executor: fix show grants failed after drop granted role

[unconsolable]

Signed-off-by: unconsolable chenzhipeng2012@gmail.com

What problem does this PR solve?

Issue Number: close #29473 #27930

Problem Summary:

What is changed and how it works?

• In executor of DROP ROLE, remove the role to be dropped from activeRoles
• Add a test case

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Fix show grants failed after drop granted role

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has been approved by:

• morgo
• tiancaiamao

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Details

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

[unconsolable]

/cc @morgo
Please help on review when available, thanks~

[tiancaiamao]

Is the activeRoles information propagated to other TiDB instance?
If not, when you drop the role in one TiDB instance and query in another TiDB instance, the error remains there.

[unconsolable]

It is a problem, but I don't know how to solve it... I read through (*SimpleExec).setRoleRegular and can't find related logic.🤔

[tiancaiamao]

./executor/simple.go: return domain.GetDomain(e.ctx).NotifyUpdatePrivilege()

I'm not sure whether this works. E.g, update the privilege cache to make every TiDB instance reload the active role info when drop user is called.

[unconsolable]

I found it hard to do so. In Domain I can't find a way to get the related session, thus I don't know how to get the activeRoles. If we can get it, I think we can check and apply activeRoles in (*Handle).Update().

[tiancaiamao]

OK, at least it solved part of the issue.

[morgo]

/run-integration-test

[morgo]

/run-integration-tests

[morgo]

LGTM

I think the integration test errors are unrelated.

[morgo]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Details

Commit hash: bd3a05f

[unconsolable]

@morgo Shall we keep the issue open to show that it is not fully resolved?

[morgo]

@morgo Shall we keep the issue open to show that it is not fully resolved?

I think we can say this issue is resolved but fork and create another issue. The privilege cache is also automatically re-generated every 5 minutes, so on a live cluster it will eventually resolve itself. Here is a similar case I fixed recently: #27958 -- so there might be other cases as well.

[ti-chi-bot]

@unconsolable: Your PR was out of date, I have automatically updated it for you.

At the same time I will also trigger all tests for you:

/run-all-tests

If the CI test fails, you just re-trigger the test that failed and the bot will merge the PR for you after the CI passes.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.