infoschema: add masking policy integration

[tiancaiamao]

What problem does this PR solve?

Issue Number: ref #65744

Problem Summary:

• expose masking policies via infoschema for planner/executor usage

What changed and how does it work?

• load masking policies into infoschema builder and add lookup APIs
• update schema diff handling for create/alter/drop policy jobs

Stacked PRs

• Depends on: meta,session: add mysql.tidb_masking_policy table #66033
• Incremental diff: tiancaiamao/tidb@pr/phase3-system-table...pr/phase4-infoschema

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No need to test

  • Covered by later DDL/integration tests in stacked PRs.

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Summary by CodeRabbit

• New Features

  • Added masking policy support: create/modify/delete masking policies and persist their metadata.
  • Query masking policies by name, ID, or table/column.
  • System table and bootstrap/upgrade added to store masking policy metadata.

• Chores

  • Initialization and sync flows now include masking policy data so schemas load with masking info.

• Tests

  • Tests updated to account for masking policy handling and new initialization parameter.

[tiprow]

Hi @tiancaiamao. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds masking policy support: meta CRUD and bootstrapping, system table DDL and reserved ID, infoschema storage/accessors and builder wiring, ISSyncer fetch/integration, call-site and test updates to pass masking policies.

Changes

Cohort / File(s)	Summary
InfoSchema core pkg/infoschema/infoschema.go, pkg/infoschema/context/infoschema.go	Add masking policy maps, locks, accessors (ByID/ByName/ByTableColumn/All), clone helpers, mutators (set/delete), and extend Misc interface with three masking-policy methods.
Builder & misc handlers pkg/infoschema/builder.go, pkg/infoschema/builder_misc.go, pkg/infoschema/builder_test.go	Change InitWithDBInfos signature to accept maskingPolicies; propagate masking policies into initMisc; add applyCreate/Alter/DropMaskingPolicy handlers; update tests to pass new arg.
ISSynchronizer loader pkg/infoschema/issyncer/loader.go	Add fetchMaskingPolicies and fetch masking policies during full-load, passing them to Builder.InitWithDBInfos.
Meta storage & APIs pkg/meta/meta.go	Add masking-policy storage keys, ID generator, CRUD (Get/List/Create/Update/Drop), existence checks, errors, and next‑gen boot table version const.
System table defs & IDs pkg/meta/metadef/system.go, pkg/meta/metadef/system_tables_def.go	Add TiDBMaskingPolicyTableID constant and CreateTiDBMaskingPolicyTable SQL DDL for mysql.tidb_masking_policy.
Bootstrap & upgrades pkg/session/bootstrap.go, pkg/session/upgrade_def.go	Wire masking-policy system table into next-gen bootstrap tables; add upgradeToVer255, bump currentBootstrapVersion to include version 255.
Tests & call-site updates pkg/infoschema/infoschema_test.go, pkg/infoschema/infoschema_v2_test.go, pkg/executor/..., pkg/ddl/placement_policy_ddl_test.go, pkg/infoschema/builder_test.go	Update all InitWithDBInfos call sites to pass new maskingPolicies parameter (nil in tests) and adjust expected bootstrap version in restore test.
Other tests & test improvements pkg/executor/importer/importer_testkit_test.go, pkg/session/bootstrap_test.go, br/pkg/restore/.../systable_restore_test.go	Improve importer test verification (collect/write KV pairs and checksum checks); adjust bootstrap test table ID checks and expect version 255 in restore test.

Sequence Diagram(s)

sequenceDiagram
    participant ISSyncer as ISSyncer.Loader
    participant Meta as meta.Reader
    participant Builder as infoschema.Builder
    participant InfoSchema as infoSchema

    ISSyncer->>Meta: ListSchemas(), ListPolicies(), ListResourceGroups()
    ISSyncer->>Meta: ListMaskingPolicies()
    Meta-->>ISSyncer: schemas, policies, resourceGroups, maskingPolicies
    ISSyncer->>Builder: InitWithDBInfos(schemas, policies, resourceGroups, maskingPolicies, version)
    Builder->>InfoSchema: initMisc(policies, resourceGroups, maskingPolicies)
    InfoSchema-->>Builder: maskingPolicy maps populated
    Builder-->>ISSyncer: InitWithDBInfos returns

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• meta: add masking policy metadata #66032 — Adds masking-policy meta APIs and related meta-level helpers (Gen/List/Get/Create/Update/Drop), strongly related to meta changes in this PR.

