planner, executor, ddl: normalize materialized view log privilege targets and checks

[solotzg]

What problem does this PR solve?

ref #68518

Problem Summary:

Materialized view log privilege checks were not fully consistent across planner/executor/DDL paths:

• Some paths used manual $mlog$... name construction, which risks divergence.
• Privilege target objects and error messages were not fully aligned for MLog-related statements.
• Extension points for future ALTER MATERIALIZED VIEW LOG column-level actions were missing in key paths.

What changed and how does it work?

1. Normalize MLog physical-table name resolution

• Replace scattered manual MLog-name construction with the dedicated helper:
  model.MaterializedViewLogTableName(...).
• Apply this in planner, executor, DDL, and schema tracker related paths.

2. Align privilege checks to resolved MLog target objects

• For MLog-related DDL/SHOW/PURGE/CANCEL flows, checks consistently resolve to the physical MLog object.
• Keep PURGE MATERIALIZED VIEW LOG executor-side OPERATE VIEW verification on resolved MLog.
• Keep cancel-job precheck resolving running job to concrete MV/MLog object before privilege verification.

3. Unify user-facing behavior and expected errors

• Adjust related error messages and privilege-denied targets to be consistent with resolved MLog object semantics.
• Update integration and unit test expectations accordingly.

4. Add TODOs on key extension paths

• Add focused TODOs in parser/planner/DDL key points for future support of column-level
  ALTER MATERIALIZED VIEW LOG actions and action-specific privilege checks.

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No need to test

  • I checked and no code files have been changed.

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Fixed privilege enforcement for materialized view log operations. Privileges like CREATE VIEW, DROP, ALTER, and SHOW VIEW are now correctly checked against the materialized view log object itself, rather than against base tables or dependent materialized views, providing more consistent and predictable authorization behavior.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors how materialized view log (MLOG) tables are named and authorized across the system. A new centralized helper replaces scattered "$mlog$" string concatenations, and privilege enforcement is redirected from base tables to the internal $mlog$ pseudo-table itself for all DDL, SHOW, GRANT, and purge operations.

Changes

Materialized View Log Privilege and Naming Consolidation

Layer / File(s)	Summary
MLOG Table Name Centralization pkg/meta/model/table.go, pkg/ddl/executor.go, pkg/ddl/materialized_view.go, pkg/ddl/schematracker/checker.go, pkg/ddl/schematracker/dm_tracker.go, pkg/executor/materialized_view.go	Introduces MaterializedViewLogTableNamePrefix constant and MaterializedViewLogTableName(baseTableName) helper function; replaces all manual "$mlog$" + ... concatenations with centralized calls throughout DDL and executor code paths.
Planner Privilege Policy for MLOG Operations pkg/planner/core/planbuilder.go	Updates buildShow and buildDDL to record privilege checks against MLOG pseudo-table names: SHOW CREATE MATERIALIZED VIEW LOG and SHOW ... WAIT PURGE check SHOW VIEW/SELECT on the MLOG; CREATE/DROP/ALTER MLOG use CREATE VIEW/DROP/ALTER privileges on the derived MLOG name instead of base-table permissions. Introduces materializedViewLogNameForBaseTable helper.
Executor Privilege Enforcement and Visibility pkg/executor/grant.go, pkg/executor/show.go	isSafeMLogTableGrantPriv now permits the same privilege set as materialized views (materializedViewTablePrivs); tablePrivsForGrantTarget returns materializedViewTablePrivs for MLOG grants. fetchShowMaterializedViewLogs removes base-table database lookups and checks visibility using hasAnyMaterializedViewVisiblePriv against the MLOG name instead of base-table SELECT.
Purge and Cancel Job Authorization Redirect pkg/executor/materialized_view.go	checkCancelMaterializedViewJobPrivilege and resolveCancelPurgeJobPrivilegeTarget now resolve and validate OPERATE VIEW privilege directly against the MLOG metadata; executePurgeMaterializedViewLog switches from validating against dependent materialized views to validating against the MLOG itself.
Unit Test Updates for MLOG Privileges pkg/executor/test/ddl/materialized_view_ddl_test.go, pkg/executor/test/ddl/mview_log_ddl_test.go	Adds authorization scenarios for SHOW MATERIALIZED VIEW LOGS based on MLOG table privileges; updates CREATE VIEW, DROP, ALTER, and SHOW CREATE MLOG privilege tests to validate against $mlog$ pseudo-table; introduces new TestDropMaterializedViewLogPrivilege test; adjusts purge/cancel privilege grants to target MLOG objects.
Integration Test Updates for MLOG Privilege Scenarios tests/integrationtest/t/executor/mview_privilege.test, tests/integrationtest/r/executor/mview_privilege.result	Comprehensive test script and result updates: SHOW VIEW, SELECT, CREATE VIEW, ALTER, DROP, and OPERATE VIEW grants/revokes now target $mlog$ pseudo-tables; expected error messages and privilege denial contexts updated to reference MLOG objects instead of base tables or dependent views; error code for purge_global scenario updated from 1105 to 1142.
Future Refactoring TODO pkg/parser/ast/ddl.go	Adds a TODO comment documenting the intent to support column-level ALTER MATERIALIZED VIEW LOG actions in future development.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• pingcap/tidb#68518: Overlaps on materialized-view-log privilege matrix work in grant.go and materialized_view.go, particularly privilege set definitions and MLOG authorization scoping.
• pingcap/tidb#68691: Adds SHOW MATERIALIZED VIEW ... REMAIN_LOGS and SHOW MATERIALIZED VIEW LOG ... WAIT_PURGE statements whose privilege targeting is updated by this PR.
• pingcap/tidb#68698: Implements SHOW CREATE MATERIALIZED VIEW LOG support whose privilege resolution for the $mlog$ object is directly aligned with this PR's changes to planbuilder.go and show.go.

