planner,privilege: requires extra privileges for REPLACE and INSERT ON DUPLICATE statements (#23911)

[ti-srebot]

cherry-pick #23911 to release-4.0
You can switch your code base to this Pull Request by using git-extras:

# In tidb repo:
git pr https://github.com/pingcap/tidb/pull/23938

After apply modifications, you can push your change to this PR via:

git push git@github.com:ti-srebot/tidb.git pr/23938:release-4.0-2f877e80301d

---

What problem does this PR solve?

Issue Number: close #23909

Problem Summary:

The REPLACE statements requires Insert+Delete privileges, and INSERT INTO ON DUPLICATE requires Insert+Update privileges, but currently TiDB only checks for the Insert privilege, allowing users to delete or change records even without the permission.

What is changed and how it works?

Add back the extra privilege check when the InsertStmt contains the OnDuplicate clause or IsReplace.

Related changes

• Need to cherry-pick to the release branch
  • release-4.0, release-5.0

Check List

Tests

• Unit test

Side effects

Release note

• Users now need both Insert and Delete privileges on a table to perform REPLACE.
• Users now need both Insert and Update privileges on a table to perform INSERT … ON DUPLICATE KEY UPDATE.

[ti-srebot]

/run-all-tests

[ti-srebot]

@kennytm you're already a collaborator in bot's repo.

[morgo]

/run-sqllogic-test-1
/run-unit-test

[morgo]

/run-unit-test

[kennytm]

PTAL @bb7133

[morgo]

/LGTM

[tiancaiamao]

/LGTM

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has been approved by:

• morgo
• tiancaiamao

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by writing /lgtm in a comment.
Reviewer can cancel approval by writing /lgtm cancel in a comment.

[tiancaiamao]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Commit hash: 3e1d3c5

[lysu]

/LGTM

[kennytm]

/run-unit-test

Data race fixed by #23122.

[XuHuaiyu]

/merge

[ti-chi-bot]

@XuHuaiyu: /merge is only allowed for the committers in list.

In response to this:

/merge

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

[kennytm]

/run-mybatis-test

[kennytm]

/merge

[kennytm]

/merge

https://ci.pingcap.net/blue/rest/organizations/jenkins/pipelines/tidb_ghpr_integration_common_test/runs/1376/nodes/139/log/?start=0

[2021-05-10T06:52:44.920Z] testing tidb...
[2021-05-10T06:52:44.920Z] panic: No error should happen when connecting to test database, but got err=dial tcp 127.0.0.1:4000: connect: connection refused

[kennytm]

/merge

[ti-chi-bot]

@ti-srebot: Your PR was out of date, I have automatically updated it for you.

At the same time I will also trigger all tests for you:

/run-all-tests

If the CI test fails, you just re-trigger the test that failed and the bot will merge the PR for you after the CI passes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.