Suggested labels

sig/planner, ok-to-test

Suggested reviewers

• fzzf678
• wjhuang2016
• lcwangchao
• mjonss

Poem

🐰 I hopped through meta, schema, and test,
I stitched a table where policies rest,
From loader to builder the whispers ran,
Now masking hides data as only rabbits can,
A tiny hop for code, a merry band of jest.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 17.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'infoschema: add masking policy integration' accurately describes the main change—integrating masking policies into the infoschema for planner/executor usage.
Description check	✅ Passed	The description adequately addresses the template by identifying the issue reference, summarizing the problem and changes, and correctly marking testing as deferred to later PRs with justification.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/executor/slow_query_test.go (1)

825-825: ⚠️ Potential issue | 🔴 Critical

Missing signature update will cause compilation failure.

This InitWithDBInfos call still uses the old 4-argument signature, but the function signature was extended to include the maskingPolicies parameter. This will cause a compilation error.

-	err := newISBuilder.InitWithDBInfos(nil, nil, nil, 0)
+	err := newISBuilder.InitWithDBInfos(nil, nil, nil, nil, 0)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/executor/slow_query_test.go` at line 825, The call to
newISBuilder.InitWithDBInfos uses the old 4-argument signature; update the
invocation to pass the new maskingPolicies argument (e.g., nil or an appropriate
value) so it matches the extended InitWithDBInfos signature; locate the call to
newISBuilder.InitWithDBInfos in slow_query_test.go and add the maskingPolicies
parameter to the argument list.

🧹 Nitpick comments (3)

pkg/meta/model/masking_policy.go (1)

33-41: Consider a non-empty fallback for unknown masking status.

Returning "" in MaskingPolicyStatus.String() makes invalid states harder to diagnose in logs/errors; UNKNOWN would be clearer.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/meta/model/masking_policy.go` around lines 33 - 41,
MaskingPolicyStatus.String() currently returns an empty string for unknown
values; change the default case to return a non-empty sentinel like "UNKNOWN"
(or "UNKNOWN(<value>)" using fmt.Sprintf("%d", s) for extra context) so
invalid/unknown MaskingPolicyStatus values are clearly visible in logs and
errors; update the default branch in the MaskingPolicyStatus.String method
accordingly.

pkg/meta/meta_test.go (2)

167-182: Consider adding DropMaskingPolicy test coverage.

The test covers Create, Get, Update, and List operations, but DropMaskingPolicy is missing. Given that ActionDropMaskingPolicy is added to BDR actions (see pkg/meta/model/bdr.go), this operation likely exists and should be tested for completeness.

Would you like me to help generate the DropMaskingPolicy test coverage?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/meta/meta_test.go` around lines 167 - 182, Add a test case exercising
DropMaskingPolicy: after creating and asserting the policy via
meta.NewMutator(txn).CreateMaskingPolicy and verifying with
GetMaskingPolicy/ListMaskingPolicies (the existing setup using
model.MaskingPolicyInfo and m.GetMaskingPolicy), call m.DropMaskingPolicy(id)
(ensure you use the same policy ID used earlier) and assert no error, then begin
a new transaction and verify the policy is no longer returned by
m.GetMaskingPolicy (expect not found/appropriate error) and not present in
m.ListMaskingPolicies; also ensure the BDR action ActionDropMaskingPolicy path
is covered if relevant by committing/starting transactions as in the surrounding
test flow.

---

151-152: Consider verifying the specific error type for duplicate creation.

