*: create a user using tidb_auth_token authentication

[CbcWestwolf]

What problem does this PR solve?

Issue Number: ref #38504

Problem Summary:

What is changed and how it works?

This PR supports creating and altering users with tidb_auth_token. Since the claims in the JWT differ in different scenarios, and more verified claims may be added in the future, this PR introduces a new keyword TOKEN_ISSUER, to declare an additional verified claim.

• If creating the tidb_auth_token user with REQUIRE token_issuer '<issuer-abc>', then the authentication of this user requires that the JWT should have a claim "iss": "<issuer-abc>" in the payload. If not exists, the authentication fails.

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

1. `create user` using a new authentication way `tidb_auth_token`
2. add a new column `token_issuer` to `mysql.user`

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has been approved by:

• bb7133
• xhebox

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Details

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

[djshow832]

I'm not sure if the update of mysql.user and SQL statements may affect DP tools and other clients. Please confirm with the DP team.

[djshow832]

Is it allowed to specify token_issuer for other auth plugins in create user or alter user statements?

[CbcWestwolf]

Yes, the specified token_issuer is stored into mysql.user for all users. But it would not affect the authentication of the other auth plugin users

[djshow832]

I mean, if a user is identified with mysql_native_password, and the root user alters his token_issuer, this is meaningless. Should we report an error?

[CbcWestwolf]

I think we can give a warning when create user/alter user meet such a scenario.

[djshow832]

I still have no idea what token_issuer is used for. It's not even specified in the spec. Can you explain it in the PR description?

[djshow832]

BTW, please invite @bb7133 to review because he's in the tidb-configuration-reviewers. This PR needs at least one of the tidb-configuration-reviewers to review.

[djshow832]

1. Test that alter something else of the user (such as username) when the auth plugin is tidb_auth_token. The expectation is that it doesn't need to specify the token_issuer because you just want to change the username.
2. Test that alter auth plugin also works.

[djshow832]

Did you change the syntax again? I thought you have already discussed this with the PM before filing this PR. Please add this syntax in the spec and get the PM notified by @ him in the spec.

[CbcWestwolf]

Yes, I removed the keyword TOKEN_REQUIRE. I'll notify the PM in the spec.

[CbcWestwolf]

/cc bb7133

[bb7133]

• When creating a new user with tidb_auth_token plugin, if no attribute or no email is declared, TiDB server would NOT give any warning or error, since the attribute could be modified by ALTER USER statements.

This is the original specification of this feature, could you double confirm if this is expected?(Although the behavior is different, IMHO this is fine).

[CbcWestwolf]

IMHO, I think it is expected. The warning is just for the missing token_issuer, not the email attribute, though they are both needed in the later authentication.

To be honest I think all the warning for this auth plugin is not necessary for our general users. If they indeed miss something in create user, alter user can repair. The warning is just a small reminder.

[bb7133]

LGTM

[xhebox]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Details

Commit hash: 340811b

[sre-bot]

TiDB MergeCI notify

✅ Well Done! New fixed [2] after this pr merged.

CI Name	Result	Duration	Compare with Parent commit
idc-jenkins-ci-tidb/integration-ddl-test	✅ all 6 tests passed	32 min	Fixed
idc-jenkins-ci-tidb/integration-common-test	✅ all 17 tests passed	17 min	Fixed
idc-jenkins-ci/integration-cdc-test	🟢 all 38 tests passed	22 min	Existing passed
idc-jenkins-ci-tidb/common-test	🟢 all 11 tests passed	9 min 44 sec	Existing passed
idc-jenkins-ci-tidb/tics-test	🟢 all 1 tests passed	6 min 41 sec	Existing passed
idc-jenkins-ci-tidb/sqllogic-test-1	🟢 all 26 tests passed	6 min 33 sec	Existing passed
idc-jenkins-ci-tidb/sqllogic-test-2	🟢 all 28 tests passed	6 min 21 sec	Existing passed
idc-jenkins-ci-tidb/mybatis-test	🟢 all 1 tests passed	3 min 14 sec	Existing passed
idc-jenkins-ci-tidb/integration-compatibility-test	🟢 all 1 tests passed	2 min 52 sec	Existing passed
idc-jenkins-ci-tidb/plugin-test	🟢 build success, plugin test success	4min	Existing passed