem.IsEnabled() && checker.RequestDynamicVerificationWithUser("RESTRICTED_USER_ADMIN", false, spec.User) && !hasRestrictedUserPriv {
if sem.IsEnabled() && checker.RequestDynamicVerificationWithUser(ctx, "RESTRICTED_USER_ADMIN", false, spec.User) && !hasRestrictedUserPriv {
return plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("RESTRICTED_USER_ADMIN")
}
}
Expand All @@ -1795,7 +1795,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
failedUsers = append(failedUsers, user)
continue
}
currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(spec.User.Username, spec.User.Hostname)
currentAuthPlugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(ctx, spec.User.Username, spec.User.Hostname)
if err != nil {
return err
}
Expand Down Expand Up @@ -2311,7 +2311,7 @@ func (e *SimpleExec) executeDropUser(ctx context.Context, s *ast.DropUserStmt) e
// Because in TiDB SUPER can be used as a substitute for any dynamic privilege, this effectively means that
// any user with SUPER requires a user with SUPER to be able to DROP the user.
// We also allow RESTRICTED_USER_ADMIN to count for simplicity.
if checker.RequestDynamicVerificationWithUser("SYSTEM_USER", false, user) && !(hasSystemUserPriv || hasRestrictedUserPriv) {
if !(hasSystemUserPriv || hasRestrictedUserPriv) && checker.RequestDynamicVerificationWithUser(ctx, "SYSTEM_USER", false, user) {
if _, err := sqlExecutor.ExecuteInternal(internalCtx, "rollback"); err != nil {
return err
}
Expand Down Expand Up @@ -2432,7 +2432,7 @@ func (e *SimpleExec) executeDropUser(ctx context.Context, s *ast.DropUserStmt) e
}
if s.IsDropRole {
// apply new activeRoles
if ok, roleName := checker.ActiveRoles(e.Ctx(), activeRoles); !ok {
if ok, roleName := checker.ActiveRoles(ctx, e.Ctx(), activeRoles); !ok {
u := e.Ctx().GetSessionVars().User
return exeerrors.ErrRoleNotGranted.GenWithStackByArgs(roleName, u.String())
}
Expand Down Expand Up @@ -2522,7 +2522,7 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
h = s.User.Hostname

checker := privilege.GetPrivilegeManager(e.Ctx())
checker.MatchIdentity(u, h, false)
checker.MatchIdentity(ctx, u, h, false)
activeRoles := e.Ctx().GetSessionVars().ActiveRoles
if checker != nil && !checker.RequestVerification(activeRoles, "", "", "", mysql.SuperPriv) {
currUser := e.Ctx().GetSessionVars().User
Expand All @@ -2544,7 +2544,7 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
disableSandboxMode = true
}

authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(u, h)
authplugin, err := privilege.GetPrivilegeManager(e.Ctx()).GetAuthPlugin(ctx, u, h)
if err != nil {
return err
}
Expand Down
2 changes: 1 addition & 1 deletion pkg/planner/core/logical_plan_builder.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5012,7 +5012,7 @@ func (b *PlanBuilder) BuildDataSourceFromView(ctx context.Context, dbName pmodel
if tableInfo.View.Security == pmodel.SecurityDefiner {
if pm != nil {
for _, v := range b.visitInfo {
if !pm.RequestVerificationWithUser(v.db, v.table, v.column, v.privilege, tableInfo.View.Definer) {
if !pm.RequestVerificationWithUser(ctx, v.db, v.table, v.column, v.privilege, tableInfo.View.Definer) {
return nil, plannererrors.ErrViewInvalid.GenWithStackByArgs(dbName.O, tableInfo.Name.O)
}
}
Expand Down
18 changes: 9 additions & 9 deletions pkg/planner/core/planbuilder.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3606,11 +3606,11 @@ func (b *PlanBuilder) buildSimple(ctx context.Context, node ast.StmtNode) (base.
b.visitInfo = appendDynamicVisitInfo(b.visitInfo, []string{"ROLE_ADMIN"}, false, err)
// Check if any of the users are RESTRICTED
for _, user := range raw.Users {
b.visitInfo = appendVisitInfoIsRestrictedUser(b.visitInfo, b.ctx, user, "RESTRICTED_USER_ADMIN")
b.visitInfo = appendVisitInfoIsRestrictedUser(ctx, b.visitInfo, b.ctx, user, "RESTRICTED_USER_ADMIN")
}
case *ast.RevokeStmt:
var err error
b.visitInfo, err = collectVisitInfoFromRevokeStmt(b.ctx, b.visitInfo, raw)
b.visitInfo, err = collectVisitInfoFromRevokeStmt(ctx, b.ctx, b.visitInfo, raw)
if err != nil {
return nil, err
}
Expand All @@ -3625,7 +3625,7 @@ func (b *PlanBuilder) buildSimple(ctx context.Context, node ast.StmtNode) (base.
if pi.User != loginUser.Username {
err := plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs("SUPER or CONNECTION_ADMIN")
b.visitInfo = appendDynamicVisitInfo(b.visitInfo, []string{"CONNECTION_ADMIN"}, false, err)
b.visitInfo = appendVisitInfoIsRestrictedUser(b.visitInfo, b.ctx, &auth.UserIdentity{Username: pi.User, Hostname: pi.Host}, "RESTRICTED_CONNECTION_ADMIN")
b.visitInfo = appendVisitInfoIsRestrictedUser(ctx, b.visitInfo, b.ctx, &auth.UserIdentity{Username: pi.User, Hostname: pi.Host}, "RESTRICTED_CONNECTION_ADMIN")
}
} else if handleutil.GlobalAutoAnalyzeProcessList.Contains(raw.ConnectionID) {
// Only the users with SUPER or CONNECTION_ADMIN privilege can kill auto analyze.
Expand All @@ -3641,11 +3641,11 @@ func (b *PlanBuilder) buildSimple(ctx context.Context, node ast.StmtNode) (base.
// The main privilege checks for DROP USER are currently performed in executor/simple.go
// because they use complex OR conditions (not supported by visitInfo).
for _, user := range raw.UserList {
b.visitInfo = appendVisitInfoIsRestrictedUser(b.visitInfo, b.ctx, user, "RESTRICTED_USER_ADMIN")
b.visitInfo = appendVisitInfoIsRestrictedUser(ctx, b.visitInfo, b.ctx, user, "RESTRICTED_USER_ADMIN")
}
case *ast.SetPwdStmt:
if raw.User != nil {
b.visitInfo = appendVisitInfoIsRestrictedUser(b.visitInfo, b.ctx, raw.User, "RESTRICTED_USER_ADMIN")
b.visitInfo = appendVisitInfoIsRestrictedUser(ctx, b.visitInfo, b.ctx, raw.User, "RESTRICTED_USER_ADMIN")
}
case *ast.ShutdownStmt:
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.ShutdownPriv, "", "", "", nil)
Expand Down Expand Up @@ -3684,7 +3684,7 @@ func (b *PlanBuilder) buildSimple(ctx context.Context, node ast.StmtNode) (base.
return p, nil
}

func collectVisitInfoFromRevokeStmt(sctx base.PlanContext, vi []visitInfo, stmt *ast.RevokeStmt) ([]visitInfo, error) {
func collectVisitInfoFromRevokeStmt(ctx context.Context, sctx base.PlanContext, vi []visitInfo, stmt *ast.RevokeStmt) ([]visitInfo, error) {
// To use REVOKE, you must have the GRANT OPTION privilege,
// and you must have the privileges that you are granting.
dbName := stmt.Level.DBName
Expand Down Expand Up @@ -3724,7 +3724,7 @@ func collectVisitInfoFromRevokeStmt(sctx base.PlanContext, vi []visitInfo, stmt
}
for _, u := range stmt.Users {
// For SEM, make sure the users are not restricted
vi = appendVisitInfoIsRestrictedUser(vi, sctx, u.User, "RESTRICTED_USER_ADMIN")
vi = appendVisitInfoIsRestrictedUser(ctx, vi, sctx, u.User, "RESTRICTED_USER_ADMIN")
}
if nonDynamicPrivilege {
// Dynamic privileges use their own GRANT OPTION. If there were any non-dynamic privilege requests,
Expand All @@ -3736,12 +3736,12 @@ func collectVisitInfoFromRevokeStmt(sctx base.PlanContext, vi []visitInfo, stmt

// appendVisitInfoIsRestrictedUser appends additional visitInfo if the user has a
// special privilege called "RESTRICTED_USER_ADMIN". It only applies when SEM is enabled.
func appendVisitInfoIsRestrictedUser(visitInfo []visitInfo, sctx base.PlanContext, user *auth.UserIdentity, priv string) []visitInfo {
func appendVisitInfoIsRestrictedUser(ctx context.Context, visitInfo []visitInfo, sctx base.PlanContext, user *auth.UserIdentity, priv string) []visitInfo {
if !sem.IsEnabled() {
return visitInfo
}
checker := privilege.GetPrivilegeManager(sctx)
if checker != nil && checker.RequestDynamicVerificationWithUser("RESTRICTED_USER_ADMIN", false, user) {
if checker != nil && checker.RequestDynamicVerificationWithUser(ctx, "RESTRICTED_USER_ADMIN", false, user) {
err := plannererrors.ErrSpecificAccessDenied.GenWithStackByArgs(priv)
visitInfo = appendDynamicVisitInfo(visitInfo, []string{priv}, false, err)
}
Expand Down
Loading