The test checks that creating a duplicate masking policy returns an error, but unlike TestPlacementPolicy (line 85) which verifies meta.ErrPolicyExists.Equal(err), this test only checks that the error is not nil. For consistency and better test coverage, consider verifying the specific error type.

 	err = m.CreateMaskingPolicy(policy)
 	require.NotNil(t, err)
+	require.True(t, meta.ErrMaskingPolicyExists.Equal(err))

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/meta/meta_test.go` around lines 151 - 152, The test currently asserts
only that m.CreateMaskingPolicy(policy) returned a non-nil error; update it to
assert the specific duplicate-policy error like in TestPlacementPolicy by
replacing the generic require.NotNil(t, err) with an assertion that the error
equals meta.ErrPolicyExists (e.g., use meta.ErrPolicyExists.Equal(err) or an
equivalent equality check) so the test verifies the exact duplicate-creation
error for CreateMaskingPolicy.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/infoschema/builder_misc.go`:
- Around line 74-80: The calls to b.infoSchema.setMaskingPolicy(...) need nil
guards: after calling m.GetMaskingPolicy(diff.SchemaID) in
applyCreateMaskingPolicy (and the other similar function in this file where
setMaskingPolicy is used), check whether the returned policy is nil and handle
it gracefully (e.g., return nil or skip setting) instead of calling
setMaskingPolicy with a nil value; update both places that call
b.infoSchema.setMaskingPolicy to perform this nil check and short-circuit before
invoking setMaskingPolicy.

In `@pkg/infoschema/infoschema.go`:
- Around line 293-300: MaskingPolicyByID currently iterates maskingPolicyMap
without locking, risking a data race with setMaskingPolicy/deleteMaskingPolicy
which use maskingPolicyMutex; modify MaskingPolicyByID to acquire a read lock on
maskingPolicyMutex (RLock) before iterating and release it (RUnlock) after
returning, mirroring the pattern used in MaskingPolicyByName to ensure
concurrent safe reads of maskingPolicyMap.

In `@pkg/meta/meta.go`:
- Around line 157-160: Replace the two plain errors ErrMaskingPolicyExists and
ErrMaskingPolicyNotExists with the project’s typed meta/db errors using the
dbterror/errno pattern (i.e., create error variables using the same
dbterror/errno factory used by other meta objects so they carry SQL error
semantics and codes), and update the masking policy existence check/get call
sites (the functions that return these errors) to wrap/annotate returned errors
with the standard stack/context helper (the same wrapper used elsewhere for meta
errors) so callers receive the typed error plus contextual stack information;
reference the symbols ErrMaskingPolicyExists and ErrMaskingPolicyNotExists and
the masking-policy check/get functions when applying the change.

In `@pkg/parser/keywords.go`:
- Line 153: The keywords list contains duplicate entries for "MASKING" with
conflicting reservedness; remove the duplicate unreserved/reserved entry so
"MASKING" has a single classification (keep the intended reserved entry added at
the top) by editing pkg/parser/keywords.go to delete the other "MASKING" entry
(refer to the two entries of the string "MASKING" in the keywords slice) and
then regenerate the keyword artifacts/bindings so the metadata is consistent.

---

Outside diff comments:
In `@pkg/executor/slow_query_test.go`:
- Line 825: The call to newISBuilder.InitWithDBInfos uses the old 4-argument
signature; update the invocation to pass the new maskingPolicies argument (e.g.,
nil or an appropriate value) so it matches the extended InitWithDBInfos
signature; locate the call to newISBuilder.InitWithDBInfos in slow_query_test.go
and add the maskingPolicies parameter to the argument list.

---

Nitpick comments:
In `@pkg/meta/meta_test.go`:
- Around line 167-182: Add a test case exercising DropMaskingPolicy: after
creating and asserting the policy via meta.NewMutator(txn).CreateMaskingPolicy
and verifying with GetMaskingPolicy/ListMaskingPolicies (the existing setup
using model.MaskingPolicyInfo and m.GetMaskingPolicy), call
m.DropMaskingPolicy(id) (ensure you use the same policy ID used earlier) and
assert no error, then begin a new transaction and verify the policy is no longer
returned by m.GetMaskingPolicy (expect not found/appropriate error) and not
present in m.ListMaskingPolicies; also ensure the BDR action
ActionDropMaskingPolicy path is covered if relevant by committing/starting
transactions as in the surrounding test flow.
- Around line 151-152: The test currently asserts only that
m.CreateMaskingPolicy(policy) returned a non-nil error; update it to assert the
specific duplicate-policy error like in TestPlacementPolicy by replacing the
generic require.NotNil(t, err) with an assertion that the error equals
meta.ErrPolicyExists (e.g., use meta.ErrPolicyExists.Equal(err) or an equivalent
equality check) so the test verifies the exact duplicate-creation error for
CreateMaskingPolicy.