Suggested labels

sig/planner, size/XXL, release-note-none

Suggested reviewers

• windtalker
• wshwsh12
• winoros
• gengliqi

Poem

🐰 From "$mlog$" + name scattered wide,
A helper function brings them unified.
Privileges shift from base to MLOG's own land—
Authorization now in the logger's hand.
Each GRANT and DROP sings true, centralized and grand! 🎭

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.26% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: normalizing materialized view log privilege targets and checks across multiple packages.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is comprehensive and clearly addresses the problem, solution approach, and includes all required sections per the template.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tiprow]

Hi @solotzg. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 70 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (feature/release-8.5-materialized-view-2603@7a81553). Learn more about missing BASE report.

Additional details and impacted files

@@                               Coverage Diff                               @@
##             feature/release-8.5-materialized-view-2603     #68819   +/-   ##
===============================================================================
  Coverage                                              ?   22.4152%           
===============================================================================
  Files                                                 ?       1712           
  Lines                                                 ?     645154           
  Branches                                              ?          0           
===============================================================================
  Hits                                                  ?     144613           
  Misses                                                ?     482441           
  Partials                                              ?      18100           

Flag	Coverage Δ
integration	22.4152% <0.0000%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
dumpling	∅ <0.0000%> (?)
parser	∅ <0.0000%> (?)
br	23.5563% <0.0000%> (?)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[windtalker]

lgtm

[solotzg]

/retest

[tiprow]

@solotzg: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gengliqi, windtalker
Once this PR has been reviewed and has the lgtm label, please assign henrybw, tangenta for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS [windtalker]
• pkg/ddl/OWNERS
• pkg/meta/OWNERS
• pkg/parser/OWNERS
• pkg/planner/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-06-01 01:33:49.545831284 +0000 UTC m=+146130.616148684: ☑️ agreed by windtalker.
• 2026-06-02 06:21:47.997029486 +0000 UTC m=+249809.067346896: ☑️ agreed by gengliqi.

[windtalker]

/override idc-jenkins-ci-tidb/mysql-test pull-br-integration-test pull-unit-test-ddlv1 idc-jenkins-ci-tidb/check_dev idc-jenkins-ci-tidb/check_dev_2 idc-jenkins-ci-tidb/unit-test

[ti-chi-bot]

@windtalker: Overrode contexts on behalf of windtalker: idc-jenkins-ci-tidb/check_dev, idc-jenkins-ci-tidb/check_dev_2, idc-jenkins-ci-tidb/mysql-test, idc-jenkins-ci-tidb/unit-test, pull-br-integration-test, pull-unit-test-ddlv1

Details

In response to this:

/override idc-jenkins-ci-tidb/mysql-test pull-br-integration-test pull-unit-test-ddlv1 idc-jenkins-ci-tidb/check_dev idc-jenkins-ci-tidb/check_dev_2 idc-jenkins-ci-tidb/unit-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.