to 3.0: fix: execute create as select in one transaction and enforce source SELECT privilege

[gouhongshen]

What type of PR is this?

• API-change
• BUG
• Improvement
• Documentation
• Feature
• Test and CI
• Code Refactoring

Which issue(s) this PR fixes:

issue ##14775

What this PR does / why we need it:

Summary

• Remove old deferred post-DDL CTAS execution path in frontend.
• Ensure CTAS source-query privilege is validated (SELECT on source tables).
• Keep internal executor default behavior, but add an explicit context flag for CTAS to run normal privilege checks.
• Support temporary-table alias resolution for internal SQL by propagating session context.
• Allow CTAS in explicit transactions (remove previous block in uncommitted txn checks).
• Update and enable related BVT expectations/cases.

Why

• inconsistent transactional behavior,
• privilege bypass/ordering issues in CTAS sub-steps.

Compile / execution flow

• Move CTAS follow-up SQL execution into CreateTable path in pkg/sql/compile/ddl.go.
• Remove frontend deferred CTAS execution state/path:
  • pkg/frontend/mysql_cmd_executor.go
  • pkg/frontend/status_stmt.go

Internal executor context and privilege control

• Add internal executor context helpers:

  • tests: pkg/sql/compile/internal_executor_session_test.go

  • pkg/sql/compile/sql_executor.go

  • pkg/sql/compile/compile.go

  • pkg/sql/compile/sql_executor_context.go

  • pkg/frontend/authenticate.go

• Keep behavior aligned with role inheritance and cross-db source reads in existing privilege scenarios.

Transaction policy

• Remove the CTAS-specific restriction from uncommitted transaction statement classification:
  • pkg/frontend/stmt_kind.go
• Add/update test coverage:
  • pkg/frontend/mysql_cmd_executor_test.go
  • pkg/frontend/authenticate_test.go
  • pkg/sql/compile/ddl_test.go

Behavioral Notes

• CTAS now behaves atomically in explicit transactions (begin/commit/rollback).
• Source read privileges are checked for CTAS source query.
• Existing internal executor semantics remain unchanged for non-CTAS internal SQL.

[mergify]

Merge Queue Status

Rule: release-3.0

---

• ✅ Entered queue — 2026-02-11 07:21 UTC
• ✅ Checks passed · in-place
• ✅ Merged — 2026-02-11 08:10 UTC · at fee33601ed6921154ccf2257d9ee6a0ff73b88c8

This pull request spent 49 minutes 17 seconds in the queue, including 49 minutes 5 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • to 3.0: fix: execute create as select in one transaction and enforce source SELECT privilege #23726
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • to 3.0: fix: execute create as select in one transaction and enforce source SELECT privilege #23726
• branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
  • to 3.0: fix: execute create as select in one transaction and enforce source SELECT privilege #23726
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Utils CI (3.0) / Coverage
  • check-neutral = Matrixone Utils CI (3.0) / Coverage
  • check-skipped = Matrixone Utils CI (3.0) / Coverage
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone CI (3.0) / SCA Test on Ubuntu/x86
  • check-neutral = Matrixone CI (3.0) / SCA Test on Ubuntu/x86
  • check-skipped = Matrixone CI (3.0) / SCA Test on Ubuntu/x86
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone CI (3.0) / UT Test on Ubuntu/x86
  • check-neutral = Matrixone CI (3.0) / UT Test on Ubuntu/x86
  • check-skipped = Matrixone CI (3.0) / UT Test on Ubuntu/x86
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Compose CI (3.0) / multi cn e2e bvt test docker compose(Optimistic/PUSH)
  • check-neutral = Matrixone Compose CI (3.0) / multi cn e2e bvt test docker compose(Optimistic/PUSH)
  • check-skipped = Matrixone Compose CI (3.0) / multi cn e2e bvt test docker compose(Optimistic/PUSH)
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Compose CI (3.0) / multi cn e2e bvt test docker compose(PESSIMISTIC)
  • check-neutral = Matrixone Compose CI (3.0) / multi cn e2e bvt test docker compose(PESSIMISTIC)
  • check-skipped = Matrixone Compose CI (3.0) / multi cn e2e bvt test docker compose(PESSIMISTIC)
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Standlone CI (3.0) / Multi-CN e2e BVT Test on Linux/x64(LAUNCH, PROXY)
  • check-neutral = Matrixone Standlone CI (3.0) / Multi-CN e2e BVT Test on Linux/x64(LAUNCH, PROXY)
  • check-skipped = Matrixone Standlone CI (3.0) / Multi-CN e2e BVT Test on Linux/x64(LAUNCH, PROXY)
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Standlone CI (3.0) / e2e BVT Test on Linux/x64(LAUNCH, PESSIMISTIC)
  • check-neutral = Matrixone Standlone CI (3.0) / e2e BVT Test on Linux/x64(LAUNCH, PESSIMISTIC)
  • check-skipped = Matrixone Standlone CI (3.0) / e2e BVT Test on Linux/x64(LAUNCH, PESSIMISTIC)
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Standlone CI (3.0) / e2e BVT Test on Linux/x64(LAUNCH,Optimistic)
  • check-neutral = Matrixone Standlone CI (3.0) / e2e BVT Test on Linux/x64(LAUNCH,Optimistic)
  • check-skipped = Matrixone Standlone CI (3.0) / e2e BVT Test on Linux/x64(LAUNCH,Optimistic)
• any of [🛡 GitHub branch protection]:
  • check-success = Matrixone Upgrade CI (3.0) / Compatibility Test With Target on Linux/x64(LAUNCH)
  • check-neutral = Matrixone Upgrade CI (3.0) / Compatibility Test With Target on Linux/x64(LAUNCH)
  • check-skipped = Matrixone Upgrade CI (3.0) / Compatibility Test With Target on Linux/x64(LAUNCH)