In `@pkg/meta/model/masking_policy.go`:
- Around line 33-41: MaskingPolicyStatus.String() currently returns an empty
string for unknown values; change the default case to return a non-empty
sentinel like "UNKNOWN" (or "UNKNOWN(<value>)" using fmt.Sprintf("%d", s) for
extra context) so invalid/unknown MaskingPolicyStatus values are clearly visible
in logs and errors; update the default branch in the MaskingPolicyStatus.String
method accordingly.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f82da0 and 4185498.

📒 Files selected for processing (24)

• pkg/ddl/placement_policy_ddl_test.go
• pkg/executor/slow_query_test.go
• pkg/executor/stmtsummary_test.go
• pkg/infoschema/builder.go
• pkg/infoschema/builder_misc.go
• pkg/infoschema/builder_test.go
• pkg/infoschema/context/infoschema.go
• pkg/infoschema/infoschema.go
• pkg/infoschema/infoschema_test.go
• pkg/infoschema/infoschema_v2_test.go
• pkg/infoschema/issyncer/loader.go
• pkg/meta/meta.go
• pkg/meta/meta_test.go
• pkg/meta/metadef/system.go
• pkg/meta/metadef/system_tables_def.go
• pkg/meta/model/bdr.go
• pkg/meta/model/job.go
• pkg/meta/model/job_args.go
• pkg/meta/model/job_args_test.go
• pkg/meta/model/masking_policy.go
• pkg/meta/reader.go
• pkg/parser/keywords.go
• pkg/session/bootstrap.go
• pkg/session/upgrade_def.go

[codecov]

Codecov Report

❌ Patch coverage is 6.59026% with 326 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.3677%. Comparing base (8ad6083) to head (ef26e31).
⚠️ Report is 58 commits behind head on master.

Additional details and impacted files

@@               Coverage Diff                @@
##             master     #66034        +/-   ##
================================================
- Coverage   77.7059%   76.3677%   -1.3383%     
================================================
  Files          1991       2057        +66     
  Lines        552094     585480     +33386     
================================================
+ Hits         429010     447118     +18108     
- Misses       122164     135101     +12937     
- Partials        920       3261      +2341     

Flag	Coverage Δ
integration	46.2666% <6.5902%> (+6.4647%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
dumpling	60.4888% <ø> (ø)
parser	∅ <ø> (∅)
br	65.7551% <ø> (+2.6640%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tiancaiamao]

/retest

[tiprow]

@tiancaiamao: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tiancaiamao]

/retest

[tiprow]

@tiancaiamao: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tiancaiamao]

/retest

[tiprow]

@tiancaiamao: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hawkingrei]

/retest

[hawkingrei]

/retest

[tiancaiamao]

/retest

[tiprow]

@tiancaiamao: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hawkingrei]

/ok-to-test

[hawkingrei]

/retest

[hawkingrei]

/retest

[hawkingrei]

/retest

[tiancaiamao]

/retest

[bb7133]

LGTM

[tiancaiamao]

/retest

[tiancaiamao]

/retest

[tiancaiamao]

/retest

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bb7133, wjhuang2016

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bb7133,wjhuang2016]
• pkg/ddl/OWNERS [bb7133,wjhuang2016]
• pkg/infoschema/OWNERS [bb7133,wjhuang2016]
• pkg/meta/OWNERS [bb7133,wjhuang2016]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-05-18 05:23:59.92090794 +0000 UTC m=+155369.425038616: ☑️ agreed by bb7133.
• 2026-05-19 07:39:56.224703993 +0000 UTC m=+249925.728834669: ☑️ agreed by wjhuang2016.

[tiancaiamao]

/retest

[tiancaiamao]

/retest

[tiancaiamao]

/retest

[tiancaiamao]

/retest

[tiprow]

@tiancaiamao: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
fast_test_tiprow	ef26e31	link	true	/test fast_test_tiprow

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tiancaiamao]

/test pull-integration-realcluster-test-next-gen

[tiprow]

@tiancaiamao: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test fast_test_tiprow

/test tidb_parser_test

Use /test all to run all jobs.

Details

In response to this:

/test pull-integration-realcluster-test-next-gen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.